Deployment Architecture

The local production-shaped stack includes:

  • frontend
  • api-service
  • worker-service
  • postgres
  • nats
  • clickhouse
  • mock-webhook

Implemented in the API runtime:

  • Auth/session seam.
  • OIDC JWT verifier.
  • Optional local Keycloak profile for OIDC integration testing.
  • Dev-token mode for local/dev/test only.
  • Kubernetes Secret resolution for integration credentials through the SecretProvider seam.
  • SIEM log source APIs and normalized ClickHouse-backed log search.

Implemented in Helm/deployed-cluster configuration:

  • Kubernetes Secret provider environment variables.
  • Namespace-scoped worker RBAC for Secret reads.
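The namespace-scoped RBAC listed above, written out as an added illustration rather than the project's own Helm template; the namespace, ServiceAccount and Secret names are assumed placeholders:

```yaml
# Added example of namespace-scoped RBAC for worker Secret reads.
# Assumed placeholder values: namespace "oneprotect-dev", ServiceAccount
# "worker-service", and the two integration Secret names below.
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: worker-secret-reader
  namespace: oneprotect-dev
rules:
  # "get" only: no list/watch, so the worker cannot enumerate every Secret
  # in the namespace, and resourceNames pins it to the credentials it needs.
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["get"]
    resourceNames:
      - integration-siem-token
      - integration-webhook-secret
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: worker-secret-reader
  namespace: oneprotect-dev
subjects:
  - kind: ServiceAccount
    name: worker-service
    namespace: oneprotect-dev
roleRef:
  kind: Role
  name: worker-secret-reader
  apiGroup: rbac.authorization.k8s.io
```

After applying it, `kubectl auth can-i get secrets/integration-siem-token -n oneprotect-dev --as=system:serviceaccount:oneprotect-dev:worker-service` should answer yes, while the same query with `list secrets` or a Secret name outside the list should answer no.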

Heavier services remain profile-scoped or planned:

  • OTel Collector
  • Prometheus
  • Loki
  • Grafana
  • Production Keycloak or managed OIDC realm lifecycle
  • External Secrets Operator, CSI, Vault Agent, or platform sync to populate Kubernetes Secrets
  • OPA

AWS Phase 1 bootstrap is scaffolded, not deployed:

  • Remote state bucket and lock table bootstrap.
  • Isolated OneProtect VPC.
  • EKS dev cluster target.
  • RDS/Aurora PostgreSQL target.
  • ECR image repositories through a narrow dev ECR-only stack.
  • S3 evidence bucket with KMS.
  • IAM/OIDC role skeleton.
  • Helm values-aws-dev.yaml.
  • GitLab-first deployment pipeline with GitHub portability through shared scripts.
  • Private S3 + CloudFront docs-site hosting scaffold.
  • AWS dev infra plan readiness for ECR-only image publishing, VPC, private RDS/Postgres, EKS, runtime Kubernetes Secrets, and Helm render.
  • AWS dev Graviton/arm64 node preference with x86 fallback and multi-arch image requirement.

No AWS resources are applied manually from the repo. Terraform/OpenTofu must run through reviewed plan/apply gates once AWS role assumption and remote state are configured.

See the architecture diagrams page for implemented and planned flows.