1. Executive Summary 2. Architecture Overview 2.1 High-Level Architecture Diagram 2.2 Infrastructure Components 2.3 Communication Patterns 3. Service Catalog 3.1 API Gateway (Spring Cloud Gateway) 3.2 Authentication Service (Keycloak) 3.3 Service Discovery (Eureka) 3.4 Student Management Service 3.5 Curriculum & Subject Service 3.6 Enrollment & Approval Service 3.7 Examination Service 3.8 Assignment & Tutor Service 3.9 Grading & Billing Service 3.10 Notification Service (FastAPI) 3.11 Chat Service (Node.js + MongoDB) 3.12 File Storage Service 3.13 Certificate & Transcript Service 3.14 Reporting & Analytics Service 3.15 System Configuration Service 3.16 Suspension & Intake Service 3.17 Chatbot & FAQ Service 4. Shared Database Strategy 5. Event-Driven Communication (Kafka) 6. Docker Compose & Container Orchestration 7. Service Communication Matrix 8. Decomposition Roadmap 9. Monitoring & Observability 10. Security Architecture

1. Executive Summary

This document defines the architecture for decomposing the E-Learning monolithic Spring Boot application into a microservice ecosystem. The decomposition preserves all existing functionality while enabling independent scaling, deployment, and technology diversity.

Key Architectural Decisions

Decision	Choice	Rationale
Database Strategy	Shared PostgreSQL 17	Existing production data in `salvation` DB; avoids complex data migration. Services share the database with schema-level isolation.
Message Broker	Apache Kafka + Zookeeper	Event-driven decoupling between services; supports async notifications, audit trails, and eventual consistency.
Authentication	Keycloak	Replaces custom JWT implementation; provides SSO, role management, OAuth2/OIDC, and admin console out-of-the-box.
Service Discovery	Netflix Eureka	Spring Cloud native; automatic registration/deregistration with health checks.
API Gateway	Spring Cloud Gateway	Route management, rate limiting, circuit breaking, JWT validation — all Spring ecosystem native.
Notification Service	FastAPI (Python)	Lightweight, async-native, ideal for I/O-bound notification dispatch (email, SMS, FCM push).
Chat Service	Node.js + MongoDB	WebSocket-native runtime; MongoDB for flexible chat document storage.
Containerization	Docker + Docker Compose	Every component runs in its own container; reproducible across dev, staging, and production.

Constraint: The production database salvation (PostgreSQL 17) MUST remain intact. All services connect to the same database. No table dropping, renaming, or schema-breaking changes.

2. Architecture Overview

2.1 High-Level Architecture Diagram

Figure 1: Microservice Architecture — 14 business services + 3 infrastructure services, event-driven via Kafka

2.2 Infrastructure Components

Component	Technology	Port	Container Name	Purpose
GATEWAY API Gateway	Spring Cloud Gateway	8080	`salt-gateway`	Single entry point, routing, rate limiting, JWT validation
AUTH Keycloak	Keycloak 24+	8180	`salt-keycloak`	OAuth2/OIDC identity provider, SSO, role management
DISCOVERY Eureka	Spring Cloud Netflix Eureka	8761	`salt-eureka`	Service registration & discovery
BROKER Kafka	Apache Kafka 3.7+	9092	`salt-kafka`	Event-driven messaging between services
ZK Zookeeper	Apache Zookeeper	2181	`salt-zookeeper`	Kafka cluster coordination
DB PostgreSQL	PostgreSQL 17	5432	`salt-postgres`	Shared database (`salvation`)
CACHE Redis	Redis 7 Alpine	6379	`salt-redis`	Caching, sessions, Keycloak sessions
STORE MinIO	MinIO Latest	9000/9001	`salt-minio`	S3-compatible file storage
CHAT-DB MongoDB	MongoDB 7	27017	`salt-mongodb`	Chat message storage (document DB)
AUTH-DB Keycloak DB	PostgreSQL 17	5433	`salt-keycloak-db`	Keycloak-specific database (separate from `salvation`)

2.3 Communication Patterns

Pattern	Use Case	Technology
Synchronous (REST)	Client → Gateway → Service (CRUD operations)	HTTP/JSON via Spring Cloud Gateway
Asynchronous (Events)	Service → Kafka → Service (notifications, audit, sync)	Apache Kafka topics
WebSocket	Real-time chat between users	Socket.IO (Node.js Chat Service)
Service Discovery	Services locating each other dynamically	Netflix Eureka (heartbeat-based)
Token-Based Auth	JWT bearer tokens on all requests	Keycloak-issued OIDC tokens

3. Service Catalog

3.1 API Gateway INFRASTRUCTURE

Technology	Spring Cloud Gateway (Java 17)
Container	`salt-gateway`
Port	8080 (internal), exposed via Nginx on 443
Responsibilities	Route requests to services, validate JWT tokens against Keycloak, rate limiting, circuit breaking, CORS

Route Configuration

spring:
  cloud:
    gateway:
      routes:
        - id: student-service
          uri: lb://student-service
          predicates:
            - Path=/api/v2/students/**
        - id: enrollment-service
          uri: lb://enrollment-service
          predicates:
            - Path=/api/v2/enrollment/**, /SaltELearnAppApi/student/**
        - id: curriculum-service
          uri: lb://curriculum-service
          predicates:
            - Path=/api/v2/subjects/**, /api/v2/countries/**, /api/v2/territories/**
        - id: exam-service
          uri: lb://exam-service
          predicates:
            - Path=/api/v2/exam/**
        - id: assignment-service
          uri: lb://assignment-service
          predicates:
            - Path=/api/v2/assignments/**, /api/v2/materials/**
        - id: grading-service
          uri: lb://grading-service
          predicates:
            - Path=/api/v2/grading/**, /api/v2/billing/**
        - id: notification-service
          uri: lb://notification-service
          predicates:
            - Path=/api/v2/notifications/**
        - id: chat-service
          uri: lb://chat-service
          predicates:
            - Path=/api/v2/chat/**, /ws/**
        - id: certificate-service
          uri: lb://certificate-service
          predicates:
            - Path=/api/v2/certificates/**, /api/v2/transcripts/**
        - id: reporting-service
          uri: lb://reporting-service
          predicates:
            - Path=/api/v2/analytics/**, /api/v2/reports/**
        - id: config-service
          uri: lb://config-service
          predicates:
            - Path=/api/v2/settings/**, /api/v2/admin/schema/**
        - id: chatbot-service
          uri: lb://chatbot-service
          predicates:
            - Path=/api/v2/chatbot/**

3.2 Authentication Service (Keycloak) INFRASTRUCTURE

Technology	Keycloak 24+ (Quarkus-based)
Container	`salt-keycloak`
Port	8180
Database	Dedicated PostgreSQL on port 5433 (`salt-keycloak-db`)
Responsibilities	User authentication, JWT issuance, role management, SSO, password policies, OTP/2FA

Realm Configuration

Realm: salt
Client Roles: Admin (access_level=5), Tutor (8), ETO (9), Student (12)
Clients: salt-web-admin, salt-mobile, salt-exec-dashboard, salt-gateway
Identity Provider: Username/password with OTP email verification
Token Lifetime: Access token: 15min, Refresh token: 24h

User Migration

Existing users in tbl_sys_users will be migrated to Keycloak via a custom User Federation SPI or batch import script. BCrypt password hashes are compatible with Keycloak's hash provider.

Backward Compatibility: During the transition period, the Gateway supports both legacy JWT tokens (from tbl_sys_settings signing key) and Keycloak-issued OIDC tokens.

3.3 Service Discovery (Eureka) INFRASTRUCTURE

Technology	Spring Cloud Netflix Eureka Server
Container	`salt-eureka`
Port	8761
Dashboard	`http://localhost:8761`

All Spring Boot services register with Eureka on startup. The API Gateway uses lb://service-name URIs for load-balanced routing. Health checks run every 30 seconds.

# Each service's application.yml
eureka:
  client:
    service-url:
      defaultZone: http://salt-eureka:8761/eureka/
  instance:
    prefer-ip-address: true
    lease-renewal-interval-in-seconds: 30

3.4 Student Management Service SPRING BOOT

Container	`salt-student-svc`
Port	8101
Source	Extracted from: `StudentService.java` (63KB), `StudentController.java`
Database Tables	`tbl_student`, `tbl_tbl_ranks`, `tbl_student_achievements`

Endpoints

Method	Path	Description
GET	`/api/v2/students`	List all students (paginated, searchable)
GET	`/api/v2/students/{id}`	Get student details
POST	`/api/v2/students`	Register new student
PUT	`/api/v2/students/{id}`	Update student profile
GET	`/api/v2/students/{id}/performance`	Get academic performance summary
POST	`/api/v2/students/import`	Bulk CSV import

Kafka Events

Publishes: student.registered, student.updated, student.deleted
Consumes: enrollment.approved (update admission status)

3.5 Curriculum & Subject Service SPRING BOOT

Container	`salt-curriculum-svc`
Port	8103
Source	Extracted from: `SubjectsService.java`, `CountryService.java`, `TerritoryService.java`
Database Tables	`tbl_subjects`, `tbl_learning_level`, `tbl_countries`, `tbl_territory`, `tbl_languages`, `tbl_announcements`

Key Endpoints

Method	Path	Description
GET	`/api/v2/subjects`	List all subjects
GET	`/api/v2/subjects/by-level/{levelId}`	Subjects filtered by learning level + language
GET	`/api/v2/countries`	Countries with flags (Africa-first sorting)
GET	`/api/v2/territories`	Territories with country grouping
GET	`/api/v2/learning-levels`	Foundation, Certificate, Diploma

Caching: Subjects, countries, territories cached in Redis (TTL: 1 hour). Announcements cached (TTL: 5 min).

3.6 Enrollment & Approval Service SPRING BOOT

Container	`salt-enrollment-svc`
Port	8102
Source	Extracted from: `AdminApproval.java`, `EtoApproval.java`, `EnrollmentValidationService.java`, `AcademicLevelService.java`
Database Tables	`tbl_academic_level`, `tbl_student_subjects_selection`, `tbl_sessions`

Key Endpoints

Method	Path	Description
POST	`/api/v2/enrollment/enroll`	Student self-enrollment with subject selection
POST	`/api/v2/enrollment/{id}/eto-approve`	ETO approval (status N→EP)
POST	`/api/v2/enrollment/{id}/admin-approve`	Admin approval (status EP→P)
POST	`/api/v2/enrollment/{id}/reject`	Reject enrollment
GET	`/api/v2/enrollment/pending`	Pending approvals for ETO/Admin

Kafka Events

Publishes: enrollment.submitted, enrollment.approved, enrollment.rejected
Consumes: student.registered (trigger enrollment workflow)

3.7 Examination Service SPRING BOOT

Container	`salt-exam-svc`
Port	8104
Source	Extracted from: `ExamService.java` (78KB — largest service), `ExamEnhancementService.java`
Database Tables	`tbl_exam_paper`, `tbl_questions`, `tbl_student_quiz`, `tbl_paper_answer`, `tbl_exam_dates`

Key Endpoints

Method	Path	Description
POST	`/api/v2/exam/papers`	Create exam paper (MCQ/Essay)
POST	`/api/v2/exam/papers/{id}/questions`	Add questions to paper
POST	`/api/v2/exam/papers/{id}/start`	Student starts exam attempt
POST	`/api/v2/exam/papers/{id}/submit`	Student submits exam
POST	`/api/v2/exam/papers/{id}/upload-pdf`	Upload downloadable exam
GET	`/api/v2/exam/papers/{id}/download`	Student downloads exam PDF
POST	`/api/v2/exam/oral-score`	Enter oral exam score

Kafka Events

Publishes: exam.created, exam.submitted, exam.marked, exam.failed-3x
Consumes: enrollment.approved (enable exam access)

Scheduling: Uses Quartz Scheduler for exam timers. Timer state stored in Redis for cross-instance consistency.

3.8 Assignment & Tutor Service SPRING BOOT

Container	`salt-assignment-svc`
Port	8105
Source	Extracted from: `AssignnementService.java` (50KB), `TutorService.java` (32KB)
Database Tables	`tbl_materials_upload`, `tbl_assignment_marking`, `tbl_tutor_subject_assigment`, `tbl_late_assignment`

Key Endpoints

Method	Path	Description
POST	`/api/v2/assignments/upload`	Student uploads assignment (max 3/month/subject)
POST	`/api/v2/assignments/{id}/mark`	Tutor marks assignment
POST	`/api/v2/materials/upload`	Tutor uploads reading material
GET	`/api/v2/assignments/pending`	Unmarked assignments for tutor

Kafka Events

Publishes: assignment.uploaded, assignment.marked, material.uploaded

3.9 Grading & Billing Service SPRING BOOT

Container	`salt-grading-svc`
Port	8106
Source	Extracted from: `GradingService.java`, `BillingService.java`
Database Tables	`tbl_grading_config`, `tbl_billing`, `tbl_billing_items`

Key Endpoints

Method	Path	Description
GET	`/api/v2/grading/config`	Get grading thresholds (6 tiers)
PUT	`/api/v2/grading/config`	Update grading config (Admin)
GET	`/api/v2/grading/student/{id}/summary`	Calculate all subject grades
POST	`/api/v2/billing/calculate/{studentId}`	Generate billing (sum subject costs)
GET	`/api/v2/billing/export`	Download billing Excel

Grading Formula

total = (AVG(assignments) * assignment_weight_pct / 100)
      + (exam_score * exam_weight_pct / 100)
grade = lookup(tbl_grading_config WHERE total BETWEEN min AND max)

Kafka Events

Consumes: exam.marked, assignment.marked (recalculate grades)
Publishes: grading.calculated, grading.level-completed

3.10 Notification Service FASTAPI

Technology	Python 3.12 + FastAPI + Celery
Container	`salt-notification-svc`
Port	8200
Database Tables	`tbl_sms_log` (PostgreSQL, shared DB)

Notification Channels (Admin-Configurable)

Channel	Technology	Default	Configuration
Email	SMTP (aiosmtplib)	Enabled (default)	SMTP host/port/credentials from `tbl_sys_settings`
SMS	HTTP Gateway (httpx)	Disabled	SMS API URL + credentials from `tbl_sys_settings`
Push (FCM)	Firebase Cloud Messaging	Disabled	FCM server key from `tbl_sys_settings`

Admin Control: The notification_channel column in tbl_sys_settings determines active channels. Values: EMAIL (default), SMS, PUSH, SMS_EMAIL, ALL. Admin can enable/disable channels via the Settings page. When multiple channels are active, the service dispatches to ALL active channels for each notification.

Endpoints

Method	Path	Description
POST	`/api/v2/notifications/send`	Send notification (internal, from other services)
GET	`/api/v2/notifications/channels`	Get active notification channels
PUT	`/api/v2/notifications/channels`	Admin updates active channels
GET	`/api/v2/notifications/log`	SMS/email send history

Kafka Consumer Topics

# Subscribes to all notification-triggering events
student.registered     → Welcome email
enrollment.approved    → "Your enrollment has been approved" (email + SMS if enabled)
enrollment.rejected    → Rejection notification
exam.created           → Exam availability alert
exam.submitted         → Submission confirmation
exam.failed-3x         → Suspension warning
assignment.marked      → Grade notification
grading.level-completed → Level completion congratulations

Architecture

# Internal structure
notification-service/
├── app/
│   ├── main.py              # FastAPI entry point
│   ├── config.py            # DB + Kafka config
│   ├── routers/
│   │   ├── notifications.py # REST endpoints
│   │   └── channels.py      # Channel management
│   ├── services/
│   │   ├── email_sender.py  # SMTP async sender
│   │   ├── sms_sender.py    # SMS HTTP gateway
│   │   ├── fcm_sender.py    # Firebase push
│   │   └── dispatcher.py    # Routes to active channels
│   ├── kafka/
│   │   └── consumer.py      # Kafka event listener
│   └── models/
│       └── schemas.py       # Pydantic models
├── Dockerfile
├── requirements.txt
└── .env

3.11 Chat Service NODE.JS

Technology	Node.js 20 + Express + Socket.IO + MongoDB
Container	`salt-chat-svc`
Port	8300
Database	MongoDB 7 (`salt-mongodb`, port 27017)

Why MongoDB for Chat?

Flexible document schema for message metadata (text, images, attachments)
Built-in TTL indexes for message expiration policies
High write throughput for real-time messaging
Change Streams for real-time event propagation

MongoDB Collections

// messages collection
{
  _id: ObjectId,
  roomId: "user_101_user_202",
  senderId: 101,        // Maps to tbl_sys_users.id
  recipientId: 202,
  content: "Hello!",
  type: "text",         // text | image | file
  filePath: null,       // MinIO path if file/image
  readAt: null,         // Timestamp when read
  createdAt: ISODate("2026-02-14T10:30:00Z")
}

// rooms collection
{
  _id: ObjectId,
  roomId: "user_101_user_202",
  participants: [101, 202],
  lastMessage: "Hello!",
  lastMessageAt: ISODate("2026-02-14T10:30:00Z"),
  unreadCount: { "202": 3 }
}

Endpoints & WebSocket

Type	Path	Description
WS	`/ws`	Socket.IO connection (JWT auth via handshake)
GET	`/api/v2/chat/rooms`	User's chat rooms
GET	`/api/v2/chat/messages/{roomId}`	Message history (paginated)
GET	`/api/v2/chat/unread-count`	Total unread messages

Migration from PostgreSQL

Existing chat data in tbl_chat, tbl_chat_room, tbl_chat_counter will be migrated to MongoDB via a one-time migration script. After migration, the PostgreSQL chat tables become read-only archives.

3.12 File Storage Service SPRING BOOT

Container	`salt-file-svc`
Port	8109
Source	Extracted from: `FileStorageService.java`, `FileHandlerService.java`

Dual-Read Strategy

READ:  Try MinIO (salt-files bucket) → Fallback to /opt/salt_files → 404
WRITE: Always MinIO

Endpoints

Method	Path	Description
POST	`/api/v2/files/upload`	Upload file to MinIO
GET	`/api/v2/files/{path}`	Download file (dual-read)
DELETE	`/api/v2/files/{id}`	Soft-delete file

3.13 Certificate & Transcript Service SPRING BOOT

Container	`salt-certificate-svc`
Port	8107
Source	Extracted from: `CertificateService.java`, `PdfGenerator.java`
Database Tables	`tbl_certificates`
Libraries	OpenPDF 2.0.3, ZXing 3.5.3

Endpoints

Method	Path	Description
POST	`/api/v2/certificates/generate/{studentId}/{levelId}`	Generate certificate PDF with QR
GET	`/api/v2/certificates/{serial}`	Download certificate PDF
GET	`/api/v2/certificates/verify/{serial}`	Public QR verification (no auth)
GET	`/api/v2/transcripts/{studentId}`	Generate transcript PDF

Kafka Events

Consumes: grading.level-completed (auto-generate certificate)

3.14 Reporting & Analytics Service SPRING BOOT

Container	`salt-reporting-svc`
Port	8108
Source	Extracted from: `AnalyticsService.java`, `ReportRepository.java` (complex native SQL)

Key Endpoints

Method	Path	Description
GET	`/api/v2/analytics/dashboard`	Executive dashboard stats
GET	`/api/v2/analytics/enrollment-trends`	Enrollment over time
GET	`/api/v2/analytics/territory-breakdown`	Territory-level analytics
GET	`/api/v2/reports/progressive`	Excel progressive report
GET	`/api/v2/reports/exam-register`	Excel exam register

Read-Only: This service only reads from the database. It can optionally use a read replica for zero production impact.

3.15 System Configuration Service SPRING BOOT

Container	`salt-config-svc`
Port	8110
Source	Extracted from: `SystemSettingService.java`, `SchemaManagementService.java`, `DataIntegrityService.java`
Database Tables	`tbl_sys_settings` (singleton ID=1), `tbl_event_logs`, `tbl_data_integrity_log`

Other services fetch settings from this service's REST API (cached in Redis, TTL: 30 min). This replaces the direct settingService.isRequestValid() call pattern.

3.16 Suspension & Intake Service SPRING BOOT

Container	`salt-suspension-svc`
Port	8111
Source	Extracted from: `SuspensionService.java`, `IntakeService.java`
Database Tables	`tbl_suspension_log`, `tbl_intake_config`

Kafka Events

Consumes: exam.failed-3x (auto-suspend student)
Publishes: suspension.created, suspension.lifted

3.17 Chatbot & FAQ Service SPRING BOOT

Container	`salt-chatbot-svc`
Port	8112
Database Tables	`tbl_chatbot_faq`, `tbl_chatbot_escalations`

Rule-based FAQ lookup with keyword matching. Supports 4 languages (en/fr/sw/pt). Escalation creates a chat room with an admin via the Chat Service.

4. Shared Database Strategy

All Spring Boot services connect to the same PostgreSQL 17 database (salvation). This is a pragmatic decision to avoid complex distributed transactions and data migration during the initial decomposition.

Table Ownership

Service	Owned Tables	Read-Only Access To
Student Mgmt	tbl_student, tbl_tbl_ranks, tbl_student_achievements	tbl_sys_users, tbl_territory
Enrollment	tbl_academic_level, tbl_student_subjects_selection, tbl_sessions	tbl_student, tbl_subjects
Curriculum	tbl_subjects, tbl_learning_level, tbl_countries, tbl_territory, tbl_announcements	—
Examination	tbl_exam_paper, tbl_questions, tbl_student_quiz, tbl_paper_answer, tbl_exam_dates	tbl_student_subjects_selection
Assignment	tbl_materials_upload, tbl_assignment_marking, tbl_tutor_subject_assigment, tbl_late_assignment	tbl_student_subjects_selection
Grading	tbl_grading_config, tbl_billing, tbl_billing_items	tbl_student_subjects_selection, tbl_subjects
Notification	tbl_sms_log	tbl_sys_settings
Certificate	tbl_certificates	tbl_student, tbl_academic_level
Reporting	— (read-only)	ALL tables (analytics queries)
Configuration	tbl_sys_settings, tbl_event_logs, tbl_data_integrity_log	—
Suspension	tbl_suspension_log, tbl_intake_config	tbl_student_subjects_selection
Chatbot	tbl_chatbot_faq, tbl_chatbot_escalations	—

Convention: Each service ONLY writes to its owned tables. Cross-service data is accessed read-only or through Kafka events. This prevents hidden coupling.

Connection Pooling

Each service gets its own HikariCP connection pool (max 20 per service vs. 80 in the monolith). Total: ~240 connections across all services. PostgreSQL max_connections should be set to 300+.

5. Event-Driven Communication (Kafka)

Topic Catalog

Topic	Producer	Consumers	Payload
`student.registered`	Student Svc	Enrollment, Notification	studentId, name, email, territory
`student.updated`	Student Svc	Enrollment, Reporting	studentId, changedFields
`enrollment.submitted`	Enrollment Svc	Notification	studentId, subjects[], level
`enrollment.approved`	Enrollment Svc	Student, Exam, Notification	studentId, status, approver
`enrollment.rejected`	Enrollment Svc	Student, Notification	studentId, reason, rejector
`exam.created`	Exam Svc	Notification	paperId, subjectId, examDate
`exam.submitted`	Exam Svc	Notification	studentId, paperId, score
`exam.marked`	Exam Svc	Grading, Notification	studentId, paperId, score
`exam.failed-3x`	Exam Svc	Suspension, Notification	studentId, subjectId, retakeCount
`assignment.uploaded`	Assignment Svc	Notification	studentId, subjectId, fileName
`assignment.marked`	Assignment Svc	Grading, Notification	studentId, assignmentId, score
`grading.calculated`	Grading Svc	Reporting	studentId, subjectId, grade
`grading.level-completed`	Grading Svc	Certificate, Notification	studentId, levelId, finalGrade
`suspension.created`	Suspension Svc	Notification	studentId, subjectId, deadline
`suspension.lifted`	Suspension Svc	Notification	studentId, liftedBy

Kafka Configuration

# Partitions: 3 per topic (allows 3x parallel consumers)
# Replication: 1 (single-node dev/staging), 3 (production)
# Retention: 7 days
# Consumer groups: one per service (e.g., notification-svc-group)

6. Docker Compose & Container Orchestration

Complete Container Map (17 Containers)

#	Container	Image	Port	Depends On
1	`salt-postgres`	postgres:17	5432	—
2	`salt-keycloak-db`	postgres:17	5433	—
3	`salt-redis`	redis:7-alpine	6379	—
4	`salt-mongodb`	mongo:7	27017	—
5	`salt-minio`	minio/minio:latest	9000/9001	—
6	`salt-zookeeper`	confluentinc/cp-zookeeper:7.6	2181	—
7	`salt-kafka`	confluentinc/cp-kafka:7.6	9092	zookeeper
8	`salt-keycloak`	quay.io/keycloak/keycloak:24	8180	keycloak-db, redis
9	`salt-eureka`	Custom (Spring Boot)	8761	—
10	`salt-gateway`	Custom (Spring Cloud Gateway)	8080	eureka, keycloak
11	`salt-student-svc`	Custom (Spring Boot)	8101	postgres, eureka, kafka
12	`salt-enrollment-svc`	Custom (Spring Boot)	8102	postgres, eureka, kafka
13	`salt-curriculum-svc`	Custom (Spring Boot)	8103	postgres, eureka, redis
14	`salt-exam-svc`	Custom (Spring Boot)	8104	postgres, eureka, kafka, redis, minio
15	`salt-notification-svc`	Custom (FastAPI)	8200	postgres, kafka
16	`salt-chat-svc`	Custom (Node.js)	8300	mongodb, redis, kafka
17	`salt-web-admin`	Custom (Next.js)	8081	gateway

Additional services (certificate, assignment, grading, reporting, config, suspension, chatbot, file-storage) follow the same pattern — each with its own container, port, Dockerfile, and Eureka registration. Total: ~25 containers.

7. Service Communication Matrix

From \ To	Student	Enroll	Curric	Exam	Assign	Grade	Notif	Chat	Cert	File
Student	—	Kafka	REST	—	—	—	Kafka	—	—	—
Enrollment	Kafka	—	REST	Kafka	—	—	Kafka	—	—	—
Exam	—	—	REST	—	—	Kafka	Kafka	—	—	REST
Assignment	—	—	REST	—	—	Kafka	Kafka	—	—	REST
Grading	—	—	—	—	—	—	Kafka	—	Kafka	—
Suspension	—	—	—	—	—	—	Kafka	—	—	—

REST = synchronous HTTP call (via Eureka service discovery). Kafka = asynchronous event via topic.

8. Decomposition Roadmap

Phase A: Infrastructure Foundation

Step	Task	Risk
A1	Deploy Kafka + Zookeeper + MongoDB containers	Low
A2	Deploy Keycloak, configure `salt` realm, migrate users from `tbl_sys_users`	Medium
A3	Deploy Eureka Server + Spring Cloud Gateway	Low
A4	Gateway routes ALL traffic to existing monolith (strangler fig pattern)	Low

Phase B: Extract Standalone Services (Low Coupling)

Step	Service	Why First
B1	Notification Service (FastAPI)	Cross-cutting, no business logic; event-driven makes it easy to decouple
B2	Chat Service (Node.js + MongoDB)	Clean WebSocket boundary; different DB (MongoDB)
B3	Chatbot & FAQ Service	Standalone lookup service, no external dependencies
B4	File Storage Service	Infrastructure adapter; clear API boundary

Phase C: Extract Domain Services (Medium Coupling)

Step	Service	Complexity
C1	Curriculum & Subject Service	Read-heavy reference data; low write coupling
C2	Certificate & Transcript Service	Isolated PDF generation; minimal dependencies
C3	Reporting & Analytics Service	Read-only; can use read replica
C4	Grading & Billing Service	Computational logic; events trigger recalculation
C5	Suspension & Intake Service	Small service; event-driven (Kafka consumer)
C6	System Configuration Service	Singleton pattern; provides config API to all services

Phase D: Extract Core Business Services (High Coupling)

Step	Service	Key Challenge
D1	Student Management Service	Shared `tbl_student`; used by enrollment, exam, grading
D2	Enrollment & Approval Service	Complex approval workflow (N→EP→P); touches student + subject data
D3	Assignment & Tutor Service	Shared `tbl_materials_upload`; tutor-student relationships
D4	Examination Service	Largest service (78KB); complex exam lifecycle; Quartz scheduling

Strangler Fig Pattern: During each phase, the API Gateway routes traffic to the NEW microservice for extracted endpoints and to the MONOLITH for everything else. The monolith shrinks incrementally until it's fully decomposed.

9. Monitoring & Observability

Aspect	Tool	Purpose
Logging	ELK Stack (Elasticsearch, Logstash, Kibana)	Centralized log aggregation from all 25 containers
Metrics	Prometheus + Grafana	Service health, request latency, JVM stats, Kafka lag
Tracing	Jaeger / Zipkin	Distributed request tracing across services
Health Checks	Spring Boot Actuator + Eureka	Service health endpoints + registration status
Alerting	Grafana Alerts	Notify on service down, high error rate, Kafka consumer lag

Spring Boot Actuator Endpoints (per service)

/actuator/health    # Health status + dependency checks
/actuator/metrics   # JVM, HTTP, custom metrics
/actuator/info      # Service version, git commit
/actuator/prometheus # Prometheus-compatible metrics export

10. Security Architecture

Authentication Flow

Client sends credentials to /auth/realms/salt/protocol/openid-connect/token (Keycloak)
Keycloak validates credentials, returns JWT access token + refresh token
Client includes Authorization: Bearer <token> on all API requests
API Gateway validates the JWT signature against Keycloak's public key (JWKS endpoint)
Gateway forwards request to target service with validated token claims
Service reads role/user info from token claims — no second auth call needed

Role Mapping

Keycloak Role	Legacy access_level	Services Access
`admin`	5	All services, all endpoints
`tutor`	8	Assignment (mark), Exam (create/mark), Materials (upload)
`eto`	9	Enrollment (approve), Students (territory-scoped), Reports
`student`	12	Own profile, subjects, assignments, exams, chat, performance

Service-to-Service Auth

Internal REST calls between services use a Keycloak service account (salt-internal-client) with client credentials grant. This ensures service-to-service calls are authenticated even within the Docker network.

Kafka Security

SASL/PLAIN authentication between services and Kafka broker. ACLs restrict which services can produce/consume from which topics.

Document ID: SALT-MSA-2026-001 | Prepared: 20th February 2026

Document ID:	SALT-MSA-2026-001
Version:	2.0
Date:	18th February 2026
Prepared By:	Sumba Group Limited
Developed By	Sumba Group Limited
Classification:	Internal — Confidential

Microservice Architecture

Table of Contents

1. Executive Summary

Key Architectural Decisions

2. Architecture Overview

2.1 High-Level Architecture Diagram

2.2 Infrastructure Components

2.3 Communication Patterns

3. Service Catalog

3.1 API Gateway INFRASTRUCTURE

Route Configuration

3.2 Authentication Service (Keycloak) INFRASTRUCTURE

Realm Configuration

User Migration

3.3 Service Discovery (Eureka) INFRASTRUCTURE

3.4 Student Management Service SPRING BOOT

Endpoints

Kafka Events

3.5 Curriculum & Subject Service SPRING BOOT

Key Endpoints

3.6 Enrollment & Approval Service SPRING BOOT

Key Endpoints

Kafka Events

3.7 Examination Service SPRING BOOT

Key Endpoints

Kafka Events

3.8 Assignment & Tutor Service SPRING BOOT

Key Endpoints

Kafka Events

3.9 Grading & Billing Service SPRING BOOT

Key Endpoints

Grading Formula

Kafka Events

3.10 Notification Service FASTAPI

Notification Channels (Admin-Configurable)

Endpoints

Kafka Consumer Topics

Architecture

3.11 Chat Service NODE.JS

Why MongoDB for Chat?

MongoDB Collections

Endpoints & WebSocket

Migration from PostgreSQL

3.12 File Storage Service SPRING BOOT

Dual-Read Strategy

Endpoints

3.13 Certificate & Transcript Service SPRING BOOT

Endpoints

Kafka Events

3.14 Reporting & Analytics Service SPRING BOOT

Key Endpoints

3.15 System Configuration Service SPRING BOOT

3.16 Suspension & Intake Service SPRING BOOT

Kafka Events

3.17 Chatbot & FAQ Service SPRING BOOT

4. Shared Database Strategy

Table Ownership

Connection Pooling

5. Event-Driven Communication (Kafka)

Topic Catalog

Kafka Configuration

6. Docker Compose & Container Orchestration

Complete Container Map (17 Containers)

7. Service Communication Matrix

8. Decomposition Roadmap

Phase A: Infrastructure Foundation

Phase B: Extract Standalone Services (Low Coupling)

Phase C: Extract Domain Services (Medium Coupling)

Phase D: Extract Core Business Services (High Coupling)

9. Monitoring & Observability

Spring Boot Actuator Endpoints (per service)

10. Security Architecture

Authentication Flow

Role Mapping

Service-to-Service Auth

Kafka Security