Skip to content

Target Condition: Logto IAM service deployed and operational in production #199

New issue
New issue
Open
0 of 1 issue completed
Open
Target Condition: Logto IAM service deployed and operational in production#199
0 of 1 issue completed
Assignees
amaralc
Labels
target-condition
Milestone
Challenge: Open source IAM service up and running in production
@amaralc

Description

@amaralc
amaralc
opened on Feb 5, 2026

Vision

Agility — Software so easy to change that adapting to new demands is the default, not the exception.

Direction

Move from a fully configured but undeployed IAM service to a live, production-grade Logto instance serving authentication and authorization for PeerLab.

Qualitative Description

Aspect Current Target
Deployment status Configured but not deployed Running in GKE Autopilot production
Authentication capability Firebase Auth only Logto OIDC/SAML available in production
Infrastructure provisioning Terraform + Crossplane modules exist Terraform apply provisions full stack end-to-end
Admin access No production admin console Logto admin console accessible at logto-admin.{domain}
Local development parity Minikube setup works Local and production environments aligned

Outcome Metrics

Metric Current Target
IAM service availability in production 0% (not deployed) 99%+ (healthy pods, passing probes)
OIDC endpoints responding None All standard endpoints (/.well-known/openid-configuration)
Admin console accessible No Yes, via logto-admin.{domain}

Process Metrics

Metric Current Target
Time from commit to IAM deployment ∞ (no pipeline) < 30 min via CI/CD
Infrastructure provisioning steps (manual) Untested in production Zero manual steps after initial setup
Local-to-production config drift Unknown Verified parity via shared K8s manifests
Mean Time to Detect IAM issues (MTTD) N/A < 5 min (liveness/readiness probes)
Mean Time to Recover (MTTR) N/A < 15 min (HPA + rolling restart)

Obstacles (Known)

  • Bootstrap script to manage GCP org (domain, email, account) must be up to date and functional
  • GCP project and VPC must be provisioned with correct network configuration
  • Domain and DNS records need to point to the GKE ingress static IP
  • Crossplane must be bootstrapped in the cluster before PostgreSQL can be provisioned
  • Managed certificates require DNS validation which may take time to propagate
  • Database credentials must be securely generated and stored in Kubernetes secrets
  • Terraform state backend (GCS bucket) must be configured for the target environment

Sub-issues

Metadata

Metadata

Assignees

Labels

target-condition

Projects

Explore

Status

No status

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions