Back to Projects
Full StackFeatured

Secure & Scalable Architecture Template

A production-grade template demonstrating a microservices architecture pattern with two cooperating services. Features a Kotlin/Spring Boot EncryptionService handling AWS KMS and AES-GCM encryption via gRPC, and a NestJS CustomerService exposing REST and GraphQL APIs with PostgreSQL persistence. Includes comprehensive infrastructure-as-code with Helm charts and a full observability stack.

View on GitHub

2 Microservices

Services

gRPC + GraphQL + REST

Protocols

AWS KMS / AES-GCM

Encryption

Kubernetes + Helm

Deployment

Tech Stack

13 technologies used

KotlinSpring BootNestJSTypeScriptGraphQLgRPCPostgreSQLKubernetesHelmAPISIXOpenTelemetryPrometheusGrafana

System Components

4 interconnected services

The architecture consists of these cooperating services, each with distinct responsibilities:

EncryptionService

backend
:9090

Kotlin/Spring Boot gRPC server that encrypts and decrypts payloads. Supports AWS KMS for production key management or local AES-GCM keys for development. Handles all cryptographic operations to keep sensitive data secure at rest.

Protocol:gRPC
KotlinSpring BootgRPCAWS KMSAES-GCM

CustomerService

backend
:3000 (REST) / 3000/graphql

NestJS application exposing both REST and GraphQL APIs for customer management. Persists data in PostgreSQL via TypeORM and delegates encryption of sensitive fields to the EncryptionService via gRPC.

Protocol:REST + GraphQL
NestJSTypeScriptGraphQLTypeORMPostgreSQL

PostgreSQL

database
:5432

Primary data store for customer records. Encrypted fields are stored as ciphertext, decrypted on-demand via the EncryptionService when requested through the /decrypted endpoint.

Protocol:TCP
PostgreSQL 14+TypeORM Migrations

APISIX Gateway

gateway
:80/443

API Gateway providing centralized routing, authentication, rate limiting, and load balancing. Routes external traffic to the CustomerService while keeping the EncryptionService internal-only.

Protocol:HTTP/HTTPS
APISIXHelm

Data Flow

6 steps from input to output

How data flows through the system from client request to final response:

1
ClientAPISIX GatewayHTTPS

External requests enter through the API Gateway

2
APISIX GatewayCustomerServiceHTTP

Gateway routes to CustomerService (REST or GraphQL)

3
CustomerServiceEncryptionServicegRPC

Sensitive data encrypted/decrypted via internal gRPC calls

4
EncryptionServiceAWS KMSAWS SDK

Key management operations (production mode)

5
CustomerServicePostgreSQLTCP

Encrypted data persisted to database

6
All ServicesOpenTelemetry CollectorOTLP

Metrics, traces, and logs collected

Code Examples

3 ready-to-use snippets

Get started quickly with these practical code examples:

GRAPHQL

Create Customer (GraphQL)

Create a new customer with automatic field encryption

mutation CreateCustomer($input: CreateCustomerInput!) {
  createCustomer(input: $input) {
    id
    firstName
    lastName
    status
  }
}

# Variables:
# {
#   "input": {
#     "firstName": "Ada",
#     "lastName": "Lovelace",
#     "status": "ACTIVE"
#   }
# }
GRAPHQL

Fetch Decrypted Customer

Retrieve customer with decrypted sensitive fields

query DecryptedCustomerById($id: String!) {
  decryptedCustomer(id: $id) {
    id
    firstName
    lastName
    status
  }
}
BASH

Deploy to Kubernetes

One-command deployment using Helm charts

# Deploy encryption service
helm upgrade --install encryption ./helm/encryption \
  -n customer --create-namespace

# Deploy customer service
helm upgrade --install customer ./helm/customer \
  -n customer

# Install observability stack
helm upgrade --install otel-collector \
  open-telemetry/opentelemetry-collector \
  -n observability -f helm/otel/otel-values.yaml

Infrastructure

Production-ready deployment stack

Battle-tested infrastructure components for reliable operations:

Kubernetes + Helm

deployment

Container orchestration with Helm charts for reproducible deployments. Includes charts for both services, configurable via values.yaml for different environments.

KubernetesHelmMinikubeDocker

Observability Stack

monitoring

Full observability with metrics (Prometheus), visualization (Grafana), logs (Loki), and distributed tracing (OpenTelemetry). ServiceMonitor CRDs for automatic scraping.

PrometheusGrafanaLokiOpenTelemetryJaeger

APISIX API Gateway

gateway

Cloud-native API gateway for traffic management, authentication, rate limiting, and service discovery. Configured for internal service routing.

APISIXetcd

Secret Management

storage

Encryption keys delivered via Kubernetes Secrets or external secret stores. AWS KMS integration for production-grade key management.

Kubernetes SecretsAWS KMSAWS Secrets Manager

Key Features

  • EncryptionService built with Kotlin/Spring Boot handling encryption via gRPC protocol on port 9090
  • CustomerService using NestJS with both REST and GraphQL endpoints, PostgreSQL with TypeORM
  • Key management supporting both AWS KMS and local AES-GCM encryption modes
  • GraphQL Playground available for interactive API exploration and testing
  • Full observability stack with Prometheus, Grafana, Loki, and OpenTelemetry integration
  • Kubernetes deployment patterns via Helm charts for both services plus optional observability components
  • APISIX API Gateway samples for centralized routing, authentication, and rate limiting

Challenges Solved

  • Separating cryptographic concerns from application logic while maintaining performance
  • Designing a dual-protocol architecture (gRPC for internal, GraphQL/REST for external)
  • Creating comprehensive infrastructure-as-code that's both complete and adaptable

Outcomes & Impact

  • Reusable template for building secure, distributed systems with encryption at rest
  • Clear separation of concerns enabling independent service deployment and scaling
  • Production-ready observability setup for monitoring and debugging