Brac POC — demo scope (v2 from client)
Second message from BRAC Bank PLC narrowing the original POC scope to eight specific demonstration components, with a reference architecture diagram (MFE Router → WSO2 API GW → BFF router → Meshow → Identity → Product, and WSO2 IAM beside the mesh).
Source: second message from BRAC Bank PLC, captured 2026-05-11. The message tightens the original requirements email down to eight specific demonstration items and ships a reference architecture photo. Both are reproduced verbatim below.
BRAC Bank Demonstration Scope
Reference architecture image and requested demonstration components.
Requested demonstration items
| No. | Demonstration Component |
|---|---|
| 1 | API Gateway |
| 2 | IAM |
| 3 | MTLS (Commply MTLS / Service mesh) |
| 4 | Canary deployment using service mesh |
| 5 | Design robust Observability including Kafka — high level (High Priority) |
| 6 | Redis |
| 7 | SigNoz |
| 8 | Nexus OSS |
Note: Preserves the provided architecture image and demonstration scope text for the BRAC Bank discussion.
Reference architecture (re-rendered)
The client sent the architecture as a photo of a slide. Re-rendered here so the flow is navigable and searchable; the photo is preserved as a fallback below.
Reading the diagram:
- TLS terminates twice on the way in: once at the MFE Router (so the edge sees plaintext) and once at the WSO2 API Gateway. Each northbound hop is HTTPS; each hop the API GW issues southbound is plain HTTP (intra-cluster).
- The BFF router sits between the API GW and the service mesh — it’s the per-tenant aggregation layer, not the gateway.
- Meshow (the service mesh) hosts the workload pods and brokers mTLS between them. WSO2 IAM sits beside the mesh rather than inside it (the diagram calls it out with an IAM flow) and implements OIDC for the Identity service.
- Behind the mesh: two services, Identity and Product. Identity is the auth service the apps consult; Product is the business service.
Mapping back to the eight demonstration items
A quick cross-walk so the demo cockpit panels line up with the client’s scope table:
| Client item | What the panel proves |
|---|---|
| API Gateway | WSO2 API GW box in the diagram — show route + transform + token validation. |
| IAM | WSO2 IAM box — OIDC login, token issued, session established for the SPA. |
| MTLS | Service mesh sidecar handshake — show the cert + identity per pod. |
| Canary using service mesh | VirtualService weight split (v1 / v2), live header override to a sticky lane. |
| Observability incl. Kafka (High Priority) | SigNoz traces across MFE → API GW → BFF → Identity → Product, with a Kafka topic showing producer/consumer span. |
| Redis | Sentinel-driven failover walkthrough; reads/writes during primary kill. |
| SigNoz | Native dashboard view + alert routing. |
| Nexus OSS | App-registry push + dev-pull endpoint shapes; image digest pinning. |
The demo cockpit (brac-poc.apps.sub.comptech-lab.com) carries one panel per row above.
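For the canary and MTLS rows, an added example (not taken from the client's message or from the project's own manifests) of the weight split, the header override and mesh mTLS as Istio-style resources. It assumes the mesh accepts the Istio networking API; the service name `product`, the `version` pod label, the 90/10 weights and the `x-demo-lane` header are all hypothetical.

```yaml
# Added example. Every name below is an assumption, not from the scope email.
# Assumes Product pods are labelled version=v1 / version=v2.
apiVersion: networking.istio.io/v1beta1
kind: DestinationRule
metadata:
  name: product              # hypothetical service name
spec:
  host: product
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL     # sidecar-to-sidecar mTLS with mesh-issued certs
  subsets:
    - name: v1
      labels:
        version: v1
    - name: v2
      labels:
        version: v2
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: product
spec:
  hosts:
    - product
  http:
    # Rule 1 (evaluated first): header override pins the caller to v2.
    # The header should be set by a trusted hop (for example the BFF) and
    # stripped from inbound client requests at the gateway.
    - match:
        - headers:
            x-demo-lane:     # hypothetical header name
              exact: v2
      route:
        - destination:
            host: product
            subset: v2
    # Rule 2 (default): weighted canary split for all other traffic.
    - route:
        - destination:
            host: product
            subset: v1
          weight: 90
        - destination:
            host: product
            subset: v2
          weight: 10
```

Rules in a VirtualService are matched top to bottom, so the header rule must stay above the weighted default for the override to take effect.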