System Design

Platform Architecture

Logical flow from internet edge to persistent storage across 7 planes. Every inter-layer boundary enforces TLS, mTLS, or token-based authentication. Cluster: soc1–soc6 · Talos v1.12.6 · K8s v1.35.2.

Logical Flow

Layer-by-Layer — Internet to Storage

L1: Internet Edge
  - Cloudflare: DDoS · WAF · DNS · Zero Trust (dash.cloudflare.com)
  - WireGuard VPS: 154.26.x.x, tunnel endpoint
  Boundary L1 → L2: HTTPS · TLS 1.3

L2: Edge Ingress
  - OPNsense HAProxy: L7 LB · SSL termination
  - MetalLB 0.15.3: SOC VIP 172.16.x.x · SEC VIP 172.16.x.x
  - ingress-nginx 1.15.1: K8s Ingress · soc5.onelabs.work
  - Cilium 1.19.2 / Hubble: eBPF CNI · L3–L7 · mTLS (hub.onelabs.work)
  - Cilium ClusterMesh: SOC ↔ SEC · shared svc · cross-cluster DNS
  Boundary L2 → L3: mTLS · OIDC Token · Authz

L3: Identity & PKI
  - AD CA: Root CA · saza-AD-CA (adone.onelabs.work)
  - Active Directory: Identity · DNS · GPO (adone.onelabs.work)
  - Vault HA Raft: Secrets · PKI Intermediate (vault.onelabs.work)
  - Authentik SSO: OIDC · LDAP · MFA/OTP (sso.onelabs.work)
  Boundary L3 → L4: Dynamic Creds · Vault Token · RBAC

L4: DevSecOps
  - GitLab CE 18.x: Source · CI/CD · CODEOWNERS (gitlab.onelabs.work)
  - Registry: OCI (regis.onelabs.work)
  - Trivy: CVE · IaC · Secret scan
  - Argo CD v3.3.6: GitOps · Auto-sync · Rollback (argo.onelabs.work)
  - AWX: Ansible · 149 Playbooks · Event-driven (awx.onelabs.work)
  Boundary L4 → L5: Alerts · Events · Artifacts

L5: SOC & Threat Intel
  - TheHive: Case Mgmt · Triage (hive.onelabs.work)
  - Cortex: IR Analysis · 100+ Analyzers (cortex.onelabs.work)
  - MISP: IoC · STIX/TAXII (misp.onelabs.work)
  - OpenCTI: CTI · ATT&CK · STIX2 (cti.onelabs.work)
  - Caldera C2: Red Team · Sandcat Agents (c2c.onelabs.work)
  Boundary L5 → L6: Metrics · Logs · NetFlows · Compliance

L6: Observability
  - Prometheus Stack: kube-prometheus · ServiceMonitors
  - Loki: Logs · MinIO backend · 30d
  - Alertmanager: Route · Dedup · Discord/AWX
  - Grafana: Dashboards · SOC · OIDC SSO (grafana.onelabs.work)
  - Wazuh: SIEM · CIS · FIM · Agents (wazuh.onelabs.work)
  - KubeArmor + Kyverno: Runtime Policy · Admission
  Boundary L6 → L7: PersistentVolume · Snapshots → S3

L7: Storage
  - Longhorn 1.11.1: Distributed · Replicated PV (stog.onelabs.work)
  - MinIO: S3 · Object Lock · Anti-RW (minio.onelabs.work)

Infrastructure base: Talos v1.12.6 · soc1–6 · sec1–3 · K8s v1.35.2 · 9 nodes · 222 pods · Kernel 6.18.18-talos · cert-manager v1.20.1 → Physical Infra
Certificate Trust

PKI Chain — AD CA → Vault → Wildcards

All TLS certificates chain back to the Windows AD root CA (saza-AD-CA) through Vault's PKI intermediate engine; cert-manager automates issuance for all in-cluster services.

  - Root CA: saza-AD-CA (adone.onelabs.work · 172.16.x.x)
  - Intermediate CA: Vault PKI Engine (vault.onelabs.work · HA Raft 3-node)
  - Wildcard: *.onelabs.work, all production services
  - Wildcard (Legacy): *.saza.com.au, legacy + lab services
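As an added example (not the page's own manifests), the cert-manager objects that would wire this chain up: a ClusterIssuer that signs through the Vault intermediate and a Certificate for the *.onelabs.work wildcard. It assumes the Vault PKI intermediate is mounted at pki_int with a role named onelabs-work, and that Vault's Kubernetes auth method trusts the cert-manager service account; those names are assumptions, not taken from the page.

```yaml
# Added example, not the page's own manifests. Assumed names: the Vault PKI
# intermediate is mounted at pki_int, its issuing role is "onelabs-work", and
# Vault's Kubernetes auth method trusts the cert-manager ServiceAccount.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: vault-pki-int
spec:
  vault:
    server: https://vault.onelabs.work
    # Sign endpoint of the intermediate. The role's allowed_domains on the
    # Vault side is the control that limits what names this issuer can mint.
    path: pki_int/sign/onelabs-work
    # CA used to verify Vault's own TLS endpoint (base64 PEM of saza-AD-CA).
    caBundle: "<base64 PEM of the saza-AD-CA root, placeholder>"
    auth:
      kubernetes:
        role: cert-manager
        mountPath: /v1/auth/kubernetes
        # Projected, short-lived SA token; no static Vault token in a Secret.
        serviceAccountRef:
          name: cert-manager
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-onelabs-work
  namespace: ingress-nginx
spec:
  secretName: wildcard-onelabs-work-tls
  commonName: "*.onelabs.work"
  dnsNames:
    - "*.onelabs.work"
    - onelabs.work
  # Short leaf lifetime with early renewal; Vault's role max_ttl caps it.
  duration: 720h
  renewBefore: 168h
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always
  usages:
    - server auth
  issuerRef:
    name: vault-pki-int
    kind: ClusterIssuer
    group: cert-manager.io
```

The issued leaf carries the Vault intermediate in its chain, so clients only need the saza-AD-CA root in their trust store to validate it.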