Closed JimMadge closed 2 years ago
I like the agentless feature of Ansible. From the sounds of it, we could have an Ansible config server, with NSG rules allowing only one-way connections from the config server to all the VMs it is enforcing the config for.
I think we should carefully consider what we want in terms of desired state configuration. Is idempotency enough or do we also want to be robust to changes in the client configuration (e.g. made by system updates or malicious actors)?
This is a really good point. You could even imagine a regular consistency check being part of our security procedures (in fact, do any of the certifications require this?).
When we have had a chance to assess each option, perhaps we should have a summary table outlining the features that are important or critical to us.
Closing as stale. Would be better placed in a discussion if this becomes relevant for v4.
:scroll: Description
This issue is for building an evaluation for each configuration management language/system we will consider.
Contributes to (supersedes?) #28
Related to #836
:strawberry: Desired behaviour
We are able to make a decision to adopt one of the proposals or to keep the status quo.
:page_facing_up: Tasks
Options we should consider, and write a report for in this issue's comments
Definitions
Client/controlled node
A system which is being managed by the configuration management software.
Agentless
Some systems require that a daemon is running on controlled nodes. Agentless systems, like Ansible, do not. This has the advantage that you do not need to install or manage the configuration management software on each client.
Idempotent
In this context, applying the same operation repeatedly results in no change.
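The thread's distinction between idempotency and robustness to client-side changes, as an added example that is not part of the original issue or of any tool under evaluation: `enforce` is idempotent, while the read-only `check` is what a regular consistency check would run to detect drift between enforcement runs. The setting names, sample file content and function names are constructed for illustration.

```python
# Constructed desired state for one controlled node (hypothetical settings).
DESIRED = {"PermitRootLogin": "no", "PasswordAuthentication": "no"}

# Constructed sample of a client's current config file.
SAMPLE = "# constructed sample\nPermitRootLogin yes\nPort 22\n"


def parse(text):
    """Parse 'Key value' lines, ignoring blank lines and comments."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition(" ")
            settings[key] = value.strip()
    return settings


def check(text, desired=DESIRED):
    """Read-only consistency check: {key: (actual, wanted)} for each drifted key."""
    actual = parse(text)
    return {k: (actual.get(k), v) for k, v in desired.items() if actual.get(k) != v}


def enforce(text, desired=DESIRED):
    """Idempotent enforcement: returns (new_text, changed)."""
    drift = check(text, desired)
    if not drift:
        return text, False          # already in desired state: no write at all
    out, written = [], set()
    for line in text.splitlines():
        key = line.strip().partition(" ")[0]
        if key not in drift:
            out.append(line)        # unmanaged or already-correct line
        elif key not in written:
            out.append(f"{key} {desired[key]}")
            written.add(key)        # later duplicates of this key are dropped
    out += [f"{k} {desired[k]}" for k in drift if k not in written]
    return "\n".join(out) + "\n", True


if __name__ == "__main__":
    fixed, changed = enforce(SAMPLE)
    print("first run changed:", changed)
    print("second run changed:", enforce(fixed)[1])
    tampered = fixed.replace("PermitRootLogin no", "PermitRootLogin yes")
    print("drift after tampering:", check(tampered))
```

Idempotency only guarantees that the second `enforce` is a no-op; a change made on the client afterwards stays in place until `check` or the next enforcement run sees it.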