
Deployment Architecture

Overview

Fulcrum is designed to run as a set of containerized services, orchestrated via Docker Compose (development) or Kubernetes/Railway (production). The architecture emphasizes strict separation of concerns between the Control Plane (Management) and the Data Plane (Enforcement).

Topology

graph TD
    Client[Client Applications] --> LB[Load Balancer]

    subgraph "Fulcrum Platform"
        LB --> API[API Gateway / gRPC Server]

        subgraph "Core Services"
            API --> Engine[Policy Engine]
            API --> Budget[Budget Service]
            API --> Audit[Audit Service]
        end

        subgraph "Data Layer"
            Engine --> Cache[(Redis Cache)]
            Audit --> DB[(PostgreSQL)]
            Budget --> DB
            Audit --> CH[(ClickHouse - Telemetry)]
        end

        subgraph "Message Bus"
            API --> NATS[NATS JetStream]
            NATS --> Workers[Async Workers]
        end
    end

Components

1. API Server (Golang)

  • Role: Entry point for SDKs and Dashboard.
  • Protocols: gRPC (Agents), REST/Connect (Web Dashboard).
  • Scaling: Stateless, horizontally scalable.

2. Policy Engine (OPA/Rego)

  • Role: Evaluates governance policies against input context.
  • Implementation: Embedded OPA library or external OPA server.
  • State: Policies cached in-memory/Redis for low latency (<10ms).

3. Data Stores

  • PostgreSQL: Primary source of truth for configuration, users, policies, and low-volume relational data.
  • ClickHouse (Optional/Enterprise): High-volume storage for execution traces, audit logs, and analytics.
  • Redis: Hot cache for API keys, rate limits, and active policy definitions.

4. NATS JetStream

  • Role: Asynchronous event bus.
  • Use Cases: Decoupling audit logging from the critical path, processing analytics, distributing config updates.
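As an added example (not Fulcrum's own code), the request path that sections 2 and 4 describe, written in Go with only the standard library: a policy cache standing in for the in-memory/Redis layer, an evaluation that fails closed when no policy is cached, and a bounded channel standing in for NATS JetStream so that audit writes never sit on the critical path. The type and field names are assumptions for the example, and the allow-list plus budget policy shape replaces the Rego a real deployment would evaluate.

```go
package main

import (
	"sync"
	"sync/atomic"
)

// ActionRequest is the input context an SDK sends for one agent action
// (constructed field names for this example, not Fulcrum's API types).
type ActionRequest struct {
	AgentID string
	Tool    string
	CostUSD float64
}

// Policy is a governance policy in the shape the engine evaluates: a tool
// allow-list plus a spend ceiling. A real deployment would express it in Rego.
type Policy struct {
	AllowedTools map[string]bool
	BudgetUSD    float64
}

// Decision is the engine's verdict; AuditEvent is the record handed to the bus
// instead of being written to PostgreSQL/ClickHouse on the request path.
type Decision struct{ Allow bool; Reason string }
type AuditEvent struct{ AgentID, Tool, Reason string; Allowed bool }

// PolicyCache stands in for the in-memory/Redis cache of active policies and
// budget counters, keyed by agent ID; a config-update on the bus would replace it.
type PolicyCache struct {
	mu       sync.Mutex
	policies map[string]Policy
	spent    map[string]float64
}

func NewPolicyCache(policies map[string]Policy) *PolicyCache {
	return &PolicyCache{policies: policies, spent: map[string]float64{}}
}

// Evaluate checks a request against the cached policy. An agent with no cached
// policy is denied: the engine fails closed rather than guessing.
func (c *PolicyCache) Evaluate(req ActionRequest) Decision {
	c.mu.Lock()
	defer c.mu.Unlock()
	p, ok := c.policies[req.AgentID]
	switch {
	case !ok:
		return Decision{false, "no policy cached for agent"}
	case !p.AllowedTools[req.Tool]:
		return Decision{false, "tool not in allow-list"}
	case c.spent[req.AgentID]+req.CostUSD > p.BudgetUSD:
		return Decision{false, "budget exceeded"}
	}
	c.spent[req.AgentID] += req.CostUSD // reserve spend while holding the lock
	return Decision{true, "allowed"}
}

// AuditBus stands in for NATS JetStream: a bounded buffer drained by an async
// worker, so the request path never waits on audit storage.
type AuditBus struct {
	events  chan AuditEvent
	dropped int64
}

func NewAuditBus(size int) *AuditBus { return &AuditBus{events: make(chan AuditEvent, size)} }

// Publish enqueues without blocking. A full buffer is counted as a drop so a gap
// in the audit trail is observable instead of silent.
func (b *AuditBus) Publish(ev AuditEvent) bool {
	select {
	case b.events <- ev:
		return true
	default:
		atomic.AddInt64(&b.dropped, 1)
		return false
	}
}

func (b *AuditBus) Dropped() int64 { return atomic.LoadInt64(&b.dropped) }

// Close stops the bus and returns the buffered events in order, standing in for
// the worker that would persist them to ClickHouse.
func (b *AuditBus) Close() []AuditEvent {
	close(b.events)
	var out []AuditEvent
	for ev := range b.events {
		out = append(out, ev)
	}
	return out
}

// Handle is the API server's hot path: evaluate, hand the record to the bus,
// return immediately.
func Handle(cache *PolicyCache, bus *AuditBus, req ActionRequest) Decision {
	d := cache.Evaluate(req)
	bus.Publish(AuditEvent{req.AgentID, req.Tool, d.Reason, d.Allow})
	return d
}
```

The two design choices worth noticing are the ones the diagram implies but does not spell out: the decision for an unknown agent is a deny, not an allow, and a saturated audit buffer is counted rather than waited on, which is what keeps the sub-10ms budget intact while still making a lost audit record visible to monitoring.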

Production Environment (Railway/Cloud)

In a typical cloud deployment (e.g., Railway):

  • Service: Runs as a single Docker container or replicated set.
  • Database: Managed PostgreSQL instance.
  • Variables: Configuration via Environment Variables (12-Factor App).
  • Security: mTLS between SDK and Server (Enterprise), TLS termination at the edge.
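An added example (not Fulcrum's own code) of the two production points above in Go: 12-factor configuration read from environment variables, with a startup that refuses to run when a required value is absent, and a server TLS configuration that enforces mTLS by requiring and verifying SDK client certificates against a configured CA. The FULCRUM_* variable names are assumptions for this example, not the project's documented settings, and the self-signed CA helper exists only so the block runs without real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"time"
)

// ServerConfig is the 12-factor configuration read from the environment. The
// variable names used below are assumptions for this example, not Fulcrum's.
type ServerConfig struct {
	DatabaseURL string
	RedisURL    string
	RequireMTLS bool
	ClientCAPEM []byte
}

// LoadConfig reads settings through a lookup function (os.LookupEnv in
// production, a map in tests). A missing required variable fails startup
// instead of falling back to a silent default.
func LoadConfig(lookup func(string) (string, bool)) (ServerConfig, error) {
	var cfg ServerConfig
	var missing []string
	required := func(key string) string {
		v, ok := lookup(key)
		if !ok || v == "" {
			missing = append(missing, key)
		}
		return v
	}
	cfg.DatabaseURL = required("FULCRUM_DATABASE_URL")
	cfg.RedisURL = required("FULCRUM_REDIS_URL")
	if v, _ := lookup("FULCRUM_REQUIRE_MTLS"); v == "true" {
		cfg.RequireMTLS = true
		cfg.ClientCAPEM = []byte(required("FULCRUM_CLIENT_CA_PEM")) // mandatory once mTLS is on
	}
	if len(missing) > 0 {
		return cfg, fmt.Errorf("missing required environment variables: %v", missing)
	}
	return cfg, nil
}

// ServerTLSConfig builds the listener's TLS settings. With mTLS on, every SDK
// connection must present a certificate chaining to the configured CA.
func ServerTLSConfig(cfg ServerConfig) (*tls.Config, error) {
	tc := &tls.Config{MinVersion: tls.VersionTLS12}
	if !cfg.RequireMTLS {
		return tc, nil
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(cfg.ClientCAPEM) {
		return nil, fmt.Errorf("FULCRUM_CLIENT_CA_PEM contains no parsable certificate")
	}
	tc.ClientCAs = pool
	tc.ClientAuth = tls.RequireAndVerifyClientCert
	return tc, nil
}

// SelfSignedCAPEM mints a throwaway CA for local runs and tests only.
func SelfSignedCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "fulcrum-dev-ca"},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	cfg, err := LoadConfig(os.LookupEnv)
	if err != nil {
		fmt.Println("startup refused:", err)
		os.Exit(1)
	}
	_, err = ServerTLSConfig(cfg)
	fmt.Println("mTLS required:", cfg.RequireMTLS, "tls config error:", err)
}
```

One caveat that follows from the bullets above: mTLS between SDK and server only holds end to end if the edge passes the TLS session through to the API server. An edge that terminates TLS never forwards the client certificate, so the server would have to enforce identity some other way on that hop.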

Local Development

The docker-compose.yml provides a localized replica of the production stack:

  • fulcrum-server: Core API
  • postgres: Config DB
  • redis: Cache
  • prometheus/grafana: Observability stack

See Deployment Guide for setup instructions.