photoncloud-monorepo/docs/por/T015-overlay-networking/task.yaml

id: T015
name: Overlay Networking Specification
status: complete
goal: Design multi-tenant overlay network architecture for VM isolation
priority: P0
owner: peerA (strategy) + peerB (research/spec)
created: 2025-12-08
depends_on: [T014]

context: |
  PROJECT.md item 11 specifies overlay networking:
  "マルチテナントでもうまく動くためには、ユーザーの中でアクセスできるネットワークなど、
   考えなければいけないことが山ほどある。これを処理するものも必要。
   とりあえずネットワーク部分自体の実装はOVNとかで良い。"

  PlasmaVMC now has:
  - KVM + FireCracker backends (T011, T014)
  - Multi-tenant scoping (T012)
  - ChainFire persistence (T013)

  Network isolation is critical before production use:
  - Tenant VMs must not see other tenants' traffic
  - VMs within same tenant/project should have private networking
  - External connectivity via controlled gateway

acceptance:
  - Specification document covering architecture, components, APIs
  - OVN integration design (or alternative justification)
  - Tenant network isolation model defined
  - Integration points with PlasmaVMC documented
  - Security model for network policies

steps:
  - step: S1
    action: Research OVN and alternatives
    priority: P0
    status: complete
    owner: peerB
    completed: 2025-12-08
    notes: |
      Study OVN (Open Virtual Network) architecture.
      Evaluate alternatives: Cilium, Calico, custom eBPF.
      Assess complexity vs. capability tradeoffs.
    deliverables:
      - research summary comparing options
      - recommendation with rationale
    evidence:
      - research-summary.md: OVN、Cilium、Calico、カスタムeBPFの比較分析、OVN推奨と根拠

  - step: S2
    action: Design tenant network model
    priority: P0
    status: complete
    owner: peerB
    completed: 2025-12-08
    notes: |
      Define how tenant networks are isolated.
      Design: per-project VPC, subnet allocation, DHCP.
      Consider: security groups, network policies, NAT.
    deliverables:
      - tenant network model document
      - API sketch for network operations
    evidence:
      - tenant-network-model.md: テナントネットワークモデル設計完了、VPC/サブネット/DHCP/セキュリティグループ/NAT設計、APIスケッチ

  - step: S3
    action: Write specification document
    priority: P0
    status: complete
    owner: peerB
    completed: 2025-12-08
    notes: |
      Create specifications/overlay-network/README.md.
      Follow TEMPLATE.md format.
      Include: architecture, data flow, APIs, security model.
    deliverables:
      - specifications/overlay-network/README.md
      - consistent with other component specs
    evidence:
      - specifications/overlay-network/README.md: 仕様ドキュメント作成完了、TEMPLATE.mdフォーマット準拠、アーキテクチャ/データフロー/API/セキュリティモデル含む

  - step: S4
    action: PlasmaVMC integration design
    priority: P1
    status: complete
    owner: peerB
    completed: 2025-12-08
    notes: |
      Define how VmService attaches VMs to tenant networks.
      Design VmConfig network fields.
      Plan for: port creation, IP assignment, security group binding.
    deliverables:
      - integration design note
      - VmConfig network schema extension
    evidence:
      - plasmavmc-integration.md: PlasmaVMC統合設計完了、VmService統合フロー、NetworkSpec拡張、ポート作成/IP割り当て/SGバインディング設計

blockers: []

evidence:
  - research-summary.md: S1完了 - OVNと代替案の調査、OVN推奨
  - tenant-network-model.md: S2完了 - テナントネットワークモデル設計、VPC/サブネット/IPAM/DHCP/セキュリティグループ/NAT設計、APIスケッチ
  - specifications/overlay-network/README.md: S3完了 - 仕様ドキュメント作成、TEMPLATE.mdフォーマット準拠
  - plasmavmc-integration.md: S4完了 - PlasmaVMC統合設計、VmService統合フロー、NetworkSpec拡張

notes: |
  Key considerations:
  - OVN is mature but complex (requires ovsdb, ovn-controller)
  - eBPF-based solutions (Cilium) are modern but may need more custom work
  - Start with OVN for proven multi-tenant isolation, consider optimization later

  Risk: OVN complexity may slow adoption.
  Mitigation: Abstract via clean API, allow pluggable backends later.