Chef is outfitting its popular namesake configuration management software with additional workflow and compliance tools designed to bring both DevOps and stricter controls to enterprise software development and deployment.
Chef announced Tuesday at its European Community Summit the general availability of Chef Delivery, the workflow management service it unveiled as an invitation-only program last April.
In addition, it’s adding to its portfolio Chef Compliance, incorporating technology from its summer acquisition of German security vendor VulcanoSec to bring compliance technology to the Chef platform.
It’s launching an enterprise transformation practice, led by Justin Arbuckle, former GE Capital CTO, to help companies successfully adopt DevOps practices and become “high-velocity software organizations,” according to Jay Wampold, Chef VP of Marketing.
In announcing $40 million in new funding just two months ago, CEO Barry Crist said the new investment would take Chef into the DevOps mainstream. He also pointed to containers and compliance as two areas on which the company would focus.
“What you’re seeing is really an expansion of Chef into workflow automation and change management. It’s taking the principles of infrastructure as code and applying them across the stack to everything as code, then providing that prescriptive workflow” — Jay Wampold, Chef VP of Marketing.
Wampold said growth is only accelerating in Chef’s core automation business, and that enterprises are just waking up to and embracing Chef.
Among the barriers to the adoption of DevOps, he says, are the difficulty of stitching together disparate tool chains, thrashing about on workflow, and treating security and compliance as an afterthought.
Chef Delivery automates changes to infrastructure, runtime environments and applications, and also offers a framework for automated testing and continuous integration and delivery. It provides metrics, permissions management and a comprehensive change history for developers’ code.
Each individual change to Chef cookbooks, applications, or infrastructure goes into a shared pipeline space called “Union,” then to the pre-production staging area “Rehearsal” and ultimately to the “Delivered” production environment.
Chef Delivery is about “allowing teams to collaborate across complex pipelines where change may affect multiple teams with multiple dependencies that may have governance around it – who can review the code, who can approve the code,” said Ken Cheney, Chef VP of Business Development. Infrastructure teams, application teams, compliance and security teams might all be involved in this collaboration.
“Also from the testing perspective, it’s making sure the code meets the requirements from a functional perspective, a unit perspective, performance perspective,” Cheney said. “Now we’re adding in a compliance perspective, weaving in the ability to look at in all these different ways and allow teams to collaborate at scale – that’s one of the things we were really going after.”
Since April, Chef has worked with a handful of very large enterprises such as GE on Chef Delivery. From their feedback, Chef has improved visibility for each code change through the pipeline, made UI and performance improvements, and is working on improving dependency management functionality, according to Alex Ethier, Chef vice president of product.
One of customers’ big concerns was integration with various source control and measurement platforms. To this end, Chef has integrated Delivery with GitHub and is working on integrations with Stash and other code repositories. Though it is most tightly integrated with Chef, the Delivery workflow doesn’t require customers to use Chef, Ethier said. One of Delivery’s users is an Ansible shop, for instance.
Chef Delivery integrates with an extensive array of operating systems, runtime environments such as Docker and cloud platforms including Amazon Web Services and Microsoft Azure.
“It integrates with any kind of API, so you can integrate with ticket systems with Amazon, Google containers, you can reach it from a program inside Delivery. Delivery is the tool that lets you govern or manage the whole flow of changes,” Ethier explained.
“You might need to provision some nodes to Amazon, you might need to configure them using Puppet, Chef or whatever – there are many, many pieces in your pipeline. Delivery sits on top of all of that. I want to change my infrastructure, my containers, my application: all those changes go to Delivery,” Ethier explained. “With Delivery, you have visibility over the state of those changes – Who did what? Did it fail? Did it pass? You can govern who can accept a change to the system and who can deploy a change to the environment.”

Comply
One of the big problems in IT is that security and compliance are handled at runtime and are not part of the workflow, according to Wampold.
“IT needs to move risk away from the production runtime and into the build process. IT needs to manage infrastructure, compliance, container runtimes all as code,” he said.
The VulcanoSec technology helps companies automate compliance as part of that build process. As part of Chef Compliance, the company is creating an open source project called InSpec that provides the runtime framework and language that lets developers write rules to test for compliance and security.
Regulations such as HIPAA or PCI “usually have descriptive as well as prescriptive requirements that a company has to translate into [demonstrating] compliance,” Cheney explained.
Chef has been working with the German TÜVs (Technischer Überwachungsverein, or Technical Inspection Association), major compliance organizations, to encode the TÜV framework as rules so that customers can easily assess whether their infrastructure complies with TÜV policy.
“When you break it down to the components you can actually check physically, those become rules. From a PCI perspective, it becomes a set of rules that a server is actually secure. We provide, out of the box, a huge library of rules that will cover about 90 percent of your compliance requirements on Linux and Windows. Then you have to map those rules to the policy frameworks. The whole point of InSpec is to allow companies to write their own rules,” he said.
Chef Compliance maps those rules onto policy: a rule might check which network ports are open on a node, and a policy groups rules under a compliance framework.
“Those PCI rules then are code, there’s version control, they can be tested – managed just like you manage all your other code. Using Chef Delivery, every time a change goes through – and companies like Facebook are submitting hundreds of changes a day – it can be assessed using Chef Compliance. Rather than having compliance being a moment in time or an afterthought, you can make compliance part of how you build and deliver infrastructure applications,” he said.
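The pattern Cheney describes, compliance checks written as code, run against every change, mapped to a policy framework and able to fail a pipeline, is what InSpec implements with `control` blocks over resources such as `port` and `sshd_config`. The block below is an added plain-Ruby illustration of that pattern; it is not InSpec code and not Chef's. The rule ids, impact weights, policy tags, approved-port list and the sample `sshd_config` and `ss -lnt` output are all constructed for the example.

```ruby
# Compliance-as-code gate for a change pipeline.
# Added illustration of the pattern, not InSpec's DSL: rule ids, impact
# values, policy tags and the evidence samples below are all constructed.

# Parse sshd_config text into a Hash of lowercase keyword => value.
# sshd uses the first value it sees for a keyword, so later duplicates are ignored.
def parse_sshd_config(text)
  cfg = {}
  text.each_line do |line|
    line = line.sub(/#.*/, '').strip
    next if line.empty?
    key, value = line.split(/\s+/, 2)
    cfg[key.downcase] ||= value.to_s.strip
  end
  cfg
end

# Parse `ss -lnt`-style output into the sorted set of listening TCP ports.
def parse_listening_ports(text)
  ports = []
  text.each_line do |line|
    cols = line.split
    next unless cols[0] == 'LISTEN'
    ports << cols[3].split(':').last.to_i # handles 0.0.0.0:22 and [::]:22
  end
  ports.uniq.sort
end

# A rule is a checkable unit: an id, an impact weight, the policy frameworks it
# maps to, and a check over the evidence hash returning [passed, detail].
RULES = [
  { id: 'ssh-no-root-login', impact: 1.0, policy: %w[pci-dss cis-linux],
    check: ->(e) { v = e[:sshd]['permitrootlogin']; [v == 'no', "PermitRootLogin=#{v.inspect}"] } },
  { id: 'ssh-no-password-auth', impact: 0.7, policy: %w[cis-linux],
    check: ->(e) { v = e[:sshd]['passwordauthentication']; [v == 'no', "PasswordAuthentication=#{v.inspect}"] } },
  { id: 'no-cleartext-admin-ports', impact: 1.0, policy: %w[pci-dss],
    check: ->(e) { bad = e[:ports] & [21, 23]; [bad.empty?, "cleartext services listening: #{bad.inspect}"] } },
  { id: 'only-approved-ports', impact: 0.5, policy: %w[pci-dss],
    check: ->(e) { extra = e[:ports] - e[:approved_ports]; [extra.empty?, "unapproved listeners: #{extra.inspect}"] } }
].freeze

# Evaluate every rule against one node's evidence.
def run_rules(evidence, rules = RULES)
  rules.map do |r|
    passed, detail = r[:check].call(evidence)
    { id: r[:id], impact: r[:impact], policy: r[:policy], passed: passed, detail: detail }
  end
end

# Pipeline gate: a change is blocked when any failed rule meets the impact threshold.
# Low-impact failures are reported but do not stop delivery.
def gate(results, threshold: 0.7)
  blocking = results.reject { |r| r[:passed] || r[:impact] < threshold }
  { allowed: blocking.empty?, blocking: blocking.map { |r| r[:id] } }
end

# Group results by policy framework so coverage can be reported per framework.
def by_policy(results)
  acc = Hash.new { |h, k| h[k] = { passed: [], failed: [] } }
  results.each do |r|
    r[:policy].each { |p| acc[p][r[:passed] ? :passed : :failed] << r[:id] }
  end
  acc
end

# Constructed evidence standing in for a file and command output collected from a node.
SAMPLE_SSHD = <<~CFG
  # constructed sample sshd_config
  Port 22
  PermitRootLogin yes
  PasswordAuthentication no
CFG

SAMPLE_SS = <<~OUT
  State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
  LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
  LISTEN  0       128     [::]:22              [::]:*
  LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
  LISTEN  0       511     127.0.0.1:8080       0.0.0.0:*
OUT

def sample_evidence
  { sshd: parse_sshd_config(SAMPLE_SSHD),
    ports: parse_listening_ports(SAMPLE_SS),
    approved_ports: [22, 443] }
end

if __FILE__ == $PROGRAM_NAME
  results = run_rules(sample_evidence)
  results.each { |r| puts "#{r[:passed] ? 'PASS' : 'FAIL'} #{r[:id]} (#{r[:detail]})" }
  puts "gate: #{gate(results)}"
end
```

Run as a script, the sample node fails the root-login and telnet checks and the gate refuses the change, while the lower-impact unapproved-port finding is reported without blocking. Because the rules take their evidence as plain data, they can be unit-tested against fixtures in the same repository, which is the concrete meaning of "they can be tested – managed just like you manage all your other code."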
Docker is a sponsor of The New Stack.
Feature Image: “Catselfie – Collaboration between id-iom and Sir George Raggett” by id-iom, licensed under CC BY-SA 2.0.