C4 — Container Diagram
The local and production shapes share the same service boundaries; only the observability stack differs. Local Compose runs a single grafana/otel-lgtm container (collector and backends in one box); production Helm runs an Alloy collector and keeps the metric, log, and trace backends independently deployable.
```mermaid
graph LR
Client[Client apps and partners]
Kong[Kong Gateway<br/>mTLS, rate-limit, correlation-id]
Keycloak[Keycloak 26<br/>FAPI policies, PS256]
Services[Finnest services<br/>Hono on Bun]
Admin[Power Admin]
CLI[Finnest CLI and TUI]
Postgres[(PostgreSQL 18)]
NATS[(NATS JetStream)]
Redis[(Redis 8)]
LGTM[Local grafana/otel-lgtm]
Alloy[Production Alloy collector]
Client --> Kong
Kong --> Keycloak
Kong --> Services
Admin --> Services
CLI --> Services
Services --> Postgres
Services --> NATS
Services --> Redis
Services --> LGTM
Services --> Alloy
```

Container Responsibilities
- Kong owns public ingress concerns: mTLS, correlation IDs, CORS, and rate limiting.
- Keycloak owns OIDC/FAPI policy enforcement and signing keys.
- Finnest services own business APIs, repository access, domain validation, and emitted events.
- PostgreSQL owns durable business state, audit trails, migrations, and transactional outbox rows.
- NATS owns internal asynchronous delivery.
- Redis owns cache/rate-limit/shared ephemeral state.
- The observability stack (otel-lgtm locally, Alloy in production) receives OTLP traces, metrics, and logs. PII redaction is applied inside the services before export, so neither the collector nor the backends ever hold raw PII.
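The PostgreSQL and NATS responsibilities above (transactional outbox rows in the database, asynchronous delivery over JetStream) are easiest to understand as one end-to-end flow. The following is an added example, not Finnest code: `FakeDb` and `FakeJetStream` are in-memory stand-ins with an assumed API, and the subject name `finnest.payments.created` is made up. It shows the three properties the pattern is meant to give: a failed domain validation rolls back both the balance update and the event; a transient NATS failure leaves the row unpublished for the next relay pass; and a crash between publish and the "mark published" update leads to a re-publish that JetStream deduplicates on the message id.

```typescript
// Added example, not Finnest project code: a transactional outbox relay.
// The service writes business state and the outbox row in ONE transaction; a
// relay publishes outbox rows to JetStream afterwards, using the outbox id as the
// message id so redelivery after a crash is deduplicated. Store and stream are
// in-memory fakes standing in for PostgreSQL and NATS JetStream (assumed API).

export interface OutboxRow {
  id: number;
  subject: string;
  payload: string;            // JSON-encoded event
  publishedAt: number | null;
  attempts: number;
}

export interface Tx {
  setBalance(account: string, cents: number): void;
  enqueue(subject: string, event: unknown): void;
}

// Stands in for PostgreSQL: a balances table plus an outbox table.
export class FakeDb {
  accounts = new Map<string, number>();
  outbox: OutboxRow[] = [];
  private nextId = 1;

  // All writes made through `fn` commit together or roll back together.
  transaction(fn: (tx: Tx) => void): void {
    const snapshot = { accounts: new Map(this.accounts), rows: this.outbox.length, nextId: this.nextId };
    try {
      fn({
        setBalance: (account, cents) => { this.accounts.set(account, cents); },
        enqueue: (subject, event) => {
          this.outbox.push({ id: this.nextId++, subject, payload: JSON.stringify(event), publishedAt: null, attempts: 0 });
        },
      });
    } catch (err) {
      this.accounts = snapshot.accounts;       // rollback
      this.outbox.length = snapshot.rows;
      this.nextId = snapshot.nextId;
      throw err;
    }
  }

  // SELECT ... WHERE published_at IS NULL ORDER BY id LIMIT n
  unpublished(limit: number): OutboxRow[] {
    return this.outbox.filter((r) => r.publishedAt === null).slice(0, limit);
  }
}

// Stands in for JetStream: dedups on the message id (the Nats-Msg-Id header in
// real NATS) and can inject transient publish failures.
export class FakeJetStream {
  delivered: { subject: string; msgId: string; payload: string }[] = [];
  failNext = 0;
  private seen = new Set<string>();

  publish(subject: string, payload: string, msgId: string): { duplicate: boolean } {
    if (this.failNext > 0) { this.failNext--; throw new Error("nats: timeout"); }
    const duplicate = this.seen.has(msgId);
    if (!duplicate) { this.seen.add(msgId); this.delivered.push({ subject, msgId, payload }); }
    return { duplicate };
  }
}

// One relay pass: publish in id order, mark rows published, and stop at the first
// failure so a later row is never delivered ahead of an earlier one.
export function relayOnce(db: FakeDb, js: FakeJetStream, batch = 100): { published: number; failed: number } {
  let published = 0, failed = 0;
  for (const row of db.unpublished(batch)) {
    row.attempts++;
    try {
      js.publish(row.subject, row.payload, `outbox-${row.id}`);
      row.publishedAt = Date.now();           // UPDATE outbox SET published_at = now() WHERE id = ?
      published++;
    } catch {
      failed++;                               // row stays unpublished; next pass retries
      break;
    }
  }
  return { published, failed };
}

// Scenario: one committed payment, one rolled-back payment, a transient NATS
// failure, then a crash between publish and mark (re-publish must be deduped).
export function demo() {
  const db = new FakeDb();
  const js = new FakeJetStream();
  db.accounts.set("acct-1", 1000);
  db.transaction((tx) => {
    tx.setBalance("acct-1", 900);
    tx.enqueue("finnest.payments.created", { paymentId: "p-1", cents: 100 });
  });
  let rolledBack = false;
  try {
    db.transaction((tx) => {
      tx.setBalance("acct-1", -100);
      tx.enqueue("finnest.payments.created", { paymentId: "p-2", cents: 1000 });
      throw new Error("insufficient funds");  // domain validation fails after the writes
    });
  } catch { rolledBack = true; }
  js.failNext = 1;
  const first = relayOnce(db, js);            // NATS down: row stays unpublished
  const second = relayOnce(db, js);           // retry succeeds
  db.outbox[0].publishedAt = null;            // crash before the UPDATE ... SET published_at
  const third = relayOnce(db, js);            // re-publish is a no-op at JetStream
  return { rolledBack, balance: db.accounts.get("acct-1"), rows: db.outbox.length,
           first, second, third, delivered: js.delivered.length, attempts: db.outbox[0].attempts };
}
```

The relay is deliberately at-least-once: the dedup key is the outbox row id, so a consumer that keys its own idempotency on the same id can tolerate the rare duplicate that falls outside JetStream's dedup window.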
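Redacting PII in the service before export means the redaction has to run over every attribute value, nested ones included, and has to distinguish a card number from an ordinary numeric id. The following is an added example, not Finnest code: the attribute key names, the sensitive-key list and the sample span attributes are assumptions for illustration. Emails and IBANs become keyed pseudonyms (HMAC-SHA256, so one customer's events still correlate across traces without being reversible), Luhn-valid digit runs are masked to their last four digits, and keys such as `authorization` are dropped regardless of value.

```typescript
// Added example, not Finnest project code: strip PII from telemetry attributes
// inside the service, before any OTLP exporter sees them. Key names and the
// sample attributes below are assumptions for illustration.
import { createHmac } from "node:crypto";

export type AttrValue = string | number | boolean | AttrValue[] | { [k: string]: AttrValue };
export type Attributes = { [k: string]: AttrValue };

// Attribute keys whose value is dropped outright, whatever it contains.
const SENSITIVE_KEY = /(^|[._-])(password|secret|token|authorization|cookie|ssn|pan|iban)($|[._-])/i;
const EMAIL = /[A-Z0-9._%+-]+@[A-Z0-9.-]+\.[A-Z]{2,}/gi;
const IBAN = /\b[A-Z]{2}\d{2}[A-Z0-9]{11,30}\b/g;
const DIGIT_RUN = /\b\d(?:[ -]?\d){12,18}\b/g;   // 13..19 digits, optional separators

function luhnValid(digits: string): boolean {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Keyed pseudonym: stable per value (same customer -> same token across traces),
// not reversible without the key. The key must never be exported with the telemetry.
export function pseudonym(value: string, key: string): string {
  return "pii:" + createHmac("sha256", key).update(value).digest("hex").slice(0, 16);
}

export function redactString(s: string, key: string): string {
  return s
    .replace(EMAIL, (m) => pseudonym(m.toLowerCase(), key))
    .replace(IBAN, (m) => pseudonym(m, key))
    .replace(DIGIT_RUN, (m) => {
      const digits = m.replace(/[ -]/g, "");
      // Only Luhn-valid runs are treated as card numbers; other ids pass through untouched.
      return luhnValid(digits) ? "****" + digits.slice(-4) : m;
    });
}

export function redactAttributes(attrs: Attributes, key: string): Attributes {
  const out: Attributes = {};
  for (const [k, v] of Object.entries(attrs)) {
    out[k] = SENSITIVE_KEY.test(k) ? "[REDACTED]" : redactValue(v, key);
  }
  return out;
}

function redactValue(v: AttrValue, key: string): AttrValue {
  if (typeof v === "string") return redactString(v, key);
  if (Array.isArray(v)) return v.map((x) => redactValue(x, key));
  if (typeof v === "object" && v !== null) return redactAttributes(v, key);
  return v;
}

// Constructed span attributes, as a service might attach them before export.
export const SAMPLE_ATTRS: Attributes = {
  "http.route": "/v1/payments",
  "http.request.header.authorization": "Bearer eyJhbGciOiJQUzI1NiJ9.e30.sig",
  "user.email": "Alice@Example.com",
  "payment.card": "4111 1111 1111 1111",
  "payee.account": "DE89370400440532013000",
  "order.id": "12345678901234",
  "notes": ["contact bob@example.org about order 12345678901234"],
};
```

Run this as an OpenTelemetry span/log processor (or in the service's logger) rather than in the collector: once an unredacted attribute reaches Alloy or otel-lgtm it is already in a second system with its own retention and access model.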