Neuwerk

Control Plane

The control plane owns management, DNS proxying, cluster state, observability, and service-plane processing.

The control plane is the operational side of the Neuwerk.

It owns:

  • the management HTTPS API and web UI
  • metrics, health, and readiness surfaces
  • policy persistence and activation
  • DNS proxying for hostname-based policy
  • dynamic DNS allowlist maintenance
  • service accounts and SSO
  • integrations such as Kubernetes-backed source resolution
  • audit and wiretap aggregation
  • TLS interception runtime and CA management
  • cluster replication and leader-aware management behavior

Why DNS And TLS Interception Live Here

Both features require more than packet forwarding:

  • DNS policy needs query parsing, upstream resolution, and hostname-to-IP bookkeeping
  • TLS interception needs certificate management, HTTP parsing, and a service runtime

Keeping those concerns in the control plane preserves the dataplane boundary and makes it clearer which failures are packet-engine failures versus service failures.

The Main Operational Surfaces

Operators interact with the control plane through:

  • the main HTTPS listener for the UI and management API
  • the metrics listener
  • the DNS listener on the management address
  • cluster listeners when HA is enabled

The control plane is therefore broader than “the web API”. It is every runtime surface that turns configuration into behavior or provides higher-layer services around enforcement.

State Ownership

The control plane is the source of truth for control-plane records such as:

  • policies and active policy selection
  • service accounts
  • integrations
  • SSO configuration
  • management and intercept CA material
  • audit history

In single-node mode that state is local. In clustered mode it is replicated and leader-aware.

Operator Implications

  • If the management API is healthy but the node is not ready, the control plane may still be waiting for dataplane, DNS, service-plane, or cluster readiness.
  • Hostname-based policy failures should be investigated from the DNS proxy outward.
  • TLS interception depends on both policy and intercept CA availability.

Read Cluster Replication for the HA-specific control plane behavior.