Skip to content

Administrative Services

Overview

The ALTERNATIVE platform incorporates a suite of robust administrative services that form the backbone of its secure, efficient, and scalable infrastructure. These services work in concert to manage user authentication, network routing, SSL/TLS certification, and service mesh capabilities. This section provides an in-depth look at each of these critical components and their roles in maintaining the platform's operational integrity.

Keycloak

Keycloak serves as the cornerstone of the platform's identity and access management (IAM) system.

Key Features:

  • Single Sign-On (SSO): Enables seamless authentication across all platform components.
  • Fine-grained Access Control: Allows for detailed permission settings for users and applications.
  • Multi-factor Authentication (MFA): Enhances security with additional verification layers.
  • OpenID Connect (OIDC) Support: Ensures compatibility with modern authentication protocols.

Implementation:

Keycloak is deployed within the Kubernetes cluster, integrating tightly with other platform services to provide a unified authentication experience.

External DNS

External DNS automates the management of DNS records for the platform's services and applications.

Key Features:

  • Dynamic DNS Updates: Automatically syncs Kubernetes ingress resources with external DNS providers.
  • Multi-provider Support: Compatible with various DNS providers, ensuring flexibility.
  • Kubernetes Native: Operates seamlessly within the Kubernetes ecosystem.

Implementation:

Configured to work with the platform's chosen DNS provider, External DNS maintains accurate and up-to-date DNS records, crucial for service discovery and TLS certificate issuance.

Cert Manager

Cert Manager automates the lifecycle management of SSL/TLS certificates within the platform.

Key Features:

  • Automatic Certificate Issuance and Renewal: Eliminates manual certificate management tasks.
  • Let's Encrypt Integration: Provides free, automated SSL/TLS certificates.
  • Multiple Issuer Support: Allows for flexibility in certificate authorities.

Implementation:

Deployed as a Kubernetes add-on, Cert Manager watches for ingress resources and automatically provisions certificates as needed, ensuring all services maintain valid SSL/TLS encryption.

Ingress Controller

The Ingress Controller, based on NGINX, manages external access to services within the Kubernetes cluster.

Key Features:

  • Load Balancing: Distributes incoming traffic across multiple service instances.
  • SSL/TLS Termination: Handles encryption/decryption at the edge of the network.
  • Path-based Routing: Directs traffic to different services based on URL paths.

Implementation:

Configured to work in tandem with External DNS and Cert Manager, the Ingress Controller provides a secure and efficient entry point for all external traffic to the platform's services.

Istio

Istio is a powerful service mesh that enhances the platform's networking capabilities and security.

Key Features:

  • Traffic Management: Advanced routing and load balancing features.
  • Security: Mutual TLS encryption between services.
  • Observability: Detailed insights into service-to-service communication.

Implementation:

If implemented, Istio is deployed across the Kubernetes cluster, providing an additional layer of control and visibility over inter-service communication within the platform.

Integration and Synergy

These administrative services work together to create a robust, secure, and manageable infrastructure:

  1. Keycloak authenticates users and provides identity information.
  2. External DNS ensures services are discoverable.
  3. Cert Manager provides SSL/TLS certificates for secure communications.
  4. Ingress Controller routes external traffic to the appropriate services.
  5. Istio manages and secures inter-service communication.