How It's Built
The platform is split across two distinct environments. Understanding this split is the foundation for everything else in these docs.
The Cogrion Side
Cogrion operates a shared SaaS layer that all tenants connect to:
| Component | Description |
|---|---|
| Control Plane | The brain. Owns the catalog of deployable applications, orchestrates what gets deployed and when, tracks the state of every resource across every tenant workspace. |
| Cogrion | The web UI. Where tenant users interact with the platform — running SQL, building dashboards, monitoring pipelines, managing ML models. |
| Keycloak | The identity provider. Every login and service-to-service call goes through it. Each tenant gets their own isolated realm. |
| Temporal | Runs the long-running cloud provisioning workflows that create VPCs, Kubernetes clusters and IAM roles. Temporal itself lives on the Cogrion side; the resources its workflows create are provisioned into the tenant's cloud account. |
The Tenant Side
Everything that runs inside the tenant's own cloud account:
| Component | Description |
|---|---|
| Cloud Provider | The tenant's AWS, AliCloud or other cloud provider account. All infrastructure is provisioned here — the tenant owns the account, the billing, and the data. |
| Kubernetes Cluster | A dedicated cluster provisioned by Cogrion into the tenant's cloud account. All tenant-side workloads run here. |
| Cluster Agent | A lightweight process running inside the cluster. Continuously polls the Control Plane for work, executes it locally (Helm installs, Kubernetes manifests, Terraform runs), and reports results back. The Control Plane never opens a connection inbound — the agent always reaches out. |
| BFF API | Runs inside the tenant cluster. The gateway between Cogrion and the tenant's running services. Handles request routing and token exchange so Cogrion does not communicate with each service directly. |
| Stacks | The applications deployed into the cluster — defined in the platform catalog and executed by the Cluster Agent. Examples: Trino, Airflow, Superset, Ranger, JupyterHub. See Platform Stacks for how these are authored and deployed. |
How They Connect
What This Means in Practice
- Data sovereignty: query results, pipeline outputs, and user data are processed and stored inside the tenant's cloud account. What the Cogrion side holds is the catalog and the deployment and resource state the Control Plane tracks, not the tenant's data.
- No inbound access: Cogrion never opens a network connection into a tenant cluster; the Cluster Agent initiates every exchange. Note that this statement is about the cluster. The initial VPC, cluster and IAM roles are created by the Cogrion-side Temporal workflows, which means Cogrion holds provisioning access to the tenant's cloud account for that purpose.
- Shared catalog, isolated infrastructure: all tenants share the same application catalog and Control Plane, but each runs on its own infrastructure, in its own cloud account and cluster, with its own Keycloak realm.