# Architecture Overview
MazeVault Enterprise Platform — High-Level Architecture
Document Version: 1.0.0
Last Updated: 2026-02-10
## 1. System Purpose
MazeVault is an enterprise-grade secrets management and PKI (Public Key Infrastructure) platform designed for organizations requiring:
- Centralized Secrets Management with encryption at rest and in transit
- Internal Certificate Authority with full certificate lifecycle management
- Zero-Knowledge Architecture ensuring the platform never accesses plaintext sensitive data
- Multi-Datacenter Deployment with automated conflict resolution
- Regulatory Compliance alignment with ISO 27001, SOC 2, PCI DSS, and GDPR
## 2. Architecture Diagram
```mermaid
graph TB
    subgraph External["☁️ External Services"]
        AzureAD["🆔 Azure Entra ID<br/>(SSO)"]
        AzureKV["🔐 Azure Key Vault"]
        ExtCA["🏢 External CA<br/>(DigiCert, Venafi)"]
        Monitor["📊 Azure Monitor"]
    end
    subgraph Platform["🏦 MazeVault Platform"]
        LB["🌐 Load Balancer / Ingress<br/>(TLS Termination)"]
        subgraph App["Application Layer"]
            FE["🖥️ Web Interface<br/>(SPA)"]
            BE["⚙️ API Server"]
            OCSP["📜 OCSP Responder"]
        end
        subgraph Data["Data Layer"]
            PG["🗄️ PostgreSQL<br/>(Primary Store)"]
            Redis["⚡ Redis<br/>(Cache & Sessions)"]
        end
    end
    Users["🧑💻 Users / Operators"] -->|HTTPS| LB
    Agents["🤖 MazeVault Agents"] -->|mTLS| LB
    LB --> FE
    LB --> BE
    LB --> OCSP
    BE --> PG
    BE --> Redis
    BE --> AzureAD
    BE --> AzureKV
    BE --> ExtCA
    OCSP --> PG
    BE --> Monitor
    classDef external fill:#F5F5F5,stroke:#9E9E9E,stroke-width:2px,color:#424242
    classDef lb fill:#FFF8E1,stroke:#FF9800,stroke-width:2px,color:#E65100
    classDef app fill:#EBF5FB,stroke:#2196F3,stroke-width:2px,color:#1565C0
    classDef data fill:#E8F5E9,stroke:#4CAF50,stroke-width:2px,color:#2E7D32
    classDef user fill:#E8EAF6,stroke:#3F51B5,stroke-width:2px,color:#283593
    class AzureAD,AzureKV,ExtCA,Monitor external
    class LB lb
    class FE,BE,OCSP app
    class PG,Redis data
    class Users,Agents user
```
## 3. Design Principles
| Principle | Description |
|---|---|
| Defense in Depth | Multiple layers of security — TLS, application-level encryption, database encryption, HSM integration |
| Zero Trust | All internal communication is authenticated and encrypted; no implicit trust between components |
| High Availability | Designed for Kubernetes deployment with health checks, readiness probes, and automated recovery |
| Separation of Concerns | API Server, Web Interface, and OCSP Responder are independently deployable and scalable |
| Compliance by Design | Audit logging, key rotation, and access control built into the platform core |
## 4. Technology Summary
| Layer | Technology | Purpose |
|---|---|---|
| Web Interface | React + TypeScript | Single Page Application |
| API Server | Go (Gin framework) | REST API, business logic, encryption |
| Database | PostgreSQL 15+ | Primary persistent storage |
| Cache | Redis 7+ | Session management, secret caching |
| OCSP Responder | Go (custom) | Real-time certificate validation |
| Container Runtime | Docker / Kubernetes | Deployment and orchestration |
| Infrastructure as Code | Terraform / Helm | Automated provisioning |
## 5. Deployment Models
MazeVault supports the following deployment models:
### Azure Kubernetes Service (AKS)
- Recommended for production workloads
- Integrated with Azure Key Vault, Azure Monitor, Azure Entra ID
- Helm charts provided for standardized deployment
- Horizontal Pod Autoscaling for the web interface and OCSP components
### On-Premise (Rocky Linux / RHEL)
- Docker Compose-based deployment
- Nginx reverse proxy with TLS termination
- Suitable for air-gapped or restricted network environments
- Offline deployment packages available
### Hybrid
- API Server and database on-premise
- Agents deployed across multiple sites
- Centralized management with distributed secret access
## 6. Communication Protocols
| Source | Target | Protocol | Authentication |
|---|---|---|---|
| Users | Web Interface | HTTPS (TLS 1.2+) | Session / JWT |
| Web Interface | API Server | HTTPS (TLS 1.2+) | JWT Bearer Token |
| Agents | API Server | mTLS | Client Certificate + API Key |
| API Server | PostgreSQL | TLS | Username/Password + SSL |
| API Server | Redis | TLS | Password + TLS |
| API Server | Azure Key Vault | HTTPS | Managed Identity / Service Principal |
| API Server | External CAs | HTTPS | API Key / Certificate |
| OCSP Clients | OCSP Responder | HTTP/HTTPS | None (public) / mTLS |
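The Agents → API Server row above (mTLS with a client certificate plus an API key, TLS 1.2 or newer) as an added Go example, not code from the MazeVault project: the server-side TLS policy and the request check that requires both factors. It assumes the API server terminates the agent mTLS connection itself (the diagram places TLS termination at the ingress, in which case the verified identity would have to be forwarded by the load balancer instead) and that the key travels in a header named `X-MazeVault-Agent-Key`, which the page does not specify.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Header carrying the agent API key (assumed name; the page does not specify it).
const agentKeyHeader = "X-MazeVault-Agent-Key"

// agentTLSConfig enforces the table's policy for the Agents -> API Server hop:
// TLS 1.2 or newer, and a client certificate that chains to the agent CA pool.
func agentTLSConfig(agentCAs *x509.CertPool) *tls.Config {
	return &tls.Config{
		MinVersion: tls.VersionTLS12,
		ClientAuth: tls.RequireAndVerifyClientCert,
		ClientCAs:  agentCAs,
	}
}

// authenticateAgent requires both factors from the table. It checks VerifiedChains,
// not PeerCertificates: the latter is filled even for a presented-but-unverified
// certificate. The API key is compared in constant time. On success it returns
// the agent identity taken from the certificate's Common Name.
func authenticateAgent(r *http.Request, expectedKey string) (string, error) {
	if r.TLS == nil || len(r.TLS.VerifiedChains) == 0 {
		return "", errors.New("no verified client certificate")
	}
	key := r.Header.Get(agentKeyHeader)
	if subtle.ConstantTimeCompare([]byte(key), []byte(expectedKey)) != 1 {
		return "", errors.New("invalid agent API key")
	}
	return r.TLS.VerifiedChains[0][0].Subject.CommonName, nil
}

func main() {
	// Constructed request standing in for an agent call, so the file runs stand-alone.
	leaf := &x509.Certificate{Subject: pkix.Name{CommonName: "agent-01"}}
	r := httptest.NewRequest("GET", "/api/v1/secrets", nil)
	r.TLS = &tls.ConnectionState{VerifiedChains: [][]*x509.Certificate{{leaf}}}
	r.Header.Set(agentKeyHeader, "constructed-key")
	id, err := authenticateAgent(r, "constructed-key")
	fmt.Println(id, err) // agent-01 <nil>
}
```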
## Related
- Components — Detailed component architecture
- Security Overview — Security architecture details
- Deployment Requirements — System requirements