Core concepts

A small, stable vocabulary runs through the whole platform.

Site

A deployable application: a Git repo or container image plus a runtime, domains, environment, a database and a deploy strategy. A site can target one or many servers. This is the thing you ship.

Service

Shared infrastructure — MySQL, PostgreSQL, Redis, RabbitMQ, or a custom image. Provisioned once and attached to as many sites as you need, injecting connection details into each site’s environment.

Registry

Credentials for a private container registry (host, username, password). Used by services and sites that pull private images.

Pipeline

A manifest-driven container job attached to a site — build, release, migrate, or anything else. Triggered from the panel, a webhook or the API, independent of the deploy flow. One run is in flight per pipeline at a time.

Deploy

A single execution of a site, triggered by a webhook or the panel button. It runs the site’s compose or script, streams logs over SSE, and produces a release.

Plan

The output of topology planning: a YAML document describing servers, domains, runtime and deploy strategy. Plans can be validated, cost-estimated, diffed, customised, published as a signed bundle, and replayed.

Topology

The applied infrastructure layout — servers, mesh, load balancers, cache and database nodes — generated from a plan and continuously reconciled by the controllers. A topology can be migrated to a new shape with zero downtime.

Release

One deploy plus its metadata: status, timing, and who or what triggered it. Releases are your rollback points.

Workspace

The tenant boundary. A control-plane install can host many workspaces; vault connections, bridge tokens and IAM are all scoped to a workspace.

Vault connection

A reference to a secret manager — either the managed control-plane vault or your own via a bridge agent. Workspace-scoped; stores a path reference, never a plaintext secret.

Agent & Server

A server is a provisioned or adopted compute node. Each one runs an agent — a daemon that enrolls with the internal CA, dials the agent-gateway over mTLS, and handles health, metrics and commands.