Skip to content

bmurashin/ansible-agent

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

3 Commits
ansible-agent
ansible-agent
 
 
ansible-server
ansible-server
 
 
project-examples
project-examples
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
README.ru.md
README.ru.md
 
 
deploy-agent.yaml
deploy-agent.yaml
 
 
deploy-server.yaml
deploy-server.yaml
 
 

Repository files navigation

About

Ansible-agent is a way to run playbooks in a big infrastructure as fast as on a single host

Motivation: playbooks, executed centrally (e.g. by Tower/AWX), have to wait for task to be completed on every node in a run/slice before proceeding to next task. Slow hosts happen - and just one such host can dramatically slow down the whole playbook run
Ansible-agent works around this problem by offloading playbooks execution to hosts themselfs

One shortcoming of ansible-agent is that it downloads whole git project with all secrets to every node. Here ansible-server comes into play - it stands between git and agents and prepares minimally sufficient piece of project individually for every host, additionally reencrypting secrets, so that vault password used by ansible-agent can't be used to decrypt the git project.

Setup ansible-agent

  • set vault password in ./ansible-agent/ansible-agent.py (find VAULTSECRET = 'VAULTSECRET_TMP')
    • or build agent binary bash ./ansible-agent/BUILD/build.sh - recomended as it obfuscates vault password
  • edit ./ansible-agent/ansible-agent.conf.j2 - set git_url (for testing or if your project has no sensitive data) or server_url to use ansible-server (recommended)
  • and deploy using playbook:
ansible-playbook deploy-agent.yaml \
  -i host01.tld,host02.tld, \
  -e use_git=true -e GIT_USER=username -e GIT_TOKEN=token \
  -e ca_bundle=cabundle.crt \
  -e use_agent_binary=false
  • if you choose to use ansible-server, remove -e use_git=true -e GIT_USER=username -e GIT_TOKEN=token and use new_vault_password value from ansible-server configuration as vault password for agent
  • -e ca_bundle=cabundle.crt is intented for your corporate CA certs.
    Used for communication with ansible-server, can be removed if you go with git or if your server use certs from widely trusted CAs
  • if you choose to build agent binary, set -e use_agent_binary=true

Setup ansible-server

Main point is to provide ansible-agent with minimally sufficient piece of project, so that any compromised host exposes only configurations and secrets, that are already exist somewhere in /etc, and will not be of much help for an attacker.

  • edit ./ansible-server/ansible-server.conf.j2:
    • set git_url
    • if you want ansible-server to reencrypt secrets - set vault_password (to decrypt secrets from git project) and new_vault_password (to reencrypt secrets for agents)
  • and deploy:
ansible-playbook deploy-server.yaml \
  -i ansible-srv.tld, \
  -e GIT_USER=username -e GIT_TOKEN=token

note comma , in the -i parameter - it is requred for ansible to treat value as list, otherwise ansible will look for ansible-srv.tld file in current folder

About

No description, website, or topics provided.

Resources

Readme

License

Apache-2.0 license
Activity

Stars

29 stars

Watchers

2 watching

Forks

6 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages