This is an advanced, hands-on lab demonstrating the architectural evolution of a modern Java application. We will build a system from the ground up, starting with a secure monolith and progressively refactoring it into a fully observable, distributed system using cloud-native best practices.
This lab is structured in distinct, self-contained phases. The main branch always represents the latest completed phase. To explore a previous phase's code and detailed documentation, use the links below.
| Phase | Description & Key Concepts | Code & Docs (at tag) | Key Pull Requests |
|---|---|---|---|
| 1. The Secure Monolith | A standalone service that issues and validates its own JWTs. Concepts: AuthenticationManager, custom JwtAuthenticationFilter, jjwt library, and a foundational CI pipeline. | v1.0-secure-monolith | #2, #3, #4 |
| 2. Observing the Monolith | The service is containerized and orchestrated via docker-compose. Concepts: Micrometer, Prometheus, Grafana, custom metrics, and automated dashboard provisioning. | v2.0-observable-monolith | #6 |
| 3. Evolving to Federated Identity | The system is refactored into a multi-service architecture with an external IdP. Concepts: Keycloak, OIDC, OAuth2 Client (web-client) vs. Resource Server, Traefik reverse proxy, service-to-service security. | v3.0-federated-identity | #8 |
| 4. Tracing a Distributed System | Services are instrumented with the OpenTelemetry agent to generate traces. Concepts: Tempo, agent-based instrumentation, W3C Trace Context, Service Graphs, and a hybrid PUSH/PULL metrics architecture. | v4.0-distributed-tracing | #10 |
| 5. Correlated Logs & Access Auditing | The three pillars of observability are complete (metrics, traces, logs). Alloy is the unified collection agent. Concepts: Loki, Grafana Alloy, Docker service discovery, structured JSON logs, AOP-based auditing, trace-to-log correlation, and detailed audit metrics. | v5.0-correlated-logs-auditing | #12 |
| 6. Proactive Alerting | The system transitions from passive to proactive monitoring. Concepts: Alertmanager, declarative PromQL alert rules, alerting on technical vs. security metrics, and a UI-driven test harness. | v6.0-proactive-alerting | #14 |
| 7. Continuous Security Integration | "Shift left" security by embedding automated scanning into the CI/CD pipeline. Concepts: SCA (OWASP Dependency-Check), Container Scanning (Trivy), DAST (OWASP ZAP), and automated vulnerability remediation. | v7.0-continuous-security | #17 |
| 8. Advanced Secret Management | Enhances security by moving application secrets to HashiCorp Vault. Concepts: Vault as a secrets service, automated init container for population, Spring Cloud Vault (modern config), and robust test isolation. | v8.0-advanced-secret-management | #19 |
- Start with the `main` branch to see the final, completed state of the entire lab.
- To explore any specific phase of the lab, use the "Code & Docs (at tag)" links in the table above. Each link will take you to the exact repository state at the end of that phase, where you will find its dedicated `README.md` with instructions for running the project in that particular phase.
- To understand the "why" behind the architectural decisions and evolutionary steps, review the Key Pull Requests for each phase.
To run the application and see usage examples for any phase, navigate to that phase's Git tag using the links in the "Code & Docs (at tag)" column of the table above. Each tagged `README.md` file contains detailed, phase-specific instructions for setting up and running the project in that state.