
US-20260127006-A1 - SYSTEM AND METHOD FOR THE CENTRALIZED MANAGEMENT OF DISTRIBUTED INTERMITTENTLY CONNECTED RUNTIME PLATFORMS


Abstract

A system and method for the centralized management of distributed intermittently connected runtime platforms. The method may include creating an artifact store pre-loaded with a set of utilities, libraries, and artifacts necessary to perform initial infrastructure creation in a local environment, creating an instance infrastructure for a central management system, and creating two or more availability zones, wherein each availability zone includes a private subnet and a public subnet. The method may further include transferring state data necessary to perform infrastructure as code (IaC) automation from the local environment to the artifact store.

Inventors

  • Dagan Henderson
  • Dane Curran
  • Daniel Morrison
  • James Baker

Assignees

  • Raft LLC

Dates

Publication Date
20260507
Application Date
20251006

Claims (20)

  1. A computer-implemented method for the centralized management of distributed intermittently connected runtime platforms, the method comprising: creating an artifact store pre-loaded with a set of utilities, libraries, and artifacts necessary to perform initial infrastructure creation in a local environment; creating a bootstrapping instance infrastructure for a central management system in the local environment; creating two or more availability zones in the local environment, wherein each availability zone includes a private subnet and a public subnet; for each private subnet, creating a cluster of network nodes, a load balancer, a control plane configured to manage connections to the cluster of network nodes, a temporary bootstrap bastion, and assigning a set of administrator identities and permission policies to administer the cluster of network nodes; and transferring state data necessary to perform infrastructure as code (IaC) automation from the local environment to the artifact store.
  2. The computer-implemented method of claim 1, further including: performing initial configuration of the central management system; creating a secondary management system, in the local environment, from the central management system via IaC and one or more automation pipelines; transferring management of the central management system to the secondary management system; and creating and managing distributed tenant platforms through the central management system.
  3. The computer-implemented method of claim 1, wherein if the local environment is a hosted-server, then creating the bootstrapping instance infrastructure includes: creating the set of administrator identities and permission policies through a hosted user-interface; creating a bootstrapping network with at least one of internet access, or private cloud-provider endpoint connections to a set of application programming interface (API) endpoints used to create the central management system infrastructure; creating a bootstrap bastion and assigning the set of administrator identities and permission policies to the bootstrap bastion; and transferring the artifact store contents to the bootstrap bastion.
  4. The computer-implemented method of claim 1, wherein if the bootstrapping instance infrastructure is created on a dedicated workstation, then creating the bootstrapping instance infrastructure includes: preloading the dedicated workstation with a first set of utilities, libraries, and artifacts necessary to perform the initial infrastructure creation; performing initial infrastructure creation using infrastructure-as-code (IaC) based automation; and securely transferring a second set of infrastructure management API keys and/or credentials to the dedicated workstation.
  5. The computer-implemented method of claim 1, wherein performing initial configuration of the central management system further includes: deploying, via the bootstrap bastion, a first set of application images including at least a network driver, a storage driver, an ingress gateway, and an internal artifact store directly to each cluster of network nodes; copying a second set of application images for later use by the central management system to the artifact store; and deploying, via the bootstrap bastion, any remaining system components, including at least an identity provider, a source control repository, a continuous integration automation system, a secrets manager, an automated application deployment system, a service mesh, a policy agent, a vulnerability scanner, and time-series and log observability systems.
  6. The computer-implemented method of claim 1, further including: performing initial configuration of a first identity, credential, and account management (ICAM) system; performing initial configuration of a first centralized identity management system; performing initial configuration of external authentication for an infrastructure provider; and decommissioning the bootstrapping instance infrastructure.
  7. The computer-implemented method of claim 6, wherein the ICAM system is configured to initially require mutual transport layer security (mTLS) connections, including client certificates signed by a trusted certificate authority, before allowing access, and a built-in administrator account is initially provided to the ICAM by a secret management system.
  8. The computer-implemented method of claim 7, wherein, during initial configuration, all systems are configured using the built-in administrator credentials provided via the secret management system, wherein after the ICAM system is configured, the built-in administrator account is configured to set up single sign-on access via the ICAM system and then the built-in administrator accounts are disabled.
  9. The computer-implemented method of claim 6, wherein the ICAM system is configured to provide authentication access to an infrastructure's API endpoints and user interface.
  10. The computer-implemented method of claim 6, wherein the ICAM system is configured to allow automation pipelines requesting temporary credentials for the infrastructure provider to enable secure automated management of infrastructure via the automation pipelines.
  11. The computer-implemented method of claim 6, wherein before decommissioning the bootstrap bastion all infrastructure as code (IaC), libraries, and tools are transferred over to the artifact store before decommissioning the bootstrap bastion.
  12. The computer-implemented method of claim 2, wherein creating a secondary management system from the central management system further includes: creating two or more secondary availability zones, wherein each secondary availability zone includes a private subnet and a public subnet; for each private subnet, creating a secondary cluster of network nodes and a load balancer; for each private subnet, creating a secondary control plane configured to manage connections to the cluster of network nodes; for each private subnet, creating a secondary temporary bootstrap bastion and assigning a second set of administrator identities and permission policies to administer the cluster of network nodes; transferring state data necessary to perform IaC automation to a secondary artifact store.
  13. The computer-implemented method of claim 1, further including: creating one or more internal service endpoints to operatively connect a first set of components from the central management system, including at least infrastructure API endpoints, artifact stores, and secret managers, to a corresponding set of components in the secondary management system; performing initial configuration of a secondary identity, credential, and account management (ICAM) system; and performing initial configuration of a secondary centralized identity management system.
  14. The computer-implemented method of claim 13, wherein application images for the secondary management system are deployed via the automated application deployment system of the central management system, and wherein the images served by the artifact store of the central management system are provided by the secret manager of the central management system.
  15. The computer-implemented method of claim 13, wherein after the secondary ICAM system is configured, a built-in administrator account is used to configure single sign-on via the secondary ICAM system, and then the built-in administrator accounts are disabled.
  16. The computer-implemented method of claim 14, wherein transferring management of the central management system to the secondary management system includes: using a secondary automated application deployment system from the secondary management system to manage each subsystem of the central management system; transferring IaC state data for the central management system to the secondary management system, and creating one or more secondary automation pipelines to automate future infrastructure.
  17. The computer-implemented method of claim 2, wherein creating and managing distributed tenant platforms through the central management system includes: installing a firewall configured to create and manage virtual subnets at a tenant system location; establishing a virtual private network tunnel between the tenant system location and the central management system, and creating a management bastion configured to act as an agent of an integration automation system of the central management system; creating identities and permission policies for managing tenant-location infrastructure and storing them in the secrets manager of the central management system; creating one or more IaC repositories in the central management system and one or more integration pipelines to apply the IaC using credentials securely retrieved from the secrets manager of the central management system; creating a cluster of control plane nodes, via the integration pipelines, preloaded with application images from the control plane component, and creating a cluster of worker nodes preloaded with application images from the secondary artifact store; pushing a plurality of application images from the control plane to the secondary artifact store; creating and transferring administrator credentials and permission policies to the secrets manager of the central management system; deploying a plurality of components from the application deployment system to the central management system using credentials securely provided by the secrets manager; and adding tenant applications to the cluster of control plane nodes via the integration pipelines configured to push application images to the secondary artifact store of cluster or worker nodes, and deploying the applications via the application deployment system of the central management system.
  18. The computer-implemented method of claim 17, wherein the integration pipelines are executed from an agent on the management bastion to enable the centralized management of edge infrastructure.
  19. A centralized management system for distributed intermittently connected runtime platforms system comprising: an artifact store pre-loaded with a set of utilities, libraries, and artifacts necessary to perform initial infrastructure creation; a primary management system deployed on a hosted server, and configured to manage and control a plurality of runtime platforms, wherein the primary management system includes two or more availability zones, and each availability zone includes a private subnet and a public subnet; and a secondary management system operatively connected to the primary management system, and configured to manage and control the primary management system, wherein the secondary management system is further configured to ensure continuity of command and control in the event of a loss or disruption of the primary management system, wherein the secondary management system is configured to recover and replace the primary management system via autonomous methods and automated routines.
  20. The centralized management system of claim 19, wherein the primary management system is further configured to: store and execute automated routines that create, initialize, and monitor platform infrastructure for one or more connected runtime platforms; and deploy, initialize, and monitor a combination of services, tenant applications and security systems hosted on the one or more runtime platforms.
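Claims 6, 8 and 11 together describe the point at which the temporary bootstrap bastion is retired: the IaC, libraries and tools it holds must already be in the artifact store, single sign-on must be working through the ICAM system, and the built-in administrator accounts must be disabled. The script below is an added example, not code from the patent or from Raft LLC, of a decommission gate that checks those preconditions before the bastion is destroyed. It also catches the lockout case the claims' ordering implies (built-in administrator disabled before SSO is configured). The artifact store, the ICAM state object, the file paths and the file contents are all constructed for illustration.

```python
"""Decommission gate for a temporary bootstrap bastion (added example).

The artifact store here is a hypothetical content-addressed map of
path -> SHA-256; a real store would be queried over its API. All
paths and file bytes below are constructed sample data.
"""
import hashlib
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Hypothetical location of the transferred IaC state in the artifact store.
IAC_STATE_PATHS = ["state/terraform.tfstate"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class ArtifactStore:
    """Constructed stand-in for the artifact store: path -> sha256 hex digest."""
    objects: Dict[str, str] = field(default_factory=dict)

    def put(self, path: str, data: bytes) -> None:
        self.objects[path] = sha256_hex(data)


@dataclass
class ICAMState:
    """Constructed view of the ICAM system's current configuration."""
    sso_configured: bool
    builtin_admin_enabled: bool


def decommission_findings(bastion_files: Dict[str, bytes], store: ArtifactStore,
                          icam: ICAMState, iac_state_paths: List[str]) -> List[str]:
    """Return every reason the bastion must NOT be decommissioned yet.

    An empty list means all preconditions hold. Comparing digests (not just
    names) catches a file edited on the bastion after it was copied out.
    """
    findings: List[str] = []
    for path, data in bastion_files.items():
        stored = store.objects.get(path)
        if stored is None:
            findings.append(f"missing in artifact store: {path}")
        elif stored != sha256_hex(data):
            findings.append(f"digest mismatch in artifact store: {path}")
    for path in iac_state_paths:
        if path not in store.objects:
            findings.append(f"IaC state not transferred: {path}")
    # Ordering from claim 8: SSO is set up first, then built-in admins go away.
    if icam.sso_configured and icam.builtin_admin_enabled:
        findings.append("built-in administrator account still enabled after SSO setup")
    elif not icam.sso_configured and not icam.builtin_admin_enabled:
        findings.append("lockout risk: built-in administrator disabled before SSO configured")
    elif not icam.sso_configured:
        findings.append("ICAM single sign-on not configured")
    return findings


def may_decommission(bastion_files: Dict[str, bytes], store: ArtifactStore,
                     icam: ICAMState, iac_state_paths: List[str]) -> bool:
    return not decommission_findings(bastion_files, store, icam, iac_state_paths)


def ready_scenario() -> Tuple[Dict[str, bytes], ArtifactStore, ICAMState, List[str]]:
    """Everything copied out, SSO live, built-in admin disabled (constructed data)."""
    bastion_files = {
        "iac/network.tf": b"# constructed sample IaC\n",
        "tools/kubectl": b"constructed-sample-binary",
        "libs/platform-chart.tgz": b"constructed-chart-bytes",
    }
    store = ArtifactStore()
    for path, data in bastion_files.items():
        store.put(path, data)
    store.put("state/terraform.tfstate", b'{"version": 4}')
    icam = ICAMState(sso_configured=True, builtin_admin_enabled=False)
    return bastion_files, store, icam, IAC_STATE_PATHS


def stale_copy_scenario():
    """A file was edited on the bastion after the copy; the store holds the old digest."""
    bastion_files, store, icam, paths = ready_scenario()
    bastion_files["iac/network.tf"] = b"# edited after the copy\n"
    return bastion_files, store, icam, paths


def lockout_scenario():
    """Built-in admin disabled although SSO was never configured."""
    bastion_files, store, _, paths = ready_scenario()
    return bastion_files, store, ICAMState(sso_configured=False, builtin_admin_enabled=False), paths


if __name__ == "__main__":
    for name, scenario in [("ready", ready_scenario),
                           ("stale copy", stale_copy_scenario),
                           ("lockout", lockout_scenario)]:
        print(name, "->", decommission_findings(*scenario()) or "OK to decommission")
```

Run stand-alone it prints one line per scenario; wired into a pipeline, the non-empty findings list is what blocks the destroy step, so the bastion cannot be removed while it is still the only copy of something or the only working administrative path.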

Description

CROSS-REFERENCE TO RELATED APPLICATIONS

This application claims the benefit of U.S. provisional application 63/714,890, which was filed on Nov. 1, 2025, the contents of which are hereby incorporated by reference in their entirety.

DISCUSSION OF THE RELATED ART

Runtime platforms may provide tenant computer programs with an execution environment and supporting services, such as orchestration and scheduling of computer program executions, network service discovery, identity, credential and account management (ICAM), network traffic management, data storage and persistence, audit and application log aggregation, monitoring and observability, and security and compliance scanning, alerting, and enforcement. These platforms may be deployed to a single computing device, or a collection of multiple devices providing distributed compute resources, and may be installed in data centers intended for global user availability (in-cloud), co-located with a userbase or tightly coupled system (on-premises), or mobile (edge). The individual management of multiple platforms may pose a significant administrative burden, making centralized management a valuable and important solution, especially in disconnected, denied, intermittent, and limited-bandwidth (DDIL) environments. When managing platforms distributed across in-cloud, on-premises, and/or edge installations, existing centralized management systems may depend on reliable connectivity between the centralized systems and distributed platforms. If connectivity is lost, the operational stability of the runtime platform may be jeopardized, impacting tenant program availability and risking data corruption and/or loss.

SUMMARY OF DISCLOSURE

In one example implementation, a computer-implemented method executed on a computing device may include creating an artifact store pre-loaded with a set of utilities, libraries, and artifacts necessary to perform initial infrastructure creation in a local environment, creating a bootstrapping instance infrastructure for a central management system, and creating two or more availability zones, where each availability zone includes a private subnet and a public subnet. The method may further include transferring state data necessary to perform infrastructure as code (IaC) automation from the local environment to the artifact store. One or more of the following example features may be included. The method may further include performing initial configuration of the central management system, and creating a secondary management system from the central management system via IaC and one or more automation pipelines. The method may also include transferring management of the central management system to the secondary management system, and creating and managing distributed tenant platforms through the central management system. If the local environment is a hosted-server, then creating the bootstrapping instance infrastructure may include creating the set of administrator identities and permission policies through a hosted user-interface, creating a bootstrapping network with at least one of internet access, or private cloud-provider endpoint connections to a set of application programming interface (API) endpoints used to create the central management system infrastructure, creating a bootstrap bastion and assigning the set of administrator identities and permission policies to the bootstrap bastion, and transferring the artifact store contents to the bootstrap bastion.

If the local environment is a dedicated workstation, then creating the bootstrapping instance infrastructure may include preloading the dedicated workstation with a first set of utilities, libraries, and artifacts necessary to perform the initial infrastructure creation, performing initial infrastructure creation using infrastructure-as-code (IaC) based automation, and securely transferring a second set of infrastructure management API keys and/or credentials to the dedicated workstation. Performing initial configuration of the central management system may further include deploying, via the bootstrap bastion, a first set of application images including at least a network driver, a storage driver, an ingress gateway, and an internal artifact store directly to each cluster of network nodes, copying a second set of application images for later use by the central management system to the artifact store, and deploying, via the bootstrap bastion, any remaining system components including at least an identity provider, a source control repository, a continuous integration automation system, a secrets manager, an automated application deployment system, a service mesh, a policy agent, a vulnerability scanner, and time-series and log observability systems. The computer-implemented method may further include performing initial configuration of a first identity, credential, and account management (ICAM) system, performing initial configuration of a first centralized identity management system,