Apollo — Software Distribution & Fleet Management
What is Apollo?
Palantir Apollo is the software delivery and lifecycle management platform that powers how Foundry, AIP, and other Palantir products are deployed, updated, and managed across diverse and often sensitive environments.
Apollo enables continuous software delivery to environments that may be air-gapped, classified, or under strict change control — including JWICS (Joint Worldwide Intelligence Communications System), SIPRNet, and commercial cloud environments.
Core Apollo Concepts
Software Distribution
Apollo uses a pull-based distribution model. Software packages are published to an Apollo Software Channel, and enrolled environments pull updates on their own schedule, with optional approval gates.
```
Apollo Software Channel
├── Channel: production-stable
├── Channel: staging
└── Channel: experimental

Enrolled Environments (pull from channels):
├── Environment: DoD-JWICS-1 (air-gapped, manual approval)
├── Environment: Commercial-Prod (auto-update on stable)
└── Environment: GovCloud-Stage (auto-update on staging)
```
Fleet Management
A Fleet is a logical grouping of environments with shared configuration policies. Fleet operators can:
- View health status of all environments
- Trigger software updates
- Apply configuration changes
- Set update schedules and approval workflows
- Monitor compliance status
Enrollment
Enrolling a new environment into Apollo:
```bash
# On the target environment (may require operator approval)
apollo-agent enroll \
  --channel production-stable \
  --environment-id "my-org-prod-01" \
  --fleet "my-org-fleet"
```
Configuration Policies
Apollo policies define environment-specific configuration that overrides defaults:
```yaml
# Example Apollo Configuration Policy
apiVersion: apollo/v1
kind: ConfigurationPolicy
metadata:
  name: high-security-policy
spec:
  network:
    egress: deny-all
    ingress:
      allowedCIDRs:
        - 10.0.0.0/8
  storage:
    encryption: AES-256-GCM
    keyRotationDays: 30
  auth:
    sessionTimeoutMinutes: 15
    mfaRequired: true
```
Air-Gapped Deployments
For environments with no internet connectivity (common in DoD classified networks):
- Software Bundle Export: Apollo generates a signed, compressed bundle of all required packages
- Physical Transfer: Bundle transferred via approved media (e.g., NSA-approved removable drive)
- Import & Install: Local Apollo agent validates the bundle signature and installs
- Update Cycle: Repeats on operator-defined schedule (weekly, monthly, or on demand)
Offline Update Flow:

```
[Palantir Apollo Cloud]
    │ 1. Generate signed bundle
    │ 2. Export to removable media
    ▼
[Physical Transport] ──────────────────────────
    │ 3. Approved transfer (PKI-signed media)  │
    ▼                                          │
[Air-Gapped Environment]                       │
    │ 4. Validate signature                    │
    │ 5. Import bundle                         │
    │ 6. Health check & smoke test             │
    ▼                                          │
[Reporting] → Health status queued for         │
              next data diode export ──────────
```
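What the receiving side can check between steps 4 and 5 of the flow above, as an added example that is not Apollo's own code. It assumes the signed metadata carries a manifest of per-member SHA-256 digests (the real bundle format is not described on this page); `check_bundle` and `make_bundle` are hypothetical names.

```python
import hashlib
import hmac
import io
import tarfile
from pathlib import PurePosixPath


def check_bundle(bundle: bytes, manifest: dict) -> list:
    """Return a list of problems; an empty list means the import may proceed.

    ASSUMPTION: `manifest` maps member path -> hex SHA-256 and was taken from
    metadata whose signature has already been verified (step 4 of the flow).
    """
    problems, seen = [], set()
    with tarfile.open(fileobj=io.BytesIO(bundle), mode="r:gz") as tar:
        for m in tar:
            path = PurePosixPath(m.name)
            if path.is_absolute() or ".." in path.parts:
                problems.append(f"unsafe path: {m.name}")
            elif m.isdir():
                continue
            elif not m.isfile():
                # Links and device nodes can redirect writes outside the target.
                problems.append(f"non-regular member: {m.name}")
            elif m.name not in manifest or m.name in seen:
                problems.append(f"unexpected member: {m.name}")
            else:
                seen.add(m.name)
                digest = hashlib.sha256(tar.extractfile(m).read()).hexdigest()
                if not hmac.compare_digest(digest, manifest[m.name]):
                    problems.append(f"digest mismatch: {m.name}")
    problems += [f"missing member: {n}" for n in sorted(set(manifest) - seen)]
    return problems


def make_bundle(files: dict, links: dict = None) -> bytes:
    """Build a constructed sample bundle in memory (test data, not a real bundle)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
        for name, target in (links or {}).items():
            info = tarfile.TarInfo(name)
            info.type, info.linkname = tarfile.SYMTYPE, target
            tar.addfile(info)
    return buf.getvalue()
```

Nothing is extracted until the returned list is empty. Each member is read fully into memory here; a real importer would hash large members in chunks.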
Health Monitoring
Apollo tracks environment health across multiple dimensions:
| Metric | Description |
|---|---|
| Service Status | All Foundry services running and healthy |
| Disk Usage | Storage utilization and thresholds |
| Memory / CPU | Compute resource consumption |
| Certificate Expiry | TLS cert expiration countdown |
| Software Version | Current version vs available |
| Last Check-In | Time since last heartbeat |
Apollo CLI
```bash
# List all environments in your fleet
apollo fleet list --fleet my-org-fleet

# Check environment health
apollo env health --environment my-org-prod-01

# Trigger a software update
apollo env update --environment my-org-prod-01 --version 2024.12.1

# View update history
apollo env history --environment my-org-prod-01 --days 30

# Export offline bundle (air-gapped)
apollo bundle export \
  --channel production-stable \
  --version 2024.12.1 \
  --output /media/approved-drive/apollo-bundle.tar.gz
```
Apollo in DoD Context
Apollo is central to Palantir's government contracts. It enables:
- USAF / Army / Navy deployments: Foundry in classified environments without internet exposure
- FedRAMP compliance: Apollo manages the delivery of FedRAMP-authorized software versions
- ATO (Authority to Operate): Apollo's audit trail supports ATO documentation
- STIG compliance: Configuration policies enforce DISA STIG requirements automatically
Apollo vs. Traditional Software Delivery
| Aspect | Traditional | Apollo |
|---|---|---|
| Update mechanism | Manual, version-by-version | Automated pull-based |
| Air-gapped support | Custom one-off solutions | Built-in bundle export |
| Configuration management | Scripts / Ansible / Terraform | Declarative policies |
| Audit trail | Manual logging | Automatic, cryptographically signed |
| Rollback | Manual restoration | One-command rollback |