Azhary Arliansyah

ID EN
Articles / Inside Lyrid's Architecture: Building a Production-Grade PaaS

Inside Lyrid's Architecture: Building a Production-Grade PaaS

Go Kubernetes Microservices System Architecture gRPC
Inside Lyrid's Architecture: Building a Production-Grade PaaS

Building a Platform-as-a-Service (PaaS) requires a robust, distributed architecture capable of managing infrastructure across multiple global regions. During my time engineering the core platform at Lyrid, I spearheaded major architectural transitions that allowed the platform to automate application deployments, manage Kubernetes clusters, and route traffic at incredible scale.

This case study is a deep dive into the engineering solutions across our decoupled microservices ecosystem.

Table of Contents

1. The PaaS Ecosystem Topology

The platform operates across several geographic regions (e.g., us-west, ap-southeast, eu-central). To handle the scale and separation of concerns, the architecture is divided into specialized decoupled services.

Zeta (Web UI) Next.js Console Lyra (REST API) Golang API Delta Engine Build / Async Tasks Theta (gRPC) Bridge Server dns-vega (Global) Primary Kubernetes Cluster Other Clusters x-vega (Proxy) Ingress Controller Vega Agent Cluster Operator App Pod API Pod

*Figure 1: High-level topology of the Lyrid platform, integrating the remote control plane with a managed client cluster.*

2. Lyra and Zeta: The Control Plane Experience

The core control plane consists of services that handle user interactions and orchestrate distributed state.

  • Zeta-v2 (Next.js): The front-facing console. I led the development of the core application orchestration interface. I implemented a comprehensive Kubernetes resource explorer, enabling users to safely audit Helm release values, manage multi-region deployments, and monitor application health in real-time through an interactive UI.
  • Lyra (Go): The primary REST API backend acting as the central nervous system. I engineered a complete Minimum Viable Product (MVP) integration for sophisticated automated CI/CD pipelines. To secure tenant trust, I built programmatic API hooks for rollback and patch deployments, and handled complex ACME order processes ensuring SSL certificates are cleanly renewed. Lyra acts as the main orchestrator, translating user intents into actionable jobs for the backend workers.

3. Deep Dive into Delta: Resolving Synchronous Bottlenecks

Synchronous REST APIs (like Lyra) are mathematically unsuited for resolving extensive compute anomalies over network connections. The Delta Asynchronous Worker is our architectural response. It represents a horizontally scalable builder network uncoupled from standard HTTP lifecycles.

Lyra (API) Async Dispatcher Publish Job Google / Redis Pub/Sub Queue Consume Delta Engine Docker v2 Builder Multi-platform Docker Build Servercore Provisioning Target Kubernetes Cluster

*Figure 2: Delta's asynchronous worker queue architecture bypassing synchronous bottlenecks for heavy pipeline compute.*

Within Delta, I took complete ownership of overhauling how we deploy applications. I implemented the "Docker v2 deployment" pipeline, significantly altering the container lifecycle algorithms to support dynamic, multi-platform Docker compilation natively triggered via our internal API layers.

I also discovered severe distributed deployment deadlocks during large-scale node migrations. To counter these, I designed custom handlers that allowed our system to intelligently bypass heavy installations like Knative and the Cluster API (CAPI) explicitly when we targeted lightweight 'servercore' execution environments. Handling the installation of the Calico Container Network Interface (CNI) entirely via Delta jobs cemented the robustness of our distributed build capabilities.

4. Theta and Vega: Masterminding Edge Cluster Management

Kubernetes clusters operated by end-users are largely secluded behind opaque corporate firewalls. Reaching inward from outside to manage clusters directly requires a specialized communication paradigm that purely HTTP-based webhooks categorically fail to deliver. This is why we engineered Vega, our edge Kubernetes agent, and Theta, the master gRPC nexus point bridging them all.

Lyra Gateway HTTP Endpoint Internal API Theta Server gRPC v2 Bridge gRPC gRPC gRPC Vega (Cluster A) Reads K8s Helm state Vega (Cluster B) Patching Deployment Vega (Cluster C) Streams Pod Logs

*Figure 3: Theta gRPC multiplexing architecture enabling bi-directional native Kubernetes cluster orchestration across multiple disconnected tenant sites.*

I rewrote Vega to natively interpret and inject advanced Kubernetes YAML manipulations. Specifically, I engineered a highly resilient "secret monitor loop", a persistent algorithmic state checker that continually synchronizes cluster credentials securely against rotated certificates. Additionally, I built mechanisms enabling Vega to retrieve raw Helm releases and stream raw Pod logs directly from inside the cluster traversing outwards to our dashboards.

Perhaps the largest transition in the Lyrid pipeline was driving the migration to "gRPC v2," gracefully degrading and shutting down older HTTP REST v1 pathways in Theta. By locking in a multiplexed gRPC environment mapped tightly to independent Vega agent instances, we dramatically decreased instruction latency. We demonstrated the ability to execute patch deployments directly from a developer's workstation into an isolated production cluster overseas in milliseconds.

5. Edge Resolvers: Visualizing dns-vega and x-vega Extensibility

Managing internal pipelines and gRPC tunnels ensures workloads turn on - but how does an external internet user securely connect strictly to "app.user.com" while completely avoiding "api.user.com" on the exact same server? Standard topologies normally ignore exact traffic interception. We explicitly decoupled our traffic routers to accommodate massive multi-tenancy.

GET app.lyrid.io POST api.lyrid.io dns-vega (Global) Resolves Domain Target Kubernetes Cluster App resolves IP x-vega (Ingress) L7 Reverse Proxy ? Frontend Service Target: app Backend API (Go) Target: api Host Match (app) Host Match (api)

*Figure 4: The Lyrid routing boundary. dns-vega resolves domains globally, while x-vega dynamically multiplexes application traffic inside the destination cluster based on Application Layer Host headers.*

The DNS Layer (dns-vega)
Before traffic targets a worker node, requests hit the DNS layer. Our specialized dns-vega controller resolves arbitrary DNS lookups dynamically based on user requests into exact Kubernetes Cluster A-Records. It ensures global fidelity, preventing unmapped domain traffic from slamming clusters directly.

Layer 7 Multiplexing (x-vega)
Once dns-vega routes HTTP traffic inward into the assigned cluster, x-vega assumes the mantle. As our native ingress proxy, x-vega analyzes Application Layer Host Headers. Since we expanded and utilized performant MongoDB v2 architectures, x-vega instantaneously pulls caching matrices to route tenant payloads.

It splits the stream precisely. A request aiming for a frontend Next.js interface gets immediately piped to its designated Pods, while a backend REST API call bound for the identical hardware node gets tunneled strictly into its own compute silo. This ensures tenant isolation and unparalleled multiplexing speed.

6. App Deployment: Orchestrating the Lifecycle from Source to Pod

The ultimate value of a PaaS is the frictionless transition from a developer's git push to a globally available endpoint. In the Lyrid ecosystem, this is a multi-stage orchestration involving nearly every microservice in the stack - from the user-facing Zeta console to the deep-cluster Vega agent.

The Deployment Pipeline Flow

Deployment begins when a user submits their intent via the Zeta Dashboard or the Lyrid CLI. The platform offers two primary modes of execution:

  • Distributed Deployment: Automatically spreading the workload across our managed regions (us-west, ap-southeast, eu-central).
  • Dedicated Cluster: Targeting a specific Kubernetes cluster owned by the tenant.

Developers can choose to define their environment using a standard Dockerfile or our optimized .lyrid-definition.yml, which allows for fine-grained control over build parameters without container expertise.

Zeta / CLI Source Code Lyra API Parser / Dispatch Delta Engine Builder Worker Jobs Registry Docker Images Push Image Theta gRPC Nexus Managed K8s Cluster Vega Agent Kubernetes Op Create Deployment App Pod App Pod Status & Log Streaming

*Figure 5: The end-to-end application deployment lifecycle. Lyra delegates heavy compute to Delta, which pushes artifacts to the registry before signaling Vega via the Theta bridge to materialize the Kubernetes resources.*

Once the code is uploaded to Lyra, the API parses the user intent and converts it into a series of tasks published to the Delta asychronous workers. Delta takes the heavy load: it performs the Docker build (or native language build like npm build), tags the image, and pushes the resulting artifact to our internal or external registry.

The final step is the most critical: bridging the gap to the target cluster. Delta issues a command through the Theta gRPC bridge to the specific Vega agent residing in the destination cluster. Vega then executes the Kubernetes mutation - creating or updating the Deployment, Service, and Ingress resources. Delta doesn't stop there; it periodically polls Vega for deployment health and streams real-time logs back to the Zeta UI, providing developers with immediate feedback on their rollout.

7. Kubernetes Cluster Provisioner: Automating Infrastructure at Scale

Managing a few clusters manually is feasible, but a true PaaS must handle the lifecycle of hundreds of disparate clusters across different cloud providers and regions. I engineered the Kubernetes Cluster Provisioner logic to automate this complex orchestration, turning a raw compute request into a fully operational, production-ready environment in minutes.

The Provisioning Lifecycle

A new cluster lifecycle begins at the Zeta Console. Once a user defines their cluster specifications (nodes, regions, provider), the platform initiates a distributed handshake:

  1. Job Dispatch: Lyra orchestrate the intent, creating a high-priority provisioning task for the Delta Engine.
  2. Infrastructure Interaction: Delta connects to a specialized Vega instance that serves as an infrastructure operator. This "bootstrap" Vega is integrated with Cluster API (CAPI) and vendor-specific drivers (e.g., AWS, GCP, or Bare Metal).
  3. Core Provisioning: Delta monitors the long-running CAPI jobs, tracking node health and availability until the base Kubernetes control plane is stable.
  4. Component Injection: Once the API server is reachable, Delta automatically injects the core Lyrid stack to ensure the cluster is immediately ready for multi-tenant workloads.
Zeta Lyra API Delta Job Queue Bootstrap Vega (Existing Cluster) CAPI Vendor SDK Provision Newly Created Cluster Calico ISCSi Istio Redis Knative Vega X-Vega cert-manager xxx.yyy.lyr.id Delta monitors node status & triggers service injection

*Figure 6: The Cluster Provisioning Lifecycle. Zeta dispatches a provisioning request through Lyra to Delta. Delta communicates with an existing Bootstrap Vega - which has CAPI and vendor-specific SDKs integrated - to create the new cluster. Once the nodes are live, Delta instructs the Bootstrap Vega to inject each platform service individually into the newly created cluster.*

Service Injection

Once Delta confirms the new cluster's nodes are healthy and the API server is reachable, it communicates back to the Bootstrap Vega to inject the full Lyrid platform stack into the newly created cluster:

  • Networking & Service Mesh: Delta instructs Vega to install Flannel/Calico for CNI networking and Istio as the service mesh.
  • Storage & Frameworks: We inject iscsi for persistent volumes and Knative for serverless workloads.
  • Lyrid Stack: Finally, Vega and X-Vega are installed to bridge the cluster back to the global control plane.
  • Connectivity: We use cert-manager to automatically provision and sign SSL certificates, generating a specialized *.lyr.id subdomain for the newly minted cluster, making it instantly reachably from the global internet.

Conclusion

A Platform-as-a-Service is an orchestra of conflicting demands. It must offer instantaneous interactions (Zeta) while simultaneously executing massive container builds entirely asynchronously (Delta). It demands absolute network security while still reaching past firewalls to modify isolated tenant applications (Theta/Vega). The systems I helped architect not only survived these brutal systemic pressures but provided a scalable foundation capable of absorbing rapid innovation metrics unnoticed by the client, maintaining the hallmark of stellar engineering.

Services Contributed

To execute this massive undertaking, I engineered and contributed heavily to the following decoupled microservices across the platform:

Service Description/Role Core Tech Stack
Zeta Core platform Web/UI where end-users interact with the service. Next.js, React
Lyra REST API Control Plane; orchestrates intents and interfaces with the backend. Go, REST
Delta Job Executor; handles long-running asynchronous processes (builds, deployments, cluster provisioning) via message queues. Go, Redis, GCP Pub/Sub
Theta Networking Bridge; manages bi-directional gRPC communication between Lyra and Edge clusters. Go, gRPC
Vega Edge Cluster Controller; provides Kubernetes management capabilities (CAPI, deployments) directly to the control plane. Go, Kubernetes CAPI
X-Vega Edge API Gateway; acts as a reverse proxy routing incoming external traffic to appropriate deployed applications. Go, Knative
dns-vega Global DNS Resolver; routes domain traffic dynamically from external DNS services to Lyrid endpoints. Go

Recommended Articles

Engineering the Data Science Lab: A Paradigm Shift in Autonomous Research

Engineering the Data Science Lab: A Paradigm Shift in Autonomous Research

An in-depth technical showcase of the Data Science Lab skill. Explore how I developed an autonomous agent capable of conducting end-to-end research on Indonesian socioeconomic data, featuring advanced engineering and strategic policy synthesis.

calendar_today Mar 16, 2026
Why ChatGPT is Possible: How Transformers Rebuilt the Modern World

Why ChatGPT is Possible: How Transformers Rebuilt the Modern World

Before ChatGPT, AI was remarkably forgetful. Take a journey through the evolution of 'Sequence Models', the engine under the hood of modern AI, and discover the single breakthrough that finally allowed machines to understand the context of the billion-word world we live in.

calendar_today Mar 1, 2026
Can AI Really Code? How We Measure if Machines are Actually Good at Programming

Can AI Really Code? How We Measure if Machines are Actually Good at Programming

When an AI writes code, how do we know if it actually works or just 'looks' right? Dive into CodeBLEU: the new scorecard that evaluates AI software not just by the text on the screen, but by its logic, structure, and real-world meaning.

calendar_today Mar 1, 2026