I'd like some advice on how to organise my work in Git/Ansible.

Let's say I have a GitLab project with Ansible roles/playbooks inside. I am using GitLab CI jobs with Ansible to deploy my cluster (Elastic, Kubernetes, whatever).

How would you organise your project when you have dozens of clusters?

One folder per cluster, Ansible style? But in this case one modification would apply to all clusters, and you don't want to upgrade/patch all clusters at once.

One branch per cluster? And rebase from master on each branch when you want to update?

Or one project per cluster, forking from the main project?

One more question: how would you authenticate your runner for Ansible to work? Put the SSH key in a secret variable in GitLab and set it inside the Docker runner? But anyone with developer access to the project could print the variable in a job and get the SSH key.

Thank you.

1 Answer

  • A separate repository for each project (k8s, elastic, ...) per cluster
  • A separate branch for each environment: test, prod
  • Use protected secret variables in protected branches
  • Protect all the branches so that no one can push directly, and create a merge request instead
  • Accept changes from developers as merge requests, so that you review the changes and what they are doing before merging, so that you don't allow anyone to change the CI files to echo secrets
  • You can also use the file locking feature in the EE version, but the protected branches approach is better
  • You can also get secrets from HashiCorp Vault instead, on the runner
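The branch-per-environment and protected-variable points above, turned into a deploy wrapper a GitLab job could run in place of a bare `ansible-playbook` call. This is an added example, not code from the answer or from GitLab/Ansible. It assumes one inventory directory per environment under `inventories/` (`test`, `prod`), that the deploy key arrives as a protected CI variable named `ANSIBLE_SSH_KEY`, and that GitLab's `CI_COMMIT_REF_NAME` and `CI_COMMIT_REF_PROTECTED` variables are present; the variable name and inventory layout are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not code from the original answer. A small wrapper a GitLab
# job would run instead of calling ansible-playbook directly. Assumptions:
#   - one inventory per environment under inventories/ (test, prod), matching
#     the "one branch per environment" layout from the answer
#   - the deploy key arrives as a protected CI variable ANSIBLE_SSH_KEY (name assumed)
#   - GitLab sets CI_COMMIT_REF_NAME and CI_COMMIT_REF_PROTECTED ("true"/"false")
set -eu

# Map the branch the pipeline runs on to an inventory directory. Any branch
# without an environment fails closed, so a feature branch cannot deploy.
select_inventory() {
  case "$1" in
    test) echo "inventories/test" ;;
    prod) echo "inventories/prod" ;;
    *)    echo "no environment mapped for branch '$1'" >&2; return 1 ;;
  esac
}

# Protected variables are only injected on protected refs, but stating the
# rule in the job as well means a misconfigured branch protection does not
# silently turn into a prod deploy from an arbitrary branch.
require_protected_for_prod() {
  local ref="$1" protected="$2"
  if [ "$ref" = "prod" ] && [ "$protected" != "true" ]; then
    echo "refusing to deploy prod from an unprotected ref" >&2
    return 1
  fi
  return 0
}

# Write the key material to a 0600 file inside a 0700 temporary directory and
# print the path. The key is passed to a shell function and written with the
# printf builtin, so it never appears in the job log or in another process's
# command line.
install_ssh_key() {
  local dir
  dir="$(mktemp -d)"
  chmod 700 "$dir"
  : > "$dir/id_deploy"
  chmod 600 "$dir/id_deploy"
  printf '%s\n' "$1" > "$dir/id_deploy"
  echo "$dir/id_deploy"
}

# Full job body: fail closed, then run the playbook with --private-key and
# remove the key file when the job ends.
deploy() {
  local ref="${CI_COMMIT_REF_NAME:?}" protected="${CI_COMMIT_REF_PROTECTED:-false}"
  local inventory key
  require_protected_for_prod "$ref" "$protected"
  inventory="$(select_inventory "$ref")"
  key="$(install_ssh_key "${ANSIBLE_SSH_KEY:?}")"
  trap 'rm -rf "$(dirname "$key")"' EXIT
  ansible-playbook -i "$inventory" --private-key "$key" site.yml
}

# Only run the deploy when invoked as: ./deploy.sh deploy
if [ "${1:-}" = "deploy" ]; then
  deploy
fi
```

In the `.gitlab-ci.yml` the deploy job would call `./deploy.sh deploy` and be restricted to the `test` and `prod` branches. Because a protected variable is only exposed to pipelines on protected refs, a developer who edits the CI file on a feature branch to `echo "$ANSIBLE_SSH_KEY"` gets an empty value; changing the CI file on `prod` itself still has to go through a merge request that you review, which is the control the answer relies on.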