Deployment Topology
:::info Source
Sourced from services/certification-service/DEPLOYMENT_TOPOLOGY.md in the documentation repo.
:::
1. Containers
- cert-api — internal + public REST.
- cert-issuer — issuance worker (consumes completion events).
- cert-renderer — headless-Chrome PDF/PNG worker (sandboxed).
- cert-outbox-relay — NATS publisher.
2. Scaling
| Container | Min | Max | HPA |
|---|---|---|---|
| api | 3 | 15 | CPU>60% |
| issuer | 2 | 20 | queue > 100 |
| renderer | 2 | 15 | queue > 50 |
| outbox-relay | 2 | 5 | backlog > 5000 |
3. Resources
api: 500m/2000m CPU, 512Mi/1.5Gi mem. issuer: 500m/2000m, 512Mi/2Gi. renderer: 1000m/4000m, 2Gi/4Gi (Chrome).
4. Storage
- Postgres schema certification.
- S3 for artifacts; per-tenant prefix; CDN-fronted.
- Artifacts indefinite retention; tenants can request deletion (subject to policy).
5. Caching
- Redis (per region): template cache, JWKS cache, verify result cache (60s TTL).
- CDN: /api/v1/certificates/verify/{token} cached 60s (invalidated on revoke via CDN purge).
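How the two 60s verify caches interact with revocation, as an added example that is not code from the certification service. All class and function names are hypothetical, dicts stand in for Postgres, Redis and the CDN, and it assumes the CDN caches whatever cert-api answers, including answers served from the Redis verify-result cache.

```python
# Added example: hypothetical names; dicts stand in for Postgres, Redis and the CDN.
TTL = 60  # seconds: verify-result TTL stated for both Redis and the CDN

class TtlCache:
    def __init__(self):
        self.entries = {}  # key -> (value, expires_at)

    def get(self, key, now):
        value, expires_at = self.entries.get(key, (None, 0))
        return value if now < expires_at else None

    def put(self, key, value, now):
        self.entries[key] = (value, now + TTL)

class VerifyPath:
    """Public verify: CDN -> cert-api (Redis verify-result cache) -> Postgres."""
    def __init__(self):
        self.db = {}  # token -> "valid" | "revoked" (source of truth)
        self.redis, self.cdn = TtlCache(), TtlCache()

    def verify(self, token, now):
        status = self.cdn.get(token, now)
        if status is None:
            status = self.redis.get(token, now)
            if status is None:
                status = self.db.get(token, "unknown")
                self.redis.put(token, status, now)
            self.cdn.put(token, status, now)  # edge caches whatever origin said
        return status

    def revoke(self, token, purge_redis, purge_cdn):
        self.db[token] = "revoked"
        if purge_redis:  # evict origin-side first so the edge cannot refill from it
            self.redis.entries.pop(token, None)
        if purge_cdn:
            self.cdn.entries.pop(token, None)

def stale_seconds(purge_redis, purge_cdn):
    """Seconds after revocation during which verify still answers 'valid'."""
    path = VerifyPath()
    path.db["tok"] = "valid"                    # constructed sample token
    path.redis.put("tok", "valid", 0)           # internal lookup warms Redis at t=0
    path.verify("tok", 30)                      # public request warms the CDN at t=30
    path.revoke("tok", purge_redis, purge_cdn)  # revocation at t=31
    t = 31
    while path.verify("tok", t) == "valid":
        t += 1
    return t - 31
```

Only the run that evicts both layers returns 0; purging the CDN alone returns 60 because the edge refills from the still-warm Redis entry.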
6. CDN
- Public verify page SSR + cached.
- Artifact URLs short-lived; CDN edge caches with signed-URL validation.
- JWKS at CDN edge with 5-min cache + stale-while-revalidate.
7. Regional
- Per region; certificates live in tenant homeRegion.
- Public verify: anycast routing to nearest region; verifies cross-region via regional lookup (if cert in other region, redirect).
8. Service Mesh
mTLS. Egress: progress (to fetch completion evidence), media (logo assets), notification, search, analytics.
9. Release
Blue/green for api. Rolling for issuer/renderer. JWKS updates require CDN purge.
10. DR
RPO 15 min, RTO 90 min. Certificates indefinite retention → multi-region replica. Artifacts on S3 with cross-region replication.
11. Diagram
progress.completion.recorded.v1 ──▶ NATS ──▶ cert-issuer
│
▼
┌─ cert-renderer ─▶ S3 (artifacts) ─▶ CDN
│
▼
KMS sign JWS
│
▼
Postgres (certificates)
│
▼
cert-outbox-relay ──▶ NATS ──▶ notification, search, analytics
Public verify: CDN ──▶ cert-api ──▶ Postgres (read replica)
└─▶ Redis (cache)