Config Service — Deployment Topology
Status: populated
Owner: TBD
Last updated: 2026-04-18
Companion: Service Template · 17 technology-stack
1. Runtime
| Property | Value |
|---|---|
| Runtime | Node.js 22 LTS |
| Framework | NestJS 11 |
| Language | TypeScript 5.x |
| Package | @ghasi/service-config |
| Port | 3015 |
| Container base | node:22-alpine |
2. Replicas and Scaling
| Environment | Min replicas | Max replicas | Scaling trigger |
|---|---|---|---|
| Production | 3 | 10 | CPU > 60 % or request queue depth > 200 |
| Staging | 2 | 4 | CPU > 70 % |
| Dev/local | 1 | 1 | — |
The service is stateless (all state in PostgreSQL + Redis). Horizontal scaling is straightforward. Redis is shared across replicas; cache invalidation events via NATS ensure consistency.
3. Infrastructure Dependencies
| Dependency | Type | Notes |
|---|---|---|
| PostgreSQL 16 | Primary store | Separate schema config_svc; RLS enforced |
| Redis 7 | Cache | Namespace cfg:*; separate Redis instance or dedicated keyspace |
| NATS JetStream | Message bus | Streams: cfg-feature-events, cfg-role-events, cfg-ui-events, cfg-override-events, cfg-token-events, cfg-ops-events |
| facility-service | HTTP | GET /internal/hierarchy/nodes/{id}/ancestors |
| platform-admin-service | HTTP | License check + feature flag endpoints |
| access-policy | HTTP | POST /internal/access/evaluate |
| identity-service | HTTP | User membership validation |
| Kong | API Gateway | Routes /api/v1/config/* with JWT auth; IP-restricts /internal/* |
| Keycloak | Identity | JWT issuer |
| OpenTelemetry Collector | Telemetry | OTLP export to Grafana / Tempo |
4. Regions
| Region | Role | Notes |
|---|---|---|
| Primary (Afghanistan MoPH) | Active | All write traffic; primary PostgreSQL |
| Secondary (DR) | Standby | Read replica; NATS replication; promotes on failover |
Data residency: config data stays in the tenant's designated region per 13-security-compliance-tenancy.md.
5. Health Checks
| Endpoint | Checks |
|---|---|
| GET /health/live | Process alive |
| GET /health/ready | PostgreSQL connection OK; Redis connection OK; NATS connection OK |
Kubernetes: livenessProbe → /health/live; readinessProbe → /health/ready.
6. Resource Limits (Production)
| Resource | Request | Limit |
|---|---|---|
| CPU | 250 m | 1000 m |
| Memory | 256 Mi | 512 Mi |
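As an added example (not the project's own manifest), the production values from sections 1, 2, 5 and 6 map onto a Kubernetes Deployment and HorizontalPodAutoscaler as follows. The resource names, labels and image reference are placeholders, and the queue-depth trigger is left out because it needs a custom metric that this page does not name.

```yaml
# Added example: names, labels and the image reference are placeholders.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: service-config              # assumed name
spec:
  replicas: 3                       # starting count; the HPA below adjusts it between 3 and 10
  selector:
    matchLabels: { app: service-config }
  template:
    metadata:
      labels: { app: service-config }
    spec:
      containers:
        - name: service-config
          # placeholder image reference; the page only states the base image node:22-alpine
          image: registry.example.com/ghasi/service-config:placeholder-tag
          ports:
            - containerPort: 3015
          livenessProbe:            # process alive
            httpGet: { path: /health/live, port: 3015 }
          readinessProbe:           # PostgreSQL, Redis and NATS connections OK
            httpGet: { path: /health/ready, port: 3015 }
          resources:
            requests: { cpu: 250m, memory: 256Mi }
            limits: { cpu: 1000m, memory: 512Mi }
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: service-config
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: service-config
  minReplicas: 3
  maxReplicas: 10
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 60    # percent of the 250m request, not of the 1000m limit
```

Because the readiness probe covers all three backing connections, a pod that loses PostgreSQL, Redis or NATS is taken out of the Service endpoints but is not restarted; only a failed liveness probe restarts the container.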
7. Deployment Diagram