Suggested initially by @Rikairchy, I've been toying with it and think that Ansible in pull-mode might be perfect for our use-case:
We can make sure secrets are stored in a secrets store, or rely on network-level security, and then have a single public repository here responsible for the configuration of our boxes.
Then we can separately manage the docker+sidecar that NG brings, using simpler orchestration software like Nomad or something simplistic.
Note: It does make the job easier for profilers, but it's offset by the wealth of open-source security tooling and testing suites we'd have access to, i.e. CircleCI
I was thinking of using something like this as the cloudinit script: https://www.reddit.com/r/devops/comments/6fajam/ansible_in_pull_mode/
Let me know what you think.
Suggested initially by @Rikairchy, I've been toying with it and think that Ansible in pull-mode might be perfect for our use-case:
We can make sure secrets are stored in a secrets store, or rely on network-level security, and then have a single public repository here responsible for the configuration of our boxes.
Then we can separately manage the docker+sidecar that NG brings, using simpler orchestration software like Nomad or something simplistic.
Note: It does make the job easier for profilers, but it's offset by the wealth of open-source security tooling and testing suites we'd have access to, i.e. CircleCI
I was thinking of using something like this as the cloudinit script: https://www.reddit.com/r/devops/comments/6fajam/ansible_in_pull_mode/
Let me know what you think.