Platform Components¶
Detailed Component Architecture and Interactions
Document Version: 1.0.0
Last Updated: 2026-02-10
1. Component Overview¶
MazeVault consists of four core components, each independently deployable:
graph LR
subgraph Frontend["🖥️ Web Interface"]
UI["⭐ React SPA"]
end
subgraph Backend["⚙️ API Server"]
API["🌐 REST API"]
Crypto["🔐 Encryption Engine"]
PKI["📜 PKI Services"]
Sync["🔄 Sync Engine"]
Auth["🔑 Auth Provider"]
end
subgraph OCSP["🛡️ OCSP Responder"]
OCSPSvc["✅ OCSP Service"]
end
subgraph Data["🗄️ Data Layer"]
PG["🗃️ PostgreSQL"]
RD["⚡ Redis"]
end
UI --> API
API --> Crypto
API --> PKI
API --> Sync
API --> Auth
API --> PG
API --> RD
OCSPSvc --> PG
classDef frontend fill:#EBF5FB,stroke:#2196F3,stroke-width:2px,color:#1565C0
classDef backend fill:#E8EAF6,stroke:#3F51B5,stroke-width:2px,color:#283593
classDef ocsp fill:#FFF8E1,stroke:#FF9800,stroke-width:2px,color:#E65100
classDef data fill:#E8F5E9,stroke:#4CAF50,stroke-width:2px,color:#2E7D32
class UI frontend
class API,Crypto,PKI,Sync,Auth backend
class OCSPSvc ocsp
class PG,RD data2. Web Interface¶
The MazeVault Web Interface is a Single Page Application providing:
- Dashboard — Overview of secrets, certificates, sync status, and rotation schedules
- Secrets Manager — Create, read, update, and delete secrets with version history
- Certificate Manager — Request, approve, revoke, and manage certificates
- PKI Administration — Certificate Authority management, CRL distribution, OCSP configuration
- Access Control — Role-based access management, user and team administration
- Project Management — Organize secrets and certificates into isolated projects
- Agent Management — Register, monitor, and configure MazeVault agents
Key Features¶
| Feature | Description |
|---|---|
| Operational Dashboards | Focused views for certificates, secrets, discovered inventory, rotation status, and environment health |
| Lifecycle Workflows | Issue, approve, renew, deploy, archive, and restore workflows are surfaced directly in the UI with RBAC-aware actions |
| Discovery and Adoption | Operators can review discovered certificates and CSRs, assign them into managed projects, and track custody state before renewal or deployment |
| Integration Authoring | The UI drives configuration for external CAs, secret managers, Azure/Entra integrations, and policy-backed configuration discovery |
| Agent and Gateway Control | Registration, health visibility, environment routing, and delegated execution are managed from the same operational surface |
| Audit and Compliance Visibility | Audit evidence, approvals, role-scoped visibility, and compliance-oriented metadata remain visible without exposing sensitive secret material |
3. API Server¶
The API Server is the core of the MazeVault platform, handling all business logic, encryption operations, and external integrations.
Service Categories¶
Core Services¶
| Service | Responsibility |
|---|---|
| Secrets Management | Encrypted CRUD operations, versioning, sharing, rotation |
| Certificate Management | CSR processing, issuance, revocation, renewal, import/export |
| Certificate Authority | Root/Intermediate CA management, CRL generation, OCSP signing |
| Project Management | Multi-tenant project isolation, resource organization |
| RBAC | Role-based access control with granular permissions |
PKI Services¶
| Service | Responsibility |
|---|---|
| SCEP Provider | Simple Certificate Enrollment Protocol support |
| EST Provider | Enrollment over Secure Transport support |
| ACME Provider | Automated Certificate Management Environment support |
| CRL Distribution | Certificate Revocation List generation and distribution |
Integration Services¶
| Service | Responsibility |
|---|---|
| External CA Connectors | DigiCert, Venafi, Microsoft ADCS, SSL Market, PostSignum |
| Cloud Key Vaults | Azure Key Vault, AWS Secrets Manager |
| SSO Providers | Azure Entra ID, GitHub, GitLab, LDAP, SAML 2.0 |
| HSM Providers | AWS CloudHSM, Azure Managed HSM, Google Cloud HSM, PKCS#11, Hardware wallets |
Middleware Stack¶
All API requests pass through a security middleware chain:
- TLS Termination — Enforced at ingress/proxy level
- Rate Limiting — Configurable per-endpoint limits
- CORS Validation — Strict origin checking
- CSRF Protection — Double-submit cookie pattern
- Authentication — JWT validation, API key verification, or mTLS
- Authorization — RBAC permission check
- Audit Logging — All operations recorded with user context
- Request Validation — Input sanitization and schema validation
4. OCSP Responder¶
The OCSP Responder provides real-time certificate validation compliant with RFC 6960.
Capabilities¶
- Real-time certificate status checks (Good, Revoked, Unknown)
- Configurable response caching for performance
- Prometheus metrics for monitoring
- Independent scaling from the API Server
- Kubernetes readiness and liveness probes
Endpoints¶
| Endpoint | Method | Purpose |
|---|---|---|
/ocsp |
POST | OCSP request (DER-encoded) |
/health |
GET | Service health status |
/ready |
GET | Kubernetes readiness probe |
/live |
GET | Kubernetes liveness probe |
/metrics |
GET | Prometheus metrics |
5. Data Layer¶
PostgreSQL¶
PostgreSQL serves as the primary persistent store for all platform data:
- Secrets — Encrypted secret values, metadata, version history
- Certificates — Certificate records, CA chains, revocation data
- Access Control — Users, roles, permissions, project assignments
- Audit Trail — Comprehensive operation logs
- Configuration — System and project-level settings
All sensitive data is encrypted at the application level (AES-256-GCM) before database storage. Database-level SSL is enforced in production.
Redis¶
Redis provides high-performance caching and session management:
| Use Case | TTL | Description |
|---|---|---|
| Session Cache | 24h | Authenticated user sessions |
| Secret Cache | Configurable | Frequently accessed secrets (encrypted) |
| Rate Limit Counters | 1-60min | Per-IP and per-user rate limiting |
| CSRF Tokens | 30min | Cross-site request forgery prevention |
Resilience
MazeVault operates with a dual-mode cache: if Redis becomes unavailable, the system automatically falls back to an in-memory cache, ensuring continued operation with reduced performance.
6. Scalability Matrix¶
| Component | Min Replicas | Max Replicas | Scaling Method | Notes |
|---|---|---|---|---|
| Web Interface | 1 | 10+ | HPA (CPU/Memory) | Stateless, freely scalable |
| API Server | 1 | 1* | Vertical | *Single replica due to license enforcement; contact support for multi-replica licensing |
| OCSP Responder | 1 | 5+ | HPA (Request rate) | Stateless, read-only database access |
| PostgreSQL | 1 | 3 | Read replicas | Primary + read replicas for reporting |
| Redis | 1 | 3 | Sentinel/Cluster | Optional HA with Redis Sentinel |
Related¶
- Architecture Overview — High-level architecture
- Health Checks — Component health monitoring
- Scaling Guide — Scaling recommendations