Platform Architecture

An opinionated stack combining proven tooling for zero-ops microservices.

High-Level Overview

graph TB
    Dev[Developer] -->|git push| GH[GitHub]
    GH -->|webhook| CI[CI/CD Pipeline]
    CI -->|build & scan| Reg[Container Registry]
    CI -->|update manifest| GitOps[Argo CD]
    GitOps -->|sync| K8s[Kubernetes Cluster]
    K8s -->|enforce| Kyverno[Policy Engine]
    K8s -->|metrics/logs/traces| OTel[OTel Collector]
    OTel -->|store| Prom[Prometheus]
    OTel -->|store| Loki[Loki]
    OTel -->|store| Tempo[Tempo]
    Prom --> Grafana[Grafana]
    Loki --> Grafana
    Tempo --> Grafana

    style Dev fill:#3b82f6
    style GH fill:#3b82f6
    style K8s fill:#10b981
    style Kyverno fill:#f59e0b
    style OTel fill:#8b5cf6
    style Grafana fill:#ec4899

StrixHQ combines best-in-class cloud native tooling into a cohesive platform. No custom glue code, only declarative configuration.

Component Stack

GitOps Layer

Argo CD

Git as single source of truth. Declarative deployments with automated sync and drift detection.

  • Continuous reconciliation
  • App-of-apps pattern for platform bootstrap
  • Sync waves for dependency ordering
  • Health checks for custom resources
  • SSO integration (roadmap)
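What the GitOps layer looks like in manifest form, as an added example (not the project's own configuration): a root Application pointing at a bootstrap directory, and two child Applications ordered with sync-wave annotations so the policy engine lands before any workload. Names, repository URLs and paths are placeholders; the Kyverno Helm repository URL is the upstream one.

```yaml
# Root "app of apps": Argo CD watches bootstrap/apps in the platform repo and
# creates one child Application per manifest it finds there.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: platform-root                           # hypothetical name
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io    # cascade-delete children when the root is removed
spec:
  project: platform                             # hypothetical AppProject scoping repos and destinations
  source:
    repoURL: https://github.com/example-org/platform-gitops.git   # placeholder repository
    targetRevision: main
    path: bootstrap/apps
  destination:
    server: https://kubernetes.default.svc
    namespace: argocd
  syncPolicy:
    automated:
      prune: true      # delete cluster resources that were removed from Git
      selfHeal: true   # revert manual cluster edits: this is the drift correction
---
# bootstrap/apps/kyverno.yaml: wave 0, so the policy engine is synced before any workload.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: kyverno
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "0"
spec:
  project: platform
  source:
    repoURL: https://kyverno.github.io/kyverno/
    chart: kyverno
    targetRevision: "3.*"      # placeholder range; pin an exact chart version in practice
  destination:
    server: https://kubernetes.default.svc
    namespace: kyverno
  syncPolicy:
    automated: { prune: true, selfHeal: true }
    syncOptions: [CreateNamespace=true]
---
# bootstrap/apps/orders-service.yaml: wave 1, synced by the root app after the wave-0 child.
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: orders-service         # hypothetical workload
  namespace: argocd
  annotations:
    argocd.argoproj.io/sync-wave: "1"
spec:
  project: platform
  source:
    repoURL: https://github.com/example-org/platform-gitops.git
    targetRevision: main
    path: services/orders
  destination:
    server: https://kubernetes.default.svc
    namespace: orders
  syncPolicy:
    automated: { prune: true, selfHeal: true }
    syncOptions: [CreateNamespace=true]
```

Lower waves are applied first and Argo CD waits for the resources in a wave to become healthy before starting the next one. For child Application objects that wait only works if the (opt-in) health check for the Application kind is enabled under `resource.customizations` in `argocd-cm`, which is also where health checks for other custom resources are declared.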

Policy Layer

Kyverno

Kubernetes-native admission control. YAML policies, no Rego. Enforce mode for hard rules.

  • Mandatory resource limits
  • Non-root containers
  • Registry restrictions
  • Label compliance
  • Policy exceptions with TTL (Pro tier)
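A ClusterPolicy covering the four rules listed above, as an added example rather than a policy shipped by the project. Policy and rule names, the label key `team` and the registry prefix `ghcr.io/example-org/` are placeholders. With `validationFailureAction: Enforce`, the admission webhook rejects a non-compliant resource instead of merely reporting it.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: baseline-workload-rules            # hypothetical policy name
spec:
  validationFailureAction: Enforce          # hard rules: deny at admission, do not just audit
  background: true                          # also evaluate existing resources into PolicyReports
  rules:
    # Label compliance: every Deployment/StatefulSet must identify the app and owning team.
    - name: require-labels
      match:
        any:
          - resources:
              kinds: [Deployment, StatefulSet]
      validate:
        message: "Workloads must carry app.kubernetes.io/name and team labels."
        pattern:
          metadata:
            labels:
              app.kubernetes.io/name: "?*"   # "?*" = any non-empty value
              team: "?*"

    # Mandatory resource limits. Pod rules are auto-generated for the controllers
    # (Deployment, StatefulSet, Job, ...) that create pods, so one rule covers them all.
    - name: require-resource-limits
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Every container must set CPU and memory limits."
        pattern:
          spec:
            containers:
              - resources:          # a list pattern applies to every container
                  limits:
                    cpu: "?*"
                    memory: "?*"

    # Non-root containers: required per container, so a pod-level default cannot be
    # silently overridden by one container setting runAsNonRoot: false.
    - name: require-non-root
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Each container must set securityContext.runAsNonRoot: true."
        pattern:
          spec:
            containers:
              - securityContext:
                  runAsNonRoot: "true"

    # Registry restriction: only images from the organisation's own registry path.
    - name: restrict-registry
      match:
        any:
          - resources:
              kinds: [Pod]
      validate:
        message: "Images must be pulled from ghcr.io/example-org/."
        pattern:
          spec:
            containers:
              - image: "ghcr.io/example-org/*"   # placeholder; use "a/* | b/*" for several registries
```

Before switching a new rule to `Enforce`, run it with `validationFailureAction: Audit` for a while and read the generated PolicyReport objects; that shows which existing workloads would be blocked without actually blocking them.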

Observability Layer

Grafana Stack

Unified telemetry via OpenTelemetry. Metrics, logs, and traces in one pane of glass.

  • Prometheus for metrics
  • Loki for log aggregation
  • Tempo for distributed tracing
  • Correlated telemetry (trace_id linking)
  • Pre-configured dashboards per service

Ingress Layer

ingress-nginx

Battle-tested reverse proxy. TLS termination via cert-manager (Let's Encrypt).

  • Automated TLS cert issuance
  • Path-based routing
  • Rate limiting
  • Request buffering
  • Metrics export to Prometheus
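The ingress features above expressed as manifests, as an added example that is not part of the project's configuration: a cert-manager ClusterIssuer for Let's Encrypt, and an Ingress that requests a certificate from it, routes by path, rate-limits per client and buffers requests with a body-size cap. Host names, the contact e-mail, service names and namespaces are placeholders; the annotation keys are the documented ingress-nginx and cert-manager ones.

```yaml
# One issuer per cluster. ACME HTTP-01 challenges are answered through ingress-nginx.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod                  # hypothetical name, referenced by the Ingress below
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform@example.com           # placeholder contact address for expiry notices
    privateKeySecretRef:
      name: letsencrypt-prod-account-key  # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx       # cert-manager >= 1.12; older releases use "class: nginx"
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orders-api                        # hypothetical service
  namespace: orders
  annotations:
    # Automated TLS: cert-manager watches this annotation and fills spec.tls[].secretName.
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    # Rate limiting, enforced per client IP at the proxy.
    nginx.ingress.kubernetes.io/limit-rps: "20"
    nginx.ingress.kubernetes.io/limit-connections: "50"
    # Request buffering: the proxy reads the whole body first and rejects oversize
    # uploads itself, so the backend never sees them.
    nginx.ingress.kubernetes.io/proxy-request-buffering: "on"
    nginx.ingress.kubernetes.io/proxy-body-size: "4m"
spec:
  ingressClassName: nginx
  tls:
    - hosts: [api.example.com]            # placeholder host
      secretName: orders-api-tls          # created and renewed by cert-manager
  rules:
    - host: api.example.com
      http:
        paths:
          - path: /orders                 # path-based routing: prefix match
            pathType: Prefix
            backend:
              service:
                name: orders
                port:
                  number: 8080
          - path: /healthz                # exact match, routed to the same service
            pathType: Exact
            backend:
              service:
                name: orders
                port:
                  number: 8080
```

Prometheus scraping of the controller is a controller-level setting (the Helm chart's `controller.metrics.enabled` value plus a ServiceMonitor), not something set per Ingress; the rate-limit counters it exports are the quickest way to see whether a limit is being hit.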

Service Lifecycle Flow

sequenceDiagram
    participant Dev as Developer
    participant GH as GitHub
    participant CI as CI/CD
    participant GitOps as Argo CD
    participant K8s as Cluster
    participant Kyverno as Policies

    Dev->>GH: git push
    GH->>CI: trigger workflow
    CI->>CI: build + test
    CI->>CI: scan (Trivy)
    CI->>CI: generate SBOM
    CI->>GH: push image
    CI->>GH: update GitOps manifest
    GitOps->>GitOps: detect change
    GitOps->>K8s: apply manifest
    K8s->>Kyverno: admission webhook
    Kyverno->>Kyverno: validate labels
    Kyverno->>Kyverno: validate resources
    Kyverno->>Kyverno: inject sidecars
    Kyverno-->>K8s: allow/deny
    K8s->>K8s: create pods
    K8s-->>Dev: deployment success
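The CI half of this sequence (build, test, Trivy scan, SBOM, push image, update the GitOps manifest) as a GitHub Actions workflow, added here as an example and not taken from the project. The image is built and loaded locally first, so the scan runs before anything is published, and the push only happens once the scan has passed. The registry path, the `make test` target, the manifest path and the bot identity are placeholders; the action names and inputs are the real ones from their respective projects.

```yaml
name: build-scan-deploy            # hypothetical workflow name
on:
  push:
    branches: [main]

permissions:
  contents: write                  # commit the updated GitOps manifest back to the repo
  packages: write                  # push to GHCR

env:
  IMAGE: ghcr.io/${{ github.repository }}   # placeholder registry path

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      # Build into the local Docker daemon only; nothing is published yet.
      - uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          push: false
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      - name: Test
        run: make test                        # assumed project target

      # Scan the local image. exit-code 1 fails the job on unfixed HIGH/CRITICAL findings,
      # which is what stops a vulnerable image from ever reaching the registry.
      - name: Scan (Trivy)
        uses: aquasecurity/trivy-action@master
        with:
          image-ref: ${{ env.IMAGE }}:${{ github.sha }}
          exit-code: "1"
          severity: HIGH,CRITICAL
          ignore-unfixed: true

      # SBOM for the exact image that will be deployed, kept as a build artifact.
      - name: Generate SBOM (Syft)
        uses: anchore/sbom-action@v0
        with:
          image: ${{ env.IMAGE }}:${{ github.sha }}
          format: spdx-json
          output-file: sbom.spdx.json
          artifact-name: sbom.spdx.json

      - name: Push image
        run: docker push ${{ env.IMAGE }}:${{ github.sha }}

      # Point the Deployment at the immutable SHA tag and commit; Argo CD takes it from here.
      - name: Update GitOps manifest
        env:
          NEW_IMAGE: ${{ env.IMAGE }}:${{ github.sha }}
        run: |
          yq -i '.spec.template.spec.containers[0].image = strenv(NEW_IMAGE)' deploy/deployment.yaml   # placeholder path
          git config user.name "ci-bot"
          git config user.email "ci-bot@users.noreply.github.com"
          git commit -am "deploy: ${GITHUB_SHA}"
          git push
```

Tagging with the commit SHA rather than a mutable tag like `latest` is what lets the SBOM, the scan result and the running pod be tied to one immutable artifact; the Kyverno registry rule then only has to check where the image came from, not which tag it carries.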

Key Design Decisions

Why Kyverno (not OPA Gatekeeper)?

Decision: Kyverno for policy enforcement

Rationale:

  • Kubernetes-native YAML policies (no Rego learning curve)
  • Easier to audit by non-specialists
  • Faster policy development cycle
  • Built-in policy reporting

Trade-off: OPA is more flexible, but the extra complexity is not needed for PoC scope.

Why Grafana Stack (not DataDog/NewRelic)?

Decision: Self-hosted Grafana + Prometheus + Loki + Tempo

Rationale:

  • No vendor lock-in, 100% portable
  • Zero per-seat/per-host costs
  • Full control over data retention
  • OpenTelemetry native support

Trade-off: Operators must manage Grafana stack. Acceptable for PoC/MVP.

Why Argo CD (not Flux)?

Decision: Argo CD for GitOps

Rationale:

  • Better UI for troubleshooting and demos
  • App-of-apps pattern for multi-tenant
  • Mature RBAC and project isolation
  • Broader adoption in enterprise

Trade-off: Flux is more Kubernetes-native (CRDs only), but the UI advantage weighs more.

Why kind (not k3s/minikube)?

Decision: kind for local development

Rationale:

  • CI-friendly (faster startup than k3s)
  • Multi-node clusters for real-world testing
  • Official K8s project, no custom patches
  • Docker-in-Docker support for builds

Trade-off: k3s is lighter, but kind is the industry standard for CI.

Complete Tech Stack

Orchestration

  • Kubernetes 1.28+
  • Helm 3
  • Kustomize

GitOps

  • Argo CD
  • App-of-apps
  • Sync waves

Policy

  • Kyverno
  • Admission webhooks
  • Policy reports

Observability

  • Prometheus
  • Loki
  • Tempo
  • Grafana
  • OpenTelemetry

Ingress

  • ingress-nginx
  • cert-manager
  • Let's Encrypt

CI/CD

  • GitHub Actions
  • Trivy scanner
  • Syft (SBOM)

Runtimes

  • Node.js 20
  • Go 1.21+
  • Python 3.11+

Tooling

  • Docker
  • kind
  • kubectl
  • yq/jq

Need more technical details?

View the full documentation or request an architecture review.