It’s been a long time since our previous release in November as we have been working on some major architectural changes and new features.
This is quite a big release but the majority of changes will not affect Puppet users today.
New Core Contributor
We have a new Core Contributor who some of you might recognise from MCollective days: please welcome Pieter Loubser.
New Docker Registry
Due to recent changes at the official Docker Hub we now have a new Docker Registry. Please read the announcement. No more containers will be pushed to the official Docker Hub.
While implementing this change we also activated automated nightly container builds for most components.
New Project Websites
We have documentation for our overall distribution of Choria at choria.io/docs but this documentation is slanted heavily to the Puppet user - in essence choria.io documents a distribution of Choria for Puppet users. For more in-depth looks into what the components can do and features not exposed to Puppet users we launched a number of new websites:
App Builder Experiments
App Builder is our little no-code tool to build admin command line tools. We are experimenting with a project-level task mode that allows you to place a file in a directory and then run `abt`, which will then be a different command depending on where you are.
This is an experimental command and we'd love some feedback. It's documented in the new Experiments page.
New Security Model and Protocol
We have introduced a new security model based on JWT files and ed25519 signatures that provides huge improvements for deployments at scale:
- Based on ed25519 signed JWT files
- A chain of trust between a new component called an Organization Issuer and various components allowing full delegation of credential issuance
- Strong set of role based permissions for clients, servers, provisioners and unprovisioned nodes
- Policy embedded in the JWT files for lighter touch server configuration - no more policy files on servers
- Strict deny-all security on the Choria Brokers for much improved security and privacy of traffic
- Vastly improved `choria jwt` command that includes monitoring of tokens and early integration with HashiCorp Vault
- Redesigned the protocol, moving on from some legacy decisions made in Marionette Collective
Longer term this will allow us to not rely on Certificate Authorities for identity and give us far greater control in how, when and for how long clients are enrolled.
In the process we had to do a lot of internal refactoring to the main Choria Framework and related systems like AAA Service, Provisioners, Replicators and more.
- We wrote an Architecture Decision Record describing the problems and goals of this work
- We have an in-depth guide on testing and exploring the feature V2 Protocol & Security
- We have a Docker Compose environment that fully demonstrates the new model
In time, as we complete some other efforts around delivery of RPC Agents into this system, we’ll slowly move all users over to this model. For now this should not concern Puppet users.
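To show why a server in this model needs only the issuer's public key and the token itself, with no policy file of its own, here is an added illustration written for this post; it is not Choria's code, and the claim names (`sub`, `exp`, `policy`), the `agent.action` policy format and the helper names are assumptions rather than Choria's actual token schema.

```go
package main

import (
	"crypto/ed25519"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

var b64 = base64.RawURLEncoding
// Claims is a constructed claim set; the names are illustrative, not Choria's schema.
type Claims struct {
	Subject string   `json:"sub"`
	Expiry  int64    `json:"exp"`
	Policy  []string `json:"policy"` // allowed "agent.action" entries, "agent.*" for any action
}

// SignJWT builds header.payload.signature signed with the issuer's ed25519 key.
func SignJWT(priv ed25519.PrivateKey, c Claims) string {
	body, _ := json.Marshal(c) // cannot fail for this plain struct
	signing := b64.EncodeToString([]byte(`{"alg":"EdDSA","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	return signing + "." + b64.EncodeToString(ed25519.Sign(priv, []byte(signing)))
}
// VerifyJWT checks signature, then expiry, before any claim is trusted; the algorithm is fixed to ed25519, never read from the header.
func VerifyJWT(pub ed25519.PublicKey, token string, now int64) (*Claims, error) {
	i := strings.LastIndex(token, ".")
	sig, err := b64.DecodeString(token[i+1:])
	if i < 0 || err != nil || !ed25519.Verify(pub, []byte(token[:i]), sig) {
		return nil, errors.New("bad signature")
	}
	var c Claims
	_, payload, _ := strings.Cut(token[:i], ".") // drop the header, keep the claims
	if body, err := b64.DecodeString(payload); err != nil || json.Unmarshal(body, &c) != nil {
		return nil, errors.New("malformed payload")
	}
	if now >= c.Expiry {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// Allowed reports whether the policy embedded in the token permits agent.action.
func (c *Claims) Allowed(agent, action string) bool {
	for _, p := range c.Policy {
		if p == agent+"."+action || p == agent+".*" {
			return true
		}
	}
	return false
}
```

Because the policy travels inside the signed token, a client that edits its own permissions invalidates the signature, and the server only ever consults the verified claims.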
Minor Server Features
External Agents can now have multi-arch binaries allowing the same tar file to be deployed to a mix of servers when the agents require compilation.
We have a new output format in the `choria req` command, enabled using the `--jsonl` flag, which produces JSON Lines output for every major event. Using this, high quality wrapper libraries can be created in any language quite rapidly. A Ruby wrapper that supported progress bars, discovery and all other behaviors was less than 200 lines. We look forward to seeing what the Python users in our community do with this!
When a Choria Server is managed by the Choria Provisioner it now supports in-place over-the-air upgrades of itself at provisioning time.
We also landed many bug fixes and UX improvements to various `choria` commands.
Thanks to Romain Tartière and Pieter Loubser for their contributions to this release.