Glossary
A
ADR (Architecture Decision Record)
A document that captures an important architectural decision, its context, and its consequences. Stored in docs/decisions/.
Artifact Registry
GCP-managed container and package registry. Orofi stores Docker images at us-central1-docker.pkg.dev/orofi-dev-cloud/orofi/ and Maven packages at us-central1-maven.pkg.dev/orofi-dev-cloud/orofi-maven/.
ArgoCD
A Kubernetes-native GitOps tool that watches Git repositories and continuously reconciles cluster state to match the declared configuration. Runs in the argocd namespace.
ArgoCD Rollout
The Rollout CRD from the Argo Rollouts project (a sibling of ArgoCD in the Argo family, not a feature of ArgoCD itself). It replaces a Kubernetes Deployment with an object that supports canary and blue-green strategies; with Istio as the traffic router it shifts canary weight step by step by editing the VirtualService.
B
Bitbucket Pipelines
CI/CD system used for building Docker images, running tests, and triggering deployments. Configuration files: bitbucket-pipelines.yml in each repository.
Bootstrap
The process of setting up a new cluster from scratch: provisioning GCP resources with Terraform, then deploying Istio, cert-manager, and ArgoCD, after which ArgoCD deploys everything else.
C
cert-manager
A Kubernetes operator that automates TLS certificate issuance and renewal from Let's Encrypt using DNS-01 challenges via Cloud DNS.
Cloud DNS
GCP managed DNS service. All *.orofi.xyz zones are hosted in the orofi-cloud GCP project.
Cloud KMS (Key Management Service)
GCP service for managing cryptographic keys. Used by microservice-identity for data-level encryption via key ring identity-microservice-{env}.
Cloud Memorystore
GCP's fully managed Redis service. Used as the shared cache across all microservices.
Cloud NAT (Network Address Translation)
GCP service that allows GKE nodes (which have no public IPs) to make outbound internet connections.
Cloud SQL
GCP's fully managed relational database service. Orofi uses MySQL 8.0, one instance per environment.
ClusterIssuer
A cert-manager resource (cluster-scoped) that defines how certificates are obtained. Orofi uses letsencrypt-prod, letsencrypt-staging, and letsencrypt-dev.
ConfigMap
A Kubernetes resource for storing non-sensitive configuration data as key-value pairs. Values are stored in plaintext and are readable by anyone with get access to the resource, so credentials belong in a Secret (synced by ESO), never in a ConfigMap.
D
DestinationRule
An Istio resource that defines traffic policies (load balancing, connection pool settings, circuit breaking) for a service and names the subsets a VirtualService can route to.
DNS-01 Challenge
The ACME challenge type used by cert-manager to prove control of a domain by publishing a TXT record at _acme-challenge.<domain> in Cloud DNS. It needs no publicly reachable HTTP endpoint, and it is the only ACME challenge that can issue wildcard certificates such as *.{env}.orofi.xyz. The trade-off is that cert-manager's service account needs write access to the zone.
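Worked example of the ClusterIssuer and DNS-01 entries above, added here as an illustration; these are not manifests from the Orofi repositories. The issuer name letsencrypt-dev, the Cloud DNS project orofi-cloud and the *.{env}.orofi.xyz naming come from this glossary; the contact e-mail, Secret names, the istio-system namespace for the Certificate and the choice of the production ACME endpoint are assumptions.

```yaml
# Added example, not Orofi's own configuration. Values marked "assumption" are illustrative.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-dev
spec:
  acme:
    # Let's Encrypt production endpoint. While testing a new solver, point this at
    # https://acme-staging-v02.api.letsencrypt.org/directory so a misconfiguration
    # does not burn production rate limits.
    server: https://acme-v02.api.letsencrypt.org/directory
    email: platform@orofi.xyz                 # assumption: ACME account contact
    privateKeySecretRef:
      name: letsencrypt-dev-account-key       # assumption: Secret holding the ACME account key
    solvers:
    - dns01:
        cloudDNS:
          # Zone is hosted in the orofi-cloud project (see Cloud DNS). With Workload
          # Identity the cert-manager pod's GSA needs roles/dns.admin on that project;
          # no serviceAccountSecretRef (key file) is required.
          project: orofi-cloud
      # Limit this solver to the zone it is allowed to write to.
      selector:
        dnsZones:
        - orofi.xyz
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-dev-orofi-xyz                # assumption
  namespace: istio-system                     # assumption: where the Gateway reads TLS Secrets
spec:
  secretName: wildcard-dev-orofi-xyz-tls      # assumption: Secret the Gateway references
  issuerRef:
    name: letsencrypt-dev
    kind: ClusterIssuer
  dnsNames:
  - "*.dev.orofi.xyz"                         # wildcard: only DNS-01 can issue this
  - dev.orofi.xyz
```

After applying, cert-manager creates a Challenge resource and a TXT record; `kubectl describe challenge -n istio-system` shows the solver's progress and `dig +short TXT _acme-challenge.dev.orofi.xyz` shows whether the record is visible. If the record never appears, the cause is almost always missing DNS write permission on the orofi-cloud project rather than the issuer itself.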
DRY (Don't Repeat Yourself)
A software principle. In the context of Terragrunt, it means writing module definitions once and reusing them across environments.
E
ESO (External Secrets Operator)
A Kubernetes operator that syncs secrets from external secret stores (GCP Secret Manager in Orofi's case) into Kubernetes Secret resources. Runs in the external-secrets namespace.
ExternalSecret
An ESO custom resource that references a secret in GCP Secret Manager and defines which Kubernetes Secret to create from it.
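Worked example of the ESO and ExternalSecret entries, added here as an illustration and not taken from the Orofi repositories. The external-secrets and microservice-identity namespaces and the {env}-flyway-admin-db-connection naming come from this glossary; the store name gcp-secret-manager and the assumption that the secrets live in the orofi-dev-cloud project are mine.

```yaml
# Added example, not Orofi's own configuration. Values marked "assumption" are illustrative.
# Store: one cluster-wide handle to GCP Secret Manager. With no auth block, ESO uses
# the controller pod's own credentials, i.e. Workload Identity: the external-secrets
# KSA must carry the iam.gke.io/gcp-service-account annotation pointing at a GSA that
# holds roles/secretmanager.secretAccessor (grant it per secret, not project-wide).
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: gcp-secret-manager                    # assumption
spec:
  # Without conditions any namespace could pull any secret the GSA can read;
  # restrict the store to the namespaces that actually need it.
  conditions:
  - namespaces:
    - microservice-identity
    - api-gateway-public
  provider:
    gcpsm:
      projectID: orofi-dev-cloud              # assumption: project holding the secrets
---
# Per-namespace ExternalSecret: pulls one Secret Manager secret and materialises it as
# a Kubernetes Secret that the Flyway migration Job can mount.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: flyway-admin-db-connection
  namespace: microservice-identity
spec:
  refreshInterval: 1h                         # a new GSM version propagates within this window
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-secret-manager
  target:
    name: flyway-admin-db-connection          # Kubernetes Secret to create
    creationPolicy: Owner                     # ESO owns it and removes it with the ExternalSecret
  data:
  - secretKey: connection                     # key inside the Kubernetes Secret
    remoteRef:
      key: dev-flyway-admin-db-connection     # GSM secret name, {env}- prefix as in the glossary
      version: latest
```

`kubectl get externalsecret -n microservice-identity` reports SecretSynced once the pull succeeds. The resulting Kubernetes Secret is an ordinary Secret (base64 in etcd, not encrypted by ESO), so namespace RBAC on Secrets still decides who can read the synced value.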
F
Flyway
A database schema migration tool. The flyway-admin database user has access to all microservice databases and runs migrations via the {env}-flyway-admin-db-connection secret. Because that one credential spans every microservice database, it should be mounted only by the migration job, not by application pods.
G
GCS (Google Cloud Storage)
GCP object storage. Used for: Terraform state buckets (oro-dev-infra, oro-infra-stag, oro-infra-production) and microservice import/export data.
GKE (Google Kubernetes Engine)
GCP's managed Kubernetes service. All Orofi workloads run on GKE zonal clusters in us-central1-a.
GitOps
An operational model where Git is the single source of truth for system configuration. Changes to the cluster happen by committing to Git; ArgoCD applies them.
H
Helm
A package manager for Kubernetes. Used to deploy all platform components and microservices using templated charts.
HPA (Horizontal Pod Autoscaler)
A Kubernetes resource that automatically scales pod replicas based on CPU/memory metrics. KEDA extends HPA with custom metrics.
I
IAM (Identity and Access Management)
GCP's access control system. Controls who can do what on which GCP resources.
Ingress Static IP
A GCP global external IP address reserved for the Istio IngressGateway. One per environment: orofi-{env}-cloud-{env}-ingress-static-ip.
Istio
An open-source service mesh. Deployed at version 1.24.2. Provides mTLS, traffic management (VirtualServices, DestinationRules), and observability without code changes.
istiod
The Istio control plane component. Manages certificate issuance (SPIFFE SVIDs), configuration distribution, and service discovery.
K
KRaft
Kafka Raft, Kafka's built-in consensus protocol that replaces the ZooKeeper dependency. Used in Orofi's Kafka deployment (Bitnami chart v32.4.3).
KEDA (Kubernetes Event-Driven Autoscaling)
A Kubernetes autoscaler that scales pods based on custom metrics from external sources (Kafka consumer lag, MongoDB connections, CPU) rather than just CPU/memory.
KMS (Key Management Service)
See Cloud KMS.
L
Let's Encrypt
A free, automated, open Certificate Authority (CA). cert-manager uses Let's Encrypt to issue TLS certificates for *.{env}.orofi.xyz domains.
Loki
A log aggregation system designed to work with Prometheus and Grafana. Stores logs with label-based indexing (not full-text). Queried using LogQL.
LogQL
The query language for Loki. Similar to PromQL but for logs.
M
mTLS (Mutual TLS)
A TLS handshake where both client and server present certificates, authenticating each other. Istio enforces mTLS for all service-to-service communication.
N
Namespace
A Kubernetes concept for isolating groups of resources. Each Orofi microservice runs in its own namespace (e.g., microservice-identity, api-gateway-public).
O
OAuth2 Proxy
A reverse proxy that enforces OAuth2 authentication before allowing access to a service. Used in front of Kafka UI, Mongo Express, and Grafana. Uses Google OAuth2 restricted to @orofi.xyz accounts.
oro-gateway
The Istio Gateway resource in istio-system that defines which ports and TLS settings the IngressGateway accepts traffic on.
P
PeerAuthentication
An Istio resource that defines the mTLS requirement for inbound connections, scoped to the whole mesh, to a namespace, or (with a selector) to specific workloads and ports. Orofi sets STRICT mode in all application namespaces, so sidecars reject plaintext inbound connections; without an explicit policy Istio's default is PERMISSIVE, which accepts both mTLS and plaintext.
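Worked example of the three PeerAuthentication scopes, added here as an illustration and not taken from the Orofi repositories. The microservice-identity namespace comes from this glossary; the istio-system root namespace is Istio's default, and the selector label and port in the third policy are assumptions.

```yaml
# Added example, not Orofi's own configuration.
# Mesh-wide default: a policy named "default" in the Istio root namespace (istio-system
# unless the mesh config says otherwise) applies to every namespace without its own policy.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: istio-system
spec:
  mtls:
    mode: STRICT
---
# Namespace-scoped policy for one application namespace. Redundant while the mesh
# default is STRICT, but it keeps this namespace STRICT even if someone later relaxes
# the mesh-wide policy.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: default
  namespace: microservice-identity
spec:
  mtls:
    mode: STRICT
---
# The weak form, shown for contrast: a workload-scoped exception that accepts plaintext
# on one port. PERMISSIVE is what Istio applies when no policy exists at all, which is
# why the explicit STRICT policies above are needed. Label and port are assumptions.
apiVersion: security.istio.io/v1
kind: PeerAuthentication
metadata:
  name: legacy-metrics-exception
  namespace: microservice-identity
spec:
  selector:
    matchLabels:
      app: legacy-exporter                    # assumption
  mtls:
    mode: STRICT
  portLevelMtls:
    9100:
      mode: PERMISSIVE                        # plaintext allowed on this port only
```

`istioctl x describe pod <pod> -n microservice-identity` prints the effective PeerAuthentication mode for a workload, which is the quickest way to confirm that a namespace-level STRICT policy has not been undercut by a workload-level exception. Note that mTLS only authenticates the peer; which SVID identities may call which service is a separate AuthorizationPolicy decision.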
PITR (Point-In-Time Recovery)
A Cloud SQL feature (requires binary logging) that allows restoring the database to any point within the retention window. Enabled on staging.
Prometheus
An open-source metrics collection and alerting system. Scrapes metrics from all services (via Prometheus scrape annotations) and evaluates alert rules.
PSC (Private Service Connect)
A GCP networking feature that allows services in one VPC to access services in another VPC privately. Used in staging to allow the devops project (orofi-devops-cloud) to access the staging Cloud SQL instance.
PSMDB (Percona Server for MongoDB)
Percona's MongoDB distribution. The PSMDB Kubernetes Operator manages the MongoDB replica set lifecycle in Orofi clusters.
R
RDB (Redis Database Backup)
Redis persistence mode that saves point-in-time snapshots to disk. Orofi uses RDB with 6-hour (staging) and 12-hour (dev) snapshot intervals.
RBAC (Role-Based Access Control)
A security mechanism that grants permissions based on roles. Used in both Kubernetes (for cluster access) and ArgoCD (for deployment access).
Replica Set
A MongoDB deployment mode with multiple nodes maintaining identical data copies. Staging uses 3 nodes; dev uses 1 (no redundancy).
S
ScaledObject
A KEDA custom resource that defines autoscaling triggers for a deployment. Orofi uses it for MongoDB (connections, CPU, lock queue) and microservices (Kafka lag, CPU).
Secret Manager
GCP's managed store for secret values, with versioning and IAM-controlled access. Orofi's secrets live here and are synced into Kubernetes Secrets by ESO (see ESO and ExternalSecret).
SPIFFE (Secure Production Identity Framework for Everyone)
A standard for workload identity. Istio issues SPIFFE-compatible X.509 SVIDs to pods for mTLS authentication.
SVID (SPIFFE Verifiable Identity Document)
A certificate issued by Istio (signed by istiod's CA) that identifies a workload by a spiffe://<trust-domain>/ns/<namespace>/sa/<service-account> URI in its Subject Alternative Name. Used as the client certificate in mTLS connections.
T
Terraform
An infrastructure-as-code tool that provisions GCP resources declaratively. Used to manage all GCP infrastructure.
Terragrunt
A thin wrapper around Terraform for keeping configuration DRY across environments. Orofi does not use Terragrunt proper: the repo uses Terraform with local.tf patterns rather than terragrunt.hcl files, and the term is used loosely on these pages to describe that modular Terraform structure.
V
VirtualService
An Istio resource that defines routing rules for HTTP/TCP traffic. Associates a hostname (and a Gateway) with a Kubernetes service and controls traffic splitting (for canary releases).
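Worked example of the DestinationRule, VirtualService and ArgoCD Rollout entries together, added here as an illustration and not taken from the Orofi repositories. The api-gateway-public namespace and the istio-system/oro-gateway Gateway come from this glossary; the public hostname, the version labels and the circuit-breaking thresholds are assumptions.

```yaml
# Added example, not Orofi's own configuration. Values marked "assumption" are illustrative.
# DestinationRule: names two subsets by pod label so the VirtualService can split traffic
# between them, and carries the per-service traffic policy.
apiVersion: networking.istio.io/v1
kind: DestinationRule
metadata:
  name: api-gateway-public
  namespace: api-gateway-public
spec:
  host: api-gateway-public.api-gateway-public.svc.cluster.local
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL                      # sidecar-to-sidecar mTLS, pairs with STRICT PeerAuthentication
    connectionPool:
      http:
        http1MaxPendingRequests: 100          # assumption
    outlierDetection:                         # circuit breaking: eject a backend after repeated 5xx
      consecutive5xxErrors: 5
      interval: 30s
      baseEjectionTime: 60s
  subsets:
  - name: stable
    labels:
      version: stable                         # assumption: pod label set by the deployment
  - name: canary
    labels:
      version: canary
---
# VirtualService: bound to the shared ingress Gateway, sends 90% of requests to the stable
# subset and 10% to the canary. When Argo Rollouts uses Istio as its traffic router it
# rewrites these two weights at each canary step instead of a human editing them.
apiVersion: networking.istio.io/v1
kind: VirtualService
metadata:
  name: api-gateway-public
  namespace: api-gateway-public
spec:
  hosts:
  - api.dev.orofi.xyz                         # assumption: public hostname
  gateways:
  - istio-system/oro-gateway
  http:
  - route:
    - destination:
        host: api-gateway-public.api-gateway-public.svc.cluster.local
        subset: stable
      weight: 90
    - destination:
        host: api-gateway-public.api-gateway-public.svc.cluster.local
        subset: canary
      weight: 10
```

The weights must sum to 100, and a subset referenced in the VirtualService must exist in the DestinationRule, otherwise requests to that route fail rather than falling back; `istioctl analyze -n api-gateway-public` reports both mistakes before they reach the cluster.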
VPC (Virtual Private Cloud)
GCP's isolated network. Dev uses 10.0.0.0/16, staging uses 11.0.0.0/16. Note that 11.0.0.0/16 is not RFC 1918 private space (11.0.0.0/8 is publicly allocated), so hosts in the staging VPC cannot reach real internet addresses in that block, and any future peering or VPN with a network that routes it will collide.
W
Workload Identity
A GCP mechanism that allows Kubernetes pods to act as GCP service accounts without static credentials. A Kubernetes ServiceAccount annotated with iam.gke.io/gcp-service-account is bound to a GCP service account through IAM, and the pod receives short-lived tokens from a projected volume instead of a service account key file.
Z
Zero Trust
A security model in which no request is trusted on the basis of network location alone; every connection must be authenticated and authorized. In Orofi's dev environment the network layer approximates this with GCP firewall rules that deny all inbound traffic except from known IP ranges (35.226.57.140/32, 10.0.0.0/8, 11.0.0.0/16), and identity-based checks between workloads come from Istio STRICT mTLS (see PeerAuthentication). Note that 10.0.0.0/8 is far wider than the dev VPC's 10.0.0.0/16.