
Chef 360 Platform service overview

Chef 360 Platform is an integrated set of server services that provide DevSecOps, fleet management, job management, and other supporting services.

Fleet management enrolls and manages nodes within the customer’s IT environment, including public clouds and on-premises data centers. These services are provided by Node Management.

Job management allows you to plan ad-hoc or scheduled operations that Chef 360 Platform executes across sections of a “fleet” of nodes that have the Courier agent with specific skills installed. These services are provided by Chef Courier.

Supporting services provide identity and organization management, an Application Programming Interface (API) routing gateway, secrets management, and integrations to other services. These services are provided by the Chef Platform services.

The web application allows you to access features such as organizational unit (OU) management and role management. It also lets you set your password and authorize the registration of a CLI device. For a logged-in user, the interface gives access to the data maintained by Fleet management and Job management. These services are provided by the Chef Web UI Services.

A diagram of the three Chef 360 Platform services: Courier, Node Management, and Platforms

Chef Node Management services

Chef Node Management services work together to:

  • Manage nodes and node groups
  • Enroll new nodes for management by Chef 360 Platform

Node Management service

The Node Management service allows you to manage nodes and node groups.

The Node Management service provides an endpoint on each node that you can use to update and monitor the following:

  • Node identifiers
  • Enrollment statuses
  • Attributes
  • Tags
  • Installed skills
  • Skill settings
  • Check-ins (heartbeats)
  • Node certificates

The Node Management service interacts with the following services:

  • Platform node account management (during enrollment)
  • Chef Database (infrastructure)

Node Enrollment service

Use the Node Enrollment service to:

  • Enroll new nodes for management
  • Retrieve the status
  • Update the status

Node enrollment adds the Chef Node Management and Chef Courier agents onto a machine resource, installs skills on those nodes, and starts monitoring for jobs on the node and check-ins. Enrollment requires a method to communicate with the node that includes platform credentials and a mechanism such as WinRM or SSH.

The Node Enrollment service interacts with the Chef Database (infrastructure) service.

Chef Courier services

Chef Courier has six services that work together to:

  • Consume job requests
  • Schedule and plan jobs across nodes
  • Deliver jobs to the proper node set
  • Store job statuses and resulting artifacts centrally for visibility

Courier Scheduler

The Courier Scheduler provides endpoints to:

  • Create a new job
  • Estimate a future job’s schedule
  • Cancel an existing job in flight
  • List pending and completed jobs

The scheduler also manages schedule exceptions. Exceptions are windows of time where jobs aren’t permitted to run (also known as exclusions or blackout windows).

The job is a fundamental unit of work and represents the timing, steps, skills involved, nodes involved, and error compensations. The job is written as a JSON document. The technical format is described on the following page: Courier Jobs. Once a job has been submitted to the scheduler, it’s stored as a file and picked up by Courier Chronos.

The Courier Scheduler service interacts with the Chef file system (infrastructure) service.

Courier Scheduler Worker service

Courier Scheduler Worker is a worker service that watches for new jobs submitted by Courier Scheduler.

When Courier Scheduler submits a new job, Courier Scheduler Worker parses the job specification and pushes the job for processing to Orchestrator Worker. This includes jobs that are scheduled to run immediately or jobs that are scheduled to run in the future.

The Courier Scheduler Worker service interacts with the following services:

  • Chef file system (infrastructure)
  • Chef Message Queueing (infrastructure)

Courier Orchestrator Worker service

The Courier Orchestrator Worker service handles the following tasks:

  • It accepts jobs that are scheduled to run immediately.
  • It validates the job steps and nodes.
  • It moves the state of the job to active.
  • It breaks the job into discrete steps to be sent to individual nodes.

Courier Orchestrator sends the discrete steps to the Courier Delivery service to be placed on the desired nodes’ inbound message queue.

The Courier Orchestrator service interacts with the following services:

  • Courier Delivery service
  • Chef Database (infrastructure)
  • Chef Message Queueing (infrastructure)

Courier Delivery service

The Courier Delivery service provides endpoints to submit a sub-job to a given node. A sub-job consists of one or more steps that are placed on the node’s inbound message queue for execution. Courier Delivery also provides the ability to create channels (queues) for specific nodes, and lists the available node associations to channels.

The delivery model is designed as a zero-trust solution: agents pull from the channel rather than services pushing a job to the agent. The agent on a particular node listens to its channel and can authenticate jobs sent from the Courier Delivery service through separate platform services.

The Courier Delivery service interacts with the Chef Message Queueing (infrastructure) service.

Courier State service

The Courier State service:

  • Manages the persistent state of jobs over their lifecycle
  • Lists steps and attributes within a job
  • Reports overall job statuses
  • Retrieves results from a given job run

Chef agents report to the Courier State service when they have completed a discrete sub-job, which the Courier State service aggregates into an overall job status.

The results provided by the Courier State service include both the detailed status of the job by step and node involved, in addition to artifacts (or evidence) from the run, for example, an output log from a particular step in the job.

The Courier State service interacts with the Chef Database (infrastructure) service.

Courier Orchestration Sentry service

The Courier Orchestration Sentry service watches the jobs that the Orchestrator Workers are processing and the status of the workers. If an Orchestrator Worker is down, the Orchestration Sentry service retries the associated job.

The Courier Orchestration Sentry service interacts with the following services:

  • Courier Orchestrator Worker service (checking the job status)
  • Chef Database (infrastructure)
  • Chef Message Queueing (infrastructure)

Chef Platform Licensing

Chef Platform Licensing manages licenses and their usage data.

Chef 360 Platform licenses are added and managed with the following services:

  • License Management service
  • License Proxy service

Chef 360 Platform license usage data is collected and aggregated with the following services:

  • License Consumption Collector service
  • License Consumption Auditor service
  • License Usage service

License Management service

The License Management service provides endpoints to perform administrative operations on licenses. A system administrator can use endpoints in the License Management service to load new licenses, view or download the license data, and evaluate the entitlements or assets for the added licenses.

The License Management service interacts with the following services:

  • Chef Database (infrastructure)
  • Progress License service

License Proxy service

The License Proxy service provides the endpoints to support the usage of the License Management service with other Chef products like Chef InSpec. As the name suggests, this service acts as a proxy layer and forwards requests to the License Management service in the correct format and then translates the received response to the expected format.

The License Proxy service interacts with the following services:

  • System Management service
  • License Management service

License Consumption Collector service

The License Consumption Collector service collects Chef License usage data. It reads the node check-in data from a message queue and updates the daily and monthly usage count. When it receives data for a new day, it notifies the License Consumption Auditor service through a message queue to create an audit for the previous day.

The License Consumption Collector service interacts with the following services:

  • Chef Message Queueing (infrastructure)
  • Chef Database (infrastructure)

License Consumption Auditor service

The License Consumption Auditor service aggregates and audits license usage data for each organizational unit when notified by the License Consumption Collector service. In a non-airgapped environment, it talks to the License Management service to get the list of added licenses, which are added to the audit data that is then sent to the Progress Telemetry service.
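The collector and auditor flow described above, as an added illustration rather than Chef's own code: check-in events are tallied per OU into daily and monthly unique-node sets, a day rollover queues an audit request for the completed day, and the auditor builds the per-OU record for that day. The event fields, the in-memory queue, and the license list are constructed assumptions, since the page does not give the real message formats.

```python
from collections import defaultdict
from datetime import datetime, timezone


class LicenseConsumptionCollector:
    """Tallies unique checked-in nodes per OU per day and per month. When a
    check-in for a new day arrives, an audit request for the day just completed
    is queued (a list stands in for the message queue to the auditor)."""

    def __init__(self):
        self.daily = defaultdict(set)    # (ou, "YYYY-MM-DD") -> node ids
        self.monthly = defaultdict(set)  # (ou, "YYYY-MM") -> node ids
        self.audit_queue = []
        self.current_day = None

    def consume(self, checkin):
        # Normalise to UTC so the day boundary does not depend on node timezone.
        ts = datetime.fromisoformat(checkin["checked_in_at"]).astimezone(timezone.utc)
        day, month = ts.strftime("%Y-%m-%d"), ts.strftime("%Y-%m")
        if self.current_day is not None and day > self.current_day:
            self.audit_queue.append({"audit_day": self.current_day})
        if self.current_day is None or day > self.current_day:
            self.current_day = day
        # Late check-ins for an earlier day are still counted but trigger no new audit.
        self.daily[(checkin["ou"], day)].add(checkin["node_id"])
        self.monthly[(checkin["ou"], month)].add(checkin["node_id"])


def audit_day(collector, day, licenses):
    """Auditor side: per-OU usage for one day plus the licenses reported by the
    License Management service (a constructed list here), ready for telemetry."""
    usage = {ou: len(nodes) for (ou, d), nodes in collector.daily.items() if d == day}
    return {"day": day, "usage_by_ou": usage, "licenses": list(licenses)}


# Constructed check-in events; a day boundary and a late arrival are included.
SAMPLE_CHECKINS = [
    {"node_id": "n1", "ou": "finance", "checked_in_at": "2024-03-01T08:00:00+00:00"},
    {"node_id": "n2", "ou": "finance", "checked_in_at": "2024-03-01T09:30:00+00:00"},
    {"node_id": "n1", "ou": "finance", "checked_in_at": "2024-03-01T20:00:00+00:00"},
    {"node_id": "n3", "ou": "sales", "checked_in_at": "2024-03-01T22:15:00+00:00"},
    {"node_id": "n1", "ou": "finance", "checked_in_at": "2024-03-02T01:00:00+00:00"},
    {"node_id": "n4", "ou": "finance", "checked_in_at": "2024-03-01T23:59:00+00:00"},
]


def run_sample():
    collector = LicenseConsumptionCollector()
    for event in SAMPLE_CHECKINS:
        collector.consume(event)
    return collector
```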

The License Consumption Auditor service interacts with the following services:

  • Chef Message Queueing (infrastructure)
  • Chef Database (infrastructure)
  • License Management service
  • Progress Telemetry service

License Usage service

The License Usage service provides the endpoints to list and view all the audits created for a particular day or service.

The License Usage service interacts with the following services:

  • Chef Database (infrastructure)

Chef Platform services

The Chef Platform services provide:

  • A real-time, secure gateway to all Chef services based on the role-based user and service access model.
  • An integration point for non-Chef services, such as notification.

Administrators of a Chef 360 Platform deployment can use the Chef Platform services to assign roles and policies to configure the gateway.

API Gateway service

The API Gateway service allows requests to endpoints in Node Management and Courier from:

  • Users
  • Agents on nodes
  • Third-party services

The API Gateway service also allows infrastructure requests to read message queues or data connectors.

It validates requests with an API token that contains the following:

  • The requesting user
  • The organizational unit
  • The tenant
  • A signature based on the caller’s secret

It compares the roles and specific policies that the caller has been granted against the policies required by the endpoint requested. The other services below modify the gateway rules in real time to provision new services and restrict access when needed.

The API Gateway service interacts with the following services:

  • Chef Platform Authorization service
  • Chef Platform System service
  • Chef Platform User Accounts service
  • Chef Platform Node Accounts service

Authorization service

The Authorization service manages the creation, modification, and assignment of roles and policies for callers of the API gateway. A role is assigned to a user, organizational unit (OU), or agent and is a mapping to one or more specific policies. These roles and policies may be enabled or disabled across the organizational unit or with individual users within the OU.

For example:

  • A user may have the operator role, which allows them to create jobs in Courier.
  • An agent may have the Node Management agent role, which allows them to check in periodically and receive skill updates.

Note that policies aren’t attribute-dependent: a policy applied to a user in a specific tenant enables the service endpoint for every data value that the user has OU access to.

Roles and policies are role-based access controls (RBAC) and aren’t attribute-based access controls (ABAC).
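The gateway check described in the API Gateway and Authorization sections, as an added example that is not Chef's own code: the token's claims (user, OU, tenant) are covered by an HMAC keyed with the caller's secret, and the endpoint's required policy is matched against the policies carried by the caller's roles. The token layout, policy names, endpoint table and secret store are constructed assumptions; the page specifies none of them.

```python
import hashlib
import hmac
import json

# Constructed sample data: the real token encoding, secret store and policy
# names are not given on the page, so these shapes are assumptions.
CALLER_SECRETS = {"user-42": b"constructed-secret-for-user-42"}

# A role maps to one or more policies; a policy names the endpoint it enables.
ROLE_POLICIES = {
    "operator": {"courier:jobs:create", "courier:jobs:list"},
    "node-management-agent": {"nodes:checkin", "nodes:skills:read"},
}
# Each endpoint declares the single policy it requires.
ENDPOINT_POLICY = {
    ("POST", "/courier/jobs"): "courier:jobs:create",
    ("GET", "/courier/jobs"): "courier:jobs:list",
    ("POST", "/nodes/checkin"): "nodes:checkin",
}
# Roles are granted per (tenant, OU, principal). Being RBAC rather than ABAC,
# nothing here depends on the data values a request carries.
GRANTS = {("acme", "finance", "user-42"): {"operator"}}


def sign(user, ou, tenant, secret):
    """HMAC over the token's claims, keyed with the caller's secret."""
    claims = json.dumps({"user": user, "ou": ou, "tenant": tenant}, sort_keys=True)
    return hmac.new(secret, claims.encode(), hashlib.sha256).hexdigest()


def make_token(user, ou, tenant, secret):
    return {"user": user, "ou": ou, "tenant": tenant, "sig": sign(user, ou, tenant, secret)}


def authorize(token, method, path):
    """Gateway decision: verify the token's signature, then check that one of the
    caller's roles carries the policy the endpoint requires. Returns (allowed, reason)."""
    secret = CALLER_SECRETS.get(token.get("user"))
    if secret is None:
        return False, "unknown caller"
    expected = sign(token["user"], token["ou"], token["tenant"], secret)
    if not hmac.compare_digest(expected, token.get("sig", "")):
        return False, "bad signature"          # claims were altered or secret is wrong
    required = ENDPOINT_POLICY.get((method, path))
    if required is None:
        return False, "endpoint has no policy"  # fail closed on unknown endpoints
    roles = GRANTS.get((token["tenant"], token["ou"], token["user"]), set())
    granted = set().union(*(ROLE_POLICIES.get(r, set()) for r in roles))
    if required not in granted:
        return False, "policy not granted"
    return True, "ok"
```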

The Authorization service interacts with the following services:

  • Chef Platform API gateway
  • Chef Database (infrastructure)

User Account service

The User Account service manages administrative operations for all users and self-service operations, and validates API gateway tokens. The User Account service authenticates users, either as an OAuth user through a provider like Azure Active Directory, or as a “local” user in the Chef Platform environment.

A system administrator can use endpoints in user account management to:

  • Assign users to a tenant and organizational unit (OU)
  • Manage passwords
  • Manage API tokens (including revocation of access)
  • Enable/disable users
  • Send one-time passcodes over email to reset accounts
  • Add roles to users

Internally, the User Account service provides validation functions for the API gateway to verify a token’s attributes and authenticity. The API key and API secret are used to authorize a user or automation process through the API gateway to Chef Platform, Chef Node Management, and Chef Courier functionality. The User Account service can generate or revoke keys for any given user.

The User Account service interacts with the following services:

  • Chef Platform API gateway
  • Chef Platform Authorization service
  • Chef Platform System Management service
  • Chef Platform Notification service
  • Chef Database (infrastructure)

Node Account service

The Node Account service manages nodes (machine resources in an environment, typically running one of the Chef agents) and their role mappings. The service provides endpoints to register, find, enable, and disable nodes. The Node Account service also rotates associated credentials automatically, or on a custom rotation basis.

The Node Account service interacts with the following services:

  • Chef Platform API gateway
  • Chef Platform Authorization service
  • Chef Platform Node Management service
  • Chef Database (infrastructure)

System Management service

The System Management service creates, modifies, and assigns tenants and organizational units (OUs) for callers to the API gateway.

A tenant is the fundamental security boundary between users of the system. Often an organization only has one tenant. A tenant has one or more organizational units, which are internal groupings of users and node resources. For example, an organization may have one tenant in its data center with an organizational unit for each business unit. The tenant has special attributes for:

  • A fully qualified domain name (FQDN)
  • A slug (or common name for internal service routing)
  • The tenant secret, which initially provisions the installation

The System Management service interacts with the following services:

  • Chef Platform API gateway
  • Chef Platform User Account service
  • Chef Database (infrastructure)

Notifications service

The Notifications service:

  • Manages email integrations
  • Can set up an SMTP gateway per tenant
  • Sends messages to external addresses

The Notifications service interacts with the following services:

  • Customer-supplied SMTP gateway
  • Chef Database (infrastructure)

Bundled Tools service

The Bundled Tools service lets you download the Chef 360 Platform CLIs and other tools that interact with the Chef 360 Platform services. This service hosts downloadable bundles compatible with Linux, Windows, and macOS, and supports the 386, arm64, and amd64 architectures.

Chef Web UI Services

The Chef Web UI services provide:

  • A micro-frontend-based secure interface to the Chef 360 Platform features.
  • The ability of an organization administrator to manage users and roles using this web application.
