SaltStack Enterprise system architecture

Overview

Most users find it helpful to understand what SaltStack Enterprise is and how it works before they begin the installation process. This page provides a high-level overview of the SaltStack Enterprise system architecture and its different components.

What is SaltStack Enterprise?

SaltStack Enterprise is powered by Salt, an open-source configuration management and orchestration system. If you are new to Salt and are unfamiliar with how it works, see Salt system architecture.

SaltStack Enterprise extends Salt’s automated, event-driven configuration management platform by providing additional features, such as:

  • Role-based access controls - Ensures that network engineers only have access to the resources and jobs that are necessary to fulfill their specific work responsibilities.
  • A user-friendly interface - In addition to the ability to execute commands from the command line, SaltStack Enterprise also provides a graphical user interface for ease of use.
  • Security automation - Optional add-ons bringing you automated vulnerability remediation and continuous compliance for hybrid IT systems.

The SaltStack Enterprise system architecture

The following diagram shows the primary components of the basic SaltStack Enterprise architecture that are relevant to installation:

../_images/sse-architecture.png

The following sections describe the core components of the SaltStack Enterprise architecture.

Salt Master(s) and the Salt Master plugin

The Salt Master is the main connection between SaltStack Enterprise and the rest of the nodes on your network (the Salt Minions). When you issue a command from SaltStack Enterprise (such as a job), the command goes to the Salt Master for distribution to the targeted Salt Minions.

The Salt Master plugin is installed on the Salt Master. It allows the Salt Master to communicate with the SaltStack Enterprise backend server, the Enterprise API (RaaS) node. The plugin allows the Salt Master to access jobs or processes initiated by SaltStack Enterprise, as well as external files and pillar data that are stored on the PostgreSQL database.

The plugin integrates with the existing extension points provided by Salt. For example, job returns are collected using a Master-side Salt external job cache, and the Enterprise API file server uses a Salt fileserver plugin.

Note

You can connect more than one Salt Master to SaltStack Enterprise. Each Salt Master that connects to SaltStack Enterprise needs to have the Salt Master plugin installed.

SaltStack Enterprise API (RaaS)

Also sometimes referred to as RaaS (Returner as a Service), the Enterprise API is the central component in SaltStack Enterprise. In fact, when some people refer to SaltStack Enterprise itself, they are often talking about the Enterprise API.

The Enterprise API provides RPC endpoints to receive management commands from Enterprise Console, as well as RPC control endpoints to interface with connected Salt Masters. All communication is sent using RPC API calls over WebSockets or HTTP(s).

Enterprise Console

The Enterprise Console is a web application that provides the graphical user interface front end for Enterprise API. Though SaltStack Enterprise is API-first, the Enterprise Console interfaces directly with Enterprise API to enable simple management of all systems in your environment. Different workspaces provide users with the ability to manage Salt Minions, users, roles, jobs, and more.

PostgreSQL Database

The Enterprise API uses a PostgreSQL database to store Salt Minion data, job returns, event data, files and pillar data, local user accounts, as well as additional settings for Enterprise Console.

Redis Database

The Enterprise API uses a Redis database to store certain types of data, such as cached data, in temporary storage. It also uses temporary data storage to distribute queued work to background workers.

Add-ons

SaltStack Comply and SaltStack Protect are add-ons to SaltStack Enterprise that harness event-driven automation technology to deliver security compliance and vulnerability remediation.

SaltStack Comply

SaltStack Comply is a SaltStack Enterprise add-on that provides automated compliance detection and remediation for your infrastructure. A SaltStack Comply license is required to view and use the SecOps Compliance workspace in the Enterprise Console and through the command line on the Enterprise API.

In contrast with the standalone SaltStack Enterprise architecture, SaltStack Comply includes regularly-updated content and can support custom compliance content. SaltStack Comply provides a library of compliance content. Customers can automatically or manually download new content as it is developed and released by SaltStack.

SaltStack Protect

SaltStack Protect is a SaltStack Enterprise add-on that provides automated vulnerability scanning and remediation for your infrastructure. A SaltStack Protect license is required to view and use the SecOps Vulnerability workspace in the Enterprise Console and through the command line on the Enterprise API.

Similar to the SaltStack Comply content library, SaltStack Protect includes content that is updated as security standards change and new security advisories are released. Customers can automatically or manually download new content as it is released by SaltStack.

Differences in system architecture by installation scenario

SaltStack Enterprise supports two core installation scenarios, which results in two different system architectures.

In the single-node installation scenario, a Salt Master, SaltStack Enterprise, a Redis database, and a PostgreSQL database all run on the same node.

In the multi-node installation scenario, a Salt Master, SaltStack Enterprise, a Redis database, and a PostgreSQL database are distributed across at least two nodes. Each service could run on a separate node, or you can combine two or more services on a given node.

It is possible to set up multiple Salt Masters or multiple Enterprise API (RaaS) nodes. High availability requirements may require consultation services.

For more information about the installation scenarios, see Installation overview.