author | Jan Dittberner <jandd@cacert.org> | 2019-07-21 15:14:00 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2019-07-21 15:14:00 +0200 |
commit | 464e43c51afe7455515e2f93d00155d3b6e20807 (patch) | |
tree | 80da246cee7be6b64f3c2d2d7d31231b6b421572 | |
parent | ebfe159ebde82383dc36d31bf3879c3714e5d983 (diff) | |
Define Icinga2 CA on master
-rw-r--r-- | hieradata/common.yaml | 29 | ||||
-rw-r--r-- | hieradata/nodes/monitor.yaml | 29 | ||||
-rw-r--r-- | sitemodules/profiles/manifests/icinga2_master.pp | 13 |
3 files changed, 40 insertions, 31 deletions
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 9a71926..6961942 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -142,35 +142,6 @@ profiles::icinga2_agent::pki_api_password: >
 gCG3gDAX0FOzW/oWi8c1PDIFb+0B4cTQRi9gP2fzugKu0bp0FBB7akZV6Zx0
 T5GP0WQAzU0=]
 profiles::icinga2_common::master_host: monitor.infra.cacert.org
-profiles::icinga2_common::ca_certificate: |
- -----BEGIN CERTIFICATE-----
- MIIEyjCCArKgAwIBAgIVAMGxGJbZJq/vXMuXAnAC8QvFtvhMMA0GCSqGSIb3DQEB
- CwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xOTA3MTkxODIwNDVaFw0zNDA3
- MTUxODIwNDVaMBQxEjAQBgNVBAMMCUljaW5nYSBDQTCCAiIwDQYJKoZIhvcNAQEB
- BQADggIPADCCAgoCggIBAMh+p0jach/6ICsP/o01nku28g0jFB/HSp5n/WZjzykW
- MvgvYc/1lEaiuIeB93AobGB3EACNw2/Xfh1deRGP8UsIOIjeeUibfk0i4SOmFBRb
- 0ZmwUeNVygY7rmhO+fwTPi6bb2+AA50RkDP7jTpwaQFxppziTXUqW8mj0LBSLtNL
- z8dC2YS/JLKSoNyHupQcL+pHVHO5S9QnFWTnhwIbnWSJTG13BOYw/RUz6WcxFDHl
- Xi/lprjcorBUDsH5YBfy+/2WJ0MZFqRnCPQKb5oilR1/k+9XpmFz8W98KCujjpNm
- BEantf7OaaYFIxxoWyrGC1RiMnkSQwa9Pcxgwflca5UC1fW0Jx2zsgDscdWp+Xeo
- lhYtyHa6upgny66SvekjM9mAm6vtlsBplxYZtz6BgqoxXqk0AwAwiU/9nyXGekAp
- FPMmENBLZvANuA6hdaMJQpOoyHBDOT8teoIJOut92ptk5bVE4gxwcWc1uFCP05nr
- gA8iTXnabihXbm2Wb8kk/+34wEru5jpwMh1NEH/TvaqPnly/dBHkmEhJquYyoZFS
- ttKl64XXdy9HGaTaA6b3dQPeZqHbmadRZzcsxjn+zP8Nu8OTZ4HXkAJ2e3nxlRKs
- 2EaZDJK4SoNBvvkYLScLLYH5X1uC2gs6AHiQDiczQYxMqai5pEnrLHO7B/pE+d/1
- AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGYh
- pqAK55ei8+S+rXt1wQbejAphJ2GtTft8XjlfVbpk7s7wd/Wt0gLAs4dvPPI1U0k9
- N6E5WJrn31QbaXHFDwdxFw1ViLxDmepAp+Kp3pQE5bPNjo5e6iwgOGVB20R20ADo
- foUfk5u6WfGGSJznDkTTdoYdSsHm1d1nsZKt0i2QFnLEIEBOJW4gwY4LiW7ArfYS
- 21Ji9VLgKxF9We4Y0ppY+7rU8r/aNDrYv0Ghe+IA0+k8KoTGuhBXzxfwUUZ+1+yA
- JYSmxFzhPJCdwRX3IBn4uTVMRlugntgpmB7m5RyW18MUlAw52Ppe5EtOke1lxxh0
- G5KYt+pKPnkOVj2LRLvOcAOO47i42q+3P4m2elkPHTrI2JmnTwWNjpkNNc4LeFXs
- 3HE3SoSvXvImabhBfioqThVMAEEjrtkAQSOFg281vaIgUPbwqcVmbOHv/2Cow0xw
- gYrp+hB0hhf5rpYi1SMLTKIQUJT6CKnIgN9KHMwcz6Zq4WcshXQxZZrazXomJJ9k
- WKBpvys1Mfn0Y+phqmCXW7D9Yh1T32pnyOTm8kUonBhIoDEwYN5v175ySw8jjiUD
- Dlkc/kuv3szLVWx63FvOPc6ra9rmmdwmDaVTd9fGlo/NrquCQOGu59hiACPept+I
- y+bP1kZ0Z+5qrmlX0zrcLspzXOyY0VX/YZ3unzyp
- -----END CERTIFICATE-----
 profiles::icinga2_common::master_certificate: |
 -----BEGIN CERTIFICATE-----
 MIIE+jCCAuKgAwIBAgIUKbBk4rIgCPf77noCKofD3WKBR6EwDQYJKoZIhvcNAQEL
diff --git a/hieradata/nodes/monitor.yaml b/hieradata/nodes/monitor.yaml
index 2d8b10b..4872c67 100644
--- a/hieradata/nodes/monitor.yaml
+++ b/hieradata/nodes/monitor.yaml
@@ -70,6 +70,35 @@ profiles::icinga2_master::pki_ticket_salt: >
 wEtKajBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBC71KjJDv29zuAaxnyH
 o3uJgDDydzmhZKEQxhkFNW9TNquxCTXdfPZ/zYPb/TqWq3amcnQwoqNltz+5
 QoSf/2LDk4o=]
+profiles::icinga2_master::ca_certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIEyjCCArKgAwIBAgIVAMGxGJbZJq/vXMuXAnAC8QvFtvhMMA0GCSqGSIb3DQEB
+ CwUAMBQxEjAQBgNVBAMMCUljaW5nYSBDQTAeFw0xOTA3MTkxODIwNDVaFw0zNDA3
+ MTUxODIwNDVaMBQxEjAQBgNVBAMMCUljaW5nYSBDQTCCAiIwDQYJKoZIhvcNAQEB
+ BQADggIPADCCAgoCggIBAMh+p0jach/6ICsP/o01nku28g0jFB/HSp5n/WZjzykW
+ MvgvYc/1lEaiuIeB93AobGB3EACNw2/Xfh1deRGP8UsIOIjeeUibfk0i4SOmFBRb
+ 0ZmwUeNVygY7rmhO+fwTPi6bb2+AA50RkDP7jTpwaQFxppziTXUqW8mj0LBSLtNL
+ z8dC2YS/JLKSoNyHupQcL+pHVHO5S9QnFWTnhwIbnWSJTG13BOYw/RUz6WcxFDHl
+ Xi/lprjcorBUDsH5YBfy+/2WJ0MZFqRnCPQKb5oilR1/k+9XpmFz8W98KCujjpNm
+ BEantf7OaaYFIxxoWyrGC1RiMnkSQwa9Pcxgwflca5UC1fW0Jx2zsgDscdWp+Xeo
+ lhYtyHa6upgny66SvekjM9mAm6vtlsBplxYZtz6BgqoxXqk0AwAwiU/9nyXGekAp
+ FPMmENBLZvANuA6hdaMJQpOoyHBDOT8teoIJOut92ptk5bVE4gxwcWc1uFCP05nr
+ gA8iTXnabihXbm2Wb8kk/+34wEru5jpwMh1NEH/TvaqPnly/dBHkmEhJquYyoZFS
+ ttKl64XXdy9HGaTaA6b3dQPeZqHbmadRZzcsxjn+zP8Nu8OTZ4HXkAJ2e3nxlRKs
+ 2EaZDJK4SoNBvvkYLScLLYH5X1uC2gs6AHiQDiczQYxMqai5pEnrLHO7B/pE+d/1
+ AgMBAAGjEzARMA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAGYh
+ pqAK55ei8+S+rXt1wQbejAphJ2GtTft8XjlfVbpk7s7wd/Wt0gLAs4dvPPI1U0k9
+ N6E5WJrn31QbaXHFDwdxFw1ViLxDmepAp+Kp3pQE5bPNjo5e6iwgOGVB20R20ADo
+ foUfk5u6WfGGSJznDkTTdoYdSsHm1d1nsZKt0i2QFnLEIEBOJW4gwY4LiW7ArfYS
+ 21Ji9VLgKxF9We4Y0ppY+7rU8r/aNDrYv0Ghe+IA0+k8KoTGuhBXzxfwUUZ+1+yA
+ JYSmxFzhPJCdwRX3IBn4uTVMRlugntgpmB7m5RyW18MUlAw52Ppe5EtOke1lxxh0
+ G5KYt+pKPnkOVj2LRLvOcAOO47i42q+3P4m2elkPHTrI2JmnTwWNjpkNNc4LeFXs
+ 3HE3SoSvXvImabhBfioqThVMAEEjrtkAQSOFg281vaIgUPbwqcVmbOHv/2Cow0xw
+ gYrp+hB0hhf5rpYi1SMLTKIQUJT6CKnIgN9KHMwcz6Zq4WcshXQxZZrazXomJJ9k
+ WKBpvys1Mfn0Y+phqmCXW7D9Yh1T32pnyOTm8kUonBhIoDEwYN5v175ySw8jjiUD
+ Dlkc/kuv3szLVWx63FvOPc6ra9rmmdwmDaVTd9fGlo/NrquCQOGu59hiACPept+I
+ y+bP1kZ0Z+5qrmlX0zrcLspzXOyY0VX/YZ3unzyp
+ -----END CERTIFICATE-----
 profiles::icinga2_master::ca_key: >
 ENC[PKCS7,MIIOHQYJKoZIhvcNAQcDoIIODjCCDgoCAQAxggEhMIIBHQIBADAFMAACAQEw
 DQYJKoZIhvcNAQEBBQAEggEAndhxooQI/m9cfD6jfWVHSce7ePzRwpt8F4qy
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index eeb033d..e14879f 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -12,6 +12,7 @@
 # @param web2_database_password database password for IcingaWeb2 database
 # @param api_users Icinga2 API users
 # @param ca_key Icinga2 CA private key content
+# @param ca_certificate Icinga2 CA certificate content
 # @param master_key Icinga2 master private key content
 # @param master_csr Icinga2 master CSR
 #
@@ -38,6 +39,7 @@ class profiles::icinga2_master (
 Array[Hash[String, Variant[String, Tuple[String, 1]]]] $api_users,
 String $pki_ticket_salt,
 String $ca_key,
+ String $ca_certificate,
 String $master_key,
 String $master_csr,
 ) {
@@ -51,6 +53,11 @@ class profiles::icinga2_master (
 },
 }
 
+ class { '::icinga2::pki::ca':
+ ca_cert => $ca_certificate,
+ ca_key => $ca_key,
+ }
+
 postgresql::server::db { 'icinga2':
 user => 'icinga2',
 password => postgresql_password('icinga2', $ido_database_password),
@@ -65,10 +72,12 @@ class profiles::icinga2_master (
 }
 
 class { '::icinga2::feature::api':
- endpoints => {
+ pki => 'icinga2',
+ ticket_salt => $pki_ticket_salt,
+ endpoints => {
 $::fqdn => {},
 },
- zones => {
+ zones => {
 $::fqdn => {
 'endpoints' => [$::fqdn],
 },
|
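Review bot: The CA certificate is added under `profiles::icinga2_master::ca_certificate` as an opaque PEM block directly above the encrypted `ca_key`, with nothing a reviewer can use to confirm that the two belong together or to see when the CA expires. I would add a YAML comment above the key, for example `# Icinga2 CA certificate; subject, notAfter and SHA-256 fingerprint: <fill in>`, so rotation dates and key/certificate mismatches can be checked without decoding the blob. The key also moved out of the `profiles::icinga2_common` namespace in common.yaml, so any remaining lookup of the old name (not visible in this diff) would have to be removed in the same change. The `ca_key` value continues outside the hunk.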
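Review bot: The new `class { '::icinga2::pki::ca': ... ca_key => $ca_key }` block in the `@@ -51,6 +53,11 @@` hunk passes the CA private key as a plain `String`, and the `@@ -65,10 +72,12 @@` hunk does the same with `ticket_salt => $pki_ticket_salt`, so both secrets are ordinary, unredacted values once eyaml has decrypted them. Consider declaring the parameters as `Sensitive[String] $ca_key` and `Sensitive[String] $pki_ticket_salt` and unwrapping only at the call, e.g. `ca_key => $ca_key.unwrap,`; this presumably needs a matching `lookup_options` entry with `convert_to: 'Sensitive'` in Hiera. It is also worth confirming that the module writes the key file without emitting content diffs into agent logs and reports, which this diff does not show. The class body starts before and continues after both hunks.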