🛡️ SECURITY & IDENTITY

Defense in Depth

Zero-trust security: SSO, secrets management, policy enforcement, runtime detection, and certificate automation.

ZERO-TRUST SECURITY LAYERS

1. Identity: Keycloak. OIDC SSO across all services.
2. Secrets: Vault + ESO. Encrypted at rest, synced to pods.
3. Policy: Kyverno. Admission control, mutation, validation.
4. Runtime: Falco. eBPF-based anomaly detection.
5. Scanning: Kubescape. CIS, NSA, MITRE compliance.

Single Sign-On Everywhere

One Keycloak login grants access to every platform service. No separate credentials anywhere.

Vault
Harbor
Grafana
ArgoCD
OneDev
AFFiNE
Backstage
APISIX Dashboard
Supabase
Matomo

Secrets Management

Zero secrets in Git. Zero secrets in etcd. Everything flows through Vault.

graph TD
  TF["Terraform"]:::terraform
  VAULT["Vault
HA / 3 Raft replicas
Encrypted at rest"]:::vault
  CSS["ClusterSecretStore
vault-backend"]:::store
  ES["ExternalSecret
Per-app, per-namespace"]:::external
  KS["Kubernetes Secret
Mounted as env or volume"]:::k8s
  POD["Pod
Consumes secret transparently"]:::pod

  TF -->|"Provision secrets"| VAULT
  VAULT --> CSS
  CSS --> ES
  ES --> KS
  KS --> POD

  classDef terraform fill:#0e3a3a,stroke:#06b6d4,color:#67e8f9,stroke-width:2px
  classDef vault fill:#2e2a0e,stroke:#facc15,color:#fde68a,stroke-width:2px
  classDef store fill:#14332a,stroke:#4ade80,color:#86efac,stroke-width:2px
  classDef external fill:#2e1a47,stroke:#a78bfa,color:#c4b5fd,stroke-width:2px
  classDef k8s fill:#1e3a5f,stroke:#60a5fa,color:#93c5fd,stroke-width:2px
  classDef pod fill:#2e1a0e,stroke:#f97316,color:#fdba74,stroke-width:2px
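
As an added example (not the platform's own manifests), the diagram's ClusterSecretStore and one per-app ExternalSecret written out as Kubernetes manifests for the External Secrets Operator; the Vault address, KV mount, Kubernetes auth role, service account, namespace and secret path are assumed values:

```yaml
# ClusterSecretStore: cluster-wide pointer to Vault (name taken from the diagram above)
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: vault-backend
spec:
  provider:
    vault:
      server: "https://vault.vault.svc:8200"   # assumed in-cluster Vault address
      path: "secret"                           # assumed KV v2 mount
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"              # assumed Vault Kubernetes auth mount
          role: "external-secrets"             # assumed Vault role bound to the SA below
          serviceAccountRef:
            name: "external-secrets"           # assumed operator service account
            namespace: "external-secrets"
---
# ExternalSecret: per-app, per-namespace; ESO renders it into a Kubernetes Secret
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana-admin                          # assumed app secret
  namespace: monitoring                        # assumed namespace
spec:
  refreshInterval: 1h                          # re-sync so rotations in Vault reach the pod
  secretStoreRef:
    kind: ClusterSecretStore
    name: vault-backend
  target:
    name: grafana-admin                        # resulting Kubernetes Secret
    creationPolicy: Owner                      # Secret is garbage-collected with the ExternalSecret
  data:
    - secretKey: admin-password                # key inside the Kubernetes Secret
      remoteRef:
        key: grafana/admin                     # assumed path under the KV mount
        property: password                     # field within that KV entry
```

The pod then consumes grafana-admin as an environment variable or volume, matching the last two nodes of the diagram; the Vault policy attached to the role should grant read on only the paths the store needs.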

All Components

Keycloak (production)
Enterprise identity and access management with OIDC, SAML, social login, and LDAP integration.
Role: Centralized SSO for all platform services — Vault, Harbor, Grafana, ArgoCD, OneDev, AFFiNE

HashiCorp Vault (production)
Secrets management, encryption as a service, and privileged access management.
Role: HA deployment (3-replica Raft cluster) storing all platform secrets, DNS credentials, TLS certificates

External Secrets Operator (production)
Kubernetes operator that synchronizes secrets from external stores into Kubernetes secrets.
Role: Bridges Vault ↔ Kubernetes: syncs secrets to pods, pushes certificates back to Vault

cert-manager (production)
Automatic TLS certificate management with Let's Encrypt ACME protocol support.
Role: Automated certificate issuance via DNS-01 challenges with Cloudflare

Kyverno (production)
Kubernetes-native policy engine for validation, mutation, and generation of resources.
Role: Enforces security policies: label requirements, container restrictions, cross-tenant isolation

Falco (production)
Runtime security monitoring using eBPF probes to detect anomalous container behavior.
Role: Real-time threat detection: shell spawning, privilege escalation, sensitive file access

Kubescape (deployed)
Kubernetes security platform for continuous scanning against NSA, MITRE, and CIS benchmarks.
Role: Compliance scanning and hardening recommendations

Open AppSec (deployed)
ML-based web application firewall and API security.
Role: WAF protection for exposed services