Infrastructure References — MIT Learn
Source-of-truth links for the systems and flows drawn in the architecture diagrams. This page is curated (not generated): update it when infrastructure definitions move.
Primary infrastructure definitions
| Concern | Location |
|---|---|
| Backend (Pulumi) | ol_infrastructure/applications/mit_learn/__main__.py |
| Next.js (Pulumi) | ol_infrastructure/applications/mit_learn_nextjs/__main__.py |
| OpenSearch (Pulumi) | infrastructure/aws/opensearch/__main__.py |
| Kubernetes secrets | applications/mit_learn/k8s_secrets.py |
| Vault policy | applications/mit_learn/mitlearn_policy.hcl |
| Backend Concourse pipeline | ol_concourse/.../k8s_apps/docker_pulumi.py |
| Pipeline meta-config | ol_concourse/.../k8s_apps/meta.py |
Local development (mit-learn repo)
| File | Purpose |
|---|---|
| docker-compose.yml | Base compose |
| docker-compose.services.yml | Postgres, Redis, OpenSearch, Qdrant, Tika, APISIX, Keycloak, Nginx |
| docker-compose.apps.yml | Django web, Celery worker (-Q default,edx_content,embeddings -B), Next.js |
| config/apisix/apisix.yaml | Gateway routes (Django, learn-ai /ai/*, MITx Online /mitxonline/*) |
Environments
Three environments deploy from distinct branches, each with separate RDS,
ElastiCache, OpenSearch, S3 buckets (-ci / -rc / -production), DNS, and
Fastly configuration:
| Env | Branch | Notes |
|---|---|---|
| CI | main | Development/testing |
| QA / RC | release-candidate | Pre-production staging |
| Production | release (version tags) | learn.mit.edu |
Health checks
/health/startup/ (migrations, cache, Redis, DB) · /health/liveness/ (DB
heartbeat) · /health/readiness/ (cache, Redis, DB) · /health/full/ (+ Celery
ping).
Security & secrets
- Vault: KV-v2 mount secret-mitlearn, AWS backend aws-mitx, Kubernetes service-account auth. DB roles: app (full) and reverse-etl (external schema, used by the Hightouch/Airbyte integration — see Dependencies & Cycles).
- Auth: Keycloak SSO (realm olapps); OIDC/OAuth2 enforced at APISIX; JWT for API access.
- Postgres has public access enabled for Hightouch/Airbyte — a deliberate but notable exposure flagged in the dependencies analysis.