From 44e0cb788e361faf2f1a65d7021a00a597d88f2e Mon Sep 17 00:00:00 2001 From: Alexandra Molnar Date: Mon, 10 Feb 2025 10:39:18 +0000 Subject: [PATCH] Rework concepts --- edge_management/edge_mgmt_arch.adoc | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/edge_management/edge_mgmt_arch.adoc b/edge_management/edge_mgmt_arch.adoc index db35113927..684a27dfdd 100644 --- a/edge_management/edge_mgmt_arch.adoc +++ b/edge_management/edge_mgmt_arch.adoc 
@@ -1,29 +1,29 @@ [#edge-mgmt-arch] = Understanding the {rhem} architecture -The {rhem} uses an agent-based architecture, which means that a {rhem} agent runs on each edge device that periodically communicates with the {rhem} service for device management and monitoring. -The agent autonomously updates the device and reports the device status to the service. +The {rhem} uses an agent-based architecture, which means that a {rhem} agent runs on each edge device. +The devices periodically communicate with the {rhem} service through the agent. +The agent autonomously handles device management and monitoring. This agent-based architecture allows for a scalable and robust device management under limited network conditions. -The {rhem} service consists of the following components: - -* an API server that exposes both agent-facing and user-facing API endpoints -* a PostgreSQL database for storing inventory and runtime information such as the current target configuration and the reported actual configuration -* worker processes +The {rhem} architecture has the following main concepts: Agent:: The {rhem} agent runs on each device. The agent periodically connects to the {rhem} service for monitoring and updates. Service:: The {rhem} service handles user and agent authentication and authorization, device enrollment and inventory, rolling out updates to devices, and rolling up status from devices. +API server:: A part of the {rhem} service that exposes both agent-facing and user-facing API endpoints. Device:: A combination of a real or virtual machine, an operating system, and application workloads that function together to serve a specific purpose. -Device Spec:: A specification of a state of the device that the user defines. -Device Status:: A record of the state that the device is reported to actually have. -Device Template:: A template for device specs that serves to control deviations between the configurations of devices. 
+Device spec:: A specification of a state of the device that the user defines. +Device status:: A record of the state that the device is reported to actually have. +Device template:: A template for device specs that serves to control deviations between the configurations of devices. Fleet:: A group of devices governed by a common device template and common management policies. +PostgreSQL database:: A database for storing inventory and runtime information, such as the current target configuration and the reported actual configuration. +//// Field Selector:: Filters and selectors for {rhem} objects based on the values of specific resource fields. Field selectors follow the same syntax, principles, and support the same operators as Kubernetes field and label selectors. Labels:: Organizers for devices and other resources. Label Selector:: Groups or filters for devices and other resources based on assigned labels. +//// -[#edge-mgmt-api-server] == Understanding the {rhem} API server The {rhem} service communicates with various external systems to authenticate and authorize users, get mTLS certificates signed, or query configuration for managed devices. @@ -36,7 +36,7 @@ Users must authenticate with the configured external authentication service to o Agent-facing API endpoint:: Agents connect to the agent-facing endpoint. The endpoint is mTLS-protected which means that the service authenticates the device based on its X.509 client certificates. During enrollment, the device's unique certificate is bootstrapped based on hardware root of trust. -The private key is protected by the Trusted Plaftom Module (TPM), therefore the client certificate cannot be used by another entity. +The private key is protected by the Trusted Platform Module (TPM), therefore the client certificate cannot be used by another entity. Certificates are automatically rotated before they expire. [#edge-mgmt-agent]
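Review bot: in the first hunk, removing the `[#edge-mgmt-api-server]` anchor in front of `== Understanding the {rhem} API server` breaks any `xref:edge-mgmt-api-server[]` link elsewhere in the docs; keep the anchor (the heading text did not change) or grep the repo for references before dropping it. Two smaller points in the same hunk: the deleted component list named `worker processes`, and the new concept list re-adds `API server::` and `PostgreSQL database::` but not the workers, so that component silently disappears from the architecture description; and the `Field Selector::`, `Labels::` and `Label Selector::` definitions are wrapped in a `////` comment block rather than deleted, leaving dead content in the source with no explanation in the commit message of why they are hidden. Either remove them or say in the commit message where they moved.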
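Review bot: in the second hunk the `Plaftom` -> `Platform` fix is correct, but the sentence `The private key is protected by the Trusted Platform Module (TPM), therefore the client certificate cannot be used by another entity.` overstates the guarantee: the certificate is public data and can be copied freely; what the TPM prevents is extraction of the private key. Since the line is being touched anyway, suggest `The private key is generated in and protected by the Trusted Platform Module (TPM), so it cannot be extracted and used by another device.`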