Dracula at 14:14, 18 July 2024

2024-07-18T14:14:26Z

← Older revision		Revision as of 14:14, 18 July 2024
Line 99:		Line 99:
	** etc		** etc

	gotchas: - rhel 5 still in use (lots of hard-to-update edge devices) - required keeping a copy of Ansible 9.12 - handlers + roles + playbooks behavior was a surprise - idempotency is hard - slowly changing customer requests - disk mounts on existing servers		gotchas:
			* rhel 5 still in use (lots of hard-to-update edge devices)
			* required keeping a copy of Ansible 9.12
			* handlers + roles + playbooks behavior was a surprise
			* idempotency is hard
			* slowly changing customer requests
			* disk mounts on existing servers

	testing: - RHEL upgrades require playbooks to be reviewed + retested - getting other departments required managemnet buy-in - importance of culture of growth - replaced 800 line startup script with playbooks and roles		testing: - RHEL upgrades require playbooks to be reviewed + retested - getting other departments required managemnet buy-in - importance of culture of growth - replaced 800 line startup script with playbooks and roles

Dracula: Created page with " = Reliable Network Compliance with Ansible DevSecOps = # user changes template/script # change triggers pipeline # security analysis # build config # apply config # run validation tests # publish artifacts = Automated App Remediation using EDA = observe, evaluate, respond * Monitoring: something happened
* Observability: why something ha..."

2024-05-14T12:16:08Z

Created page with " = Reliable Network Compliance with Ansible DevSecOps = # user changes template/script # change triggers pipeline # security analysis # build config # apply config # run validation tests # publish artifacts = Automated App Remediation using EDA = observe, evaluate, respond * Monitoring: something happened * Observability: why something ha..."

New page

= Reliable Network Compliance with Ansible DevSecOps =

# user changes template/script
# change triggers pipeline
# security analysis
# build config
# apply config
# run validation tests
# publish artifacts


= Automated App Remediation using EDA =

observe, evaluate, respond

* Monitoring: something happened 

* Observability: why something happened

ansible rulebooks - use if-this-then-that rules - continuously running


= SSH CA Authentication w/ Hashicorp Vault and RH AAP =

* problem
** leveraging keys at scale
** key rotation is difficult
** mishandling private keys
* solution
** using an SSH CA
*** PKI-like infrastructure
*** designed for SSH
* SSH certs are signed with:
** SSH CA priv key
** TTL
** roles
** other SSH instructions
* Vault as SSH CA
* user authenticates to vault before auth’ing to server
* Vault integrates with AAP
** secrets lookup
** signed SSH


= Security-as-Code and Firewall Policy Automation =

* aims to add visibility
* move from spreadsheets to data structures
** direct translation to policy
* implmenetation + backout
* using servicenow + github + AAP
* request form + approve + implement

process: 1. discuss the design 2. create automation diagram 3. write individual playbooks

building automation: 1. write steps as playbook comments 2. replace comments with code

* use “set_facts” to label the current stage for debugging
* use “set_stats”
* use failure handling
* modular design
* custom python modules
* firewall config caching
* compliance enforcement


= Good Practices for Ansible =

* used in lint validated content

examples: - make big items out of smaller items - use “foo_package” instead of “package” - use snake case for vars - use two underscores for internal variables - use a single source of truth for inventory - filter at source, not inventory (so use API to filter) - treat inventory in controller as disposable - define inventory as dir structure instead of a single file - make script to gen inventory dynamically - split long lines into multiple lines - yaml-multiline.info

call to action: - read the GPA - apply and share - contribute to improve GPA


= Ansible Journey at Norfolk Southern =

* major rail company
* previously using bash + puppet + chef
* management wanted to improve automation skills
** made sure the team had the required time (1hr/wk_
* went through Ansible for DevOps
* learngitbranching.js.org
* learn to give/accept code review
* quality merges
* start developing standards
** naming conventions
** created internal docs
*** used for code reviews
* used mailing list support
* encouraged attending Ansible meetups
** useful to prove skills are transferrable
* create detailed inventories w/ tagging
** DC
** dev/prod
** hardware
** DR priority
** etc

gotchas: - rhel 5 still in use (lots of hard-to-update edge devices) - required keeping a copy of Ansible 9.12 - handlers + roles + playbooks behavior was a surprise - idempotency is hard - slowly changing customer requests - disk mounts on existing servers

testing: - RHEL upgrades require playbooks to be reviewed + retested - getting other departments required managemnet buy-in - importance of culture of growth - replaced 800 line startup script with playbooks and roles


= Ansible Keynote =


== southwest airlines ==

* ansible allows shorter maintenance windows
** SWA does not perform maintenances while planes are in the sky
* side note: presentation was very scripted. “''video of looking at SWA website for a flight'' Oh, didn’t realize you could see my screen”
* using ansible to create golden configs for network devices
* custom NOC solution using ansible?


== jp morgan chase ==

* 10k unique playbooks
* secured, controlled, auditable
* post-conference note: pretty sure they said they have ~65M executions


= Podman Desktop =

* supports k8s and OS bases
* support for compose and pods
* “kind” app as opposed to k8s or docker?


= RHEL Satellite Advanced Topics =

* using ansible to
** enable RH repos
** add custom repos
** create activation keys

Notes from RH Summit/Ansiblefest 2024 - Revision history

Dracula at 14:14, 18 July 2024