I need some guidance using Venafi for SSL deployment with Event-Driven Ansible (EDA) for SSL renewals.
We are working to automate our SSL processes using Venafi. Our goal is to automate certificate generation for hosts something.example.com and manage the renewal process. Specifically, I need a way to query Venafi for upcoming expirations, renew the certificates, and deploy the updated files to our Linux servers, with Windows support to follow.
I would like to use Event-Driven Ansible for this workflow, but I haven’t found much documentation or a solid foundation for this outside of OpenShift and Kafka. Since this is a new area for me, I have hit a bit of a wall.
If anyone has experience with this stack or can offer any guidance on a starting point, I would appreciate your insights.
Hi @Fracture7144, what would be your signal to kick off the EDA>Ansible workflow? As in, does Venafi emit something when certificates are about to expire, or does your monitoring system alert if it sees a local system with expiring certificates? With EDA, you need some kind of event/signal that you can take action on. If you don’t have that and are falling back to scheduled polling of your systems, EDA might not be worth the complexity for that task.
For context, I’m doing a similar exercise on how we can take advantage of EDA.
Good deal, I agree with "NGinuity" from the Reddit post, you are probably better served by using a scheduled job rather than adding EDA into the mix. If you have some kind of monitoring system set up that looks at the certificates on your servers/apps/firewalls/etc… then I would say explore EDA, since it would allow you to process less data and target job runs to only those systems that need to be updated.
If you do want to explore EDA, you could split the tasks:
Scheduled job polls the systems for expiring certificates and adds the system details into a queue
EDA rulebook monitors the queue and does the renewal. Different endpoint host connection methods (ex: Linux server vs Cisco firewall) could go into different queues and allow for different workflows to trigger rather than having to account for all of this in a single playbook
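As an added example (not from anyone in the thread), here is a Python sketch of the first half of that split: the scheduled poll turns per-host `openssl x509 -noout -enddate -subject` output into renewal events and routes them to a queue per connection method. The queue names, the threshold and the sample poll results are constructed assumptions; querying Venafi directly instead of openssl output is left out.

```python
"""Scheduled poll: turn per-host openssl -enddate/-subject output into renewal
events, grouped by the queue an EDA rulebook would watch (constructed data)."""
from datetime import datetime, timezone
import json

# Queue per connection method, so Linux and network-gear renewals can trigger
# different rulebook workflows (hypothetical queue names).
QUEUE_FOR_CONNECTION = {
    "ssh": "cert-renewals-linux",
    "winrm": "cert-renewals-windows",
    "network_cli": "cert-renewals-network",
}

def parse_enddate(openssl_output):
    """Parse the notAfter= and subject= lines; returns (aware datetime, subject)."""
    fields = dict(line.split("=", 1) for line in openssl_output.strip().splitlines())
    # openssl prints e.g. 'Mar 14 12:00:00 2026 GMT'; drop the zone, treat as UTC
    raw = fields["notAfter"].rsplit(" ", 1)[0]
    not_after = datetime.strptime(raw, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
    return not_after, fields["subject"].strip()

def build_renewal_events(hosts, now, threshold_days=30):
    """Return {queue: [event, ...]} for hosts whose certificate expires within
    threshold_days or has already expired; other hosts produce no event."""
    events = {}
    for host in hosts:
        not_after, subject = parse_enddate(host["openssl_output"])
        days_left = (not_after - now).days
        if days_left > threshold_days:
            continue
        events.setdefault(QUEUE_FOR_CONNECTION[host["connection"]], []).append({
            "host": host["name"], "subject": subject,
            "not_after": not_after.isoformat(),
            "days_remaining": days_left, "expired": days_left < 0,
        })
    return events

# Constructed poll results in the shape a scheduled job would collect.
SAMPLE_HOSTS = [
    {"name": "web01.example.com", "connection": "ssh",
     "openssl_output": "notAfter=Mar 14 12:00:00 2026 GMT\nsubject=CN = web01.example.com"},
    {"name": "web02.example.com", "connection": "ssh",
     "openssl_output": "notAfter=Dec 31 23:59:59 2026 GMT\nsubject=CN = web02.example.com"},
    {"name": "fw01.example.com", "connection": "network_cli",
     "openssl_output": "notAfter=Feb 20 08:00:00 2026 GMT\nsubject=CN = fw01.example.com"},
]

def demo_events():
    """Run the poll against the sample hosts at a fixed 'now' (2026-03-01 UTC)."""
    return build_renewal_events(SAMPLE_HOSTS, datetime(2026, 3, 1, tzinfo=timezone.utc))

if __name__ == "__main__":
    for queue, batch in demo_events().items():
        for event in batch:
            print(queue, json.dumps(event))
```

Each event carries the fields a rulebook condition would filter on (days_remaining, expired), so the renewal playbook only runs for hosts that actually need it.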
Some ideas for EDA that we’re working on:
User self-service with our current ITSM as the frontend. EDA saves us from having to expose/manage external webhooks and lets us use a queue-based approach instead. Our security setup is much more friendly for outbound traffic, so we only had to do one request to allow AAP outbound to the queue rather than a multi-team/multi-week effort to allow a new webhook inbound.
Data gathering and automatic remediation based on monitoring events