Control Plane Namespace
The matih-control-plane namespace hosts all platform management services built with Java Spring Boot 3.2. These services handle authentication, tenant lifecycle, configuration management, auditing, notifications, and API routing.
Services Deployed
| Service | Port | Replicas | HPA Range | Purpose |
|---|---|---|---|---|
| iam-service | 8080 | 2 | 2-10 | Authentication, authorization, RBAC |
| tenant-service | 8080 | 2 | 2-8 | Tenant lifecycle, provisioning |
| config-service | 8080 | 2 | 2-5 | Feature flags, runtime configuration |
| audit-service | 8080 | 3 | 3-15 | Audit trail, compliance logging |
| notification-service | 8080 | 2 | 2-8 | Email, Slack, webhook notifications |
| billing-service | 8080 | 2 | 2-6 | Usage tracking, cost allocation |
| api-gateway | 8080 | 2 | 2-10 | API routing, rate limiting |
| observability-api | 8080 | 2 | 2-5 | Metrics aggregation API |
| platform-registry | 8080 | 2 | 2-4 | Service registry |
| infrastructure-service | 8080 | 2 | 2-4 | Infrastructure provisioning |
Shared Infrastructure
The control plane shares database and messaging infrastructure:
```yaml
# From matih-control-plane/values.yaml
postgresql:
  enabled: true
  auth:
    existingSecret: matih-db-credentials
  primary:
    persistence:
      size: 50Gi
      storageClass: gp3
  readReplicas:
    replicaCount: 2

redis:
  enabled: true
  auth:
    existingSecret: matih-redis-credentials
  sentinel:
    enabled: true
  replica:
    replicaCount: 2

# Kafka - uses shared Strimzi cluster from data-plane
kafka:
  enabled: false  # Shared via FQDN
```

Kafka connectivity is configured via FQDN to the Strimzi cluster in the data plane:

```yaml
platform:
  kafka:
    bootstrapServers: "strimzi-kafka-kafka-bootstrap.matih-control-plane.svc.cluster.local:9093"
    securityProtocol: SSL
    ssl:
      truststoreSecret: "kafka-cluster-ca-cert"
```

Network Policies
The control plane enforces strict network isolation:
```yaml
# From matih-control-plane/values.yaml
networkPolicy:
  enabled: true
  defaultDeny: true
  allowInternalTraffic: true
  allowFromApiGateway: true
  allowToPostgresql: true
  allowToRedis: true
  allowToKafka: true
```

Database Initialization
A Kubernetes Job initializes databases on first deployment:
```yaml
dbInit:
  enabled: true
  image:
    repository: postgres
    tag: "15-alpine"
  postgresql:
    existingSecret: ""
    userKey: "postgres-password"
    passwordKey: "postgres-password"
  backoffLimit: 3
  ttlSecondsAfterFinished: 300
```

Security Context
All control plane pods run with the same hardened security context:

```yaml
podSecurityContext:
  runAsNonRoot: true
  runAsUser: 1000
  fsGroup: 1000
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop:
      - ALL
```

Pod Anti-Affinity
Control plane services spread across nodes for high availability:
```yaml
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchExpressions:
              - key: app.kubernetes.io/part-of
                operator: In
                values:
                  - matih-control-plane
          topologyKey: kubernetes.io/hostname
```
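The values above only express intent; what protects the namespace is the rendered output. The following conformance check is an added example and is not part of the matih chart: it takes the list of objects a `helm template` run would produce (here a constructed sample built as Python dicts) and verifies the three guarantees described in the Network Policies, Security Context and Pod Anti-Affinity sections: a default-deny NetworkPolicy exists for the namespace, every Deployment's pod runs non-root with privilege escalation disabled, a read-only root filesystem and all capabilities dropped, and a hostname anti-affinity term is present. The object shapes follow the Kubernetes API; the `hardened_deployment` helper, the `default-deny` policy name and the "drifted" sample are assumptions made for the example.

```python
"""Conformance audit for rendered matih-control-plane manifests (added example)."""

NAMESPACE = "matih-control-plane"


def _pod_spec(obj):
    """Pod template spec of a Deployment-like object ({} if absent)."""
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def has_default_deny(objects):
    """True if a NetworkPolicy selects every pod in NAMESPACE and lists both
    policy types with no rules, which is how Kubernetes expresses default deny."""
    for obj in objects:
        if obj.get("kind") != "NetworkPolicy":
            continue
        if obj.get("metadata", {}).get("namespace") != NAMESPACE:
            continue
        spec = obj.get("spec", {})
        if spec.get("podSelector") != {}:
            continue
        if (set(spec.get("policyTypes", [])) == {"Ingress", "Egress"}
                and not spec.get("ingress") and not spec.get("egress")):
            return True
    return False


def pod_security_findings(deployment):
    """Baseline violations for one Deployment, as human-readable strings."""
    findings = []
    name = deployment["metadata"]["name"]
    spec = _pod_spec(deployment)
    if spec.get("securityContext", {}).get("runAsNonRoot") is not True:
        findings.append(f"{name}: pod securityContext.runAsNonRoot is not true")
    for c in spec.get("containers", []):
        sc = c.get("securityContext", {})
        cname = f"{name}/{c.get('name')}"
        if sc.get("allowPrivilegeEscalation") is not False:
            findings.append(f"{cname}: allowPrivilegeEscalation is not false")
        if sc.get("readOnlyRootFilesystem") is not True:
            findings.append(f"{cname}: readOnlyRootFilesystem is not true")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{cname}: capabilities.drop does not include ALL")
    return findings


def has_hostname_anti_affinity(deployment):
    """True if any preferred anti-affinity term spreads pods by node hostname."""
    terms = (_pod_spec(deployment).get("affinity", {})
             .get("podAntiAffinity", {})
             .get("preferredDuringSchedulingIgnoredDuringExecution", []))
    return any(t.get("podAffinityTerm", {}).get("topologyKey") == "kubernetes.io/hostname"
               for t in terms)


def audit(objects):
    """Return all findings for a rendered manifest set; empty list means conformant."""
    findings = []
    if not has_default_deny(objects):
        findings.append(f"no default-deny NetworkPolicy for {NAMESPACE}")
    for obj in objects:
        if obj.get("kind") == "Deployment":
            findings.extend(pod_security_findings(obj))
            if not has_hostname_anti_affinity(obj):
                findings.append(f"{obj['metadata']['name']}: no hostname anti-affinity")
    return findings


# --- constructed sample objects (hypothetical rendered output, not chart output) ---
def hardened_deployment(name):
    """A Deployment matching the page's podSecurityContext/securityContext/affinity."""
    return {
        "kind": "Deployment",
        "metadata": {"name": name, "namespace": NAMESPACE},
        "spec": {"template": {"spec": {
            "securityContext": {"runAsNonRoot": True, "runAsUser": 1000, "fsGroup": 1000},
            "containers": [{"name": name, "image": f"example/{name}:dev",  # placeholder image
                            "securityContext": {"allowPrivilegeEscalation": False,
                                                "readOnlyRootFilesystem": True,
                                                "capabilities": {"drop": ["ALL"]}}}],
            "affinity": {"podAntiAffinity": {"preferredDuringSchedulingIgnoredDuringExecution": [
                {"weight": 100, "podAffinityTerm": {
                    "labelSelector": {"matchExpressions": [
                        {"key": "app.kubernetes.io/part-of", "operator": "In", "values": [NAMESPACE]}]},
                    "topologyKey": "kubernetes.io/hostname"}}]}},
        }}},
    }


DEFAULT_DENY = {"kind": "NetworkPolicy",
                "metadata": {"name": "default-deny", "namespace": NAMESPACE},
                "spec": {"podSelector": {}, "policyTypes": ["Ingress", "Egress"]}}

SAMPLE_OBJECTS = [DEFAULT_DENY, hardened_deployment("iam-service")]

# Drifted copy: read-only root FS and the capability drop were removed by hand.
DRIFTED = hardened_deployment("audit-service")
DRIFTED["spec"]["template"]["spec"]["containers"][0]["securityContext"] = {
    "allowPrivilegeEscalation": False}

if __name__ == "__main__":
    for finding in audit(SAMPLE_OBJECTS + [DRIFTED]):
        print("FINDING:", finding)
```

Run it against real output by replacing `SAMPLE_OBJECTS` with the documents from `helm template` (parsed with a YAML library); a non-empty result should fail the deployment pipeline before the release reaches the cluster.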