# Orchestra Platform Architecture

## Domain Structure

The Orchestra Platform uses a hierarchical domain structure built around orchestraplatform.org to provide a comprehensive bioinformatics and data science learning environment.
See Domain Structure for details on subdomains and workshop URLs.
### Core Platform Subdomains

| Subdomain | Purpose | Repository |
|---|---|---|
| app.orchestraplatform.org | Main application dashboard and frontend where users create and manage workshops | orchestra-frontend |
| api.orchestraplatform.org | REST API endpoints for the platform | orchestra-api |
| docs.orchestraplatform.org | Documentation site (user guides, API docs, tutorials) | orchestra-docs |
### Workshop Subdomains

Each workshop instance gets a unique hostname following the pattern:

```
{workshop-id}.orchestraplatform.org
```

Examples:

```
genomics-101-abc123.orchestraplatform.org
rnaseq-analysis-2025jan-a1b2c3.orchestraplatform.org
proteomics-intro-cohort5-x9y8z7.orchestraplatform.org
```
### Additional Service Subdomains

| Subdomain | Purpose |
|---|---|
| status.orchestraplatform.org | System status page and uptime monitoring |
| admin.orchestraplatform.org | Administrative interface for platform operators |
| staging.orchestraplatform.org | Staging environment for testing |
### Workshop ID Strategy

Workshop IDs follow the pattern `{course-name}-{session-id}-{random}`:
- course-name: Descriptive identifier for the workshop type
- session-id: Time-based or cohort identifier
- random: Short random string for uniqueness
This provides readable URLs while maintaining uniqueness and reasonable length.
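The workshop ID becomes a DNS label and an Ingress host rule, so whatever a user types as a course name has to be reduced to a valid RFC 1123 label and kept away from the platform's own subdomains (app, api, docs, status, admin, staging). The following helpers are an added example, not code from the Orchestra repositories; the random-suffix length, the slug rules and the reserved-label check are assumptions about how the documented pattern could be enforced.

```python
"""Workshop ID and hostname helpers (added example; not Orchestra project code).
Random-suffix length, slug rules and the reserved-label check are assumptions."""
import re
import secrets

BASE_DOMAIN = "orchestraplatform.org"
# Core and service subdomains listed on this page: a workshop must never claim one.
RESERVED_LABELS = {"app", "api", "docs", "status", "admin", "staging"}
# RFC 1123 DNS label: lowercase alphanumerics and hyphens, 1-63 characters,
# no leading or trailing hyphen. Both DNS and the Ingress host rule require this.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")
RANDOM_BYTES = 3  # assumed: 3 random bytes -> 6 hex characters, like "abc123"


def slugify(text: str) -> str:
    """Reduce free text (e.g. a course title typed by a user) to a DNS-safe slug."""
    slug = re.sub(r"[^a-z0-9]+", "-", text.lower()).strip("-")
    if not slug:
        raise ValueError(f"no DNS-safe characters in {text!r}")
    return slug


def is_valid_label(label: str) -> bool:
    """True only for a well-formed single DNS label that is not a reserved subdomain."""
    return LABEL_RE.match(label) is not None and label not in RESERVED_LABELS


def validate_label(label: str) -> None:
    if not is_valid_label(label):
        raise ValueError(f"invalid or reserved DNS label: {label!r}")


def workshop_id(course_name: str, session_id: str, rng=secrets.token_hex) -> str:
    """Build {course-name}-{session-id}-{random}; rng is injectable for tests."""
    wid = f"{slugify(course_name)}-{slugify(session_id)}-{rng(RANDOM_BYTES)}"
    validate_label(wid)
    return wid


def workshop_hostname(wid: str) -> str:
    """Hostname used in the Ingress rule and answered by the wildcard DNS record."""
    validate_label(wid)
    host = f"{wid}.{BASE_DOMAIN}"
    if len(host) > 253:  # overall DNS name limit
        raise ValueError("hostname exceeds 253 characters")
    return host


def is_workshop_hostname(host: str) -> bool:
    """Accept only <single-valid-label>.orchestraplatform.org; rejects nested
    labels and the platform's own subdomains, e.g. when checking a Host header."""
    suffix = "." + BASE_DOMAIN
    if not host.endswith(suffix):
        return False
    label = host[: -len(suffix)]
    return is_valid_label(label)
```

The two validation entry points matter more than the generator: `workshop_id` is the write path, and `is_workshop_hostname` is the read path for anything that receives a hostname back from a request and must not treat `api.orchestraplatform.org` or a nested label as a workshop.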
## DNS Configuration

### Wildcard DNS Setup

A wildcard DNS record `*.orchestraplatform.org` points to the Kubernetes ingress controller, which routes each workshop subdomain to the correct pods.
### SSL/TLS

All subdomains use HTTPS, with certificates issued and renewed automatically by cert-manager and Let's Encrypt.
## Platform Components

### 1. Orchestra Operator (orchestra-operator)

- Purpose: Kubernetes operator that manages the workshop lifecycle
- Technology: Python, Kopf framework
- Responsibilities:
  - Creates/deletes workshop resources (Deployments, Services, Ingresses, PVCs)
  - Manages workshop expiration and cleanup
  - Handles Custom Resource Definitions (CRDs)

### 2. Orchestra API (orchestra-api)

- Purpose: REST API for workshop management
- Technology: Python, FastAPI
- Responsibilities:
  - Workshop CRUD operations
  - Integration with the Kubernetes operator
  - Authentication and authorization
  - Workshop status monitoring

### 3. Orchestra Frontend (orchestra-frontend)

- Purpose: Web application for users to manage workshops
- Technology: React, TypeScript, Vite
- Responsibilities:
  - Workshop creation and management UI
  - User dashboard
  - Workshop status display
  - Integration with the API backend

### 4. Orchestra Docs (orchestra-docs)

- Purpose: Platform documentation
- Technology: Astro, Starlight
- Content:
  - User guides and tutorials
  - API documentation
  - Architecture documentation
  - Developer guides
## Workshop Lifecycle

1. Creation: User requests a workshop through the frontend
2. API Processing: Frontend calls the API to create the workshop
3. Operator Handling: API creates a Kubernetes Custom Resource
4. Resource Deployment: Operator creates all necessary Kubernetes resources
5. URL Generation: Unique subdomain is assigned and the ingress configured
6. Ready State: Workshop becomes accessible via its unique URL
7. Expiration: Workshop automatically expires after the configured duration
8. Cleanup: Operator removes all associated resources
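Steps 3 to 8 are what the operator's reconcile loop decides on every pass over a Workshop custom resource. The code below is an added example of that decision logic, not the Orchestra operator's own code: the CRD group/version, the `spec.durationHours` field, the `status.phase` values and the duration cap are assumptions. Two details are the security-relevant ones: the requested duration is clamped server-side so a client cannot ask for an unbounded lifetime, and every child resource carries an ownerReference so that deleting the Workshop object lets the API server garbage-collect the Deployment, Service, Ingress and PVC rather than relying on the operator to enumerate them.

```python
"""Expiration and cleanup decisions for a Workshop custom resource (added
example; not the Orchestra operator's own code). API group/version, field
names, phase values and the duration cap are assumptions."""
from datetime import datetime, timedelta

API_VERSION = "orchestra.example/v1alpha1"   # assumed CRD group/version
DEFAULT_DURATION_HOURS = 8                   # assumed default lifetime
MAX_DURATION_HOURS = 72                      # assumed hard cap, enforced here


def parse_k8s_time(value: str) -> datetime:
    """Kubernetes timestamps are RFC 3339 UTC, e.g. 2025-01-15T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def expires_at(cr: dict) -> datetime:
    """Expiry derived from creationTimestamp; the requested duration is clamped
    so that a client cannot request an unbounded workshop."""
    requested = int(cr.get("spec", {}).get("durationHours", DEFAULT_DURATION_HOURS))
    hours = max(1, min(requested, MAX_DURATION_HOURS))
    return parse_k8s_time(cr["metadata"]["creationTimestamp"]) + timedelta(hours=hours)


def owner_reference(cr: dict) -> dict:
    """Attach to every child: the API server then garbage-collects all children
    when the Workshop object is deleted, so cleanup cannot orphan an Ingress or PVC."""
    return {
        "apiVersion": cr["apiVersion"],
        "kind": cr["kind"],
        "name": cr["metadata"]["name"],
        "uid": cr["metadata"]["uid"],
        "controller": True,
        "blockOwnerDeletion": True,
    }


def child_names(cr: dict) -> dict:
    """Deterministic child names make the create step idempotent across passes."""
    wid = cr["metadata"]["name"]
    return {"Deployment": wid, "Service": wid, "Ingress": wid,
            "PersistentVolumeClaim": f"{wid}-data"}


def reconcile(cr: dict, now: datetime) -> str:
    """Action for this pass: 'create', 'wait', 'none' or 'delete'."""
    if now >= expires_at(cr):
        return "delete"      # expired: delete the CR; ownerReferences GC the children
    phase = cr.get("status", {}).get("phase")
    if phase is None:
        return "create"      # fresh object: create children with owner references
    if phase == "Ready":
        return "none"
    return "wait"            # Pending, Failed, ...: look again on the next pass


def sample_workshop(duration_hours: int = 4, phase=None) -> dict:
    """Constructed Workshop object for local runs; not real platform data."""
    cr = {
        "apiVersion": API_VERSION,
        "kind": "Workshop",
        "metadata": {
            "name": "genomics-101-2025jan-abc123",
            "namespace": "ws-genomics-101-2025jan-abc123",
            "uid": "00000000-0000-0000-0000-000000000001",
            "creationTimestamp": "2025-01-15T10:00:00Z",
        },
        "spec": {"durationHours": duration_hours},
    }
    if phase:
        cr["status"] = {"phase": phase}
    return cr
```

Checking `now >= expires_at(cr)` before looking at the phase means a workshop that never reached Ready still gets cleaned up, which keeps failed deployments from accumulating resources indefinitely.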
## Security Architecture

### Network Security

- All traffic encrypted with TLS 1.2+
- Workshop pods isolated in separate namespaces
- Network policies restrict inter-workshop communication
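The three bullets above, together with the wildcard DNS and cert-manager setup described earlier, come down to two manifests the operator submits for each workshop: an Ingress that carries the host rule and the cert-manager annotation, and a NetworkPolicy that isolates the workshop namespace. The builders below are an added example, not code from the Orchestra repositories; the ingress controller namespace and class, the CoreDNS pod label, the workshop container port, the ClusterIssuer name and the cluster CIDR are assumptions to adjust per cluster.

```python
"""Per-workshop Ingress (TLS via cert-manager) and NetworkPolicy (namespace
isolation) as an operator would submit them (added example; not Orchestra
project code). Labels, ports, issuer name and cluster CIDR are assumptions."""

INGRESS_NS = "ingress-nginx"         # assumed namespace of the ingress controller
CLUSTER_ISSUER = "letsencrypt-prod"  # assumed cert-manager ClusterIssuer name
CLUSTER_CIDR = "10.0.0.0/8"          # assumed pod/service range of the cluster


def workshop_ingress(wid: str, namespace: str, hostname: str, port: int = 8888) -> dict:
    """One host rule per workshop. cert-manager reacts to the annotation plus the
    tls block and issues a certificate for the host into the {wid}-tls secret."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "Ingress",
        "metadata": {
            "name": wid,
            "namespace": namespace,
            "annotations": {
                "cert-manager.io/cluster-issuer": CLUSTER_ISSUER,
                # ingress-nginx: send plain-HTTP requests for this host to HTTPS
                "nginx.ingress.kubernetes.io/ssl-redirect": "true",
            },
        },
        "spec": {
            "ingressClassName": "nginx",
            "tls": [{"hosts": [hostname], "secretName": f"{wid}-tls"}],
            "rules": [{
                "host": hostname,
                "http": {"paths": [{
                    "path": "/",
                    "pathType": "Prefix",
                    "backend": {"service": {"name": wid, "port": {"number": port}}},
                }]},
            }],
        },
    }


def workshop_network_policy(namespace: str, port: int = 8888) -> dict:
    """Default-deny in both directions for every pod in the workshop namespace,
    then allow only: ingress from the ingress controller on the app port, egress
    to cluster DNS, and egress to addresses outside the cluster. Every other
    workshop namespace lies inside CLUSTER_CIDR and therefore stays unreachable."""
    return {
        "apiVersion": "networking.k8s.io/v1",
        "kind": "NetworkPolicy",
        "metadata": {"name": "workshop-isolation", "namespace": namespace},
        "spec": {
            "podSelector": {},   # empty selector: applies to all pods in the namespace
            "policyTypes": ["Ingress", "Egress"],
            "ingress": [{
                "from": [{"namespaceSelector": {
                    "matchLabels": {"kubernetes.io/metadata.name": INGRESS_NS}}}],
                "ports": [{"protocol": "TCP", "port": port}],
            }],
            "egress": [
                {
                    "to": [{
                        "namespaceSelector": {
                            "matchLabels": {"kubernetes.io/metadata.name": "kube-system"}},
                        "podSelector": {"matchLabels": {"k8s-app": "kube-dns"}},  # assumed label
                    }],
                    "ports": [{"protocol": "UDP", "port": 53}, {"protocol": "TCP", "port": 53}],
                },
                {"to": [{"ipBlock": {"cidr": "0.0.0.0/0", "except": [CLUSTER_CIDR]}}]},
            ],
        },
    }


def allows_ingress_from(policy: dict, source_ns: str, port: int) -> bool:
    """Sanity-check helper: evaluate the ingress rules for a peer namespace the way
    a CNI would for a kubernetes.io/metadata.name selector (no IP-block handling)."""
    for rule in policy["spec"].get("ingress", []):
        ports = rule.get("ports")
        port_ok = ports is None or any(p["port"] == port for p in ports)
        for peer in rule.get("from", []):
            labels = peer.get("namespaceSelector", {}).get("matchLabels", {})
            if labels.get("kubernetes.io/metadata.name") == source_ns and port_ok:
                return True
    return False
```

A NetworkPolicy is only enforced when the cluster's CNI implements it (Calico and Cilium do; a bare flannel install does not), so the isolation claim should be verified in staging with a connectivity probe between two workshop namespaces. The TLS 1.2+ floor is not set per Ingress: for ingress-nginx it is the controller-wide `ssl-protocols` ConfigMap setting, which in current releases defaults to TLS 1.2 and 1.3.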
### Access Control

- OAuth/OIDC integration for user authentication
- Role-based access control (RBAC) for Kubernetes resources
- Workshop-level access controls

### Data Protection

- Persistent volumes for workshop data
- Configurable data retention policies
- Secure secret management
## Scalability Design

### Horizontal Scaling

- Multiple operator instances with leader election
- API server horizontal pod autoscaling
- Frontend served via CDN

### Resource Management

- Configurable resource limits per workshop
- Automatic resource cleanup on expiration
- Monitoring and alerting for resource usage
## Development Workflow

### Repository Structure

```
orchestra-operator/   # Kubernetes operator
orchestra-api/        # REST API backend
orchestra-frontend/   # React frontend
orchestra-docs/       # Documentation site
```

### Deployment Pipeline

1. Code changes trigger the CI/CD pipeline
2. Automated testing and building
3. Container image creation and registry push
4. Kubernetes deployment updates
5. Health checks and monitoring
## Future Considerations

### Multi-Cloud Support

- Abstract cloud-specific resources
- Support for AWS EKS, Google GKE, Azure AKS

### Advanced Features

- Workshop templates and marketplace
- Collaborative workshop sessions
- Integration with learning management systems
- Advanced analytics and usage reporting