Overview
System architecture and deployment model
Unkey runs on AWS across multiple regions, using Kubernetes for container orchestration. The architecture is split between the control plane that manages customer deployments and the data plane that serves traffic.
Core Services
Control Plane (Ctrl)
Orchestrates deployments, builds containers via Depot, provisions TLS certificates, and configures routing using durable Restate workflows
Krane
Kubernetes deployment abstraction that manages StatefulSets across multiple clusters and regions without replicating control plane logic
API
Handles key verification, analytics queries, and management operations in Go. Deployed to multiple AWS regions behind Global Accelerator
Gateway (GW)
Routes traffic to customer deployments by querying the partition database, terminating TLS, and proxying requests to Kubernetes pods
ClickHouse
Stores analytics events for key verification logs, API usage metrics, and audit trails with automatic scaling and replication
Vault
Encrypts sensitive data using envelope encryption with AWS KMS, decrypting on demand without storing plaintext secrets