KubePlatform

Architecture

Learn how all components play together.

DNS & TLS

Ingress resources drive both cert-manager and external-dns. external-dns picks up the hostnames implicitly from the Ingress rules, whereas cert-manager needs an annotation on the Ingress, or an already existing Certificate resource, to know which hostnames it should issue and renew certificates for.

[Figure: dns-tls]

OAuth2

This figure shows the role of the Ingresses: they are configured to send every request through the oauth2-proxy first. The nginx-ingress controller has no special role here beyond being configured by routing rules in the shape of Ingress resources. Most of the OAuth2 flow is carried out through browser redirects. Keycloak acts as the identity provider in this setup, but other IAM services can be used with the oauth2-proxy as well.

[Figure: oauth]
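To make the DNS & TLS and OAuth2 sections above concrete, here is an added example Ingress (not taken from the KubePlatform repository) that is consumed by external-dns, cert-manager and the nginx-ingress controller at once; the hostnames, namespace, backend service, oauth2-proxy endpoint and the ClusterIssuer name `letsencrypt-prod` are assumptions for the example.

```yaml
# Added example, not KubePlatform's own manifest. Hostnames, namespace,
# service name and the ClusterIssuer "letsencrypt-prod" are assumed values.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: grafana
  namespace: monitoring
  annotations:
    # cert-manager watches this annotation and issues a certificate for the
    # hosts listed under spec.tls, storing it in the referenced secret.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # nginx-ingress asks oauth2-proxy (assumed to be reachable at
    # auth.example.com) whether the request carries a valid session before
    # forwarding it; requests without one are redirected to the sign-in URL,
    # which starts the browser-redirect flow against Keycloak.
    nginx.ingress.kubernetes.io/auth-url: "https://auth.example.com/oauth2/auth"
    nginx.ingress.kubernetes.io/auth-signin: "https://auth.example.com/oauth2/start?rd=$scheme://$host$request_uri"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - grafana.example.com
      secretName: grafana-tls   # created and renewed by cert-manager
  rules:
    # external-dns needs no annotation: it reads this host from the rule and
    # creates the DNS record pointing at the ingress controller's address.
    - host: grafana.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: grafana
                port:
                  number: 3000
```

The auth annotations only protect traffic that enters through the nginx-ingress controller; clients inside the cluster that address the `grafana` service directly bypass the oauth2-proxy check, so a NetworkPolicy on the backend is the usual complement.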

Logging & Monitoring

Both Elasticsearch and Prometheus are deployed together with Kubernetes daemons that gather data. These daemons run on every worker node. In the EFK stack, Fluentd collects the logs of the workloads on a node and pushes them to Elasticsearch. Prometheus instead scrapes all metrics from the emitting sources, i.e. the collecting daemons or services. The node-exporter is a daemon that collects node-specific data, and the kube-state-metrics service collects metrics about the Kubernetes cluster as a whole through its API.

[Figure: logging-monitoring]