Puppet platform bumps up security, containerizes stack with 6.0 release


Puppet’s maintainers have updated their infrastructure automation and management platform with additional security features and a way to run the server stack as a set of containers. The latter is called “Pupperware” and makes use of Docker Compose to set up a container-based deployment of the Puppet infrastructure.

As the Resource API has stabilized since its release in April 2018, it is now officially shipped inside the Puppet agent packages, so a separate download is no longer needed. Beyond that, the agent codebase has seen some refactoring to make the project easier to maintain: many types and providers have been split out into modules, which are recombined at packaging time. This way, small fixes in types such as cron or mount no longer require patches to the core.

Puppet agents are now able to query secret management services such as HashiCorp Vault or CyberArk Conjur directly. This builds on the new data type "Deferred", which describes a function call to be resolved in the future: instead of the compiler evaluating the lookup on the Puppet server and writing the result into the catalog, the agent runs the function itself when it applies the catalog. The secret therefore only travels between the secret store and the node that needs it, rather than passing through the server and ending up in the compiled catalog.
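The difference between a compile-time lookup and a deferred one, as an added manifest example that is not part of the article or of the Puppet project's own code. It assumes the puppetlabs/vault_lookup module is installed on the agent, that the agent can reach a Vault server at https://vault.example.com:8200 (authenticating with its own Puppet-issued certificate, as that module does), and that a secret exists at secret/db; the hostname, secret path and file location are made up for the example.

```puppet
# Added example, not from the article or the Puppet project.
# Assumptions: puppetlabs/vault_lookup is installed on the agent, Vault runs at
# https://vault.example.com:8200 and holds a secret at secret/db. All of these
# names are made up for illustration.

# Compile-time call (the pattern Deferred replaces): the function runs on the
# Puppet server while the catalog is compiled, and the plaintext secret is
# written into the catalog that is sent to the agent and stored alongside it.
#
#   $db_password = vault_lookup::lookup('secret/db', 'https://vault.example.com:8200')

# Deferred call: the catalog carries only the description of the call, i.e. the
# function name and its arguments. The agent evaluates it when it applies the
# catalog, so the secret value never passes through the server.
$db_password = Deferred('vault_lookup::lookup', ['secret/db', 'https://vault.example.com:8200'])

file { '/etc/myapp/db.conf':
  ensure  => file,
  owner   => 'myapp',
  group   => 'myapp',
  mode    => '0600',
  # Resolved on the agent at apply time. vault_lookup::lookup returns a
  # Sensitive value, so the content is redacted in the agent log and report
  # instead of being shown as a diff.
  content => $db_password,
}
```

Note that the compile-time form is not wrong in the sense of failing; it works, which is exactly the problem: the lookup succeeds on the server and the secret silently becomes part of the catalog. Wrapping the call in Deferred moves the evaluation to the node and leaves nothing for the server to leak.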

The Puppet team also turned the former recommendation not to sign everything directly off the root into the new default. Unless configured otherwise, Puppet Server 6.0 now generates an intermediate signing CA certificate alongside the root certificate and issues agent certificates from the intermediate, so the root key is only used to sign the intermediate. Ops teams that use an external certificate authority to issue the intermediate signing CA get help putting everything in place via the new subcommand puppetserver ca. Newly installed CAs also keep their keys and certificates separate from the agent's own SSL files, which should put an end to people accidentally deleting the CA while running cleanup or removal commands on the wrong host.

Infrastructure configuration management and software delivery platform Puppet is available as an open source project (licensed under the Apache License 2.0) as well as in an enterprise version. The enterprise version is free to try for up to ten nodes; pricing beyond that is available upon request only.