Hi all,
I've been using ansible for a while now, and I'm trying to figure out a good way to do a couple of tricky items. They are not ansible-specific, but I need a solution that allows ansible to function securely.
I work on a team of many folks who need access to manage portions of a system. There could be as many as 20 or 30 people with commit access to the general tree of playbooks and configuration files/templates.
There is a specific group which has complete access to all servers - ultimately they are folks with root.
Right now we are using puppet and as a part of a desire to get away from puppet I need to make something work in ansible.
We have two puppet repos. A public one and a private one.
The public one has most recipes/config files; this is available to anyone on the team.
The private one has ssl certs/keys/passphrases for dbs/etc/etc; this is only available to the root group.
In puppet you commit to either of those and they get pushed to a place where the puppetmaster can get to them.
Then the clients run puppet and fetch the files they need.
So here's what I need to do in ansible:
1. provide a separation of repos like above - public and private
2. provide a way for team members who are not in the root group to initiate or trigger a run of ansible on a set of systems (or on all) w/o giving them access to the private repo
3. provide a sane-ish way of triggering ansible-playbook runs for maintenance playbooks on all systems.
What I've come up with is this:
private and public repos: obvious, really.
pre-update hooks which check for yaml correctness in the commit.
On push, private ends up only readable by root; public is available.
On the central admin system we create an ssh key with a pass phrase.
This will be the key that is in root's authorized_keys on every system.
Then we allow non-root team members to run a sudo command which gives them access to run ansible-playbook and to see the ssh-agent set for that key.
Additionally, a cron job that runs the maintenance playbooks regularly and staggered on all systems.
My questions are:
1. is anyone else tangling with these types of systems and what are you doing to solve the issue?
2. is anyone already working on an ansible-delegator/cron job to run some maintenance playbooks on every system?
thanks,
-sv
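The sudo step in the post is where the design stands or falls: whoever can run ansible-playbook with the agent holding the root key effectively has root on every host, so the wrapper that sudo exposes has to constrain what gets run, not just who runs it. The following is an added example of such a wrapper, written for this reply and not taken from the post or from the Ansible project. Everything in it is an assumption: the repo path `/srv/ansible/public`, the inventory location, the agent socket path, the sudoers group name and the wrapper's own name. It resolves the requested playbook to a real path and refuses anything that lands outside the public checkout (including `..` and symlinks), rejects options that could change what code runs as root (`-e`/`--extra-vars`, custom module or connection settings), rebuilds the child environment from scratch so caller-supplied `ANSIBLE_*` variables cannot redirect roles or config, and records who asked for what.

```python
#!/usr/bin/env python3
"""ansible-run: hypothetical sudo-only wrapper for non-root team members.

Intended sudoers entry (assumption, adjust names to taste):
    %ansible-runners ALL=(root) NOPASSWD: /usr/local/sbin/ansible-run
sudo's env_reset drops the caller's SSH_AUTH_SOCK, so the wrapper sets the
agent socket itself; the caller never needs to see the key or the socket.
"""
import os
import shlex
import sys
import tempfile
from pathlib import Path

PUBLIC_REPO = Path("/srv/ansible/public")            # assumption: checkout of the public repo
INVENTORY = Path("/srv/ansible/private/hosts")       # assumption: inventory lives with root-only files
AGENT_SOCK = "/run/ansible-agent/root-key.sock"      # assumption: agent holding the passphrased key
# Only options that narrow or preview a run are accepted.
ALLOWED_OPTS = {"--check", "--diff", "--limit", "-l", "--tags", "-t"}


def resolve_playbook(name: str, repo: Path = PUBLIC_REPO) -> Path:
    """Map a playbook name to a file inside the public checkout.

    resolve() follows '..' and symlinks before the containment check, so a
    request that points outside the repo is refused even if it looks local.
    """
    repo = repo.resolve()
    candidate = (repo / name).resolve()
    if candidate.suffix not in (".yml", ".yaml") or not candidate.is_file():
        raise ValueError(f"not a playbook: {name}")
    try:
        candidate.relative_to(repo)
    except ValueError:
        raise ValueError(f"playbook outside public repo: {name}") from None
    return candidate


def validate_options(opts) -> list:
    """Refuse any option not on the allow list (covers --opt=value forms too)."""
    for opt in opts:
        if opt.startswith("-") and opt.split("=", 1)[0] not in ALLOWED_OPTS:
            raise ValueError(f"option not allowed: {opt}")
    return list(opts)


def build_command(playbook: str, opts=(), repo: Path = PUBLIC_REPO,
                  inventory: Path = INVENTORY) -> list:
    """Assemble the ansible-playbook argv; the inventory is fixed, not caller-chosen."""
    target = resolve_playbook(playbook, repo)
    return ["ansible-playbook", "-i", str(inventory), *validate_options(opts), str(target)]


def build_env(repo: Path = PUBLIC_REPO) -> dict:
    """Child environment built from scratch: nothing from the caller survives."""
    return {
        "PATH": "/usr/bin:/bin",
        "HOME": "/root",
        "SSH_AUTH_SOCK": AGENT_SOCK,
        "ANSIBLE_CONFIG": str(repo / "ansible.cfg"),
    }


def demo() -> dict:
    """Constructed scenario: a temporary 'public' checkout with one playbook,
    plus a sibling 'private' file and a symlink into it, to show what is refused."""
    root = Path(tempfile.mkdtemp())
    repo = root / "public"
    (repo / "playbooks").mkdir(parents=True)
    (repo / "playbooks" / "site.yml").write_text("- hosts: all\n  tasks: []\n")
    secret = root / "private" / "secrets.yml"
    secret.parent.mkdir()
    secret.write_text("db_password: constructed-sample\n")
    (repo / "escape.yml").symlink_to(secret)
    results = {"cmd": build_command("playbooks/site.yml", ["--check", "--limit", "web"],
                                    repo, Path("/tmp/hosts")),
               "refused": []}
    attempts = [("../private/secrets.yml", []), ("escape.yml", []),
                ("playbooks/site.yml", ["-e", "x=1"])]
    for name, opts in attempts:
        try:
            build_command(name, opts, repo, Path("/tmp/hosts"))
        except ValueError:
            results["refused"].append(" ".join([name, *opts]))
    return results


def main(argv):
    if len(argv) < 2:
        sys.exit("usage: ansible-run PLAYBOOK [--check] [--diff] [--limit GROUP] [--tags TAGS]")
    caller = os.environ.get("SUDO_USER", "unknown")   # set by sudo; audit who asked
    cmd = build_command(argv[1], argv[2:])
    print(f"ansible-run: {caller} -> {shlex.join(cmd)}", file=sys.stderr)  # send to syslog in practice
    os.chdir(PUBLIC_REPO)
    os.execvpe(cmd[0], cmd, build_env())


if __name__ == "__main__":
    main(sys.argv)
```

Running `demo()` shows the allowed command for `playbooks/site.yml --check --limit web` and three refusals: the `..` path, the symlink that resolves into the private tree, and the `-e` override. The same allow-list idea extends to the cron job in item 3: give cron the wrapper with a fixed list of maintenance playbooks rather than a free-form ansible-playbook invocation.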