Automation
-
Provisioning Baremetal OpenShift clusters using RHACM with GitOps leveraging on-premise Assisted Installer
Recently, I published the blog Provisioning OpenShift clusters using GitOps with ACM, explaining how to create OpenShift clusters with RHACM using GitOps with ArgoCD. The installation type there was IPI, which works for most platforms (Azure, AWS, GCP, vSphere…) but not for bare metal. If you have ever installed an OpenShift cluster on bare metal in a disconnected environment, you know how different it is from any other installation. In this blog, I explain how to deploy a bare-metal OpenShift cluster with the Assisted Installer using RHACM and GitOps with ArgoCD. If you are not familiar with deploying OpenShift clusters with RHACM and GitOps, I recommend reading the article I wrote: GitOps for organizations:…
-
Configuring OpenShift clusters with ApplicationSets using Helm, Kustomize and ACM Policies
There are multiple articles about GitOps describing how to use ArgoCD with Kustomize to configure multiple clusters or environments. They show a nice way to apply some kustomizations, but when you try to implement it in your organization, you will probably face the following "How can I" challenges: Maybe you also read a cool post about creating a Kustomize plugin. But organizations do not want to rely on a custom plugin that is not supported. The answer to all these questions is a really nice combination: ApplicationSets + Helm + Kustomize. The big picture of this solution is: Note: creating only an ApplicationSet with a Kustomize+Helm plugin can be an alternative…
-
Provisioning OpenShift clusters using GitOps with ACM
In the introduction, we described a solution where ACM is used to provision OpenShift clusters using GitOps. Users fill in the cluster parameters in a form; the parameters are written to a YAML/JSON object and pushed to Git. ArgoCD synchronizes these objects into the ACM cluster. The cluster is provisioned with ACM, which automatically adds it to OpenShift GitOps for Day 2. The cluster is then configured automatically with ArgoCD using Helm + Kustomize, and with ACM policies. In this article, we explain the first part of the solution in more detail: provisioning OpenShift clusters using GitOps with ACM. If you are interested in the second part of the…
-
GitOps for organizations: provisioning and configuring OpenShift clusters automatically
When organizations started adopting Kubernetes platforms such as OpenShift, many years ago, the most common scenario was a single cluster for all the workloads. However, as OpenShift adoption accelerated inside organizations, more clusters were needed, and each organization started to build its own automation: some used Ansible for provisioning, others Terraform. Some used Ansible for Day 2 configuration and cluster life cycle, others used GitOps tools like ArgoCD or Drone. Implementing the whole workflow of provisioning, Day 2 configuration and cluster life cycle in an automated way is not a simple task, and as there are no standards,…
-
Hardening ssh connections to managed hosts with Ansible Automation Platform
Ansible Automation Platform (AAP), as a platform for implementing enterprise-wide automation, is a central point in many organizations. From there, AAP can reach any host for automation purposes. Security has many layers (see Zero Trust architecture), and this article focuses on one specific layer: mitigating ssh-based attacks on managed hosts. We cannot eliminate every security risk, but we can harden the managed hosts to eliminate some risks (password brute force) and mitigate others (allowing ssh connections only from authorized hosts, requiring a sudo password). Although this article's use case is around AAP, most of the hardening configuration is applied on the managed hosts (editing…
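The sshd side of that hardening can be checked mechanically. The Python below is an added example, not code from the article or from AAP: it parses an sshd_config the way sshd does (first occurrence of a keyword wins, Match blocks are conditional, keywords are case-insensitive) and reports the settings that leave the brute-force and any-source-host problems open. The two sample configurations and the 10.10.0.0/24 execution-node network are constructed for illustration; the sudo password requirement lives in sudoers and is outside what this check covers.

```python
"""Audit an sshd_config for the settings an ssh hardening pass targets:
password logins (brute force), root login, retry budget and source-host
restriction. Added example; the sample configs below are constructed."""

# Constructed sample configs, not taken from any real host.
WEAK_SSHD_CONFIG = """\
# Stock-looking configuration: password logins from any host, root allowed
Port 22
PermitRootLogin yes
PasswordAuthentication yes
"""

HARDENED_SSHD_CONFIG = """\
# Keys only, no root, few retries, and only the automation account
# from the AAP execution-node network (the address range is an assumption)
Port 22
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
MaxAuthTries 3
AllowUsers ansible@10.10.0.0/24
"""

# sshd's compiled-in defaults for the keywords we check (OpenSSH 7.0+)
SSHD_DEFAULTS = {
    "passwordauthentication": ["yes"],
    "kbdinteractiveauthentication": ["yes"],
    "permitrootlogin": ["prohibit-password"],
    "maxauthtries": ["6"],
}

# Older spelling of the same keyword; sshd accepts both
KEYWORD_ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def parse_sshd_config(text: str) -> dict[str, list[str]]:
    """Return the effective global settings of an sshd_config.

    Mirrors sshd's rules: keywords are case-insensitive, the first occurrence
    of a keyword wins, 'Keyword=value' is accepted, lines starting with '#'
    are comments, and everything after a Match line applies only when the
    match criteria hold, so it is not counted as a global setting.
    """
    settings: dict[str, list[str]] = {}
    in_match_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = line.split()
        if "=" in tokens[0]:
            # "Keyword=value" form
            tokens = line.replace("=", " ", 1).split()
        key = tokens[0].lower()
        key = KEYWORD_ALIASES.get(key, key)
        if key == "match":
            in_match_block = True
            continue
        if in_match_block:
            continue
        settings.setdefault(key, tokens[1:])  # first occurrence wins
    return settings


def audit_sshd_config(text: str) -> list[str]:
    """Report settings that leave the host open to password brute force or to
    logins from arbitrary source hosts. An empty list means all checks pass."""
    effective = {**SSHD_DEFAULTS, **parse_sshd_config(text)}
    findings = []
    if effective["passwordauthentication"][0].lower() != "no":
        findings.append("PasswordAuthentication is not 'no': password brute force remains possible")
    if effective["kbdinteractiveauthentication"][0].lower() != "no":
        findings.append("KbdInteractiveAuthentication is not 'no': PAM password prompts remain reachable")
    if effective["permitrootlogin"][0].lower() != "no":
        findings.append("PermitRootLogin is not 'no': use a named automation account with sudo instead")
    if int(effective["maxauthtries"][0]) > 3:
        findings.append("MaxAuthTries above 3: each connection gets too many guesses")
    allow = effective.get("allowusers")
    if not allow:
        findings.append("AllowUsers unset: any account may log in from any source host")
    elif any("@" not in pattern for pattern in allow):
        findings.append("AllowUsers entry without a host part: logins are not limited to authorized hosts")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{name}: {audit_sshd_config(cfg) or ['ok']}")
```

Run against a real host with `audit_sshd_config(open('/etc/ssh/sshd_config').read())`; because sshd honours the first occurrence of a keyword, a hardening line appended to the end of a file that already sets the same keyword earlier has no effect, which is exactly the mistake the first-match rule in the parser exists to catch.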
-
Running Ansible Jobs in AAP 2.4+ with EDA watching OpenShift events
In the article Kubernetes Meets Event-Driven Ansible (EDA), Andrew Block explained how automation and Kubernetes go hand in hand and how Ansible already plays a role within this ecosystem. When that article was written, EDA was not yet included in Ansible Automation Platform (AAP), and rulebooks had to be executed from the CLI or packaged within custom solutions. With the release of AAP 2.4, EDA is part of AAP, and Ansible Rulebooks can be executed in AAP. In this article, I describe the use case of running Ansible Jobs in AAP 2.4 with EDA watching OpenShift events: registering/unregistering OpenShift machines in ServiceNow by watching machine-api events…