#ansible (2019-07)

ansible

Discussions related to ansible configuration management

2019-07-01

Abel Luck

do you all bake AMIs with config secrets too? we’ve been deploying quasi-immutable machines that pull config from SSM Parameter Store via confd

Erik Osterman (Cloud Posse)

Confd is a nice approach

Erik Osterman (Cloud Posse)

Gomplate also supports SSM.

Erik Osterman (Cloud Posse)

Or you can just have your ansible scripts use environment variables and call ansible with chamber

Erik Osterman (Cloud Posse)

All options support headless operation

Erik Osterman (Cloud Posse)

Definitely discourage baking secrets into images as rotation is painfully slow and keeping an immutable “log” of secrets is not advisable

Erik Osterman (Cloud Posse)

(Also, goes without saying, all suggestions assume use of IAM instance profiles to obtain STS access credentials)

2019-07-08

Abel Luck

what’s the draw of gomplate over confd?

Abel Luck

one issue we’ve had with this quasi-immutable AMIs + confd approach is dependency order. An SSM value gets changed, but the instance isn’t rebooted (or the service on it restarted)

Erik Osterman (Cloud Posse)

I would strongly caution against automatic restarts of services as one wrong value and you nuke your cluster

Erik Osterman (Cloud Posse)

That’s why Kubernetes, for example, takes a rolling restart approach. Changes to ConfigMaps are not immediate. Pods need to be explicitly restarted.

2019-07-17

Blaise Pabon
ARA Records Ansible | ara.recordsansible.org

ARA Records Ansible playbook runs and makes the recorded data available and intuitive for users and systems.

mrwacky

Neat. Too bad we’re drifting towards a Dockerverse where we do not run Ansible much any more.

Jonathan Le

…Yeah. I haven’t touched Ansible in ages.