Hey everyone, I'm wearing a lot of hats at my agency, including development, DevOps, and sys admin. A colleague asked me for help with a TypeScript script that needs to run as a cron job on a customer-controlled RHEL VM, which is hosted on an on-premises server. My experience lies mainly in cloud and containerized environments, so I'm not too familiar with deploying non-containerized workloads on-prem. The server is accessible through SSH and is secured behind a VPN.
Here's what I'm thinking: I plan to use Ansible initiated from a CI/CD runner, but I'm unsure whether it needs to connect directly to the VPN or if I can just request the runner be whitelisted. Given my lack of experience with Ansible, I'm wondering if there are any better options for deployment beyond what I've mentioned (and I'm not considering switching technologies like Chef or Puppet). Any guidance would be greatly appreciated!
4 Answers
There’s really no one-size-fits-all answer here. Temporary approaches you choose for scheduling might stick around longer than expected, which is fine! Also, consider using a GitHub workflow cron job for the script, but keep in mind it has to run on-prem due to database access requirements.
Ansible is actually a solid choice for this kind of deployment since it works well over SSH without the need for agents. If the VPN setup is troublesome, consider using a bastion host to facilitate access. As for the cron job, it’s straightforward; even Kubernetes allows for cron jobs for those scheduled tasks we can't escape!
Exactly! If it's just a single IP, you could simplify things with a one-liner command like `ansible-playbook -i
If the tasks are straightforward, just whip up a playbook for deploying scripts and setting up cron jobs. As your requirements grow, you could leverage tools like GitLab and integrate your playbook into a pipeline. Refactoring configuration into YAML with Jinja2 templates can also make the process smoother for users down the line.
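A playbook of the kind suggested in the answer above, as an added example that is not part of the original thread: it installs the compiled script and schedules it under a dedicated unprivileged account, so the job cannot modify its own code and does not run as root. The inventory group, account name, paths, schedule, bastion host and the assumption that CI compiles the TypeScript to `dist/job.js` are all hypothetical.

```yaml
# deploy-cron.yml (added example; names, paths and schedule are assumptions)
- name: Deploy compiled script and schedule it with cron
  hosts: customer_vm              # hypothetical inventory group
  become: true
  vars:
    job_user: reportjob           # hypothetical unprivileged service account
    job_dir: /opt/reportjob       # hypothetical install directory
    # Only if the VM is reached through a bastion (placeholder host name):
    # ansible_ssh_common_args: "-o ProxyJump=deploy@bastion.example.com"
  tasks:
    - name: Create a dedicated account with no login shell
      ansible.builtin.user:
        name: "{{ job_user }}"
        system: true
        shell: /sbin/nologin
        create_home: false

    - name: Create the install directory, writable by root only
      ansible.builtin.file:
        path: "{{ job_dir }}"
        state: directory
        owner: root
        group: "{{ job_user }}"
        mode: "0750"

    - name: Copy the build output from the CI workspace
      ansible.builtin.copy:
        src: dist/job.js          # assumed output of the TypeScript build
        dest: "{{ job_dir }}/job.js"
        owner: root
        group: "{{ job_user }}"
        mode: "0640"              # service account can read, not write

    - name: Schedule the job in the service account's crontab
      ansible.builtin.cron:
        name: reportjob nightly run   # marker Ansible uses to keep the entry idempotent
        user: "{{ job_user }}"
        minute: "15"
        hour: "2"
        job: "/usr/bin/node {{ job_dir }}/job.js"   # assumed node path
```

Database credentials are deliberately absent from the crontab line; they would belong in a file readable only by the service account or in the runner's secret store.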
For tasks like this, I usually use Ansible AWX because it streamlines things even further. Just makes life easier, you know?
Yup, it absolutely needs to stay on-prem. The previous decision to host it there was probably influenced by time constraints and the need for immediate results. Still, a site-to-site VPN would allow for more flexibility in the future.