Auth Service — Deployment Topology
Status: populated | Owner: SRE | Last updated: 2026-04-19
Change log
- v1.2 (2026-04-19) — Namespace moved to ghasi-identity (co-located with Keycloak); added Keycloak as a hard dependency; expanded Kong routes for SSO, SAML, SCIM, and tenant IdP management.
| Object | Value |
|---|---|
| Kind | Deployment |
| Namespace | ghasi-identity |
| Replicas | HPA 2–5, CPU 70% |
| Resources | requests 250m/256Mi, limits 1000m/512Mi |
| PDB | minAvailable 2 |
| ServiceAccount | auth-service (Vault K8s auth) |
| Listen | :3020 HTTP, :9464 metrics |
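The object table above rendered as Kubernetes manifests. This is an added example for this page, not the service's checked-in manifests: the `app: auth-service` labels, the image placeholder and the pod `securityContext` hardening are assumptions; replica bounds, CPU target, resources, PDB, ServiceAccount and ports are taken from the table.

```yaml
# Added example: Deployment / HPA / PDB matching the object table.
# Assumed: app=auth-service labels, image placeholder, securityContext block.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: auth-service
  namespace: ghasi-identity
  labels:
    app: auth-service
spec:
  # Starting count only; the HPA below owns the replica count at runtime.
  replicas: 2
  selector:
    matchLabels:
      app: auth-service
  template:
    metadata:
      labels:
        app: auth-service
    spec:
      serviceAccountName: auth-service    # bound to Vault's Kubernetes auth role
      automountServiceAccountToken: true  # Vault K8s auth presents the SA token
      containers:
        - name: auth-service
          image: REGISTRY_PLACEHOLDER/auth-service:TAG_PLACEHOLDER
          ports:
            - name: http
              containerPort: 3020
            - name: metrics
              containerPort: 9464
          resources:
            requests:
              cpu: 250m
              memory: 256Mi
            limits:
              cpu: 1000m
              memory: 512Mi
          # Assumed hardening; not stated in the table.
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop: ["ALL"]
---
apiVersion: autoscaling/v2
kind: HorizontalPodAutoscaler
metadata:
  name: auth-service
  namespace: ghasi-identity
spec:
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: auth-service
  minReplicas: 2
  maxReplicas: 5
  metrics:
    - type: Resource
      resource:
        name: cpu
        target:
          type: Utilization
          averageUtilization: 70   # percent of the 250m request, i.e. ~175m per pod
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: auth-service
  namespace: ghasi-identity
spec:
  minAvailable: 2
  selector:
    matchLabels:
      app: auth-service
```

Check before relying on this: with HPA `minReplicas: 2` and PDB `minAvailable: 2`, no voluntary disruption (node drain, cluster upgrade) can evict either pod while the service sits at its floor; drains block until the HPA has scaled above 2. The HPA utilization target is a percentage of the CPU request, not the limit.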
Dependencies: Keycloak (base IdP, same namespace), PostgreSQL (auth schema; any read-only visibility into the keycloak schema is unused, since all interaction with Keycloak is via the Admin REST API only), Redis, Vault, NATS. Firebase Admin retained only if legacy tenants remain.
Kong routes (upstream)
| Kong route(s) | Upstream |
|---|---|
| /v1/auth/login, /v1/auth/refresh, /v1/auth/logout, /v1/auth/mfa/* | auth-service:3020 |
| /v1/auth/sso/start, /v1/auth/sso/callback, /v1/auth/sso/logout | auth-service:3020 |
| /v1/auth/saml/* | auth-service:3020 |
| /v1/users/*, /v1/users/me/*, /v1/api-keys/* | auth-service:3020 |
| /v1/tenants/{tenantId}/identity-providers* | auth-service:3020 (tenant-admin scoped) |
| /scim/v2/* | auth-service:3020 (per-tenant bearer token) |
Internal-only (no Kong route): /.well-known/jwks.json, /v1/api-keys/lookup.
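The route table expressed as Kong declarative (DB-less / decK) configuration. Added example, not the gateway config in the repo; it assumes Kong 3.x format, that the upstream is reached through the cluster Service DNS name, and that the internal-only `/v1/api-keys/lookup` path is carved out of the `/v1/api-keys/*` prefix with a `request-termination` route, since otherwise the prefix route would expose it. Tenant-admin scoping and the per-tenant SCIM bearer token are enforced by auth-service, not by the gateway.

```yaml
# Added example: Kong 3.x declarative config for the route table above.
# Assumed: upstream Service DNS name, "~" regex paths for exact matches,
# request-termination carve-out for the internal-only lookup endpoint.
_format_version: "3.0"
services:
  - name: auth-service
    url: http://auth-service.ghasi-identity.svc.cluster.local:3020
    routes:
      - name: auth-core
        strip_path: false
        paths:
          # Exact matches: a plain "/v1/auth/login" is a prefix match in Kong 3.x
          # and would also route "/v1/auth/login-anything".
          - "~/v1/auth/login$"
          - "~/v1/auth/refresh$"
          - "~/v1/auth/logout$"
          - "/v1/auth/mfa/"            # wildcard in the table: prefix is intended
      - name: auth-sso
        strip_path: false
        paths:
          - "~/v1/auth/sso/start$"
          - "~/v1/auth/sso/callback$"
          - "~/v1/auth/sso/logout$"
      - name: auth-saml
        strip_path: false
        paths: ["/v1/auth/saml/"]
      - name: users-and-api-keys
        strip_path: false
        paths:
          - "/v1/users/"                # also covers /v1/users/me/*
          - "/v1/api-keys/"
      - name: api-keys-lookup-deny
        # /v1/api-keys/lookup is internal-only and must not be reachable via Kong.
        # Anchored regex plus regex_priority so it wins over the prefix route.
        strip_path: false
        regex_priority: 10
        paths: ["~/v1/api-keys/lookup$"]
        plugins:
          - name: request-termination
            config:
              status_code: 404
      - name: tenant-idp-admin
        strip_path: false
        paths:
          - "~/v1/tenants/[^/]+/identity-providers"   # {tenantId} segment
      - name: scim
        strip_path: false
        paths: ["/scim/v2/"]
```

`/.well-known/jwks.json` is simply absent, which is all that is needed for a path with no overlapping prefix route. The carve-out route is the part to verify against the Kong version in use: confirm with a request to `/v1/api-keys/lookup` through the gateway that the deny route is selected ahead of the `/v1/api-keys/` prefix route.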
Keycloak sidecar topology
ghasi-identity namespace
├── keycloak (StatefulSet, 2 replicas, HA, Postgres-backed)
│ └── realm: ghasi-prod (per env); per-tenant IdP mappers configured via Admin REST
├── auth-service (Deployment, 2–5 replicas)
│ └── NetworkPolicy: can reach keycloak:8443 + postgres + redis + vault + nats
└── compliance-ai (Deployment, 1–2 replicas) — unrelated; shares namespace for tighter policy
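The auth-service NetworkPolicy from the tree above, as an added example rather than the policy in the repo. Assumed: pods are selected by `app=<name>` labels, PostgreSQL, Redis, Vault and NATS live outside ghasi-identity in a namespace referenced here by a placeholder `kubernetes.io/metadata.name` value, and they listen on their default ports (5432, 6379, 8200, 4222). Keycloak on 8443 in the same namespace is from the page.

```yaml
# Added example: egress NetworkPolicy for auth-service pods.
# Assumed: app=<name> pod labels, placeholder backing-services namespace,
# default ports for postgres/redis/vault/nats.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: auth-service-egress
  namespace: ghasi-identity
spec:
  podSelector:
    matchLabels:
      app: auth-service
  policyTypes: ["Egress"]
  egress:
    # DNS: without this rule every name lookup below fails.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - {protocol: UDP, port: 53}
        - {protocol: TCP, port: 53}
    # Keycloak, same namespace, Admin REST over TLS on 8443 only.
    - to:
        - podSelector:
            matchLabels:
              app: keycloak
      ports:
        - {protocol: TCP, port: 8443}
    # Backing services, one rule each so ports are bound to the right peer.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: backing-services-placeholder
          podSelector:
            matchLabels:
              app: postgres
      ports: [{protocol: TCP, port: 5432}]
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: backing-services-placeholder
          podSelector:
            matchLabels:
              app: redis
      ports: [{protocol: TCP, port: 6379}]
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: backing-services-placeholder
          podSelector:
            matchLabels:
              app: vault
      ports: [{protocol: TCP, port: 8200}]
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: backing-services-placeholder
          podSelector:
            matchLabels:
              app: nats
      ports: [{protocol: TCP, port: 4222}]
```

A `namespaceSelector` and `podSelector` inside the same `to` entry are ANDed, which is what keeps each port tied to one peer. Nothing here admits traffic to compliance-ai, and the ingress side (Kong to :3020, the metrics scraper to :9464, auth-service to keycloak:8443 as seen from Keycloak) needs matching Ingress policies on those pods, which this example does not include.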
Rollout
Canary 10% / 15 min. Rollback: image revert. JWKS rotation decoupled from rollout — never rotate during canary. Keycloak upgrades follow a separate cadence (quarterly LTS alignment); auth-service tolerates Keycloak minor version skew in both directions.