Infrastructure Engineering Hub
Scalable open-source infrastructure for microservices โ from local development through VPS production to Kubernetes with minimal friction.
๐ Type: Map of Content (MOC)
๐ค Owner: Ktwenty Threel
๐ฏ Outcome: Understand the platform, the architecture, and where everything lives
Table of Contents
Platform at a Glance
A scalable open-source infrastructure for microservices โ from local development through VPS production to Kubernetes โ with minimal configuration changes between tiers. All components are open-source and interchangeable. The local development experience is first-class, and the same containers that run on your machine deploy to production without modification.
The platform follows a natural progression through three layers:
Logical flow
Workspace โ Infrastructure โ Services โ Dev โ Prod VPS โ Prod K8s Every section in this document follows this progression.
๐๏ธ VS Code Workspace Setup
A multi-root workspace configuration that manages all services, infrastructure, and this documentation in a single VS Code instance. Each service gets its own debugger launch configuration. The VS Code Test Explorer runs inside a dev container with parallelized per-test debugging capabilities.
๐๏ธ Base Infrastructure
All services run behind Envoy Gateway, which handles TLS termination, path-based routing, and header manipulation. A generate_certs sidecar provisions internal certificates. Keycloak provides OIDC/SSO with a pre-configured realm template for development. PostgreSQL runs as a shared instance with per-service schemas, initialized via startup scripts. MailDev (dev only) captures all outbound email for inspection. An echo server (dev only) mirrors requests for gateway debugging.
Pre-configured configs ship for Envoy Gateway (dev and prod-ready for VPS, minimal changes for K8s), Keycloak realm import (dev), PostgreSQL database initialization scripts, and Envoy secrets generation scripts.
In development, Ngrok exposes the entire local stack via a public HTTPS URL โ enabling OAuth callbacks, webhook integrations, mobile testing, and client demos against your actual environment. In production on VPS, Ngrok is replaced by direct public exposure through Envoy with Let's Encrypt certificates.
๐งฉ Django Service Template
New services are generated via an updatable Copier Template) in a few steps. Each service ships with four apps following HackSoft Styleguide 2+ best practices: API (Django REST Framework), authentication (django-allauth + Keycloak OIDC), authorization (RBAC with Keycloak as source of truth), and core (admin panel, healthchecks). An optional public app provides a django-htmx powered frontend with branding, SEO, and analytics setup. Pre-commit hooks, linting, and formatting are included.
Multiple Django services can be generated from the same template and deployed on the same infrastructure under different subdomains โ each service registers as a new Envoy route and Keycloak client within the existing setup.
Ready to start?
See the Workspace Setup for step-by-step setup.
Architecture
Instead of each service managing its own authentication, routing, and database, these concerns are centralized into shared infrastructure.
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ INTERNET โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโฌโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ
โ HTTPS (443) / HTTP (80 โ 301 redirect)
โผ
โโโโโโโโโโโโโโโโโโโโโโโ
โ Ngrok Tunnel โ (dev only โ replaced by
โ (Public URL โ โ direct DNS in prod)
โ Local Stack) โ
โโโโโโโโโโโโฌโโโโโโโโโโโ
โ
โผ
โโโโโโโโโโโโโโโโโโโโโโโ
โ Envoy Gateway โ
โ โโโโโโโโโโโโโโโโโ โ
โ TLS Termination โ
โ Path-Based Routing โ
โ Rate Limiting โ
โ HTTP โ HTTPS โ
โ X-Forwarded-* โ
โโโโโโโโโโโโฌโโโโโโโโโโโ
โ
โโโโโโโโโโโโโโโโโโโโโโผโโโโโโโโโโโโโโโโโโโโโ
โ โ โ
โผ โผ โผ
โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ
โ Keycloak โ โ Django โ โ Django โ
โ โโโโโโโโโโ โ โ Service A โ โ Service N โ
โ OIDC / SSO โโโโโโ โโโโโโโโโโ โ โ โโโโโโโโโโ โ
โ RBAC Roles โ โ allauth โ โ allauth โ
โ User Mgmt โ โ RBAC sync โ โ RBAC sync โ
โ Source of โ โ DRF + htmx โ โ DRF + htmx โ
โ Truth โ โ โ โ โ
โโโโโโโโฌโโโโโโโโโ โโโโโโโโโฌโโโโโโโโ โโโโโโโโโฌโโโโโโโโ
โ โ โ
โ โโโโโโโโโโโโโดโโโโโโโโโโโโโโโโโโโโโ
โ โ
โผ โผ
โโโโโโโโโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ
โ PostgreSQL โ โ MailDev โ โ Echo โ
โ โโโโโโโโโโโโโโโโโ โ โ โโโโโโโโโโ โ โ โโโโโโโโโโ โ
โ Shared Instance โ โ SMTP Capture โ โ Request โ
โ Per-Service Schemas โ โ Web UI โ โ Debugging โ
โโโโโโโโโโโโโโโโโโโโโโโโ โ (dev only) โ โ (dev only) โ
โโโโโโโโโโโโโโโโโ โโโโโโโโโโโโโโโโ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
โ VS Code Multi-Root Workspace โ
โ โโโโโโโโโโโโโโโโโโโโโโโโโโโโโ โ
โ Per-service debuggers ยท Parallelized test runner โ
โ File exclusions ยท Shared settings โ
โโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโโ
The โโโโ arrow between Django Service A and Keycloak represents the internal backchannel: Django exchanges tokens with Keycloak directly over the Docker bridge network, never routing through the public gateway. See Backchannel Separation for details.
Component Responsibilities
| Component | What It Does | Swap It For |
|---|---|---|
| Envoy Gateway | Routes traffic by path/subdomain, terminates TLS (Let's Encrypt on prod, Ngrok on dev), rate limiting, HTTPโHTTPS redirect | Traefik, NGINX, Kong |
| Keycloak | SSO, OIDC, user management, RBAC source of truth, synced to services via django-allauth | Any OIDC provider |
| PostgreSQL | Shared database instance, per-service schemas, initialized via startup scripts | Any SQL backend |
| MailDev (dev only) | Captures all outbound email, web UI for inspection | Mailhog, Mailtrap, any SMTP provider |
| Echo (dev only) | Mirrors requests back for gateway route debugging | Any echo server |
| Ngrok (dev only) | Exposes local stack via public HTTPS URL for OAuth callbacks, webhooks, mobile testing | Cloudflare Tunnel, localtunnel โ replaced by direct DNS in prod |
| Django Services | Generated from updatable Copier template, each with API, auth, RBAC, admin, optional htmx frontend | โ |
| VS Code Workspace | Multi-root config with per-service debuggers and parallelized test execution | JetBrains (manual setup) |
Scaling Path
Same images, different orchestration
Your application code and Docker images never change between tiers. Only the orchestration layer, secrets management, and infrastructure configuration evolve.
๐ ๏ธ Local Development โ Docker Compose
Your laptop runs the full stack. Envoy routes, Keycloak authenticates, PostgreSQL stores, MailDev captures email, VS Code debugs. Ngrok exposes everything via a public HTTPS URL โ OAuth callbacks, webhook integrations, mobile testing, client demos all work against your actual dev environment. A separate compose.yaml wires up dev-only services (MailDev, echo server) and relaxed configurations (permissive hostnames, plaintext secrets, hot-reload).
๐ MVP Production โ Docker Compose on VPS
Deploy compose.prod.yaml to a single VPS (Hostinger, Kamatera, etc.). Dev-only services are gone. Let's Encrypt replaces Ngrok for public TLS. Keycloak locks down its hostname and issuer. Secrets come from environment files outside the repo. The same Envoy Gateway configs that ran locally now serve production traffic โ no rewrite, no translation layer. This tier carries most startups through their first real scaling event.
โก Production at Scale โ Kubernetes
Each container becomes a pod. Envoy Gateway configs translate directly to Kubernetes Gateway API resources. PostgreSQL moves to a managed service (RDS, CloudSQL). Keycloak scales horizontally. Backchannel encryption becomes a requirement โ via service mesh mTLS or Keycloak-native TLS. The application images stay identical; only the orchestration and persistence layers change.
What Changes Between Tiers
| Component | ๐ ๏ธ Local Dev | ๐ VPS Prod | โก K8s Prod |
|---|---|---|---|
| Compose file | compose.yaml |
compose.prod.yaml |
Helm charts / manifests |
| Public access | Ngrok tunnel | Direct DNS + Let's Encrypt | Ingress / Gateway API |
| TLS | Ngrok handles it | Let's Encrypt at Envoy | Cert-manager + Ingress |
| Envoy Gateway | File provider, relaxed | File provider, prod-ready | K8s Gateway API (native) |
| Keycloak hostname | --hostname-strict=false |
KC_HOSTNAME=https://${DOMAIN}/auth |
Same, or dedicated auth subdomain |
| Keycloak realm | --import-realm from JSON |
--import-realm (planned: config-cli) |
keycloak-config-cli or Terraform |
| Backchannel | Plain HTTP, Docker bridge | Plain HTTP, Docker bridge | Encrypted (mesh mTLS or native TLS) |
| Secrets | .env files, plaintext |
.env files outside repo |
K8s Secrets / Vault |
| PostgreSQL | Shared container | Shared container + persistent volume | Managed service (RDS, CloudSQL) |
| MailDev (captures all) | Real SMTP provider | Real SMTP provider | |
| Echo server | โ Running | โ | โ |
| Monitoring | Docker logs + Admin Console | Docker logs + Admin Console | Prometheus + Grafana |
| Scaling | Single instance | Single instance | Horizontal pod autoscaling |
| Deploy method | docker compose up |
docker compose up |
CI/CD pipeline |
Stack Reference
Technologies listed by platform layer
Each layer corresponds to a separate repository. See Platform at a Glance for how these layers connect.
๐๏ธ Workspace Setup
Configuration and tooling for the multi-service development experience.
VS Code Workspace โ Multi-root workspace managing all services, infrastructure, and documentation. Per-service debugger launch configs and parallelized test execution via dev containers. โ Configuration ยท Setup ยท Debugging
๐๏ธ Base Infrastructure
Shared services that every Django service depends on. Run with
docker compose up.
Envoy Gateway โ Front door for all traffic. TLS termination (Let's Encrypt on prod, Ngrok on dev), path-based and subdomain routing, HTTPโHTTPS redirect, header manipulation. Configs are file-based, prod-ready for VPS, and translate to Kubernetes Gateway API with minimal changes. โ Setup & Configuration
Keycloak โ Centralized identity provider. OIDC/SSO authentication, RBAC group management, user lifecycle. Single realm (myrealm), synced to Django services via django-allauth on every login. Admin console for user and session management. โ Setup & Configuration ยท RBAC Model
PostgreSQL โ Shared database instance with per-service schemas. Initialized via startup scripts that create databases and schemas automatically. Each Django service gets logical isolation without operational overhead. โ Setup & Configuration
MailDev (dev only) โ Captures all outbound email from all services. Web UI for inspecting verification emails, password resets, and notifications without sending anything externally. Replaced by a real SMTP provider in production. โ Setup & Configuration
Echo Server (dev only) โ Mirrors incoming requests back in the response. Used for debugging Envoy Gateway routes, headers, and path matching before wiring up real services.
Ngrok (dev only) โ Exposes the local stack via a public HTTPS URL. Enables OAuth callbacks, webhook integrations, mobile testing, and client demos against the dev environment. Replaced by direct DNS + Let's Encrypt in production.
๐งฉ Django Service Template
Updatable Copier template that generates production-ready Django services.
Django Services โ Ships with API (DRF + HackSoft Styleguide 2+), authentication (django-allauth + Keycloak OIDC), authorization (RBAC), and core (admin panel, healthchecks) apps. Optional public app with django-htmx frontend with branding, SEO, and analytics setup. Pre-commit, linting, formatting included. Multiple services deploy on the same infrastructure under different subdomains. โ Create a Service
App internals: โ API ยท Authentication ยท Authorization ยท Core ยท Public Frontend
๐ Operations
Procedures, workflows, and troubleshooting across all platform components.
โ Operations Index
๐ Reference
Specifications, schemas, conventions, and the standards that shaped this platform.
โ Reference Index