SouthWinds Tech Ltd, March 2023
Keywords: Artisan, Automation Management, Endpoint Configuration
Abstract: Artisan is a next generation automation manager designed to release, transfer and deploy automation scripts and container images securely to private, edge and airgap networks ...
In the same way that Docker packages an application and its dependencies into an OS-level container, Artisan packages a set of files into an encrypted archive plus a signed manifest: an Artisan package. Unlike a Docker container image, however, an Artisan package is not a virtualization technology but a packaging and execution technology, designed to aggregate, secure, transfer and deploy automation on networks with limited bandwidth and connectivity.
Artisan is a next generation automation manager designed to release, transfer and deploy automation scripts and container images securely to private, edge and air gap networks.
What problems does it solve?
Artisan addresses the following technology challenges:
Deployments in air gap environments
Deploying complex systems or running complex automation in air gap environments is challenging. First, all required dependencies must be collected and transferred into the network where they will run. Then the automation must be executed on a specific device, which means every dependency has to be present on that device. Finally, a cleanup is needed so that no unwanted files are left behind.
Artisan handles the packaging, transfer, deployment, execution and cleanup of every artefact an automation needs to be self-contained, into air gap, highly secured or locked down networks.
Opening ports on a device
From a security perspective, it is safer for a device that needs to run automation to initiate an outbound connection and download that automation from a trusted, controlled registry than to have the automation pushed onto the device from an external source.
If the device pulls instead of being pushed to, no inbound port needs to be opened on it, so there is no listening service for an attacker to connect to and exploit in order to perform unwanted actions on the device.
Tampering
Injecting code into a device in order to manage it is very powerful, but there must be a way to stop a malicious actor from altering the original code and turning it into an attack.
Artisan packages use cryptography to prevent such attacks: the package archive is encrypted for confidentiality, and the manifest is digitally signed so that any modification to the package is detected before it runs.
Intellectual Property protection
Unlike compiled or obfuscated code, automation scripts are normally plain text and can be read by anyone who obtains them. By placing the automation in an encrypted package, nobody without the decryption key can read its content, protecting the intellectual property of the automation vendor.
Similarly, Artisan can encrypt container images for transfer alongside the automation, providing a one-stop shop for creating self-contained releases of modern applications.
Trust
Artisan packages are signed by their author and cannot be modified after creation without invalidating the signature. When automation runs on a device, the origin of the package can therefore always be verified against the author's public key.
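The pattern described under Tampering and Trust above, as an added example that is not Artisan's own code or package format (the page does not document Artisan's actual algorithms, file layout or field names): an AES-256-GCM encrypted archive travels alongside a JSON manifest that records the SHA-256 of the ciphertext and of every plaintext file, and the manifest is signed with the author's Ed25519 key. The reader checks the signature before trusting any other field, rejects a modified archive by digest before attempting decryption, and only then decrypts and compares each file. The names Seal, Open, NewAEAD, Manifest and the constructed sample file are assumptions for illustration.

```go
// Added example, not Artisan's own code or package format: an AES-256-GCM
// encrypted archive plus an Ed25519-signed JSON manifest carrying its digests.
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

var ErrTampered = errors.New("package integrity check failed") // any failed check

// Manifest is the signed, plaintext description of a package: digests only.
type Manifest struct {
	Files      map[string]string `json:"files"`   // path -> sha256 of plaintext
	ArchiveSHA string            `json:"archive"` // sha256 of the ciphertext
	Nonce      []byte            `json:"nonce"`   // AES-GCM nonce
}

// Package is what travels to the device: signed manifest + encrypted archive.
type Package struct {
	Manifest  []byte // JSON Manifest; encoding/json sorts map keys, so it is deterministic
	Signature []byte // Ed25519 signature over Manifest
	Archive   []byte // AES-256-GCM ciphertext of the JSON-encoded file set
}

func digest(b []byte) string { return fmt.Sprintf("%x", sha256.Sum256(b)) }

// NewAEAD builds the AES-GCM cipher from a 32-byte (AES-256) key.
func NewAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts the file set and signs a manifest recording the digest of
// every plaintext file and of the ciphertext itself.
func Seal(files map[string][]byte, aead cipher.AEAD, priv ed25519.PrivateKey) (*Package, error) {
	plain, _ := json.Marshal(files) // cannot fail for map[string][]byte
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := aead.Seal(nil, nonce, plain, nil)
	m := Manifest{Files: map[string]string{}, ArchiveSHA: digest(ct), Nonce: nonce}
	for path, content := range files {
		m.Files[path] = digest(content)
	}
	mb, _ := json.Marshal(m) // cannot fail for Manifest
	return &Package{Manifest: mb, Signature: ed25519.Sign(priv, mb), Archive: ct}, nil
}

// Open checks the signature first, then the ciphertext digest, and only then
// decrypts and compares each file against the manifest.
func Open(pkg *Package, aead cipher.AEAD, pub ed25519.PublicKey) (map[string][]byte, error) {
	if !ed25519.Verify(pub, pkg.Manifest, pkg.Signature) {
		return nil, fmt.Errorf("%w: manifest signature invalid", ErrTampered)
	}
	var m Manifest
	if err := json.Unmarshal(pkg.Manifest, &m); err != nil {
		return nil, err
	}
	if m.ArchiveSHA != digest(pkg.Archive) { // cheap check before any decryption
		return nil, fmt.Errorf("%w: archive digest mismatch", ErrTampered)
	}
	if len(m.Nonce) != aead.NonceSize() {
		return nil, fmt.Errorf("%w: bad nonce length", ErrTampered)
	}
	plain, err := aead.Open(nil, m.Nonce, pkg.Archive, nil) // also fails on a wrong key
	if err != nil {
		return nil, fmt.Errorf("%w: decryption failed", ErrTampered)
	}
	var files map[string][]byte
	if err := json.Unmarshal(plain, &files); err != nil {
		return nil, err
	}
	for path, want := range m.Files {
		if content, ok := files[path]; !ok || digest(content) != want {
			return nil, fmt.Errorf("%w: digest mismatch for %s", ErrTampered, path)
		}
	}
	return files, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(nil) // nil reader means crypto/rand
	aead, _ := NewAEAD(make([]byte, 32))     // all-zero demo key, never for real use
	pkg, _ := Seal(map[string][]byte{"run.sh": []byte("echo deploying")}, aead, priv) // constructed sample
	pkg.Archive[0] ^= 0xff // one byte flipped in transit
	_, err := Open(pkg, aead, pub)
	fmt.Println(err) // package integrity check failed: archive digest mismatch
}
```

Two points the example makes concrete: encryption by itself gives confidentiality, not tamper detection, so it is the signature over the manifest (and, as a second line, the GCM authentication tag) that catches changes; and the device must already hold both the author's public key and the symmetric key, so distributing and protecting those keys on the device is the part of the design this snippet leaves out.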
Access Controls
Artisan packages include policies that constrain who can run, open or seal packages. Anyone who gets hold of a package on a device cannot do anything with it unless they have been authorised by the appropriate policy.
Execution time
Artisan is a distributed command line interface sitting across a virtual network of peers. Each instance is capable of communicating with other instances in the peer network to launch automation in parallel.
This greatly reduces the deployment and configuration time for the whole cluster. Virtual peer network execution in Artisan does not require the use of SSH keys, and it is simple to set up.
Learning curve
Artisan packages provide a standard interface to any toolchain. Whether a task is done with one tool or a combination of them (e.g. Terraform, Ansible, bash, Python, Go), IT operations always run packages in the same way.
This means operators do not need to understand the complexities of invoking the underlying toolchain to execute a job; they only need to trigger the execution of the package.
Performance in poor network conditions
Artisan packages are generally tiny compared to container images, or even micro containers. This makes deploying a package on a device simpler over networks with high latency and/or low bandwidth, and Artisan retries a package pull when it detects a network failure.
Ease of installation
Artisan is a very small binary that runs natively on Linux. It has no dependencies and is therefore easy to install.
Release management
Artisan provides functions to automate the entire release publication, transfer, ingestion and execution of complex software on devices in remote, semi-connected or air gap locations.
Kubernetes alignment
Artisan uses native cli extensions to augment its command interface. K is one such extension which adds Kubernetes deployment capabilities to Artisan.
In contrast to tools such as kubectl and helm, Artisan automatically generates Kubernetes resource manifests for complex deployments from simple configuration files. This eliminates the need to write K8S deployment scripts, accelerates time to market and reduces the need for in-depth Kubernetes knowledge.
Can I see some use cases?
SouthWinds believes the sky is the limit in terms of what you can achieve using Artisan. So that you can see what we are currently doing, these are some interesting use cases:
Deploy Kubernetes at the edge
Using Artisan we can deploy an entire highly available Kubernetes cluster at the edge in less than 3 minutes. The cluster is configured with highly available storage (Longhorn) and certificate management capabilities.
Deploy applications into an edge K8S
In the same way as above, we can deploy a complex Kubernetes application (50+ images) in a Kubernetes cluster at the network edge with zero connectivity to internet.
Patch Operating System in air gap networks
Once a vulnerability baseline over a certain number of devices is obtained, Artisan can create a patching package containing the OS packages that need to be applied.
©2023 SouthWinds Tech Ltd