Architecture
Launcher uses a control plane / data plane architecture that separates orchestration from execution.
Control Plane
The control plane is the brain of the system. It runs as a managed service and handles:
- API & Dashboard — RESTful API and web UI for managing all resources.
- Orchestration — Scheduling deployments, rolling updates, and health checks.
- Configuration — Environment variables, secrets, domain routing, and TLS certificates.
- State Management — Tracking the desired and actual state of all resources.
The control plane does not run your application workloads. It only sends instructions to agents.
Data Plane
The data plane is where your applications actually run. It consists of agents installed on your servers.
Each agent:
- Connects outbound to the control plane via gRPC (no inbound ports required).
- Receives deployment instructions and reports status back.
- Manages containers via Docker Swarm on the local machine.
- Handles local networking, log collection, and health monitoring.
Communication Flow
┌─────────────────┐       gRPC (outbound)        ┌──────────────────┐
│   Your Server   │ ────────────────────────────▶│  Control Plane   │
│     (Agent)     │◀──────────────────────────── │     (Hosted)     │
│                 │         Instructions         │                  │
│  ┌────────────┐ │                              │  ┌────────────┐  │
│  │ Container  │ │                              │  │    API     │  │
│  │ Container  │ │                              │  │ Dashboard  │  │
│  │ Container  │ │                              │  │ Scheduler  │  │
│  └────────────┘ │                              │  └────────────┘  │
└─────────────────┘                              └──────────────────┘
Edge Routing
Traffic from the internet reaches your applications through an edge proxy layer. The edge proxy terminates TLS, routes requests by hostname, and forwards traffic to the appropriate server. This means your servers only need outbound connectivity — they never listen for inbound connections directly.
Security Model
- All communication is encrypted with mutual TLS.
- Agents authenticate to the control plane using per-tenant tokens.
- No ports are opened on customer servers.
- Secrets are encrypted at rest and only decrypted on the target server.
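To check the "no ports are opened" property on a server that runs an agent, you can audit its TCP listeners. The script below is an added example, not part of Launcher: it parses the output of `ss -H -tln` and reports every listener that is not bound to loopback. The function names, the allowlist parameter and the sample output are assumptions made for this illustration.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not captured from a real host).
# 2377/tcp is Docker Swarm's default cluster-management port; it appears
# here only as a constructed finding.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      4096       127.0.0.1:9090       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
LISTEN 0      4096            [::]:2377          [::]:*
LISTEN 0      4096           [::1]:6010          [::]:*
"""


def parse_local(field):
    """Split ss's 'Local Address:Port' field into (address, port)."""
    addr, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any %interface scope suffix.
    addr = addr.strip("[]").split("%", 1)[0]
    return addr, int(port)


def is_loopback(addr):
    """True only for addresses reachable from the local host alone."""
    if addr == "*":  # wildcard bind: every interface
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # unparseable: report it so a human reviews it


def exposed_listeners(ss_output, allowed_ports=frozenset()):
    """Return (address, port) for each non-loopback TCP listener
    whose port is not in the (hypothetical) allowlist."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = parse_local(fields[3])
        if not is_loopback(addr) and port not in allowed_ports:
            findings.append((addr, port))
    return sorted(findings, key=lambda f: f[1])


if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS_OUTPUT, allowed_ports={22}):
        print(f"listener reachable from the network: {addr}:{port}")
```

On a real host, pass in the captured output of `ss -H -tln` instead of the sample, and compare the findings with the host firewall rules before concluding that a port is reachable from outside.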