# PRD: Layer 40 - Platform

**Scope:** Deployment account. Cluster add-ons and shared controllers: secrets sync, storage driver, observability, and namespace standards.

**Dependencies:** PRD_00-cross-cutting, PRD_00-bootstrap, PRD_10-network, PRD_20-eks.

## 1. Purpose and Execution Order

| ID | Requirement |
| ---- | ------------- |
| R-P40-001 | This layer SHALL provision cluster add-ons and shared controllers required for ArgoCD, Wiki.js, and observability. |
| R-P40-002 | The layer SHALL run after EKS and before ArgoCD and app-wikijs. |
| R-P40-003 | Outputs SHALL be published to Parameter Store: namespace names and any add-on identifiers required by downstream layers. |

## 2. Secrets Sync Mechanism

| ID | Requirement |
| ---- | ------------- |
| R-P40-101 | A secrets sync mechanism SHALL be installed so that workloads can consume secrets from AWS Secrets Manager. |
| R-P40-102 | The mechanism SHALL be either: AWS Secrets Store CSI driver with Secrets Manager provider, or External Secrets with Secrets Manager backend. |
| R-P40-103 | The mechanism SHALL allow Kubernetes secrets to be synced from Secrets Manager without storing secret values in code, logs, or Terraform state. |
| R-P40-104 | The mechanism SHALL support the RDS managed master password secret and Wiki.js application secrets (e.g. app secret key, SMTP, OAuth) as defined in the cross-cutting secrets model. |
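
The following is an added Terraform example (not from this PRD or the project's own `terraform/40-platform` root) showing what R-P40-101 through R-P40-104 look like with the Secrets Store CSI driver option: a `SecretProviderClass` that references the RDS master secret and the Wiki.js application secret by ARN only, and a least-privilege IAM policy for the workload's role. The ARNs, the `wikijs_pod_role_name` variable, the secret field names and the `wikijs-env` secret name are constructed placeholders; the driver and its AWS provider are assumed to be installed already, since `kubernetes_manifest` needs the CRD present at plan time.

```hcl
# Added example, not the project's code. Assumes the Secrets Store CSI driver and
# the AWS provider are installed (R-P40-102) and the workload runs in `wikijs`.

locals {
  # Constructed placeholder ARNs; real values come from the cross-cutting secrets model.
  rds_master_secret_arn = "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:wikijs/ENV/rds-master-PLACEHOLDER"
  app_secret_arn        = "arn:aws:secretsmanager:REGION:ACCOUNT_ID:secret:wikijs/ENV/app-PLACEHOLDER"
}

# Least privilege for the Wiki.js service-account role (IRSA or Pod Identity):
# read access only, and only to the two secrets this workload needs.
data "aws_iam_policy_document" "wikijs_secrets_read" {
  statement {
    sid       = "ReadWikijsSecrets"
    actions   = ["secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"]
    resources = [local.rds_master_secret_arn, local.app_secret_arn]
  }
}

resource "aws_iam_role_policy" "wikijs_secrets_read" {
  name   = "wikijs-secrets-read"
  role   = var.wikijs_pod_role_name # hypothetical input: role created by another layer
  policy = data.aws_iam_policy_document.wikijs_secrets_read.json
}

# SecretProviderClass references secrets by ARN only, so no secret value appears in
# this configuration, in plan output, or in Terraform state (R-P40-103).
resource "kubernetes_manifest" "wikijs_secret_provider_class" {
  manifest = {
    apiVersion = "secrets-store.csi.x-k8s.io/v1"
    kind       = "SecretProviderClass"
    metadata = {
      name      = "wikijs-secrets"
      namespace = "wikijs"
    }
    spec = {
      provider = "aws"
      parameters = {
        # The AWS provider expects `objects` as a YAML string; jmesPath extracts
        # individual fields from the JSON secret the RDS managed password uses.
        objects = yamlencode([
          {
            objectName = local.rds_master_secret_arn
            jmesPath = [
              { path = "username", objectAlias = "db_username" },
              { path = "password", objectAlias = "db_password" },
            ]
          },
          { objectName = local.app_secret_arn, objectAlias = "app_secret" },
        ])
      }
      # Mirror the mounted files into a Kubernetes Secret so Wiki.js can consume
      # them as env vars. The Secret exists only while a pod mounts the volume, and
      # its values live in etcd, so cluster secret encryption (KMS) should be on.
      secretObjects = [{
        secretName = "wikijs-env"
        type       = "Opaque"
        data = [
          { objectName = "db_username", key = "DB_USER" },
          { objectName = "db_password", key = "DB_PASS" },
          { objectName = "app_secret", key = "APP_SECRET" },
        ]
      }]
    }
  }
}
```

A pod then mounts the CSI volume with `secretProviderClass: wikijs-secrets` and reads `wikijs-env` through `envFrom`; rotation happens in Secrets Manager and is picked up by the driver's rotation reconciler, so no value is ever committed or planned.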

## 3. Storage Driver

| ID | Requirement |
| ---- | ------------- |
| R-P40-201 | Storage driver support (e.g. EBS CSI) SHALL be installed or enabled consistent with EKS Auto Mode expectations for persistent volumes. |
| R-P40-202 | The storage driver SHALL support PVCs required by Wiki.js for runtime data (persistence). |

## 4. Observability

| ID | Requirement |
| ---- | ------------- |
| R-P40-301 | Baseline observability SHALL be installed: logs, metrics, and alerts to meet the assessment requirements (reliability, observability). |
| R-P40-302 | Logging SHALL support forwarding or collection from the cluster (e.g. CloudWatch Logs, Fluent Bit, or equivalent). |
| R-P40-303 | Metrics and alerting SHALL be configured so that cluster and application health can be monitored. |

## 5. Namespace Standards

| ID | Requirement |
| ---- | ------------- |
| R-P40-401 | The `argocd` namespace SHALL be created (or ensured) for the ArgoCD installation. |
| R-P40-402 | The `wikijs` namespace SHALL be created (or ensured) for the Wiki.js application. |
| R-P40-403 | Namespace creation MAY be done in this layer or in the respective ArgoCD/Wiki.js layers; this layer SHALL ensure they exist before or as part of add-on installation. |

## 6. Parameter Store Outputs

| ID | Requirement |
| ---- | ------------- |
| R-P40-501 | The layer SHALL publish to Parameter Store under `wikijs/<region>/<env>/40-platform/`: namespace names and any add-on identifiers required by downstream layers (e.g. ArgoCD, app-wikijs). |
| R-P40-502 | The layer SHALL publish only under its own prefix. |

## 7. Destroy Behavior

| ID | Requirement |
| ---- | ------------- |
| R-P40-601 | On `terraform destroy`, the layer SHALL remove add-ons, controllers, and namespaces it owns after 50-app-wikijs and 45-argocd have been destroyed. |
| R-P40-602 | The layer SHALL delete its own Parameter Store prefix after successful destroy. |
| R-P40-603 | A provision workflow and a destroy workflow SHALL exist; destroy SHALL run after 50-app-wikijs and 45-argocd. |

## 8. Implementation Notes

- **Terraform root:** `terraform/40-platform`
- **Workflows:** `tf-40-platform-provision.yaml`, `tf-40-platform-destroy.yaml` (extension `.yaml`)
- **Secrets sync:** AWS Secrets Store CSI driver (EKS addon `aws-secrets-store-csi-driver`) plus Secrets Manager provider (Helm chart `secrets-store-csi-driver-provider-aws`)
- **Storage driver:** EKS addon `aws-ebs-csi-driver`; optional StorageClass for Wiki.js PVCs
- **Observability:** Fluent Bit (Helm chart `aws-for-fluent-bit`) for CloudWatch Logs
- **Parameter Store (writes):** `argocd_namespace`, `wikijs_namespace`, `secrets_store_csi_addon_version`, `storage_class_name` under `wikijs/<region>/<env>/40-platform/`
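
An added sketch of how the add-ons in these notes, the namespaces of section 5, the StorageClass of section 3, and the Parameter Store writes of section 6 fit together in one Terraform root; this is example code, not the project's actual `terraform/40-platform`. It uses the addon and chart names listed above; the `region`, `env` and `cluster_name` variables, the Helm repository URLs, the `wikijs-gp3` StorageClass name, the Fluent Bit chart value keys and the log group name are assumptions.

```hcl
# Added example, not the project's code. Inputs below are hypothetical variables;
# in the real layer they would be read from the 20-eks Parameter Store prefix.
variable "region" {}
variable "env" {}
variable "cluster_name" {}

locals {
  # R-P40-501/502: this layer writes only under its own prefix.
  ssm_prefix = "/wikijs/${var.region}/${var.env}/40-platform"
  namespaces = toset(["argocd", "wikijs"])
}

# EKS-managed add-ons (R-P40-102, R-P40-201)
resource "aws_eks_addon" "ebs_csi" {
  cluster_name                = var.cluster_name
  addon_name                  = "aws-ebs-csi-driver"
  resolve_conflicts_on_update = "OVERWRITE"
}

resource "aws_eks_addon" "secrets_store_csi" {
  cluster_name = var.cluster_name
  addon_name   = "aws-secrets-store-csi-driver" # name as given in the notes above
}

# Secrets Manager provider for the CSI driver (installed after the driver add-on)
resource "helm_release" "secrets_provider_aws" {
  name       = "secrets-provider-aws"
  namespace  = "kube-system"
  repository = "https://aws.github.io/secrets-store-csi-driver-provider-aws" # assumed repo URL
  chart      = "secrets-store-csi-driver-provider-aws"
  depends_on = [aws_eks_addon.secrets_store_csi]
}

# Fluent Bit shipping container logs to CloudWatch Logs (R-P40-302)
resource "helm_release" "fluent_bit" {
  name       = "aws-for-fluent-bit"
  namespace  = "kube-system"
  repository = "https://aws.github.io/eks-charts" # assumed repo URL
  chart      = "aws-for-fluent-bit"
  values = [yamlencode({
    cloudWatchLogs = { # value keys assumed from the chart's defaults
      enabled      = true
      region       = var.region
      logGroupName = "/aws/eks/${var.cluster_name}/application"
    }
  })]
}

# Namespace standards (R-P40-401, R-P40-402)
resource "kubernetes_namespace" "standard" {
  for_each = local.namespaces
  metadata {
    name = each.key
  }
}

# StorageClass for Wiki.js PVCs: encrypted gp3, retained on PVC deletion (R-P40-202)
resource "kubernetes_storage_class" "wikijs_gp3" {
  metadata {
    name = "wikijs-gp3"
  }
  storage_provisioner = "ebs.csi.aws.com"
  reclaim_policy      = "Retain"
  volume_binding_mode = "WaitForFirstConsumer"
  parameters = {
    type      = "gp3"
    encrypted = "true"
  }
  depends_on = [aws_eks_addon.ebs_csi]
}

# Parameter Store outputs: exactly the keys listed in the notes, under the layer prefix.
# `terraform destroy` removes these parameters with everything else (R-P40-602).
locals {
  outputs = {
    argocd_namespace                = kubernetes_namespace.standard["argocd"].metadata[0].name
    wikijs_namespace                = kubernetes_namespace.standard["wikijs"].metadata[0].name
    secrets_store_csi_addon_version = aws_eks_addon.secrets_store_csi.addon_version
    storage_class_name              = kubernetes_storage_class.wikijs_gp3.metadata[0].name
  }
}

resource "aws_ssm_parameter" "outputs" {
  for_each = local.outputs
  name     = "${local.ssm_prefix}/${each.key}"
  type     = "String"
  value    = each.value
}
```

The destroy ordering of section 7 is not expressible inside this root: it is enforced by the destroy workflow running only after `50-app-wikijs` and `45-argocd`, otherwise deleting the `wikijs` and `argocd` namespaces here would remove workloads still owned by those layers.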
