Introducing Catapult: Tessian’s Very Own Release Tool

Today we’re excited to open source our internal release tool - Catapult.

At Tessian we run our CI/CD pipelines from Concourse. (Like many, we picked Concourse because it’s not Jenkins*, but we’ll save that for another blog post.) Although Concourse is a fantastic build tool that cures a lot of headaches for us, as the creators will readily admit, it is not necessarily the tool with the most advanced security setup.

As a company that deals with some of the world’s most sensitive data, this was not good enough for us. We wanted a release tool with security features like two-factor authentication and an audit trail that we had come to expect from other tools we use day to day.

At Tessian we also empower our development teams to release and maintain their own services, so we wanted a system that allowed for permissioning. After some head scratching, it became apparent that we didn’t need to reinvent the wheel. By driving our releases from files stored in S3 and making use of Concourse resources, we could meet all of our requirements and more.

This was our list of demands:

  • Fine-grained permissioning
  • An extensive audit trail
  • Flexibility
  • Two-factor Authentication
  • High Speed & High Availability
  • Usability

So what exactly is Catapult?

Catapult is two things:

  • a command line tool that manages state in S3
  • a Concourse resource that consumes said S3 bucket

The permissioning is all managed on the AWS side and left as an exercise to the reader.
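
One way to approach that exercise, as an added example rather than anything from the Catapult repository: an IAM policy for a releaser that allows writes only under one team's prefix and denies every write when the session was not authenticated with MFA. The bucket name, the per-team prefix layout and the Sid labels are placeholders and assumptions; the post does not describe how the bucket is laid out.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadReleaseState",
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:GetObjectVersion"],
      "Resource": "arn:aws:s3:::EXAMPLE-RELEASE-BUCKET/*"
    },
    {
      "Sid": "ListReleaseBucket",
      "Effect": "Allow",
      "Action": "s3:ListBucket",
      "Resource": "arn:aws:s3:::EXAMPLE-RELEASE-BUCKET"
    },
    {
      "Sid": "WriteOwnTeamReleasesOnly",
      "Effect": "Allow",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::EXAMPLE-RELEASE-BUCKET/EXAMPLE-TEAM-PREFIX/*"
    },
    {
      "Sid": "DenyWritesWithoutMFA",
      "Effect": "Deny",
      "Action": ["s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"],
      "Resource": "arn:aws:s3:::EXAMPLE-RELEASE-BUCKET/*",
      "Condition": {
        "BoolIfExists": { "aws:MultiFactorAuthPresent": "false" }
      }
    }
  ]
}
```

`BoolIfExists` is used in the deny so that requests made with long-term access keys, where `aws:MultiFactorAuthPresent` is absent, are denied too. S3 bucket versioning plus CloudTrail data events on the bucket would cover the audit-trail requirement, again as an assumption about the setup.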

Command Line

[Screenshot: the catapult command showing a new release]

In the background this is doing a number of checks. It’s looking at S3, git and our Docker repository. Assuming the person running it has the correct permissions, this will update a file in S3, which our Catapult Concourse resource is monitoring.

Concourse Resource

When the resource discovers a new version of the file, it will download it; create a new version of the Concourse resource; display all the above metadata; and - assuming it is set up to do so - trigger a new task.

From here you can do whatever you want with the version managed in Concourse.

What next?

We think there’s plenty of work left to do on Catapult but wanted to share what we’ve built thus far with the world.

We’re very keen to hear feedback, so please send us a pull request or issue on GitHub!

https://github.com/Tessian/catapult

*We think The New Stack gives a nice summary of some issues we’ve had with Jenkins in past lives: https://thenewstack.io/many-problems-jenkins-continuous-delivery/