Bundle Format
The config bundle is a gzip-compressed tar archive namedmaverics.tar.gz. It contains everything the Orchestrator needs to run with the published configuration.
| File | Description |
|---|---|
maverics.json | The compiled Orchestrator configuration in JSON format |
| Service extension source files | Source files for any service extensions attached to the deployment |
| Asset files | Files referenced by user flows (HTML templates, static assets, etc.) |
signature.jwt | Cryptographic signature for tamper detection — see Bundle Signing |
Bundle Signing and Verification
Every config bundle is cryptographically signed to prevent tampering. The signing process uses ECDSA P-256 keys with SHA-256 hashes.Key Generation
When a deployment is created, the Console generates an ECDSA P-256 key pair:- Private key — Stored in the Console. Used to sign bundles at publish time. The private key is never exported or exposed through any API endpoint.
- Public key — Provided to the Orchestrator via
MAVERICS_BUNDLE_PUBLIC_KEY_FILE. Used to verify bundle signatures before applying configuration. The public key can be downloaded from the Console as a.pemfile.
Signing Process (Console)
When a bundle is published, the Console signs it using the following process:Hash each file
Compute a SHA-256 hash of every file in the bundle (
maverics.json, service extension source files, asset files).Build hash list
Package the file hashes into a hash list containing the filename, hex-encoded SHA-256 hash, and hash algorithm for each file.
Verification Process (Orchestrator)
When the Orchestrator downloads a new bundle, it verifies the signature before applying the configuration:Verify signature
Verify the ECDSA P-256 signature using the deployment’s public key (provided via
MAVERICS_BUNDLE_PUBLIC_KEY_FILE).Validate file count
Confirm that the number of files listed in the JWT matches the number of files in the bundle.
Deployment Lifecycle
Publishing a config bundle follows a 5-step lifecycle.Build configuration
The Console compiles the full Orchestrator configuration from all managed objects: applications and their attached user flows, identity fabrics (connectors), providers (OIDC, SAML, MCP, LDAP), TLS certificates, caches, session configuration, service extensions, startup/environment configuration, and custom override configuration.
Create revision
The compiled configuration is stored as a numbered revision in the Console. Each revision captures the complete configuration state at the time of publish.
Build bundle
The Console assembles the gzip-compressed tar bundle: serializes the configuration as
maverics.json, includes service extension source files and asset files, and signs the bundle with the deployment’s ECDSA private key.Deploy to provider
The signed bundle is uploaded to the deployment’s configured storage provider (S3, Azure Blob, GCS, GitHub, GitLab, or download-only).
Deployment Providers
The Console supports 7 deployment providers. Each provider determines where the signed bundle is stored and how the Orchestrator retrieves it.| Provider | Description |
|---|---|
| No Cloud Storage Service Configured | No-op deploy. The bundle is available for manual download from the Console UI only. Best for air-gapped environments where bundles are transferred manually. |
| Maverics Storage | Strata-managed storage for evaluation and trial deployments. No customer infrastructure required. Evaluation storage is automatically recycled every 90 days. |
| Amazon S3 Bucket | Customer’s S3 bucket with cross-account IAM role access. |
| Microsoft Azure Blob Storage | Customer’s Azure Blob container with SAS token authentication. |
| Google Cloud Storage Bucket | Customer’s GCS bucket with service account key authentication. |
| GitHub | Customer’s GitHub repository with personal access token. |
| GitLab | Customer’s GitLab repository with personal access token. |
maverics.tar.gz to the specified configurationFilePath within the storage location.
Storage Configuration
Each deployment provider requires specific configuration fields. Select your provider below for setup instructions, required fields, and IAM/access configuration.Maverics Storage
Strata-managed storage, no configuration required
Amazon S3 Bucket
Bucket name, IAM role, cross-account setup
Azure Blob Storage
Storage account, container, SAS token
Google Cloud Storage
Bucket name, service account key
GitHub
Repository owner, token
GitLab
Namespace, repository, branch, token
Publish Preview and Validation
At the bottom of each deployment’s Settings page, a sticky footer bar provides publishing controls:- Publish Preview — Opens the Deployment Manager dialog to review and publish changes.
- Version selector — Switch between the latest and older revisions.
- Download Deployment — Download the deployment bundle without publishing.
Deployment Manager
Clicking Publish Preview opens the Deployment Manager dialog, which contains:- Simulation Settings — Configure a “Simulate Continuity Strategy” toggle and a “Start After Time” field for testing deployment behavior.
- Revisions — Select an existing revision or create a new one. Add a note describing what changed.
- Diff view — Side-by-side comparison of
maverics.jsonshowing the current configuration versus the new configuration.
Revision History
Every publish creates a numbered revision that captures the complete configuration state. Revisions provide version control for your Orchestrator configuration.Revision Capabilities
- Diff between revisions — Compare any two revisions to see what changed.
- Revision notes — Add notes to each revision describing what changed and why.
- Rollback — Deploy a specific historical revision to revert to a known-good configuration.
Revision API
| Endpoint | Method | Description |
|---|---|---|
/deployments/{id}/revisions | GET | List all revisions for a deployment |
/deployments/{id}/revisions/{revisionNumber} | GET | View a specific revision with diff |
/deployments/{id}/deploy | POST | Deploy a revision. Include a revisionNumber field to deploy a specific historical revision instead of building a new one from current Console state. |
Orchestrator Polling Configuration
The Orchestrator polls its configured storage provider for new bundles at a regular interval. Configure polling behavior with the following environment variables.| Variable | Default | Description |
|---|---|---|
MAVERICS_RELOAD_CONFIG | false | Set to true to enable configuration hot-reload. Required for automatic bundle polling. |
MAVERICS_POLLING_INTERVAL_SECONDS | 30 | How often (in seconds) the Orchestrator checks for new bundles. |
MAVERICS_BUNDLE_PUBLIC_KEY_FILE | — | Path to the public key PEM file for verifying bundle signatures. |
MAVERICS_AWS_CONFIG | — | JSON configuration for AWS S3 access. Used with evaluation (aws_eval) deployments. |
The Orchestrator retrieves bundles using the same mechanism as the deployment provider’s config source type. See the config source references for provider-specific environment variables (e.g., S3 bucket configuration, Azure Blob credentials).
Example: Evaluation Deployment
For evaluation deployments, the Console generates an environment file with all required variables:Override Config
Override config provides a configuration override mechanism for deployments. When enabled for your organization, you can inject custom settings that are merged into the compiled configuration at build time.How It Works
- A
_customkey is added to the deployment’s startup configuration. - Custom settings in
_customare merged into the compiled configuration during the bundle build step. - Top-level keys in the override can replace or extend Console-managed configuration objects.
Use Cases
- Orchestrator features not yet in the Console — Some Orchestrator configuration options are not yet manageable through the Console UI. Override config lets you use these features without waiting for Console support to be added.
Common Errors
Failed to read public key
MAVERICS_BUNDLE_PUBLIC_KEY_FILE. Verify that the file path is correct and the file is readable by the Orchestrator process.