@a2z-ice
Last active March 9, 2026 15:18
BookStore Platform — Microservices Architecture Summary (Kubernetes, Istio, Flink CDC, Superset)

BookStore Platform — Architecture Summary

Overview

A production-grade microservices e-commerce bookstore deployed to Kubernetes, demonstrating real-world architecture patterns including zero-trust networking, event-driven data pipelines, and real-time analytics. Built as a proof of concept with production-aligned infrastructure — every component follows the same patterns used in large-scale distributed systems.

Infrastructure Architecture

BookStore Platform — Infrastructure Architecture

Architecture at a Glance

| Layer | Components | Technology |
|---|---|---|
| Client | Single-page application, OIDC login | React 19.2 + Vite, PKCE (S256) |
| Ingress / Security | Gateway routing, mTLS mesh, JWT validation | Istio Ambient 1.28.4, K8s Gateway API |
| Application Services | E-Commerce API, Inventory API, Admin API | Spring Boot 4.0.3, FastAPI |
| Identity | OIDC provider, RBAC, realm management | Keycloak 26.5.4 |
| Data & Messaging | 4 isolated databases, event streaming, CDC | PostgreSQL, Kafka KRaft, Debezium Server 3.4 |
| Analytics & BI | Stream processing, star schema, dashboards | Flink 2.2.0 SQL, Superset (3 dashboards, 16 charts) |
| Observability | Metrics, service mesh visualization, DB admin | Prometheus, Kiali, PgAdmin |

Key Architecture Decisions

Service Mesh & Zero Trust

Istio Ambient Mesh provides mutual TLS for all service-to-service communication without sidecar proxies. ztunnel, the per-node L4 proxy, tunnels pod-to-pod traffic over mTLS (HBONE) transparently, so application images need no changes. AuthorizationPolicies are written at L4 only (source namespace and SPIFFE principal, destination port), because that is what ztunnel can enforce without a waypoint proxy; L7 attributes such as HTTP method, path and JWT claims are therefore not checked by the mesh for workload-to-workload calls. JWT validation occurs independently at every backend service — no service trusts upstream claims.
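The two resources that make the paragraph above concrete, written here as an added example rather than taken from the BookStore repository: a mesh-wide STRICT PeerAuthentication, a default-deny AuthorizationPolicy for the namespace, and an L4-only ALLOW policy of the kind ztunnel can enforce. The namespace `bookstore`, the service accounts `ecommerce-api` and `inventory-api`, the Inventory port 8080 and the trust domain `cluster.local` are assumptions, not names from the project.

```yaml
# Added example (not the BookStore repo's manifests). Assumed names: namespace
# "bookstore", service accounts "ecommerce-api"/"inventory-api", Inventory API
# on port 8080, trust domain "cluster.local".
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system       # root namespace: applies mesh-wide
spec:
  mtls:
    mode: STRICT                # plaintext (non-mTLS) connections are refused
---
# Default deny for every workload in the namespace: an AuthorizationPolicy with
# an empty spec selects all workloads and allows nothing.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: deny-all
  namespace: bookstore
spec: {}
---
# Only the E-Commerce service account may open connections to Inventory on 8080.
# Every attribute used here is L4 (peer identity from the mTLS certificate,
# namespace, destination port), so ztunnel enforces it without a waypoint.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: inventory-allow-ecommerce
  namespace: bookstore
spec:
  selector:
    matchLabels:
      app: inventory-api
  action: ALLOW
  rules:
  - from:
    - source:
        principals:
        - cluster.local/ns/bookstore/sa/ecommerce-api   # SPIFFE identity
        namespaces:
        - bookstore
    to:
    - operation:
        ports: ["8080"]
  # Not usable here without a waypoint proxy: operation.methods, operation.paths,
  # operation.hosts and request.auth.* (JWT) conditions. Those are L7 and have to
  # be attached to a waypoint or to the ingress gateway instead.
```

Verify the STRICT mode from outside the mesh before relying on it: a `curl` to an Inventory pod IP from a pod in a namespace that is not enrolled in ambient should fail at the TCP/TLS layer rather than return an HTTP status.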

Authentication & Authorization

Keycloak serves as the OIDC Identity Provider. The React SPA uses the Authorization Code Flow with PKCE (S256 code challenge) and holds tokens only in memory, never in localStorage or sessionStorage, where any injected script could read them with a single storage call and where they would persist across page reloads. Role-based access control distinguishes the customer and admin realm roles and is enforced at both the API gateway and the individual service layers.

Event-Driven Architecture

Change Data Capture runs through two Debezium Server 3.4 pods (one per source database), each reading its PostgreSQL write-ahead log through a logical replication slot and publishing row-level change events to Kafka topics. Apache Flink 2.2.0 runs four streaming SQL jobs with checkpointed exactly-once semantics, transforming the CDC events into a star schema in the analytics database. Kafka runs in KRaft mode (no ZooKeeper dependency).
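What one of those Debezium Server pods looks like when the database credential comes from a Secret and only the tables the pipeline needs are captured. This is an added example, not the repository's manifest: the namespace `bookstore`, the host `ecommerce-db`, the database `ecommerce`, the Kafka address `kafka:9092`, the table names, the image tag, the PVC name and the `/debezium/conf` and `/debezium/data` mount paths (the paths used in the Debezium Server documentation) are all assumptions, as is the MicroProfile environment-variable mapping used for the password.

```yaml
# Added example (not the BookStore repo's manifests). All names below are assumed.
apiVersion: v1
kind: ConfigMap
metadata:
  name: debezium-ecommerce-config
  namespace: bookstore
data:
  application.properties: |
    debezium.sink.type=kafka
    debezium.sink.kafka.producer.bootstrap.servers=kafka:9092
    debezium.sink.kafka.producer.key.serializer=org.apache.kafka.common.serialization.StringSerializer
    debezium.sink.kafka.producer.value.serializer=org.apache.kafka.common.serialization.StringSerializer
    debezium.source.connector.class=io.debezium.connector.postgresql.PostgresConnector
    debezium.source.offset.storage.file.filename=/debezium/data/offsets.dat
    debezium.source.offset.flush.interval.ms=0
    debezium.source.database.hostname=ecommerce-db
    debezium.source.database.port=5432
    debezium.source.database.user=cdc_reader
    debezium.source.database.dbname=ecommerce
    debezium.source.plugin.name=pgoutput
    debezium.source.slot.name=debezium_ecommerce
    debezium.source.publication.name=dbz_ecommerce
    debezium.source.topic.prefix=ecommerce
    # Data minimisation: only the tables the analytics jobs consume leave the DB.
    debezium.source.table.include.list=public.orders,public.order_items
    # debezium.source.database.password is deliberately absent: it is injected
    # from a Secret via the environment (see the Deployment below).
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: debezium-ecommerce
  namespace: bookstore
spec:
  replicas: 1                      # a logical replication slot has exactly one consumer
  strategy: {type: Recreate}       # no overlapping pods fighting over the slot on rollout
  selector:
    matchLabels: {app: debezium-ecommerce}
  template:
    metadata:
      labels: {app: debezium-ecommerce}
    spec:
      containers:
      - name: server
        image: quay.io/debezium/server:3.4.1.Final   # assumed tag
        env:
        # MicroProfile Config maps this env var onto debezium.source.database.password
        # (assumed mapping); the value itself never appears in the ConfigMap.
        - name: DEBEZIUM_SOURCE_DATABASE_PASSWORD
          valueFrom:
            secretKeyRef: {name: ecommerce-db-cdc, key: password}
        volumeMounts:
        - {name: conf, mountPath: /debezium/conf, readOnly: true}
        - {name: data, mountPath: /debezium/data}   # offsets survive restarts
      volumes:
      - name: conf
        configMap: {name: debezium-ecommerce-config}
      - name: data
        persistentVolumeClaim: {claimName: debezium-ecommerce-data}
```

The `replicas: 1` plus `Recreate` pairing is the important operational detail: a second pod attaching to the same replication slot does not give you redundancy, it gives you a stuck slot and duplicated or missing events. Redundancy comes from the offsets file on the PVC, which lets a replacement pod resume where the last one stopped.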

Data Architecture

Strict database-per-service isolation: four PostgreSQL instances with no cross-database access. Schema migrations run as Kubernetes init containers (Liquibase for Java, Alembic for Python). The analytics database uses a star schema with fact tables, dimension tables, and 10 materialized views powering Superset dashboards.

API Design

RESTful APIs built with Spring Boot 4.0.3 (Java) and FastAPI (Python). The Kubernetes Gateway API handles all ingress routing via HTTPRoutes; no legacy Ingress resources are used. Rate limiting uses Bucket4j backed by Redis, so limits are shared across replicas rather than counted per pod. CSRF tokens are stored server-side in Redis and required for all state-changing requests.
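An added example of the ingress side, not the repository's own manifests: a Gateway with an HTTPS listener, the HTTPRoute that replaces Ingress, and the gateway-level JWT check the Authentication section refers to. Because the Istio gateway is an Envoy proxy rather than ztunnel, L7 rules (paths, JWT claims) do work here. The GatewayClass `istio` comes from the page; the namespace `bookstore`, hostname `bookstore.local`, TLS Secret `bookstore-tls`, Keycloak realm URL, the `bookstore-api` audience (which would need a Keycloak audience mapper) and the Service names are assumptions.

```yaml
# Added example (not the BookStore repo's manifests). Names other than the
# GatewayClass "istio" are assumed.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: bookstore-gateway
  namespace: bookstore
spec:
  gatewayClassName: istio
  listeners:
  - name: https
    protocol: HTTPS
    port: 443
    hostname: bookstore.local
    tls:
      mode: Terminate
      certificateRefs:
      - name: bookstore-tls
    allowedRoutes:
      namespaces:
        from: Same            # only HTTPRoutes in this namespace may attach
---
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: bookstore-routes
  namespace: bookstore
spec:
  parentRefs:
  - name: bookstore-gateway
  hostnames: ["bookstore.local"]
  rules:
  - matches: [{path: {type: PathPrefix, value: /api/admin}}]
    backendRefs: [{name: admin-api, port: 8080}]
  - matches: [{path: {type: PathPrefix, value: /api}}]
    backendRefs: [{name: ecommerce-api, port: 8080}]
  - matches: [{path: {type: PathPrefix, value: /}}]
    backendRefs: [{name: ui, port: 80}]
---
# Verifies any presented token against the realm's JWKS. On its own this only
# rejects invalid tokens; a request with no token still passes.
apiVersion: security.istio.io/v1
kind: RequestAuthentication
metadata:
  name: keycloak-jwt
  namespace: bookstore
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: bookstore-gateway
  jwtRules:
  - issuer: https://keycloak.local/realms/bookstore
    jwksUri: https://keycloak.local/realms/bookstore/protocol/openid-connect/certs
    audiences: ["bookstore-api"]   # assumed audience mapper; rejects tokens minted for other clients
---
# This ALLOW policy is what makes the token mandatory for admin paths and ties
# it to the Keycloak realm role "admin". Everything else stays reachable and is
# left to the per-service JWT validation.
apiVersion: security.istio.io/v1
kind: AuthorizationPolicy
metadata:
  name: admin-requires-admin-role
  namespace: bookstore
spec:
  targetRefs:
  - group: gateway.networking.k8s.io
    kind: Gateway
    name: bookstore-gateway
  action: ALLOW
  rules:
  - to:
    - operation:
        paths: ["/api/admin/*"]
    from:
    - source:
        requestPrincipals: ["https://keycloak.local/realms/bookstore/*"]  # <iss>/<sub>
    when:
    - key: request.auth.claims[realm_access][roles]
      values: ["admin"]
  - to:
    - operation:
        notPaths: ["/api/admin/*"]
```

Note the ALLOW semantics: once any ALLOW policy targets the gateway, a request that matches none of its rules is denied, which is why the second rule explicitly re-admits the non-admin paths.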

Observability Stack

Prometheus scrapes Istio telemetry (istiod + ztunnel) and application metrics. Kiali provides real-time service mesh topology visualization with traffic flow. Apache Superset delivers business analytics across three dashboards with 16 charts covering sales, inventory, and revenue.

Data Flow

BookStore Platform — Live Data Flow (Animated)

User Request Flow:

Browser → Istio Gateway → UI Service (React SPA)
Browser → Keycloak (OIDC PKCE login)
UI → E-Commerce API (JWT-protected)
E-Commerce → Inventory Service (service-to-service mTLS)

CDC Pipeline:

Source DBs → Debezium Server 3.4 → Kafka → Flink 2.2.0 SQL → analytics-db → Superset

Checkout Flow:

  1. User submits checkout — E-Commerce Service validates cart and JWT
  2. E-Commerce calls Inventory Service over mTLS to reserve stock
  3. Order persisted to database; order.created event published to Kafka
  4. Debezium captures the DB change → Kafka → Flink transforms → analytics-db
  5. Superset dashboards reflect new order data in real time

Security Invariants

  • All inter-service traffic encrypted via Istio mTLS (PeerAuthentication mode STRICT, so plaintext connections are refused)
  • JWT validated independently at every backend service; no service trusts upstream claims
  • Non-root containers with read-only root filesystems and all Linux capabilities dropped
  • Secrets managed exclusively through Kubernetes Secrets (no hardcoded config); note that Secrets are only base64-encoded in etcd and are encrypted at rest only when the API server is configured with an EncryptionConfiguration
  • NetworkPolicies enforced per namespace (this requires a CNI that implements NetworkPolicy; otherwise the objects exist but enforce nothing)
  • CSRF tokens stored server-side in Redis
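A pod spec and NetworkPolicy pair that satisfy the invariants above, added here as an example rather than copied from the repository. The namespace `bookstore`, the `inventory-api` and `ecommerce-api` labels and service account, the image tag, the `inventory-db` Secret, the user ID and the port are assumptions.

```yaml
# Added example (not the BookStore repo's manifests). All names are assumed.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: inventory-api
  namespace: bookstore
spec:
  replicas: 2
  selector:
    matchLabels: {app: inventory-api}
  template:
    metadata:
      labels: {app: inventory-api}
    spec:
      serviceAccountName: inventory-api      # becomes the SPIFFE identity in the mesh
      automountServiceAccountToken: false    # the app never talks to the Kubernetes API
      securityContext:
        runAsNonRoot: true
        runAsUser: 10001
        runAsGroup: 10001
        seccompProfile: {type: RuntimeDefault}
      containers:
      - name: api
        image: ghcr.io/example/inventory-api:1.0.0   # assumed
        ports: [{containerPort: 8080}]
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities: {drop: ["ALL"]}
        env:
        - name: DATABASE_URL                 # credential comes from a Secret, not the image
          valueFrom:
            secretKeyRef: {name: inventory-db, key: url}
        volumeMounts:
        - {name: tmp, mountPath: /tmp}       # the only writable path on a read-only rootfs
      volumes:
      - name: tmp
        emptyDir: {}
---
# Default deny for the namespace. Egress deny also blocks DNS and the database,
# so egress rules for kube-dns (53/UDP+TCP) and the DB must be added alongside.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny
  namespace: bookstore
spec:
  podSelector: {}
  policyTypes: [Ingress, Egress]
---
# Inventory accepts connections only from E-Commerce pods. In ambient mode the
# mesh tunnel between ztunnels arrives on port 15008 (HBONE), so that port has
# to be allowed next to the application port or mesh traffic is dropped.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: inventory-ingress
  namespace: bookstore
spec:
  podSelector:
    matchLabels: {app: inventory-api}
  policyTypes: [Ingress]
  ingress:
  - from:
    - podSelector:
        matchLabels: {app: ecommerce-api}
    ports:
    - {protocol: TCP, port: 8080}
    - {protocol: TCP, port: 15008}
```

The NetworkPolicy and the Istio AuthorizationPolicy are complementary rather than redundant: the NetworkPolicy is enforced by the CNI on pod labels and IPs, the AuthorizationPolicy by ztunnel on the cryptographic workload identity. A compromised pod that spoofs a label defeats the first but not the second.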

Infrastructure

  • Local Kubernetes via kind (3 nodes: 1 control-plane, 2 workers)
  • 8 NodePort services exposed directly via kind host port mappings
  • No kubectl port-forward used anywhere — all access via stable ports
  • All stateful services backed by PersistentVolumeClaims with host-path storage
  • Idempotent shell scripts for full cluster lifecycle (bootstrap, recovery, teardown)

Test Coverage

  • 155 end-to-end tests via Playwright (all passing, zero flaky)
  • Unit tests for both backend services (JUnit, pytest)
  • CDC pipeline verification: insert → poll analytics DB within 30s
  • Smoke tests covering pods, HTTP routes, Kafka, and Debezium health

Technology Stack

| Category | Technology | Version |
|---|---|---|
| Frontend | React + Vite | 19.2 |
| Backend (Java) | Spring Boot | 4.0.3 |
| Backend (Python) | FastAPI | latest |
| Identity | Keycloak | 26.5.4 |
| Service Mesh | Istio Ambient | 1.28.4 |
| Gateway | Kubernetes Gateway API | istio (GatewayClass) |
| Databases | PostgreSQL | 4 instances |
| Messaging | Apache Kafka | KRaft mode |
| CDC | Debezium Server | 3.4.1 |
| Stream Processing | Apache Flink | 2.2.0 |
| BI / Analytics | Apache Superset | latest |
| Observability | Prometheus + Kiali | |
| Cache / Sessions | Redis | |
| E2E Testing | Playwright | latest |
| Container Orchestration | Kubernetes (kind) | |

Built as a production-grade proof of concept demonstrating microservices best practices, zero-trust security, event-driven architecture, and real-time analytics.

<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>BookStore Platform — Microservices Architecture</title>
<!-- OpenGraph for LinkedIn preview -->
<meta property="og:title" content="BookStore Platform — Microservices Architecture" />
<meta property="og:description" content="Production-grade microservices e-commerce bookstore on Kubernetes with Istio mTLS, Flink CDC, and Superset analytics. 155 E2E tests passing." />
<meta property="og:image" content="https://raw.githubusercontent.com/a2z-ice/ecom-ms/schema-reg/docs/diagrams/architecture.gif" />
<meta property="og:type" content="article" />
<meta name="twitter:card" content="summary_large_image" />
<meta name="twitter:title" content="BookStore Platform — Microservices Architecture" />
<meta name="twitter:image" content="https://raw.githubusercontent.com/a2z-ice/ecom-ms/schema-reg/docs/diagrams/architecture.gif" />
<style>
:root { --bg: #0f172a; --card: #1e293b; --text: #e2e8f0; --muted: #94a3b8; --accent: #3b82f6; --border: #334155; }
* { margin: 0; padding: 0; box-sizing: border-box; }
body { font-family: 'Inter', -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif; background: var(--bg); color: var(--text); line-height: 1.7; }
.container { max-width: 1100px; margin: 0 auto; padding: 40px 24px; }
h1 { font-size: 2.2rem; font-weight: 800; margin-bottom: 8px; background: linear-gradient(135deg, #60a5fa, #a78bfa); -webkit-background-clip: text; -webkit-text-fill-color: transparent; }
h1 + p { color: var(--muted); font-size: 1.05rem; margin-bottom: 40px; }
h2 { font-size: 1.4rem; font-weight: 700; margin: 48px 0 16px; padding-bottom: 8px; border-bottom: 1px solid var(--border); color: #f1f5f9; }
h3 { font-size: 1.1rem; font-weight: 600; margin: 24px 0 8px; color: #cbd5e1; }
p { margin-bottom: 16px; color: var(--text); }
img { width: 100%; border-radius: 12px; border: 1px solid var(--border); margin: 16px 0 24px; }
table { width: 100%; border-collapse: collapse; margin: 16px 0 24px; }
th { background: var(--card); text-align: left; padding: 10px 14px; font-size: 0.85rem; font-weight: 600; color: var(--accent); border-bottom: 2px solid var(--border); }
td { padding: 10px 14px; font-size: 0.9rem; border-bottom: 1px solid var(--border); }
tr:hover td { background: rgba(59,130,246,0.05); }
code { background: var(--card); padding: 2px 6px; border-radius: 4px; font-size: 0.88em; color: #f59e0b; }
pre { background: var(--card); padding: 16px; border-radius: 8px; overflow-x: auto; margin: 12px 0 20px; border: 1px solid var(--border); }
pre code { background: none; padding: 0; color: #e2e8f0; }
ul, ol { margin: 8px 0 16px 24px; }
li { margin-bottom: 6px; }
.badge { display: inline-block; background: linear-gradient(135deg, #059669, #10b981); color: white; font-size: 0.75rem; font-weight: 700; padding: 3px 10px; border-radius: 20px; margin-right: 6px; }
.badge.purple { background: linear-gradient(135deg, #7c3aed, #8b5cf6); }
.badge.orange { background: linear-gradient(135deg, #d97706, #f59e0b); }
.badge.red { background: linear-gradient(135deg, #dc2626, #ef4444); }
.badges { margin-bottom: 24px; }
footer { text-align: center; margin-top: 60px; padding-top: 24px; border-top: 1px solid var(--border); color: var(--muted); font-size: 0.85rem; }
footer a { color: var(--accent); text-decoration: none; }
footer a:hover { text-decoration: underline; }
</style>
</head>
<body>
<div class="container">
<h1>BookStore Platform</h1>
<p>Production-grade microservices e-commerce bookstore on Kubernetes</p>
<div class="badges">
<span class="badge">155 E2E Tests Passing</span>
<span class="badge purple">22 Sessions Complete</span>
<span class="badge orange">Istio mTLS STRICT</span>
<span class="badge red">Zero Trust</span>
</div>
<h2>Infrastructure Architecture</h2>
<img src="https://raw.githubusercontent.com/a2z-ice/ecom-ms/schema-reg/docs/diagrams/architecture.gif" alt="BookStore Platform — Infrastructure Architecture" />
<h2>Architecture at a Glance</h2>
<table>
<tr><th>Layer</th><th>Components</th><th>Technology</th></tr>
<tr><td><strong>Client</strong></td><td>Single-page application, OIDC login</td><td>React 19.2 + Vite, PKCE (S256)</td></tr>
<tr><td><strong>Ingress / Security</strong></td><td>Gateway routing, mTLS mesh, JWT validation</td><td>Istio Ambient 1.28.4, K8s Gateway API</td></tr>
<tr><td><strong>Application Services</strong></td><td>E-Commerce API, Inventory API, Admin API</td><td>Spring Boot 4.0.3, FastAPI</td></tr>
<tr><td><strong>Identity</strong></td><td>OIDC provider, RBAC, realm management</td><td>Keycloak 26.5.4</td></tr>
<tr><td><strong>Data &amp; Messaging</strong></td><td>4 isolated databases, event streaming, CDC</td><td>PostgreSQL, Kafka KRaft, Debezium Server 3.4</td></tr>
<tr><td><strong>Analytics &amp; BI</strong></td><td>Stream processing, star schema, dashboards</td><td>Flink 2.2.0 SQL, Superset (3 dashboards, 16 charts)</td></tr>
<tr><td><strong>Observability</strong></td><td>Metrics, service mesh visualization, DB admin</td><td>Prometheus, Kiali, PgAdmin</td></tr>
</table>
<h2>Key Architecture Decisions</h2>
<h3>Service Mesh &amp; Zero Trust</h3>
<p>Istio Ambient Mesh provides mutual TLS for all service-to-service communication without sidecar proxies. ztunnel, the per-node L4 proxy, tunnels pod-to-pod traffic over mTLS (HBONE) transparently. AuthorizationPolicies are written at L4 only (namespace + SPIFFE principal + port), which is what ztunnel can enforce without a waypoint proxy; L7 attributes such as method, path and JWT claims are not checked by the mesh. JWT validation occurs independently at every backend service.</p>
<h3>Authentication &amp; Authorization</h3>
<p>Keycloak 26.5.4 as OIDC Identity Provider. Authorization Code Flow with PKCE (S256). Tokens stored in memory only — never in localStorage. Back-channel logout via POST (no Keycloak redirect). Role-based access: <code>customer</code> vs <code>admin</code> realm roles.</p>
<h3>Event-Driven Architecture</h3>
<p>Two Debezium Server 3.4 pods capture PostgreSQL WAL changes into Kafka topics. Apache Flink 2.2.0 runs four streaming SQL jobs with exactly-once semantics, transforming CDC events into a star schema. Kafka runs in KRaft mode (no Zookeeper).</p>
<h3>Data Architecture</h3>
<p>Strict database-per-service isolation: four PostgreSQL instances with no cross-database access. Schema migrations run as Kubernetes init containers. Star schema in analytics-db with fact tables, dimension tables, and 10 views.</p>
<h2>Live Data Flow</h2>
<img src="https://raw.githubusercontent.com/a2z-ice/ecom-ms/schema-reg/docs/diagrams/data-flow.gif" alt="BookStore Platform — Live Data Flow (Animated)" />
<h3>User Request Flow</h3>
<pre><code>Browser → Istio Gateway → UI Service (React SPA)
Browser → Keycloak (OIDC PKCE login)
UI → E-Commerce API (JWT-protected)
E-Commerce → Inventory Service (service-to-service mTLS)</code></pre>
<h3>CDC Pipeline</h3>
<pre><code>Source DBs → Debezium Server 3.4 → Kafka → Flink 2.2.0 SQL → analytics-db → Superset</code></pre>
<h3>Checkout Flow</h3>
<ol>
<li>User submits checkout — E-Commerce Service validates cart and JWT</li>
<li>E-Commerce calls Inventory Service over mTLS to reserve stock</li>
<li>Order persisted; <code>order.created</code> event published to Kafka</li>
<li>Debezium captures DB change → Kafka → Flink transforms → analytics-db</li>
<li>Superset dashboards reflect new order data in real time</li>
</ol>
<h2>Security Invariants</h2>
<ul>
<li>All inter-service traffic encrypted via Istio mTLS (STRICT mode)</li>
<li>JWT validated independently at every backend service</li>
<li>Non-root containers with read-only root filesystems</li>
<li>Secrets via Kubernetes Secrets only (no hardcoded config); Secrets are base64-encoded in etcd and encrypted at rest only with an API-server EncryptionConfiguration</li>
<li>NetworkPolicies enforced per namespace (requires a CNI that implements NetworkPolicy)</li>
<li>CSRF tokens stored server-side in Redis</li>
</ul>
<h2>Technology Stack</h2>
<table>
<tr><th>Category</th><th>Technology</th><th>Version</th></tr>
<tr><td>Frontend</td><td>React + Vite</td><td>19.2</td></tr>
<tr><td>Backend (Java)</td><td>Spring Boot</td><td>4.0.3</td></tr>
<tr><td>Backend (Python)</td><td>FastAPI</td><td>latest</td></tr>
<tr><td>Identity</td><td>Keycloak</td><td>26.5.4</td></tr>
<tr><td>Service Mesh</td><td>Istio Ambient</td><td>1.28.4</td></tr>
<tr><td>Gateway</td><td>Kubernetes Gateway API</td><td>istio</td></tr>
<tr><td>Databases</td><td>PostgreSQL</td><td>4 instances</td></tr>
<tr><td>Messaging</td><td>Apache Kafka</td><td>KRaft mode</td></tr>
<tr><td>CDC</td><td>Debezium Server</td><td>3.4.1</td></tr>
<tr><td>Stream Processing</td><td>Apache Flink</td><td>2.2.0</td></tr>
<tr><td>BI / Analytics</td><td>Apache Superset</td><td>latest</td></tr>
<tr><td>Observability</td><td>Prometheus + Kiali</td><td></td></tr>
<tr><td>Cache / Sessions</td><td>Redis</td><td></td></tr>
<tr><td>E2E Testing</td><td>Playwright</td><td>latest</td></tr>
<tr><td>Container Orchestration</td><td>Kubernetes (kind)</td><td></td></tr>
</table>
<footer>
<p>Built as a production-grade proof of concept demonstrating microservices best practices, zero-trust security, event-driven architecture, and real-time analytics.</p>
<p style="margin-top: 12px;"><a href="https://github.com/a2z-ice/ecom-ms">GitHub Repository</a> · <a href="https://gist.github.com/a2z-ice/75fbc3c000760e1a6a9f03a6e1f9ecdf">Gist (Markdown)</a></p>
</footer>
</div>
</body>
</html>