ConfigHub Architecture
Multi-tenant SaaS core
At its core, ConfigHub is a multi-tenant SaaS following standard B2B SaaS practices. As a customer, you have an organization in ConfigHub, and your team members all collaborate with each other within that organization.
You can log in with your work account from Google Workspace and other providers, and you can also set up SAML- or OIDC-based SSO.
The cloud instance of ConfigHub is responsible for storing all your config data and orchestrating all access and change workflows. All changes to config data are revisioned so you can track what caused the change, compare to past revisions, and revert changes when necessary.
ConfigHub does not store credentials or secrets for your software infrastructure. They are stored externally and only accessed by Workers.
Web UI, CLI, and API
ConfigHub offers a Web UI as well as a CLI. Generally, all functionality is available in both the Web UI and the CLI, so you can choose whichever tool is most convenient for the task. ConfigHub also has an API.
Workers
A Worker is a software process that runs in your infrastructure and connects to ConfigHub. It is responsible for performing operations on your infrastructure and also for executing function logic. In some ways it is similar to a Kubernetes GitOps Operator or a CI runner.
Even functions that do not need to connect to external systems are executed in Workers. This makes it possible for you to build and deploy your own functions without any limitation on programming language, libraries, or computational complexity. (As of right now, only Go is supported as a programming language, but all languages will be supported in the future.)
Workers are also responsible for incorporating secrets into config data when needed before it is used with your infrastructure APIs. This ensures that secrets are kept entirely separate from ConfigHub. You fully control how secrets are stored, retrieved and used.
The same applies to the credentials used to access your software infrastructure. They are never transmitted to or stored by ConfigHub.
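The following Go sketch is an added example, not ConfigHub's own code or API. It shows the Worker-side pattern described above: config data carries only secret references, and the Worker resolves them locally just before use. The `${secret:NAME}` syntax, `SecretStore`, `References`, and `Render` are hypothetical names chosen for illustration.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical reference syntax ${secret:NAME}; an assumption, not a ConfigHub format.
var secretRef = regexp.MustCompile(`\$\{secret:([A-Za-z0-9_]+)\}`)

// SecretStore stands in for whatever store the Worker's environment provides.
type SecretStore func(name string) (value string, ok bool)

// References lists secret names (never values), which are safe to log or report.
func References(config string) []string {
	var names []string
	for _, m := range secretRef.FindAllStringSubmatch(config, -1) {
		names = append(names, m[1])
	}
	return names
}

// Render resolves references inside the Worker, just before the config is used.
// It fails closed: one unresolved name means no output at all.
func Render(config string, lookup SecretStore) (string, error) {
	var missing []string
	out := secretRef.ReplaceAllStringFunc(config, func(m string) string {
		name := secretRef.FindStringSubmatch(m)[1]
		value, ok := lookup(name)
		if !ok {
			missing = append(missing, name)
		}
		return value
	})
	if len(missing) > 0 {
		return "", fmt.Errorf("unresolved secrets: %s", strings.Join(missing, ", "))
	}
	return out, nil
}

// Constructed sample of config data as it would be stored without secret values.
const sample = "stringData:\n  password: ${secret:DB_PASSWORD}\n  token: ${secret:API_TOKEN}\n"

func main() {
	store := map[string]string{"DB_PASSWORD": "example-only", "API_TOKEN": "example-only"}
	rendered, err := Render(sample, func(n string) (string, bool) { v, ok := store[n]; return v, ok })
	fmt.Println(References(sample), len(rendered) > 0, err)
}
```

The error returned by `Render` names the missing references only, so it can be logged or reported without exposing any secret value.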
Diagram
The diagram below illustrates the high-level architecture of ConfigHub: