Production-grade microservices platform implementing cloud-native best practices with GitOps-driven deployments
This repository contains the application source code and container build pipelines for a distributed microservices platform designed for Kubernetes. It follows the GitOps paradigm by separating application code (this repo) from infrastructure configuration (platform-ops).
- Architecture Overview
- Microservices
- Container Security
- CI/CD Pipeline
- Local Development
- Best Practices
- Deployment Flow
This platform implements a polyglot microservices architecture with the following characteristics:
- Multi-language services: Go, Node.js, and Python
- Cloud-native design: 12-factor app principles
- GitOps-driven deployments: Declarative infrastructure with Argo CD
- Immutable infrastructure: Container images tagged with Git SHA
- Observability-first: Prometheus metrics and Grafana dashboards
- Security hardened: Non-root containers, read-only filesystems, minimal attack surface
βββββββββββββββ
β Ingress β
ββββββββ¬βββββββ
β
βββββΌβββββ
βapi-nodeβ (Node.js - API Gateway)
βββββ¬βββββ
β
βββββΌβββββ
βcore-go β (Go - Core Business Logic)
ββββββββββ
ββββββββββββββββ
βworker-python β (Python - Background Jobs)
ββββββββββββββββ
Language: Node.js (Express.js)
Port: 3000
Responsibility:
- REST API gateway
- Request routing and orchestration
- Authentication/Authorization middleware
- Rate limiting and request validation
Health Endpoints:
GET /health- Liveness probeGET /ready- Readiness probeGET /metrics- Prometheus metrics
Technology Stack:
- Express.js
- Prometheus client
- Winston logger
Language: Go
Port: 8080
Responsibility:
- Core business logic
- Data processing and validation
- Domain service layer
- Database operations
Health Endpoints:
GET /health- Health checkGET /metrics- Prometheus metrics (promhttp)
Technology Stack:
- Go 1.21+
- Gorilla Mux / Chi router
- Prometheus Go client
- GORM (if using database)
Language: Python
Port: 8000
Responsibility:
- Scheduled background jobs (cron-like)
- Asynchronous task processing
- Data aggregation and reporting
- Batch operations
Health Endpoints:
GET /health- Worker health statusGET /metrics- Prometheus metrics
Technology Stack:
- Python 3.11+
- FastAPI / Flask
- APScheduler or Celery
- Prometheus Python client
All services implement defense-in-depth security with the following best practices:
Each Dockerfile uses multi-stage builds to:
- Separate build dependencies from runtime
- Minimize final image size
- Reduce attack surface
Security Controls:
β Non-root user (UID: 65532)
β Read-only root filesystem
β No shell in production images
β Distroless/minimal base images
β Capability dropping
β securityContext enforcement| Service | Base Image | Final Size |
|---|---|---|
| api-node | node:21-alpine |
~150MB |
| core-go | gcr.io/distroless/static |
~15MB |
| worker-python | python:3.11-slim |
~120MB |
- Trivy: Integrated in CI pipeline
- Snyk: Optional third-party scanning
- GHCR: Native vulnerability scanning
This repository implements Continuous Integration using GitHub Actions:
Triggers:
- Push to main branch
- Pull request to main
- Manual workflow dispatch
Steps:
1. Checkout code
2. Run tests and linters
3. Build Docker images (multi-arch)
4. Tag with Git SHA
5. Push to GHCR
6. Update image tag in platform-ops
7. Create Git commit
8. Push to platform-ops repository# Format: service-name:git-sha
ghcr.io/<org>/api-node:a1b2c3d
ghcr.io/<org>/core-go:a1b2c3d
ghcr.io/<org>/worker-python:a1b2c3d
# Additional tags
ghcr.io/<org>/api-node:latest
ghcr.io/<org>/api-node:v1.2.3 # Semantic versioningContinuous Deployment is handled by Argo CD in the platform-ops repository.
ββββββββββββββββ
β Developer β
β commits code β
ββββββββ¬ββββββββ
β
βΌ
ββββββββββββββββββββ
β GitHub Actions β
β (CI Pipeline) β
ββββββββ¬ββββββββββββ
β
βββΊ Build Docker images
βββΊ Tag with Git SHA
βββΊ Push to GHCR
β
βΌ
ββββββββββββββββββββ
β Update Tag in β
β platform-ops β
β values.yaml β
ββββββββ¬ββββββββββββ
β
βΌ
ββββββββββββββββββββ
β Argo CD β
β Auto-Sync β
ββββββββ¬ββββββββββββ
β
βββΊ Render Helm charts
βββΊ Apply manifests
βββΊ Deploy to K8s
β
βΌ
ββββββββββββββββββββ
β Kubernetes β
β Cluster β
ββββββββββββββββββββ
# Rollback is just a Git revert
cd platform-ops
git revert HEAD
git push origin main
# Argo CD automatically deploys previous version- Docker (v24+)
- Docker Compose (v2+)
- Go (v1.21+)
- Node.js (v20+)
- Python (v3.11+)
# Start all services
docker-compose up --build
# Start specific service
docker-compose up api-node
# View logs
docker-compose logs -f core-go
# Stop all services
docker-compose down# API Node
cd api-node
npm install
npm run dev
# Core Go
cd core-go
go mod download
go run main.go
# Worker Python
cd worker-python
python -m venv venv
source venv/bin/activate
pip install -r requirements.txt
python main.py# API Node
cd api-node
npm test
npm run test:coverage
# Core Go
cd core-go
go test ./... -v
go test -cover ./...
# Worker Python
cd worker-python
pytest
pytest --cov- Linting: ESLint (Node.js), golangci-lint (Go), Ruff (Python)
- Formatting: Prettier, gofmt, Black
- Testing: Jest, Go testing, pytest
- Coverage: Minimum 80% code coverage
- Use specific base image tags (not
latest) - Implement health checks in all services
- Use multi-stage builds to minimize image size
- Run as non-root user (security)
- Set resource limits in Kubernetes
- Implement graceful shutdown for SIGTERM
- Use .dockerignore to exclude unnecessary files
- Resource requests and limits
- Liveness and readiness probes
- Pod disruption budgets
- Horizontal Pod Autoscaling (HPA)
- Network policies
- Service mesh (optional: Istio/Linkerd)
- Metrics: Prometheus format (
/metricsendpoint) - Logging: Structured JSON logs
- Tracing: OpenTelemetry (optional)
- Dashboards: Grafana
- GitOps Repository:
platform-ops - CI/CD Documentation: GitHub Actions Workflows
- Container Registry: GHCR Packages
MIT License - See LICENSE file for details
Built with β€οΈ using cloud-native best practices