Kubernetes (production)

Phase 1 has no shipped Helm charts or manifests — this page documents the gap honestly and previews the target production architecture.

Phase 1 status: Kubernetes deployment artifacts are not implemented. There is no Helm chart, Kustomize overlay, or official manifest set in this repository yet. Local development uses Docker Compose for dependencies only; auth and proxy run as host processes or ad-hoc containers you build yourself.

Not available in Phase 1

Do not point production traffic at IBEX Harness until Phase 5 production-hardening milestones ship charts, runbooks, and SLO-backed rollouts. Track progress on the roadmap.

What exists today

Artifact                     | Phase 1             | Notes
-----------------------------|---------------------|--------------------------------------------------------------------------
Helm / Kustomize manifests   | No                  | Planned for Phase 5
Docker images for auth/proxy | No official publish | Build from services/*/Dockerfile when present
Compose dev stack            | Yes                 | Data stores only; not a production topology
Health probe contract        | Yes                 | ADR-0022 defines /health and /ready
mTLS between services        | Documented          | Required in production; plaintext only on the local ibex_internal network

Target architecture (preview)

The production layout below is design intent, not shipped configuration. It shows how Phase 1 services are expected to fit into a cluster once manifests land.

Mermaid diagram:
graph TB
  subgraph ingress["Ingress / Gateway"]
    GW["API Gateway / Ingress"]
  end
  subgraph dataplane["Data plane"]
    Proxy["Proxy Deployment :8080"]
    Auth["Auth Deployment<br/>HTTP :8081 gRPC :9091"]
  end
  Redis[("Redis")]
  subgraph obs["Observability"]
    Prom["Prometheus scrape /metrics"]
    OTLP["OTLP collector"]
  end
  subgraph managed["Managed dependencies"]
    PG[("Postgres + pgvector")]
  end
  GW --> Proxy
  Proxy -- "gRPC ValidateToken/ValidateAgent" --> Auth
  Proxy --> Redis
  Auth --> PG
  Proxy --> Prom
  Proxy --> OTLP
  Auth --> Prom
  Auth --> OTLP

Planned probe configuration

When charts ship, operators should wire probes per ADR-0022:

1. Liveness → GET /health
   Returns 200 whenever the process can answer a request. It performs no external dependency checks, so a failing liveness probe means the process itself is hung or deadlocked and the kubelet should restart the container.

2. Readiness → GET /ready
   Returns 503 when a critical dependency fails, which removes the pod from Service endpoints without restarting it. Auth checks Postgres with SELECT 1; proxy checks the auth gRPC endpoint and Redis with PING.

3. Metrics → GET /metrics
   Prometheus text format from packages/metrics. Scrape both auth and proxy pods.

Critical readiness checks (Phase 1)

Service | Critical checks  | Fails /ready when
--------|------------------|-------------------------------------------
Auth    | postgres, grpc   | Postgres unreachable or gRPC listener down
Proxy   | auth_grpc, redis | Auth unreachable or Redis PING fails

Per-check timeout: 500ms. Overall /ready budget: 750ms.
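The two budgets above only hold if the /ready handler enforces them itself: a dependency that hangs must be cut off at 500ms, and the whole response must be on the wire within 750ms, or the kubelet's probe times out and the pod is marked unready for the wrong reason. The following is an added example, not code from the IBEX Harness repository, of a readiness aggregator that runs the critical checks concurrently with both budgets and answers 503 on any failure. The page does not say what language the services are written in; Go is assumed here, and the JSON body shape, the check names used in main, and the stand-in check functions are constructed for the example.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"net/http"
	"sync"
	"time"
)

// Budgets from ADR-0022 as documented on the page: 500ms per check, 750ms for
// the whole /ready call.
const (
	perCheckTimeout = 500 * time.Millisecond
	readyBudget     = 750 * time.Millisecond
)

// Check is one critical dependency probe (Postgres SELECT 1, Redis PING,
// auth gRPC, ...). Real checks should honour ctx so a hung dependency does
// not leak a goroutine per probe.
type Check func(ctx context.Context) error

// ReadyResult is the JSON body returned by /ready (shape assumed for this example).
type ReadyResult struct {
	Status string            `json:"status"`
	Checks map[string]string `json:"checks"`
}

// RunReadiness runs every check concurrently, each under its own 500ms
// timeout, all inside a 750ms overall budget. Any error or timeout marks the
// service not ready. It never blocks past the budget even if a check ignores ctx.
func RunReadiness(parent context.Context, checks map[string]Check) (ReadyResult, bool) {
	ctx, cancel := context.WithTimeout(parent, readyBudget)
	defer cancel()

	res := ReadyResult{Status: "ok", Checks: make(map[string]string, len(checks))}
	var mu sync.Mutex
	var wg sync.WaitGroup
	for name, chk := range checks {
		wg.Add(1)
		go func(name string, chk Check) {
			defer wg.Done()
			cctx, ccancel := context.WithTimeout(ctx, perCheckTimeout)
			defer ccancel()
			done := make(chan error, 1)
			go func() { done <- chk(cctx) }()
			var err error
			select {
			case err = <-done:
			case <-cctx.Done(): // per-check timeout (or overall budget) expired
				err = cctx.Err()
			}
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				res.Checks[name] = "fail: " + err.Error()
				res.Status = "unavailable"
				return
			}
			res.Checks[name] = "ok"
		}(name, chk)
	}
	wg.Wait()
	return res, res.Status == "ok"
}

// ReadyHandler serves GET /ready: 200 when all critical checks pass, 503 otherwise.
func ReadyHandler(checks map[string]Check) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		res, ok := RunReadiness(r.Context(), checks)
		w.Header().Set("Content-Type", "application/json")
		if !ok {
			w.WriteHeader(http.StatusServiceUnavailable)
		}
		_ = json.NewEncoder(w).Encode(res)
	})
}

// HealthHandler serves GET /health: always 200 if the process can answer;
// deliberately no dependency checks, so liveness only restarts a hung process.
func HealthHandler() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("Content-Type", "application/json")
		_, _ = w.Write([]byte(`{"status":"ok"}`))
	})
}

// Constructed stand-ins for real dependency clients.
func alwaysOK(context.Context) error            { return nil }
func failing(context.Context) error             { return errors.New("connection refused") }
func hung(ctx context.Context) error            { <-ctx.Done(); return ctx.Err() } // never answers

func main() {
	checks := map[string]Check{"auth_grpc": alwaysOK, "redis": hung} // proxy's critical checks
	mux := http.NewServeMux()
	mux.Handle("/health", HealthHandler())
	mux.Handle("/ready", ReadyHandler(checks))
	_ = http.ListenAndServe(":8080", mux)
}
```

With the hung Redis stand-in, GET /ready answers 503 after about 500ms with `"redis": "fail: context deadline exceeded"` while /health keeps returning 200, which is exactly the split the two probes are meant to give the kubelet.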

Environment injection (preview)

Production pods will receive the same variables documented in Environment variables, injected via Kubernetes Secrets and ConfigMaps:

YAML
# Illustrative only — not a committed manifest
apiVersion: v1
kind: Secret
metadata:
  name: ibex-auth
stringData:
  POSTGRES_DSN: postgres://…
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: ibex-proxy
data:
  IBEX_AUTH_GRPC_ADDR: auth.ibex.svc.cluster.local:9091
  IBEX_PORT: "8080"
  IBEX_AUTH_VALIDATE_TIMEOUT: 50ms
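As an added illustration of how the probe contract and the environment injection above fit into one workload, here is a proxy Deployment of the kind Phase 5 charts would render. It is not a committed manifest from the repository: the image name, the pod labels, the replica count, the resource figures and the ibex-proxy Secret (assumed to hold REDIS_URL) are assumptions for this example; the ConfigMap name, the ibex namespace, port 8080 and the /health and /ready paths come from the page.

```yaml
# Illustrative only, not a committed manifest. Image, labels, resources and
# the ibex-proxy Secret are assumptions for this example.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ibex-proxy
  namespace: ibex
  labels:
    app.kubernetes.io/name: ibex-proxy
spec:
  replicas: 2
  selector:
    matchLabels:
      app.kubernetes.io/name: ibex-proxy
  template:
    metadata:
      labels:
        app.kubernetes.io/name: ibex-proxy
    spec:
      # Must exceed IBEX_SHUTDOWN_TIMEOUT once coordinated shutdown lands.
      terminationGracePeriodSeconds: 30
      securityContext:
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: proxy
          image: ghcr.io/example/ibex-proxy:dev   # no official image is published in Phase 1
          ports:
            - name: http
              containerPort: 8080
          envFrom:
            - configMapRef:
                name: ibex-proxy   # IBEX_AUTH_GRPC_ADDR, IBEX_PORT, IBEX_AUTH_VALIDATE_TIMEOUT
            - secretRef:
                name: ibex-proxy   # REDIS_URL; credentials never go in the ConfigMap
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
          # Liveness: /health does no dependency checks, so a failure here means
          # the process is hung and a restart is the right response.
          livenessProbe:
            httpGet:
              path: /health
              port: http
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 3
          # Readiness: /ready returns 503 when auth gRPC or Redis PING fails and
          # the pod is removed from Service endpoints, not restarted.
          readinessProbe:
            httpGet:
              path: /ready
              port: http
            periodSeconds: 5
            timeoutSeconds: 1
            failureThreshold: 2
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              memory: 512Mi
```

Note that probe timeoutSeconds is a whole number of seconds with a minimum of 1, so the 750ms /ready budget from ADR-0022 must be enforced inside the handler; the kubelet setting only catches a handler that has already blown its budget. Keep the Secret out of the ConfigMap even in development manifests, since ConfigMaps are readable by anyone with get on the namespace.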

Multi-tenant security

org_id always comes from verified tokens — never from ingress path rewriting alone. Cross-tenant resource access returns 403, not 404. See Multi-tenant RLS.
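The rule above has two halves that are easy to get wrong separately: the tenant must be taken from the token auth has verified, not from a path segment or a header that an ingress rewrite injected, and a request whose path names a different tenant must be refused with 403 before anything is looked up. The following guard is an added example, not code from the IBEX Harness proxy, written in Go (the service language is not stated on this page). The Identity type, the Validator stand-in for the gRPC ValidateToken round trip, the /orgs/{org_id}/... path layout, the X-Ibex-Org-Id header name and the sample tokens are all assumptions constructed for the example; only the org_id claim and the 403 rule come from the page.

```go
package main

import (
	"context"
	"net/http"
	"strings"
)

// Identity is what the proxy learns from auth's ValidateToken. Field names are
// assumptions for this example; org_id itself is the claim the page relies on.
type Identity struct {
	Subject string
	OrgID   string
}

// Validator stands in for the gRPC ValidateToken call (signature assumed).
// It returns false for any token auth does not accept.
type Validator func(ctx context.Context, bearer string) (Identity, bool)

type identityKey struct{}

// IdentityFrom returns the verified identity the guard attached to the request.
func IdentityFrom(ctx context.Context) (Identity, bool) {
	id, ok := ctx.Value(identityKey{}).(Identity)
	return id, ok
}

// orgFromPath reads the tenant segment of /orgs/{org_id}/... (layout assumed).
func orgFromPath(p string) (string, bool) {
	parts := strings.Split(strings.Trim(p, "/"), "/")
	if len(parts) < 2 || parts[0] != "orgs" || parts[1] == "" {
		return "", false
	}
	return parts[1], true
}

// TenantGuard: authenticate with the token, take org_id from the verified
// identity only, and refuse any path that names another tenant with 403
// before any storage lookup. A tenant header set upstream (for example by
// ingress path rewriting) is overwritten, never trusted.
func TenantGuard(validate Validator, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		auth := r.Header.Get("Authorization")
		if !strings.HasPrefix(auth, "Bearer ") {
			http.Error(w, "unauthorized", http.StatusUnauthorized) // 401 for no/invalid token is assumed
			return
		}
		id, ok := validate(r.Context(), strings.TrimPrefix(auth, "Bearer "))
		if !ok {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		pathOrg, ok := orgFromPath(r.URL.Path)
		if !ok {
			http.NotFound(w, r) // not a tenant-scoped route at all
			return
		}
		if pathOrg != id.OrgID {
			http.Error(w, "forbidden", http.StatusForbidden) // cross-tenant: 403, not 404
			return
		}
		r.Header.Set("X-Ibex-Org-Id", id.OrgID) // header name assumed; value always from the token
		next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), identityKey{}, id)))
	})
}

// Constructed validator for the example: two tokens, two tenants.
var exampleTokens = map[string]Identity{
	"tok-acme":   {Subject: "agent-1", OrgID: "acme"},
	"tok-globex": {Subject: "agent-2", OrgID: "globex"},
}

func ExampleValidator(_ context.Context, bearer string) (Identity, bool) {
	id, ok := exampleTokens[bearer]
	return id, ok
}

// echoOrg is the protected handler. It answers with the tenant header it
// received, which shows that only the token-derived value ever reaches it.
func echoOrg(w http.ResponseWriter, r *http.Request) {
	_, _ = w.Write([]byte(r.Header.Get("X-Ibex-Org-Id")))
}

func main() {
	_ = http.ListenAndServe(":8080", TenantGuard(ExampleValidator, http.HandlerFunc(echoOrg)))
}
```

The order matters: authentication first, then the tenant comparison, then the handler. Comparing before any lookup is what makes the 403 response independent of whether the foreign resource exists, so the status code cannot be used to enumerate another tenant's objects.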

Rollout expectations (future)

Phase 5 milestones will add:

  • Separate Deployments for proxy and auth with HPA on CPU and request latency
  • NetworkPolicy restricting gRPC to the internal mesh
  • PodDisruptionBudgets and coordinated shutdown via IBEX_SHUTDOWN_TIMEOUT
  • External Secrets Operator integration for POSTGRES_DSN and REDIS_URL
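The NetworkPolicy item above is the one with the most security leverage, because ValidateToken and ValidateAgent are the calls every request's authorization hangs on and nothing but the proxy should be able to reach them. As an added example, not a committed manifest, here is a policy for the auth pods of the shape Phase 5 would ship; the pod labels and the monitoring namespace are assumptions, while ports 9091 and 8081 and the ibex namespace come from the page.

```yaml
# Illustrative only, not a committed manifest. Pod labels and the "monitoring"
# namespace are assumptions for this example.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: ibex-auth-ingress
  namespace: ibex
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: ibex-auth
  policyTypes: ["Ingress"]   # everything not listed below is denied
  ingress:
    # gRPC ValidateToken/ValidateAgent (:9091): proxy pods in this namespace only.
    - from:
        - podSelector:
            matchLabels:
              app.kubernetes.io/name: ibex-proxy
      ports:
        - protocol: TCP
          port: 9091
    # HTTP :8081 (/metrics): the Prometheus scraper's namespace only.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - protocol: TCP
          port: 8081
```

Two caveats a practitioner will hit: a NetworkPolicy only has effect if the cluster's CNI enforces it, so verify with a blocked connection rather than assuming; and kubelet probes to /health and /ready originate from the node, which the common CNIs exempt from policy, but confirm that for yours before relying on readiness after applying a default-deny. This policy restricts who may connect; it does not replace the mTLS the page requires between services in production.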

Until then, use Compose + host-run services for integration testing and refer to docs/OPS_GUIDE.md in the repository for operational runbooks as they mature.

Related

  • Proxy health — probe response schemas
  • Docker Compose — supported local path today
