SAAS PLATFORM & INTERNAL INFRASTRUCTURE
AWS · EKS · Kubernetes · ArgoCD · GitLab · AFT
End-to-end ownership of the production EKS cluster and internal infrastructure for a SaaS platform running in eu-west-1.
Architecture
- EKS 1.34 with Karpenter v1.8.2 autoscaling across three node pools:
  - Spot — general workloads and CI runners
  - On-demand — production services and observability stack
  - Dedicated — self-hosted GitLab instance
- Bottlerocket OS on all worker nodes for minimal attack surface and automated updates
- ArgoCD for GitOps-based continuous delivery of all microservices
- GitLab CI/CD pipelines feeding into ArgoCD for the full build-deploy workflow
- Aurora PostgreSQL 17.6 Serverless v2 as the primary database layer
- Loki + Grafana for centralized log aggregation and observability dashboards
- Supporting Kubernetes stack:
  - External Secrets Operator — secrets synced from AWS Secrets Manager
  - Cert Manager — automated TLS certificate provisioning via Let’s Encrypt
  - AWS ALB Controller — Kubernetes-native ingress via Application Load Balancers
  - External DNS — automatic Route 53 record management from ingress resources
- Dual Terraform state architecture — separate state modules for AWS-level resources (VPC, EKS, RDS, IAM) and Kubernetes-level resources (Helm releases, namespaces, RBAC)
- AFT (AWS Control Tower Account Factory for Terraform) managing the multi-account AWS organization
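As an added illustration of the node-pool layout and Bottlerocket choice described above (constructed for this page, not the platform's own manifests), the following shows how the three pools can be expressed in Karpenter's v1 API. The cluster name, discovery tags, IAM role name and CPU limits are placeholders; the security-relevant parts are the Bottlerocket AMI alias, IMDSv2 enforcement with a hop limit of 1 (so pods cannot reach the instance metadata service), and the taint that keeps CI runners and other general workloads off the nodes reserved for GitLab.

```yaml
# One EC2NodeClass shared by all three pools: Bottlerocket image, IMDSv2 only.
apiVersion: karpenter.k8s.aws/v1
kind: EC2NodeClass
metadata:
  name: bottlerocket
spec:
  amiSelectorTerms:
    - alias: bottlerocket@latest          # Karpenter tracks new Bottlerocket releases
  role: KarpenterNodeRole-EXAMPLE         # placeholder: the node IAM role
  subnetSelectorTerms:
    - tags: { karpenter.sh/discovery: example-cluster }   # placeholder tag
  securityGroupSelectorTerms:
    - tags: { karpenter.sh/discovery: example-cluster }   # placeholder tag
  metadataOptions:
    httpTokens: required                  # IMDSv2 only
    httpPutResponseHopLimit: 1            # pod network namespaces cannot reach IMDS
---
# Spot pool: interruptible capacity for general workloads and CI runners.
apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
  name: spot
spec:
  template:
    metadata:
      labels: { pool: spot }
    spec:
      nodeClassRef: { group: karpenter.k8s.aws, kind: EC2NodeClass, name: bottlerocket }
      requirements:
        - { key: karpenter.sh/capacity-type, operator: In, values: ["spot"] }
        - { key: kubernetes.io/arch, operator: In, values: ["amd64"] }
        - { key: karpenter.k8s.aws/instance-category, operator: In, values: ["c", "m", "r"] }
      expireAfter: 720h                   # recycle nodes so image updates roll through
  disruption:
    consolidationPolicy: WhenEmptyOrUnderutilized
    consolidateAfter: 1m
  limits: { cpu: "200" }                  # placeholder cap on pool size
---
# On-demand pool: production services and the observability stack.
apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
  name: on-demand
spec:
  template:
    metadata:
      labels: { pool: on-demand }
    spec:
      nodeClassRef: { group: karpenter.k8s.aws, kind: EC2NodeClass, name: bottlerocket }
      requirements:
        - { key: karpenter.sh/capacity-type, operator: In, values: ["on-demand"] }
        - { key: kubernetes.io/arch, operator: In, values: ["amd64"] }
      expireAfter: 720h
  disruption:
    consolidationPolicy: WhenEmpty        # never voluntarily repack production nodes
    consolidateAfter: 5m
    budgets:
      - nodes: "10%"                      # at most 10% of the pool disrupted at once
  limits: { cpu: "400" }
---
# Dedicated pool: tainted so only workloads that tolerate it (GitLab) land here.
apiVersion: karpenter.sh/v1
kind: NodePool
metadata:
  name: gitlab
spec:
  template:
    metadata:
      labels: { pool: gitlab }
    spec:
      nodeClassRef: { group: karpenter.k8s.aws, kind: EC2NodeClass, name: bottlerocket }
      taints:
        - { key: workload, value: gitlab, effect: NoSchedule }
      requirements:
        - { key: karpenter.sh/capacity-type, operator: In, values: ["on-demand"] }
        - { key: kubernetes.io/arch, operator: In, values: ["amd64"] }
      expireAfter: 720h
  disruption:
    consolidationPolicy: WhenEmpty
    consolidateAfter: 5m
  limits: { cpu: "64" }
```

The GitLab pods then need a matching toleration (`workload=gitlab:NoSchedule`) and a `nodeSelector` of `pool: gitlab`; CI runner pods, which tolerate nothing, can only be scheduled onto the spot pool or, if pinned by a selector, the on-demand pool. Keeping `expireAfter` on every pool means Bottlerocket updates reach all nodes within the expiry window without a manual rotation.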
Key Outcomes
- Zero-downtime Kubernetes upgrades across production workloads
- GitOps workflow enabling developer self-service deployments via ArgoCD
- Cost optimization through Karpenter spot instance scheduling for non-critical workloads
- Clean separation of infrastructure and application state in Terraform