Deployment Architecture
Last updated
Last updated
Copyright © 2021 MOSIP. This work is licensed under a Creative Commons Attribution (CC-BY-4.0) International License unless otherwise noted.
This page has the proposed deployment architecture for eSignet in production.
A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization's established security policies. It protects against outside cyberattacks by shielding the network from malicious or unnecessary network traffic. All incoming traffic from the internet is routed through the firewall.
A load balancer is a network device or service that evenly distributes incoming network traffic across multiple servers or resources. It operates based on predetermined rules or algorithms and helps optimize the use of these resources. The primary purpose of a load balancer is to ensure that no single server becomes overwhelmed with traffic, thereby improving performance, availability, and reliability for users accessing a particular service or application.
Additionally, we use it in the following cases:
SSL termination
Proxy pass
TCP communication
UDP communication
Reverse Proxy
Wireguard is used as a trusted network extension to provide secure access to control and monitoring panels for operational team members, making sure that restricted APIs are not publically accessible.
The internal IAM system is used to manage access control for the operation team and client management API calls from client management systems
Deployment layers can be sectioned into the below three sections.
eSignet application services are deployed in the form of pods in the Kubernetes cluster.
Artifactory Service
This pod contains environment-specific libraries like HSM client and eSignet plugins. When the eSignet service pod starts, these libraries are downloaded from the artifactory and added to the application loader path.
Config Server
This pod is responsible for serving the external property files to application service pods. These property files are maintained in a private Git repository and the Config service acts more like a secure proxy.
OIDC UI
This pod will expose all the UI component files that are requested from the browser once the eSignet portal is accessed.
eSigent Service
This is the actual backend service which exposes all the RESTful API endpoints, which includes all endpoints related to OIDC, VCI, UI and client management. This service has a plugin-based mechanism to integrate with the ID system for actual user verification. It also connects to the below cluster for various needs.
PostgreSQL DB Cluster
All the data related to client policies, consent etc. are stored in this cluster. It should be a highly available cluster with necessary replication levels using solutions like Citus.
Redis Cache Cluster
All transactional caching needs are taken care of by the Redis cluster.
HSM Cluster
This cluster provides the necessary security to the cryptographic keys used in the application. Access to this cluster should be allowed only from a few selected nodes to control access and improve security.
Below additional Kubernetes, compatible tools are also configured into the Kubernetes cluster to take care of security and routing needs.
Ingress Gateway
An ingress Gateway is a load balancer operating at the edge of the mesh that receives incoming HTTP/TCP connections. It configures exposed ports, protocols, etc.
Istio Service Mesh
This is a service mesh used as an ingress gateway in the k8 cluster. Istio is used to manage the request routing in service-to-service communication. It can also help with service discovery, load balancing, failure recovery, metrics, and monitoring.
Docker Registry
Local docker registry is used to improve restart timings of containers where the images are configured to be pulled every time to the running node. It also helps with reducing the usage of internal bandwidth since images are caching within the setup.
Kubernetes Secrets
Kubernetes Secret is used for storing and managing sensitive information like DB passwords, keycloak secrets etc.. that is required by application pods. It gives us more control over how sensitive information is used and reduces the risk of accidental exposure.
Tools in the Control Panel will be used by operations team members to manage the deployment and maintain the uptime in the Kubernetes cluster
Rancher
Rancher is a complete stack for managing containers. It addresses the operational and security challenges of managing multiple Kubernetes clusters while providing DevOps teams with integrated tools for running containerized workloads. Rancher is integrated with IAM for the authentication of users.
Helm Chart
Helm chart is a package manager for Kubernetes-based Objects. For each module, multiple related components are grouped and their deployment scripts are packaged as hosted helm charts, so each module can be installed and upgraded independently.
Monitoring Panel will be used by operations team members to observe the health of various application pods and debug specific issues using application logs.
Application logs and metrics are collected by Fluentbit and dumped into Elastic Search and Prometheus respectively.
The application log data stored in elastic search is configured as reports using Kibana and can be used for searching logs when debugging application issues. The metric data stored in Prometheus are configured as charts in Grafana to continuously monitor the health of the environment and containers. Explicit notifications can be configured as alerts when the metrics reach a particular threshold.