I need some guidance using Venafi for SSL deployment with Event-Driven Ansible (EDA) for SSL renewals.
We are working to automate our SSL processes using Venafi. Our goal is to automate certificate generation for hosts something.example.com and manage the renewal process. Specifically, I need a way to query Venafi for upcoming expirations, renew the certificates, and deploy the updated files to our Linux servers, with Windows support to follow.
I would like to use Event-Driven Ansible for this workflow, but I haven’t found much documentation or a solid foundation for this outside of OpenShift and Kafka. Since this is a new area for me, I have hit a bit of a wall.
If anyone has experience with this stack or can offer any guidance on a starting point, I would appreciate your insights.
Hi @Fracture7144 , what would be your signal to kick off the EDA>Ansible workflow? As in, does Venafi emit something when certificates are about to expire or does your monitoring system alert if it sees a local system with expiring certificates? With EDA, you need some kind of event/signal that you can take action on. If you don’t have that and are falling back to scheduled polling of your systems, EDA might not be worth the complexity for that task.
For context, I'm doing a similar exercise on how we can take advantage of EDA.
Good deal, I agree with "NGinuity" from the Reddit post: you are probably better served by using a scheduled job rather than adding EDA into the mix. If you have some kind of monitoring system set up that looks at the certificates on your servers/apps/firewalls/etc…, then I would say explore EDA, since it would allow you to process less data and target job runs to only those systems that need to be updated.
If you do want to explore EDA, you could split the tasks:
Scheduled job polls the systems for expiring certificates and adds the system details into a queue
EDA rulebook monitors the queue and does the renewal. Different endpoint host connection methods (ex: Linux server vs Cisco firewall) could go into different queues and allow for different workflows to trigger rather than having to account for all of this in a single playbook
Some ideas for EDA that we’re working on:
User self-service with our current ITSM as the frontend. EDA saves us from having to expose/manage external webhooks and instead lets us use a queue-based approach. Our security setup is much more friendly for outbound traffic, so we only had to do one request to allow AAP outbound to the queue rather than a multi-team/multi-week effort to allow a new webhook inbound.
Data gathering and automatic remediation based on monitoring events
EDA has been around for a while but, at least from my view, doesn't get a ton of attention. Also, it used to be a struggle to get the full web/mgmt interface running under K8s if you didn't have AAP. It may have gotten more stable, but about a year ago it was a game of marrying the right image versions up to get a mostly working system, and the documentation was sparse. Once our AAP instance had EDA baked in, I decommed our original EDA setup. While you're evaluating EDA, I would start with running the ansible-runner process on a base system or inside a podman/docker container (both can be managed by systemd if you want). The playbook it triggers can be either stored locally or on AAP/AWX.
One thing about the documentation I’ve found out is that mainstream event source plugins are listed but that is not the complete list of vendors that have an EDA plugin. Our monitoring system has an EDA plugin in their Ansible collection but you only know about it if you look at their docs, not the Ansible/EDA docs. This is just an effect of the project not being as mature as Ansible so we’ve had to adjust some expectations and plan on some extra research/testing time.
I would suggest first identifying what your event sources are, where they can send events to (webhook, AWS SQS, Azure Service Bus, Kafka, etc…) and what you can do with those events once they’re received. I appreciate this sounds a bit obvious but if you don’t have all three of those first, then there’s no point in wasting the cycles setting up EDA since it won’t be able to do any work until those are identified.
If you go down the EDA path and run into an issue, feel free to start a new forum post and tag me. I'm by no means an expert but will be happy to help.
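As an added example of the "scheduled job polls, queue feeds EDA" split proposed above (this is not code from the thread or from Venafi/Ansible): a Python poller that reads the notAfter date straight out of a DER-encoded certificate, decides whether the host falls inside a renewal window, and drops a JSON payload into a platform-specific queue so that Linux hosts and Cisco firewalls can trigger different rulebook branches. The DER walker only touches the validity field, which is all a poller needs. The in-memory dict standing in for SQS/Kafka, the 30-day window, the `cert-renewal-<platform>` queue names and the sample certificates are all assumptions made for the example; the certificates are constructed test data with no signature, built by the block's own tiny DER encoder.

```python
"""Scheduled-job half of a cert-renewal pipeline: poll, decide, enqueue.

Added example, not from the forum thread. Assumptions: a 30-day renewal
window, queue names of the form cert-renewal-<platform>, and an in-memory
dict in place of a real queue (SQS, Service Bus, Kafka...).
"""
import json
from datetime import datetime, timedelta, timezone

RENEW_WITHIN_DAYS = 30  # assumption: anything expiring within 30 days gets renewed
SAMPLE_NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)  # fixed clock for the sample run


def _der_tlv(buf: bytes, pos: int):
    """Return (tag, value_start, value_end) for the DER element starting at buf[pos]."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _der_children(buf: bytes, start: int, end: int):
    """Yield (tag, value_start, value_end) for each element inside a SEQUENCE."""
    while start < end:
        tag, vs, ve = _der_tlv(buf, start)
        yield tag, vs, ve
        start = ve


def _parse_time(tag: int, raw: bytes) -> datetime:
    """Decode UTCTime (tag 0x17, YYMMDDhhmmssZ) or GeneralizedTime (0x18, YYYYMMDDhhmmssZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def cert_not_after(der: bytes) -> datetime:
    """Walk Certificate -> tbsCertificate -> validity and return notAfter (UTC)."""
    _, tbs_start, _ = _der_tlv(der, 0)                       # outer Certificate SEQUENCE
    _, f_start, f_end = _der_tlv(der, tbs_start)             # tbsCertificate SEQUENCE
    fields = list(_der_children(der, f_start, f_end))
    if fields[0][0] == 0xA0:                                 # optional [0] EXPLICIT version
        fields = fields[1:]
    # remaining order: serialNumber, signature, issuer, validity, subject, ...
    _, v_start, v_end = fields[3]
    _not_before, not_after = list(_der_children(der, v_start, v_end))
    return _parse_time(not_after[0], der[not_after[1]:not_after[2]])


def _der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, used only to build the constructed sample certificates."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def make_sample_cert(not_after: datetime) -> bytes:
    """Constructed test data: a tbsCertificate skeleton with the given expiry, no signature."""
    tag = 0x17 if not_after.year < 2050 else 0x18            # UTCTime vs GeneralizedTime
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    validity = _der(0x30, _der(0x17, b"240101000000Z") + _der(tag, not_after.strftime(fmt).encode()))
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02")) +             # version v3
               _der(0x02, b"\x01") +                          # serialNumber
               _der(0x30, b"") +                              # signature algorithm (empty, test only)
               _der(0x30, b"") +                              # issuer (empty, test only)
               validity)
    return _der(0x30, tbs)


def poll(inventory, now=None):
    """Return {queue_name: [payload, ...]} for hosts whose cert expires inside the window.

    inventory items are {"host", "platform", "der"}; in production the DER bytes
    would come from ssl.get_server_certificate() or the host's certificate file.
    """
    now = now or datetime.now(timezone.utc)
    queues = {}
    for item in inventory:
        expires = cert_not_after(item["der"])
        days_left = (expires - now).days
        if days_left > RENEW_WITHIN_DAYS:
            continue  # not due yet; nothing for EDA to do
        payload = {"host": item["host"], "platform": item["platform"],
                   "not_after": expires.isoformat(), "days_left": days_left}
        queues.setdefault(f"cert-renewal-{item['platform']}", []).append(payload)
    return queues


def sample_inventory(now: datetime):
    """Constructed inventory: two hosts due for renewal (one per platform), one not."""
    return [
        {"host": "a.example.com", "platform": "linux", "der": make_sample_cert(now + timedelta(days=10))},
        {"host": "fw1.example.com", "platform": "cisco", "der": make_sample_cert(now + timedelta(days=5))},
        {"host": "b.example.com", "platform": "linux", "der": make_sample_cert(now + timedelta(days=90))},
    ]


if __name__ == "__main__":
    print(json.dumps(poll(sample_inventory(SAMPLE_NOW), SAMPLE_NOW), indent=2))
```

The queue message is deliberately small (host, platform, expiry, days left): the rulebook only needs enough to pick a branch and a target, and the playbook it launches can pull everything else from Venafi at run time. Negative `days_left` values are kept rather than dropped so an already-expired certificate still lands in the queue and gets renewed on the next run.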