
Introducing Puppet 6 Platform

Today I'm excited to announce the availability of the next major version of the Puppet Platform. Following the numbering true-up we introduced last year, PuppetDB, Puppet Server, and Puppet all get a major version bump to "6.0." Though there are some backwards-incompatible changes included, most of the testers who've been following along the release candidate process have had an easy time upgrading. And the benefits are pretty great!

The server stack can now run as a set of containers that come with a Docker Compose file for getting up and running quickly and easily – an approach we're calling Pupperware. Check out the docs in the Pupperware GitHub repository to get started. (This even works on Windows!) We’d love feedback in the CPR project in JIRA or pull requests on GitHub.

Next, we've added the ability for the agent to query secret management services like HashiCorp Vault and Conjur by CyberArk. Previously, the master could retrieve secret data like database passwords or API keys when it was compiling a catalog, but the data would be unencrypted when the agent received it. Now, the agents run a lookup function when they're applying the catalog, providing end-to-end encryption. There are docs on how to use the new Deferred type and it's easy to add more integrations by adding a new function.
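To make the difference concrete, here is a manifest sketch contrasting a compile-time secret lookup with a Deferred one; it is an added example, not code from the post or the Puppet documentation. The function name mymodule::secret_lookup, the secret path and the file paths are hypothetical, and the function is assumed to be a Ruby function shipped in a module so that agents receive it.

```puppet
# mymodule::secret_lookup is a HYPOTHETICAL function name (an assumption, not
# from the post). It is assumed to be a Ruby function delivered to agents with
# the rest of the module's plugins. Paths below are constructed samples.

# Before: the function is called on the master during compilation, so the
# returned plaintext is written into the catalog that is sent to the agent.
$compiled_pw = mymodule::secret_lookup('secret/myapp/db')

file { '/etc/myapp/db-compiled.conf':
  ensure  => file,
  content => "password=${compiled_pw}\n",
}

# After: the catalog carries only the function name and its arguments.
# The agent makes the call itself while applying the catalog.
$deferred_pw = Deferred('mymodule::secret_lookup', ['secret/myapp/db'])

# A Deferred has no value at compile time, so it cannot be interpolated into
# a string on the master. Defer the formatting step as well; the nested
# Deferred is resolved on the agent before sprintf runs.
file { '/etc/myapp/db.conf':
  ensure    => file,
  owner     => 'root',
  mode      => '0600',
  show_diff => false,  # keep the secret out of diffs in logs and reports
  content   => Deferred('sprintf', ["password=%s\n", $deferred_pw]),
}
```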

Keeping with the theme of improving operational security, Puppet Server 6.0 has a new workflow and API for certificate issuance. By default, the server will now generate a root and intermediate signing CA cert, rather than signing everything off the root. If you have an external certificate authority, you can generate an intermediate signing CA from it instead, and a new puppetserver ca subcommand will put everything into its proper place. There's a slew of additional improvements around the certificate issuance and revocation process; check out the Puppet Server documentation for more information.

Module developers have already started to adopt the Resource API, which we introduced back in April. Since then, the API has stabilized with bug fixes and additional functionality, so it's now included in the Puppet agent packages rather than requiring a separate download. Read the official API guide for the details. Under the hood of the Puppet agent codebase, many types and providers are now split out into modules and recombined at packaging time; this should enable faster updates and easier maintainership because fixing a bug in the cron or mount types no longer requires a patch into core Puppet. The distribution also got updates to various upstream components like Ruby 2.5.1, OpenSSL 1.1.0h, and JRuby

In addition to these headlines, there's a giant roster of bug fixes and improvements across the whole platform. Make sure to read the release notes carefully before you upgrade. Check out the installation and upgrade instructions for your operating system, and please file issues in JIRA if you run into any problems upgrading.

Eric Sorenson is director of product management at Puppet.