# Infrastructure as Code (IaC), Kubernetes Manifests, and Service Mesh Configuration for the 3RVision Application

This repository contains the complete infrastructure setup for deploying the 3RVision application as a cloud-native microservices architecture. The project demonstrates modern DevOps practices and production-ready Kubernetes deployment patterns.

1. Infrastructure as Code with Terraform
   - Automated Kind (Kubernetes in Docker) cluster provisioning
   - Multi-node cluster setup with 1 control plane and 2 worker nodes
   - Configurable port mappings for external access
2. Microservices Deployment on Kubernetes
   - Three-tier architecture: Frontend, Backend, and ML Model services
   - Each service deployed in its own namespace for better resource management
   - ConfigMaps and Secrets for externalized configuration
   - Health probes (readiness/liveness) for reliable service availability
3. Istio Service Mesh Integration
   - Traffic Management: VirtualServices and DestinationRules for intelligent routing
   - Canary Deployments: Weight-based traffic splitting (90/10) between stable and canary versions
   - Header-based Routing: Route specific requests to the canary using the `x-canary: true` header
   - Security: Strict mTLS (mutual TLS) encryption for all inter-service communication
   - Load Balancing: Round-robin distribution with connection pooling
   - Circuit Breaking: Outlier detection to prevent cascading failures
4. Observability Stack
   - Prometheus: Metrics collection from Kubernetes, Istio, and Envoy proxies
   - Jaeger: Distributed tracing with 100% sampling for request flow visibility
   - Grafana: Visualization dashboards connected to the Prometheus datasource
5. Production-Ready Patterns
   - Canary deployment strategy for safe rollouts
   - Namespace isolation for security boundaries
   - RBAC configuration for the Prometheus service account
   - Automated deployment scripts for observability components
| Section | Description |
|---|---|
| Architecture Overview | High-level system design |
| Repository Structure | Project organization |
| Mind Maps | Visual diagrams of components |
| Getting Started | Setup instructions |
| Component Deep Dive | Detailed configurations |
| Canary Deployment | Traffic splitting strategy |
| Service Ports | Port reference table |
## Architecture Overview

3RVision is deployed on Kubernetes with the Istio service mesh for advanced traffic management, security, and observability.

```
┌─────────────────────┐
│ User/Client │
└──────────┬──────────┘
│
▼
┌──────────────────────────────────────────────────────────────────────────┐
│ KIND KUBERNETES CLUSTER │
│ (Terraform Provisioned) │
│ ┌────────────────┐ ┌────────────────┐ ┌────────────────┐ │
│ │ Control Plane │ │ Worker #1 │ │ Worker #2 │ │
│ └────────────────┘ └────────────────┘ └────────────────┘ │
├──────────────────────────────────────────────────────────────────────────┤
│ ISTIO SERVICE MESH │
│ │
│ Gateway ──────► VirtualService ──────► DestinationRule │
│ (Ingress) (Routing) (mTLS + Load Balancing) │
├──────────────────────────────────────────────────────────────────────────┤
│ MICROSERVICES │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ FRONTEND │ │ BACKEND │ │ ML MODEL │ │
│ │ (Next.js) │───►│ (Go) │───►│ (Flask) │ │
│ │ Port: 3000 │ │ Port: 8080 │ │ Port: 5001 │ │
│ │ │ │ │ │ │ │
│ │ stable/canary│ │ stable/canary│ │ stable/canary│ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
├──────────────────────────────────────────────────────────────────────────┤
│ OBSERVABILITY STACK │
│ │
│ ┌──────────────┐ ┌──────────────┐ ┌──────────────┐ │
│ │ Prometheus │ │ Jaeger │ │ Grafana │ │
│ │ (Metrics) │ │ (Tracing) │ │ (Dashboards) │ │
│ │ Port: 9090 │ │ Port: 16686 │ │ Port: 3000 │ │
│ └──────────────┘ └──────────────┘ └──────────────┘ │
└──────────────────────────────────────────────────────────────────────────┘
```
## Repository Structure

```
3RVision-Infra/
├── Readme.md # This documentation file
├── .gitignore # Git ignore patterns
│
├── Terraform/ # Infrastructure as Code
│ └── kind-cluster/
│ ├── main.tf # Kind cluster definition
│ ├── variables.tf # Cluster configuration variables
│ └── outputs.tf # Cluster outputs (kubeconfig, endpoints)
│
├── k8s/ # Kubernetes Manifests
│ ├── backend/ # Backend service manifests
│ │ ├── deployment-stable.yaml # Stable version deployment
│ │ ├── deployment-canary.yaml # Canary version deployment
│ │ ├── service.yaml # Backend service definition
│ │ ├── secret.yaml # Environment secrets
│ │ └── backup-backend-deployment.yaml
│ │
│ ├── frontend/ # Frontend service manifests
│ │ ├── deployment-stable.yaml # Stable version deployment
│ │ ├── deployment-canary.yaml # Canary version deployment
│ │ ├── service.yaml # Frontend service definition
│ │ ├── secrets.yaml # Environment secrets
│ │ └── backup-frontend-deployment.yaml
│ │
│ ├── model/ # ML Model service manifests
│ │ ├── deployment-stable.yaml # Stable version deployment
│ │ ├── deployment-canary.yaml # Canary version deployment
│ │ ├── service.yaml # ML service definition
│ │ ├── configmap.yaml # Model configuration
│ │ └── backup-ml-deployment.yaml
│ │
│ └── observability/ # Monitoring & Tracing
│ ├── namespace.yaml # Observability namespace
│ ├── prometheus/ # Metrics collection
│ │ ├── config.yaml # Prometheus scrape config
│ │ ├── deployment.yaml # Prometheus deployment
│ │ ├── rbac.yaml # RBAC permissions
│ │ ├── deploy-prometheus.sh # Deployment script
│ │ └── verify-prometheus.sh # Verification script
│ ├── jaeger/ # Distributed tracing
│ │ ├── deployment.yaml # Jaeger all-in-one deployment
│ │ ├── deploy-jaeger.sh # Deployment script
│ │ └── verify-jaeger.sh # Verification script
│ └── grafana/ # Visualization dashboards
│ ├── datasource.yaml # Prometheus datasource config
│ ├── deployment.yaml # Grafana deployment
│ └── deploy-grafana.sh # Deployment script
│
└── istio/ # Service Mesh Configuration
├── gateway/
│ └── frontend-gateway.yaml # Istio ingress gateway
│
├── virtual-services/ # Traffic routing rules
│ ├── virtualservice-frontend-gateway.yaml # External traffic routing
│ ├── virtualservice-frontend-mesh.yaml # Internal mesh routing
│ ├── virtualservice-backend.yaml # Backend routing
│ └── virtualservice-ml.yaml # ML service routing
│
├── destination-rules/ # Load balancing & connection pools
│ ├── destination-rule-frontend.yaml
│ ├── destination-rule-backend.yaml
│ └── destination-rule-ml.yaml
│
├── mTLS/ # Mutual TLS configuration
│ ├── peer-authentication/
│ │ ├── peer-authentication-frontend.yaml
│ │ ├── peer-authentication-backend.yaml
│ │ └── peer-authentication-ml.yaml
│ └── verify-mtls.sh # mTLS verification script
│
└── telemetry/
└── tracing-config.yaml # Jaeger tracing configuration
```
## Mind Maps

```
USER REQUEST
│
▼
┌─────────────────────────────┐
│ Istio Ingress Gateway │
│ (Port: 30080) │
└─────────────────────────────┘
│
┌────────────────────────┼────────────────────────┐
│ │ │
▼ ▼ ▼
┌─────────────┐ ┌─────────────┐ ┌─────────────┐
│ FRONTEND │ │ BACKEND │ │ ML MODEL │
│ Namespace │ │ Namespace │ │ Namespace │
├─────────────┤ ├─────────────┤ ├─────────────┤
│ │ │ │ │ │
│ Service: │ │ Service: │ │ Service: │
│ frontend-svc│─────────►│ backend-svc │─────────►│ ml-svc │
│ Port: 3000 │ │ Port: 8080 │ │ Port: 5001 │
│ │ │ │ │ │
│ Deployments:│ │ Deployments:│ │ Deployments:│
│ • stable(2) │ │ • stable(2) │ │ • stable(2) │
│ • canary(1) │ │ • canary(1) │ │ • canary(1) │
│ │ │ │ │ │
│ Config: │ │ Config: │ │ Config: │
│ [Secrets] │ │ [Secrets] │ │ [ConfigMap] │
└─────────────┘ └─────────────┘ └─────────────┘
```
```
ISTIO SERVICE MESH TRAFFIC FLOW
┌─────────────────────────────────────────────────────────────────────────────┐
│ │
│ EXTERNAL TRAFFIC INTERNAL (MESH) TRAFFIC │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────┐ ┌─────────────┐ │
│ │ frontend- │ │ mesh │ │
│ │ gateway │ │ (default) │ │
│ │ Port:3000 │ │ │ │
│ └──────┬──────┘ └──────┬──────┘ │
│ │ │ │
│ ▼ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ VIRTUAL SERVICES │ │
│ │ │ │
│ │ Routing Rules: │ │
│ │ • Header "x-canary: true" ──► 100% Canary │ │
│ │ • Default Traffic ──► 10% Stable + 90% Canary │ │
│ └─────────────────────────────────────────────────────────────────────┘ │
│ │ │
│ ▼ │
│ ┌─────────────────────────────────────────────────────────────────────┐ │
│ │ DESTINATION RULES │ │
│ ├─────────────────────┬─────────────────────┬─────────────────────────┤ │
│ │ frontend-dr │ backend-dr │ ml-dr │ │
│ ├─────────────────────┼─────────────────────┼─────────────────────────┤ │
│ │ TLS: ISTIO_MUTUAL │ TLS: ISTIO_MUTUAL │ TLS: ISTIO_MUTUAL │ │
│ │ LB: ROUND_ROBIN │ LB: ROUND_ROBIN │ LB: ROUND_ROBIN │ │
│ │ TCP Conn: 100 │ TCP Conn: 100 │ TCP Conn: 50 │ │
│ │ HTTP Pending: 50 │ HTTP Pending: 50 │ HTTP Pending: 30 │ │
│ │ Outlier: 3 errors │ Outlier: 3 errors │ Outlier: 3 errors │ │
│ │ │ │ │ │
│ │ Subsets: │ Subsets: │ Subsets: │ │
│ │ • stable │ • stable │ • stable │ │
│ │ • canary │ • canary │ • canary │ │
│ └─────────────────────┴─────────────────────┴─────────────────────────┘ │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
```
```
mTLS SECURITY CONFIGURATION
┌─────────────────────────────────────────────────────────────────────────────┐
│ │
│ ┌──────────────────────────────┐ │
│ │ PeerAuthentication │ │
│ │ (STRICT mTLS Enforcement) │ │
│ └──────────────┬───────────────┘ │
│ │ │
│ ┌──────────────────────┼──────────────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ frontend-mtls │ │ backend-mtls │ │ ml-mtls │ │
│ │ NS: frontend │ │ NS: backend │ │ NS: ml │ │
│ │ Mode: STRICT │ │ Mode: STRICT │ │ Mode: STRICT │ │
│ └────────┬────────┘ └────────┬────────┘ └────────┬────────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Envoy Sidecar │ │ Envoy Sidecar │ │ Envoy Sidecar │ │
│ │ (TLS 1.2/1.3) │ │ (TLS 1.2/1.3) │ │ (TLS 1.2/1.3) │ │
│ └────────┬────────┘ └────────┬────────┘ └────────┬────────┘ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ Frontend App │ │ Backend App │ │ ML Model │ │
│ │ (plaintext) │ │ (plaintext) │ │ (plaintext) │ │
│ └─────────────────┘ └─────────────────┘ └─────────────────┘ │
│ │
├─────────────────────────────────────────────────────────────────────────────┤
│ ENCRYPTED TRAFFIC FLOW │
│ │
│ Frontend ◄───── [mTLS] ─────► Backend ◄───── [mTLS] ─────► ML Model │
│ │
│ All inter-service communication is encrypted with mutual TLS │
└─────────────────────────────────────────────────────────────────────────────┘
```
```
OBSERVABILITY ARCHITECTURE
(Namespace: observability)
┌─────────────────────────────────────────────────────────────────────────────┐
│ │
│ ┌───────────────────┐ │
│ │ Istio Telemetry │ │
│ │ (100% sampling) │ │
│ └─────────┬─────────┘ │
│ │ │
│ ┌──────────────────────┼──────────────────────┐ │
│ │ │ │ │
│ ▼ ▼ ▼ │
│ ┌─────────────────┐ ┌─────────────────┐ ┌─────────────────┐ │
│ │ PROMETHEUS │ │ JAEGER │ │ GRAFANA │ │
│ │ (Metrics) │ │ (Tracing) │ │ (Dashboards) │ │
│ ├─────────────────┤ ├─────────────────┤ ├─────────────────┤ │
│ │ Port: 9090 │ │ Port: 16686 │ │ Port: 3000 │ │
│ │ NodePort: 30090 │ │ NodePort: 30686 │ │ NodePort: 30330 │ │
│ ├─────────────────┤ ├─────────────────┤ ├─────────────────┤ │
│ │ Scrape Jobs: │ │ Collectors: │ │ Datasource: │ │
│ │ • prometheus │ │ • Zipkin (9411) │ │ • Prometheus │ │
│ │ • k8s-apiserver │ │ • gRPC (14250) │ │ │ │
│ │ • k8s-nodes │ │ • OTLP (4317) │ │ Features: │ │
│ │ • k8s-pods │ │ │ │ • Dashboards │ │
│ │ • istio-mesh │ │ Tags: │ │ • Istio metrics │ │
│ │ • envoy-stats │ │ • env: dev │ │ • Alerting │ │
│ │ • ingress-gw │ │ • cluster: kind │ │ │ │
│ └─────────────────┘ └─────────────────┘ │ Auth: │ │
│ │ admin/admin │ │
│ └─────────────────┘ │
│ │
├─────────────────────────────────────────────────────────────────────────────┤
│ DATA COLLECTION FLOW │
│ │
│ ┌─────────────┐ ┌─────────────┐ ┌─────────────┐ │
│ │ Frontend │ │ Backend │ │ ML Model │ │
│ │ + Envoy │ │ + Envoy │ │ + Envoy │ │
│ └──────┬──────┘ └──────┬──────┘ └──────┬──────┘ │
│ │ │ │ │
│ └───────────────────┼───────────────────┘ │
│ │ │
│ Envoy Proxy Metrics (port 15090) │
│ │ │
│ ┌───────────────┼───────────────┐ │
│ ▼ ▼ ▼ │
│ Prometheus Jaeger Grafana │
│ (scrape) (receive) (query) │
│ │
└─────────────────────────────────────────────────────────────────────────────┘
```
## Getting Started

### Prerequisites

- Docker installed and running
- Terraform v1.0+
- kubectl v1.25+
- Istio CLI (istioctl)
- Kind (optional; Terraform handles this)

### Provision the Kind Cluster

```bash
# Navigate to Terraform directory
cd Terraform/kind-cluster
# Initialize Terraform
terraform init
# Review the plan
terraform plan
# Create the cluster
terraform apply -auto-approve
# Get cluster info
terraform output
```

What this creates:

- A Kind (Kubernetes in Docker) cluster named `3rvision-cluster`
- 1 Control Plane node
- 2 Worker nodes
- Port mappings: 30080 (HTTP), 30443 (HTTPS)
### Deploy the Microservices

```bash
# Create namespaces with Istio sidecar injection
kubectl create namespace frontend
kubectl create namespace backend
kubectl create namespace ml
kubectl label namespace frontend istio-injection=enabled
kubectl label namespace backend istio-injection=enabled
kubectl label namespace ml istio-injection=enabled
# Deploy Frontend
kubectl apply -f k8s/frontend/secrets.yaml
kubectl apply -f k8s/frontend/deployment-stable.yaml
kubectl apply -f k8s/frontend/deployment-canary.yaml
kubectl apply -f k8s/frontend/service.yaml
# Deploy Backend
kubectl apply -f k8s/backend/secret.yaml
kubectl apply -f k8s/backend/deployment-stable.yaml
kubectl apply -f k8s/backend/deployment-canary.yaml
kubectl apply -f k8s/backend/service.yaml
# Deploy ML Model
kubectl apply -f k8s/model/configmap.yaml
kubectl apply -f k8s/model/deployment-stable.yaml
kubectl apply -f k8s/model/deployment-canary.yaml
kubectl apply -f k8s/model/service.yaml
```

### Configure the Istio Service Mesh

```bash
# Install Istio (if not already installed)
istioctl install --set profile=demo -y
# Deploy Gateway
kubectl apply -f istio/gateway/frontend-gateway.yaml
# Deploy Virtual Services
kubectl apply -f istio/virtual-services/
# Deploy Destination Rules
kubectl apply -f istio/destination-rules/
# Deploy mTLS policies
kubectl apply -f istio/mTLS/peer-authentication/
# Configure Tracing
kubectl apply -f istio/telemetry/tracing-config.yaml
# Verify mTLS
./istio/mTLS/verify-mtls.sh
```

Note that the sidecar injector only acts when a pod is created: if Istio was not yet installed when the deployments above were applied, the existing pods have no Envoy sidecar and must be restarted (`kubectl rollout restart deployment -n <namespace>`) before the mTLS policies can take effect for them.

### Deploy the Observability Stack

```bash
# Deploy observability stack
./k8s/observability/prometheus/deploy-prometheus.sh
./k8s/observability/jaeger/deploy-jaeger.sh
./k8s/observability/grafana/deploy-grafana.sh
# Verify deployments
./k8s/observability/prometheus/verify-prometheus.sh
./k8s/observability/jaeger/verify-jaeger.sh
```

## Component Deep Dive

### Terraform (Terraform/kind-cluster/)

| File | Purpose |
|---|---|
| main.tf | Defines the Kind cluster with control plane and worker nodes. Configures port mappings for external access (30080→80, 30443→443). |
| variables.tf | Defines configurable parameters (cluster name defaults to 3rvision-cluster). |
| outputs.tf | Exports cluster information including kubeconfig path, endpoint, and certificates. |
### Backend (k8s/backend/)

| File | Description |
|---|---|
| deployment-stable.yaml | Production deployment (v2) with 2 replicas |
| deployment-canary.yaml | Test deployment (v3) with 1 replica |
| service.yaml | NodePort service on port 30080 |
| secret.yaml | Contains ML_SERVER_URL, AWS credentials, Gemini API key |
### Frontend (k8s/frontend/)

| File | Description |
|---|---|
| deployment-stable.yaml | Production deployment with 2 replicas, health probes |
| deployment-canary.yaml | Test deployment (v3) with 1 replica, health probes |
| service.yaml | NodePort service on port 30300 |
| secrets.yaml | Contains backend URLs, MongoDB URI, JWT secret, email credentials |
### ML Model (k8s/model/)

| File | Description |
|---|---|
| deployment-stable.yaml | Production deployment with 2 replicas, health probes |
| deployment-canary.yaml | Test deployment (v3) with 1 replica, health probes |
| service.yaml | NodePort service on port 30501 |
| configmap.yaml | Contains PORT and MODEL_PATH configuration |
### Istio Gateway (istio/gateway/)

- frontend-gateway.yaml: Configures the Istio Ingress Gateway to accept HTTP traffic on port 3000 for all hosts.
### Virtual Services (istio/virtual-services/)

| File | Traffic Routing |
|---|---|
| virtualservice-frontend-gateway.yaml | External traffic: x-canary header → 100% canary; default → 10% stable, 90% canary |
| virtualservice-frontend-mesh.yaml | Internal mesh traffic with the same routing rules |
| virtualservice-backend.yaml | Backend routing: x-canary → canary; default → 10% stable, 90% canary |
| virtualservice-ml.yaml | ML routing: x-canary → canary; default → 10% stable, 90% canary |
### Destination Rules (istio/destination-rules/)

All services have consistent policies:

- TLS: ISTIO_MUTUAL (automatic mTLS)
- Load Balancer: ROUND_ROBIN
- Connection Pool: TCP (50-100 max connections), HTTP (30-100 pending requests)
- Outlier Detection: 3 consecutive errors, 30s interval, 30s ejection time
- Subsets: stable, canary (based on the version label)
### mTLS (istio/mTLS/)

All namespaces (frontend, backend, ml) have STRICT mTLS enforcement, ensuring that all service-to-service communication is encrypted.
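The two halves of the mTLS setup for one namespace, as an added example (not taken from the repository): a namespace-wide PeerAuthentication in STRICT mode, which controls what the backend sidecars accept, beside the backend DestinationRule carrying the policy values listed in the previous section (ISTIO_MUTUAL, ROUND_ROBIN, 100 TCP connections, 50 pending HTTP requests, 3 consecutive errors with a 30s interval and 30s ejection), which controls what client sidecars send. The resource names, the `backend-svc.backend.svc.cluster.local` host and the `version: stable` / `version: canary` label values are assumptions; the README only says the subsets are keyed on the version label.

```yaml
# Added example, not a file from this repository. Names, host and label values are assumptions.
apiVersion: security.istio.io/v1beta1
kind: PeerAuthentication
metadata:
  name: backend-mtls
  namespace: backend
spec:
  # No selector: applies to every sidecar in the namespace.
  mtls:
    mode: STRICT               # plaintext connections to the sidecar are refused
---
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: backend-dr
  namespace: backend
spec:
  host: backend-svc.backend.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL       # client sidecar originates mTLS with Istio-issued certificates
    loadBalancer:
      simple: ROUND_ROBIN
    connectionPool:
      tcp:
        maxConnections: 100
      http:
        http1MaxPendingRequests: 50
    outlierDetection:
      consecutive5xxErrors: 3  # eject an endpoint after 3 consecutive 5xx responses
      interval: 30s            # how often the ejection sweep runs
      baseEjectionTime: 30s    # minimum time an ejected endpoint stays out of the pool
  subsets:
    - name: stable
      labels:
        version: stable
    - name: canary
      labels:
        version: canary
```

Istio's auto-mTLS would normally infer the client side on its own, but stating `ISTIO_MUTUAL` explicitly, as this repository does, keeps the intent visible in review and survives auto-mTLS being disabled. STRICT mode applies to the application ports only; Envoy's telemetry port 15090 is served by the sidecar itself, which is why Prometheus can still scrape it without a certificate. If the sidecar is missing from a pod (for example because it was created before Istio was installed), that pod is not subject to the policy at all, so `kubectl get pods -n backend` showing `2/2` containers per pod is the first thing to check before trusting `verify-mtls.sh`.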
### Observability (k8s/observability/)

| Component | Purpose | Access |
|---|---|---|
| Prometheus | Metrics collection and storage | NodePort: 30090, Port-forward: 9090 |
| Jaeger | Distributed tracing | NodePort: 30686, Port-forward: 16686 |
| Grafana | Visualization dashboards | NodePort: 30330, Port-forward: 3030 |
Prometheus Scrape Targets:
- Prometheus self-monitoring
- Kubernetes API servers
- Kubernetes nodes (kubelet)
- Kubernetes pods (with annotation)
- Istio control plane (istiod)
- Envoy proxies (port 15090)
- Istio Ingress Gateway
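How scrape targets like the ones listed above are usually expressed with Prometheus's `kubernetes_sd_configs`, as an added illustration (not the repository's config.yaml): self-monitoring, istiod in `istio-system` via its `http-monitoring` Service port, annotation-driven pod discovery, and the Envoy sidecar stats on port 15090. The job names and the 15s interval are assumptions.

```yaml
# Added example, not the repository's Prometheus config. Job names and interval are assumptions.
global:
  scrape_interval: 15s

scrape_configs:
  # Prometheus self-monitoring.
  - job_name: prometheus
    static_configs:
      - targets: ["localhost:9090"]

  # Istio control plane: keep only the istiod Service's http-monitoring endpoint port.
  - job_name: istiod
    kubernetes_sd_configs:
      - role: endpoints
        namespaces:
          names: [istio-system]
    relabel_configs:
      - source_labels: [__meta_kubernetes_service_name, __meta_kubernetes_endpoint_port_name]
        action: keep
        regex: istiod;http-monitoring

  # Envoy sidecar stats: the sidecar exposes /stats/prometheus on a container port
  # named http-envoy-prom (15090), which is served in plaintext even under STRICT mTLS.
  - job_name: envoy-stats
    metrics_path: /stats/prometheus
    kubernetes_sd_configs:
      - role: pod
    relabel_configs:
      - source_labels: [__meta_kubernetes_pod_container_port_name]
        action: keep
        regex: ".*-envoy-prom"
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod

  # Application pods opt in with annotations; only pods marked prometheus.io/scrape=true are kept.
  - job_name: kubernetes-pods
    kubernetes_sd_configs:
      - role: pod
    relabel_configs:
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_scrape]
        action: keep
        regex: "true"
      - source_labels: [__meta_kubernetes_pod_annotation_prometheus_io_path]
        action: replace
        target_label: __metrics_path__
        regex: (.+)
      - source_labels: [__address__, __meta_kubernetes_pod_annotation_prometheus_io_port]
        action: replace
        regex: ([^:]+)(?::\d+)?;(\d+)
        replacement: $1:$2
        target_label: __address__
      - source_labels: [__meta_kubernetes_namespace]
        target_label: namespace
      - source_labels: [__meta_kubernetes_pod_name]
        target_label: pod
```

Every `kubernetes_sd_configs` role here reads the API server, so the Prometheus service account needs `get`, `list` and `watch` on pods, endpoints, services and nodes; that read-only ClusterRole is all the repository's rbac.yaml has to grant, and nothing in this configuration needs write access or secrets. The `keep` actions are the filter: a pod that does not carry the annotation, or a port not named `*-envoy-prom`, is never scraped.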
Jaeger Configuration:
- 100% trace sampling
- Custom tags: environment (3rvision-dev), cluster (kind-cluster)
- Zipkin-compatible endpoint at 9411
## Canary Deployment

The infrastructure supports canary deployments through Istio VirtualServices:

```
┌──────────────────────────────────────────────────────────────┐
│ CANARY DEPLOYMENT FLOW │
└──────────────────────────────────────────────────────────────┘
Incoming Traffic
│
▼
┌──────────────┐
│ Header Check │
│ x-canary:true│
└──────┬───────┘
│
┌────┴────┐
│Yes │No
▼ ▼
┌────────┐ ┌──────────────┐
│ Canary │ │Weight-Based │
│ (100%) │ │Distribution │
└────────┘ │ │
│ ┌──────────┐ │
│ │Stable 10%│ │
│ └──────────┘ │
│ ┌──────────┐ │
│ │Canary 90%│ │
│ └──────────┘ │
└──────────────┘
```
## Service Ports

| Service | Internal Port | NodePort | Port-Forward | Description |
|---|---|---|---|---|
| Frontend | 3000 | 30300 | 3000:3000 | Next.js application |
| Backend | 8080 | 30080 | 8080:8080 | Go API server |
| ML Model | 5001 | 30501 | 5001:5001 | Flask ML service |
| Prometheus | 9090 | 30090 | 9090:9090 | Metrics dashboard |
| Jaeger | 16686 | 30686 | 16686:16686 | Tracing UI |
| Grafana | 3000 | 30330 | 3030:3000 | Visualization dashboards |
| Istio Gateway | 3000 | - | - | HTTP ingress |