Transport & security
Part of the self-contained SRE guide
This chapter restates the per-cluster auth model and the server-side query filter (FR-065) on the read path inline so the guide stands alone. Owned by PRD §35.4 / §4.4 / FR-065 / FR-071 — the PRD wins on conflict. The Reference collects every inlined contract with its provenance.
In plain words
Telemetry travels from the cluster to its regional stores inside one VPC, and — for cross-region dashboard reads only — over private peering; all on DigitalOcean's private network, which doesn't count as billable bandwidth, so your own monitoring costs nothing in ingest egress. Each cluster carries a token so one compromised cluster can't impersonate another.
How to build it
- Network: the customer cluster and its regional telemetry VMs share one /16 regional VPC (§4.4), so ingest is intra-VPC at $0 — no peering on the ingest path. (VPC peering carries only the cross-region dashboard reads — see Reads below.)
- Metrics (ingest): vmagent → Prometheus `remote_write` → a regional `vmauth`/`vminsert` front door → VictoriaMetrics (VM droplet). vmagent's on-disk queue buffers during sink outages and replays.

  vmagent flags · vmagent.values.yaml

  ```
  # customer workload series → regional VictoriaMetrics (the only destination)
  -remoteWrite.url=https://vmauth.<region>.internal/insert/0/prometheus/api/v1/write
  -remoteWrite.bearerTokenFile=/etc/vmagent/cluster.token
  -remoteWrite.urlRelabelConfig=/etc/vmagent/customer.relabel.yml
  # platform self-monitoring is a separate pipeline — a dedicated Grafana Alloy agent (ch.5)
  ```

- Logs (ingest): Fluent Bit agent → `forward` → regional Vector aggregator → ClickHouse (VM droplet).
- Reads (dashboard): Starbase queries the store in the project's region (pinned to one region → a single lookup via a region→store-endpoint registry, no fan-out). The control-plane VPC reaches each regional store over private cross-region VPC peering, through the existing front doors — `vmauth` for VictoriaMetrics (ch.2 step 1), a read-only ClickHouse user for logs (ch.3 step 1) — never a public endpoint, no new service; Starbase injects the FR-065 filter. Only query results cross regions ($0.01/GiB); ingest stays intra-region at $0. (At MVP, single region = co-located, so there's no cross-region read at all.)
- Auth: a per-cluster bearer token at `vmauth` (metrics) and the Vector aggregator's `fluent` source (logs), even over the private network. Stores are VPC-private; Starbase reads them through the authed front door and always injects the tenant filter (FR-065).
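The read path above has three rules that are easy to get wrong in code: pin to the project's region with a single registry lookup, go through the authed front door, and never send a query without the tenant filter. The following is an added illustration of those rules, not Starbase's own code. It assumes a tenant label named `project_id`, a ClickHouse table named `logs`, constructed registry hostnames, and uses VictoriaMetrics' `extra_label` query argument plus ClickHouse's `{name:Type}` query parameters as one way to apply the FR-065 filter server-side rather than by string-editing the query.

```python
"""Read-path helper for the dashboard: region pinning, authed front door,
and mandatory tenant filter (FR-065). Illustrative code, not Starbase's.
All hostnames, the label name and the table name are assumptions."""
import re
from urllib.parse import urlencode

# Constructed region -> store-endpoint registry (hostnames are made up).
STORE_REGISTRY = {
    "nyc3": {"metrics": "https://vmauth.nyc3.internal",
             "logs": "clickhouse-ro.nyc3.internal"},
    "fra1": {"metrics": "https://vmauth.fra1.internal",
             "logs": "clickhouse-ro.fra1.internal"},
}

TENANT_LABEL = "project_id"          # assumed name of the tenant label
PROJECT_ID_RE = re.compile(r"^[a-z0-9-]{1,64}$")   # assumed id format


def lookup_store(region):
    """One lookup, no fan-out: a project is pinned to exactly one region."""
    try:
        return STORE_REGISTRY[region]
    except KeyError:
        raise ValueError(f"no telemetry store registered for region {region!r}")


def _check_project_id(project_id):
    # Refuse anything that is not a plain id before it reaches a label
    # filter or a query parameter; the filter must never be bypassable.
    if not PROJECT_ID_RE.match(project_id):
        raise ValueError(f"invalid project id {project_id!r}")
    return project_id


def metrics_read_request(region, project_id, promql, read_token):
    """Build the PromQL request that goes through vmauth (bearer auth) with
    the tenant filter attached as VictoriaMetrics' extra_label argument,
    which vmselect ANDs into every series selector of the query."""
    store = lookup_store(region)
    params = {
        "query": promql,
        "extra_label": f"{TENANT_LABEL}={_check_project_id(project_id)}",
    }
    return {
        "url": f"{store['metrics']}/select/0/prometheus/api/v1/query?"
               f"{urlencode(params)}",
        "headers": {"Authorization": f"Bearer {read_token}"},
    }


def logs_read_query(region, project_id, since, limit=100):
    """Build the ClickHouse read with the tenant predicate as a typed query
    parameter (param_<name> on the HTTP interface), so the project id is
    never concatenated into SQL. Uses the read-only ClickHouse user."""
    store = lookup_store(region)
    sql = (
        "SELECT timestamp, message FROM logs "
        f"WHERE {TENANT_LABEL} = {{project:String}} "
        "AND timestamp >= {since:DateTime} "
        "ORDER BY timestamp DESC LIMIT {limit:UInt32}"
    )
    params = {
        "param_project": _check_project_id(project_id),
        "param_since": since,
        "param_limit": str(limit),
    }
    return {"host": store["logs"], "query": sql, "params": params}


if __name__ == "__main__":
    print(metrics_read_request("nyc3", "acme", "up", "<read-token>")["url"])
    print(logs_read_query("fra1", "acme", "2024-01-01 00:00:00")["query"])
```

Because the tenant predicate is attached outside the query text (a query argument for VictoriaMetrics, a bound parameter for ClickHouse), a dashboard author cannot remove it by editing the PromQL or SQL they submit; the only way to widen the result set is to change the project id, which the helper validates first.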
Gotchas & what lives elsewhere
All clusters are in Starform's own DO account (no BYOC) and share their region's VPC, so ingest stays on the private network with no second, public transport path to maintain — the only peering is the cross-region read path. Watch node-recycling on DOKS: re-verify the intra-VPC routes (and any cross-region peering routes) survive node-pool changes.
PRD reference & inlined contracts
Owned by §35.4 (telemetry transport), §6 (tech stack), §4.4 (per-region VPC); FR-066 / FR-071. The per-cluster auth model and the server-side read filter are restated above so this guide stands alone — if they ever diverge, the PRD wins. Canonical map: Canonical Sources.