authorJan Dittberner <jandd@cacert.org>2019-07-21 16:29:15 +0200
committerJan Dittberner <jandd@cacert.org>2019-07-21 16:29:15 +0200
commit93ce031466058317b5bfdefc20412150449d8b3c (patch)
tree7a808a7f2990e74c532f28cfca31afe535f51720
parenta6f98d12beff0c2204cbb838c68020fcd8f0e950 (diff)
Modify icinga2 agent setup
- use ticket generated by icinga2 pki ticket on master - remove commented code from icinga2_master manifest - use icinga2 module for icinga2_agent
-rw-r--r--hieradata/common.yaml58
-rw-r--r--hieradata/nodes/puppet.yaml13
-rw-r--r--sitemodules/profiles/manifests/icinga2_agent.pp60
-rw-r--r--sitemodules/profiles/manifests/icinga2_common.pp16
-rw-r--r--sitemodules/profiles/manifests/icinga2_master.pp96
5 files changed, 80 insertions, 163 deletions
diff --git a/hieradata/common.yaml b/hieradata/common.yaml
index 6961942..9ea31c9 100644
--- a/hieradata/common.yaml
+++ b/hieradata/common.yaml
@@ -141,34 +141,34 @@ profiles::icinga2_agent::pki_api_password: >
RmIpGTBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBAAs0An2QOnxac51GTU
gCG3gDAX0FOzW/oWi8c1PDIFb+0B4cTQRi9gP2fzugKu0bp0FBB7akZV6Zx0
T5GP0WQAzU0=]
-profiles::icinga2_common::master_host: monitor.infra.cacert.org
-profiles::icinga2_common::master_certificate: |
+profiles::icinga2_agent::master_host: monitor.infra.cacert.org
+profiles::icinga2_agent::master_certificate: |
-----BEGIN CERTIFICATE-----
- MIIE+jCCAuKgAwIBAgIUKbBk4rIgCPf77noCKofD3WKBR6EwDQYJKoZIhvcNAQEL
- BQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE5MDcyMTA5NTYzMVoXDTM0MDcx
- NzA5NTYzMVowIzEhMB8GA1UEAwwYbW9uaXRvci5pbmZyYS5jYWNlcnQub3JnMIIC
- IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA7Z9Yf0kd7Jo88QH/xhQNYvZr
- m3rL2nIz+B67HFgQu6Q1o6wqYvn6bccTjdQFhrHcDob9XpoCs18IwDIG9fBhNR5k
- ph7XjVzv40vh3tjjzfkvoKzPyEDxJI98DTTkDKK3UfsvTL0PwlS1xrBRW8IbbKmq
- NNA7p8VJJanzJCv0k7idpLmmyKeRoBF0HFaGynFcoOwjoLib9polUExD8kSRfemO
- Lwq46BGORX7id49J3DHPQv89dm4N0BPjnWGMd1x3puk+GgptEzFDNEigNmFerojM
- KqoIhNEi4+bB3tz/aU6Sn0vm4Jm0tnlkrdX7O1nBvTvrwBa6jt94v0n9amvFV+Lz
- Kde4ukvn8FRoEmJMaiHgSMjlU0KwawhCqC67Rf+L+nwhi4o916BcLzCMkEHbCAW0
- 4uBZJdj29BwvWkfd7rrydUMZuBJIsKydJ13H9/kWUlsgqXayWpMl7qrJSx7XiY0Z
- 909Nmu6+ZphlqesRcOFyZHB4hkBP8tZA9lYHOjSBFI340Fni38cMKrJQiyKAZXUQ
- mE/i3a1J5ZXuKmYjhha4A3MtEvxrXbWP7rokYCqShJO72ThGM6RRwnEmyL4J46eR
- GHta3apZjOqjHjY9Za+bGbQFjQ12/YanP8DeXh4Y3vxwxu3jkUnOf0VF//qav52i
- YXn9PnJlQ2GhRtTWoccCAwEAAaM1MDMwDAYDVR0TAQH/BAIwADAjBgNVHREEHDAa
- ghhtb25pdG9yLmluZnJhLmNhY2VydC5vcmcwDQYJKoZIhvcNAQELBQADggIBACTq
- 0WxyhdboNInC8xNDlA/gHdWXyDx6GfOwSt9C6VDtJ4h+khoI79QKJ37cWBnhihCH
- +evaTNo/LiXfGh41vZPKDMPrZeTJ6Zqhs/Fj5dXZ9cOh14ySDnSicHUrDvpeolE6
- AB4GA4vyDQ5FmtCb2ewpBgFHfoOqPWdcS9S2mTrdWHIvqEfam7A1lX32SfHY6HRc
- kf+S9z0/rk0sCOdmBuX/mcgEFtGuT23uVIJcWxWxiqW1W9BBd+ZKMXPk7A/9F3E1
- JtI6ZQ2ToF+uxPA79ZUZaYNMSg7kS0ZtayHnxzKOK5pIiUgWBPUVGNXlindw2TGJ
- RApS/QCanaIrxxqS1xSjahVowHD9EWcJJBxvfDX125k/FQ3gZbEvqrcSCoPClZbQ
- K+rjjG/7v/+kU6Ruj2jopPltuS2ERLJdQyvsU7t1cpEoQ/ZbiYO2hBTguZEfY1Ek
- BhyZWVak8Daxe/UgV7wPs8o4EsEphWie121C54a6kGmaqv+RoslWD+PzZfJA1ku+
- 5UnNaUuqg5bD/Gxx0YpMSk9UmLpa7EUeAYw8teGwqoRiQYq6zaxkSCS3i+MlNZ7p
- W5JiUD886njJsNu04yJObI9GVzukudVZ8SlwabM0I42aDfNpDN/AJY/ah00nTHL2
- RUVoXfI86h8Jq7YdRNqT5g2I0HgclOi1pjGwvAuK
+ MIIE+jCCAuKgAwIBAgIUakjWIH5VKmS7yZycSG7EzfIYWkswDQYJKoZIhvcNAQEL
+ BQAwFDESMBAGA1UEAwwJSWNpbmdhIENBMB4XDTE5MDcyMTE0MDYwMFoXDTM0MDcx
+ NzE0MDYwMFowIzEhMB8GA1UEAwwYbW9uaXRvci5pbmZyYS5jYWNlcnQub3JnMIIC
+ IjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEArjQIqs6zXncatT2luZImFAkx
+ XwUnApePQvxJ98cAyirNR6Ugh95syo9BP9PJvIojjxtuPK5FzZmLi3c5UO3ly72Q
+ Yxho/yZ/qLllmluhreiMAcofDdwyo9X9kAfexjeztopdY2flBT7LpQ7txuOgK91p
+ WmI2uH5Htjwtbumh4E2UO9NkenFpNpUVg58mBNZpnNDApYacj2zz1v2WBFgaM1/3
+ UABD+HicNd/aS1ji6eMOglgq5arYrfKZxpe2GgVZ50xfvWrIfg/C7HvU+GyghS7f
+ XgpyzjLQoR9gS4aAPIvb45hG4p2u3Fx14PR3IynYtaZV3KSh5RNKBkQSlu9hmVRS
+ y8aR5DqneDmTVX944lvlr1+x8+Xy37DZH9+6Bq0mBrnnlEc5y7ybcreuUm1Vx30l
+ /iZfnt8uwC1SyB2J3ZbtXK9vIPHG097rLl0l+Rw8eaObaWl8rn4PVjdAUaFI+q2B
+ hep8b4gfyF393Ih54OTYCI5QyEbBPP7syTCSgrWDUUnLv/ar2AvXTfzzydqmcKsz
+ Yliok3iZfjf61TETTpBjqkKHTpS+mE55L2DSS0R1X0JTbjwmkvANYQ80emKk49Xa
+ k7IqYJYT8+h2wDYambcTR+rhBV7c6QBS+phCPqO+7miYdyDeZCvPtQcO3lxMEnVv
+ y2nh6+8BvEveNfdTNOUCAwEAAaM1MDMwDAYDVR0TAQH/BAIwADAjBgNVHREEHDAa
+ ghhtb25pdG9yLmluZnJhLmNhY2VydC5vcmcwDQYJKoZIhvcNAQELBQADggIBADGz
+ W4rXl1xK5qNHRWVy6wqH8/2OkZCg1O8X1b3mEnYYXyXRB8L6OKDUDfNZaldACegT
+ aEmEzBL27+/7wW6SymWoL74ni9WOZPqJ3GsWtHDUWSsolvQWHmYFnIGTOm+8PsVw
+ L3X2ftPg1krXhTWevK4rZdLNh4KM4Gr6nFHxiuxiOV22xqLSaFh/rVd0TNlpgCIZ
+ oWOsKYrqx4Hudq4blDI0w0NLySgOVEgl1EJA/vED1DzOFmbmuvujODUhjm5sVvuN
+ x9Zm4G0KuZX7LgKc6VeGnAyAUzgrD/uhZvc3oAzmfUUC3dx7tWB7WUuI9ji9bL8v
+ 94oXsQ7Ig329RdSsE3AoH6w54cVgCEo3WZ7j7z+ejPPLI9DbvFFwM/JFEO+A1cPw
+ EEUG8bSHHo8Twe5tgTwr0t1Sch3D5Ur7qv0nBAjwphEVoIGiu5yudmFbscPgTz+i
+ /NPtJ1zZ2NCjLabeXmaSq8Zxy4dCJ0YJ6fuFz2SKd92RDO4okhDbRgnW1RT1+eAT
+ 2dNvOd3V878PS7BM3OAzZTfVnVD+/DTRyUHAz07iSB/1KNfEfn3qDSTapx9PL4aJ
+ X74w5WZ7FlNdQHRFvvjNI849fVb2MoLxeIwd7W5flv6gpLlMX49PMp62ZtfupbRJ
+ 5AtYgSC6FbF3WwkRKTz2/KZi5j0oCHqxl31HY1Hx
-----END CERTIFICATE-----
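Review bot: The `profiles::icinga2_agent::pki_api_password` entry visible in the hunk header context (and, presumably, a matching `pki_api_user` above it) is left in place, although the `icinga2_agent.pp` hunk in this commit removes both parameters from the class, so an API credential stays in hieradata with no consumer. Dead credentials should be deleted here and the corresponding API user on the master revoked or its password rotated, rather than remaining indefinitely in the repository. The renamed `master_certificate` value is the master's leaf certificate, which every agent pins as its trusted cert; this hunk already shows one rotation (the serial and notBefore changed), so a short comment above the key such as `# master leaf certificate; must be updated on every agent whenever the master certificate is reissued` would make the operational coupling explicit.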
diff --git a/hieradata/nodes/puppet.yaml b/hieradata/nodes/puppet.yaml
index 6cb160e..502574b 100644
--- a/hieradata/nodes/puppet.yaml
+++ b/hieradata/nodes/puppet.yaml
@@ -15,4 +15,15 @@ profiles::puppet_server::git_pull_ssh_passphrase: >
72sBgDCNDoJmkzzjSfLIvN/Q2D0p2XBtKWrc7NkmVzZrzVZ6cLJCBornuJ72
fOJnmPqpFng=]
profiles::puppet_server::git_pull_tokens:
- - ENC[PKCS7,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] \ No newline at end of file
+ - ENC[PKCS7,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]
+profiles::icinga2_agent::pki_ticket: >
+ ENC[PKCS7,MIIBmQYJKoZIhvcNAQcDoIIBijCCAYYCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEAdehEizEK2eAr85FD4XwS8dzDiIqKV2vanCjn
+ yJtnyX3IZ66tJkqtUUUMW5cWDY6I5eMmmmMOdqfXi+ZJ43aXmGNw9T6p05P6
+ mVIUG4opuW6Udug1eo9t0QTgtFKquuTJD+bqmvEtXvQ9JR2mKOH24OPi6kp9
+ jXbj6Gf9TNbGo9LXFEMuf4PaugOiIyW3rqBqpCX6MI3Fbt5BCkPFgRSl+yxG
+ 2fAdNzOz5aDVLptT5fGHCvUPUpTuVGGAToqs4JOVGob1EFfwGniWqYoyzxWq
+ 1g8bJ6OJ9w3oXYDm24lqmQB7U7enzrHEnP4wRRiuzXZasoeEjQumLdOmVgZd
+ sBBGGjBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBCixanHeFcVKKQc02XF
+ oewVgDB5dfRWbXLWJUcemnGSTPZWFh7Tb7zKl4X9ihJgMsM9NDb2syw4rAfU
+ DFxe1xKUOAo=]
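Review bot: The new `profiles::icinga2_agent::pki_ticket` value is a node-specific bearer credential, but nothing in the file records how it was produced or what it is bound to. A one-line comment above the key, for example `# node PKI ticket, generated on the master with: icinga2 pki ticket --cn <this node's fqdn>`, would let the next operator regenerate it correctly after a hostname change or a ticket-salt rotation (the ticket is only valid for the CN it was minted for, as far as I recall). Keeping it encrypted with eyaml as done here is the right choice; the incidental newline fix on the preceding token line is fine.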
diff --git a/sitemodules/profiles/manifests/icinga2_agent.pp b/sitemodules/profiles/manifests/icinga2_agent.pp
index 285ba74..178bdf8 100644
--- a/sitemodules/profiles/manifests/icinga2_agent.pp
+++ b/sitemodules/profiles/manifests/icinga2_agent.pp
@@ -6,10 +6,12 @@
# Parameters
# ----------
#
-# @param pki_api_user Icinga2 API user name for retrieving a
-# ticket for a certificate signing request
-# @param pki_api_password Icinga2 API password for retrieving a ticket
-# for a certificate signing request
+# @param pki_ticket Ticket for getting a signed certificate
+# from the master
+#
+# @param master_host Hostname of the master
+#
+# @param master_certificate TLS certificate of the master
#
# Examples
# --------
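Review bot: The new `@param master_certificate TLS certificate of the master` line leaves out where the value ends up; the class body (later hunk) writes it verbatim to `/var/lib/icinga2/certs/trusted-cert.crt`, which is the detail an operator needs when the master certificate is reissued. Suggest `# @param master_certificate TLS certificate of the master, installed as /var/lib/icinga2/certs/trusted-cert.crt`. Likewise `master_host` is also used as the parent zone and endpoint name in the API feature, so `# @param master_host Hostname of the master; also used as its zone and endpoint name` would be more accurate. The enclosing class declaration starts below this hunk.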
@@ -29,32 +31,44 @@
#
# Copyright 2019 Jan Dittberner
class profiles::icinga2_agent (
- String $pki_api_user,
- String $pki_api_password,
+ String $pki_ticket,
+ String $master_host,
+ String $master_certificate,
) {
include 'profiles::icinga2_common'
- file { '/var/lib/icinga2/setup_agent.sh':
+ file { "/var/lib/icinga2/certs/trusted-cert.crt":
ensure => file,
- content => epp('profiles/icinga2_agent/setup_agent.sh.epp', {
- pki_api_user => $pki_api_user,
- pki_api_password => $pki_api_password,
- master_host => $::profiles::icinga2_common::master_host,
- }),
+ content => $master_certificate,
owner => 'nagios',
group => 'nagios',
- mode => '0700',
+ mode => '0644',
+ require => File['/var/lib/icinga2/certs'],
}
- exec { '/bin/sh /var/lib/icinga2/setup_agent.sh':
- creates => "/etc/icinga2/pki/${::fqdn}.key",
- require => [
- File['/var/lib/icinga2/setup_agent.sh'],
- File['/var/lib/icinga2/certs/ca.crt'],
- File["/var/lib/icinga2/certs/${::profiles::icinga2_common::master_host}.crt"],
- Package['icinga2'],
- ],
+
+ class { '::icinga2':
+ manage_repo => false,
+ features => ['mainlog'],
+ }
+
+ class { '::icinga2::feature::api':
+ pki => 'none',
+ accept_config => true,
+ accept_commands => true,
+ ticket_id => $pki_ticket,
+ endpoints => {
+ 'NodeName' => {},
+ }
+ zones => {
+ 'ZoneName' => {
+ 'endpoints' => ['NodeName'],
+ 'parent' => $master_host,
+ },
+ $master_host => {
+ 'endpoints' => [$master_host],
+ }
+ }
}
- Exec['/bin/sh /var/lib/icinga2/setup_agent.sh'] ~> Service<| name == 'icinga2' |>
@@icinga2::object::endpoint { $::fqdn:
ensure => present,
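Review bot: The `::icinga2::feature::api` declaration looks syntactically broken: the `endpoints => { 'NodeName' => {}, }` attribute is not followed by a comma before `zones =>`, which the Puppet parser should reject, so the closing line should read `},`. The `$master_host` zone lists `$master_host` as its endpoint, but `endpoints` declares only `NodeName`, so the generated zones.conf would reference an Endpoint object that is never defined; adding `$master_host => { 'host' => $master_host },` to `endpoints` would supply it. With `pki => 'none'` the module, as far as I recall, manages no certificates at all, so `ticket_id => $pki_ticket` and the `trusted-cert.crt` file written above would go unused unless something outside this hunk performs the certificate request, which is worth confirming since the `setup_agent.sh` exec that previously did it is removed here. The `profiles::icinga2_agent` class body continues past the end of the hunk.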
@@ -64,7 +78,7 @@ class profiles::icinga2_agent (
@@icinga2::object::zone { $::fqdn:
ensure => present,
endpoints => [$::fqdn],
- parent => $::profiles::icinga2_common::master_host,
+ parent => $master_host,
target => "/etc/icinga2/zones.d/${::fqdn}.conf",
}
}
diff --git a/sitemodules/profiles/manifests/icinga2_common.pp b/sitemodules/profiles/manifests/icinga2_common.pp
index 56ac1d2..829994b 100644
--- a/sitemodules/profiles/manifests/icinga2_common.pp
+++ b/sitemodules/profiles/manifests/icinga2_common.pp
@@ -37,20 +37,4 @@ class profiles::icinga2_common (
}
Apt::Pin['icinga2_backports'] -> Package <| name == 'icinga2' or name == 'icinga2-ido-pgsql' |>
}
- #file { '/var/lib/icinga2/certs/ca.crt':
- # ensure => file,
- # content => $ca_certificate,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0644',
- # require => File['/var/lib/icinga2/certs'],
- #}
- #file { "/var/lib/icinga2/certs/${master_host}.crt":
- # ensure => file,
- # content => $master_certificate,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0644',
- # require => File['/var/lib/icinga2/certs'],
- #}
}
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index 274e3a8..e6db26d 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -7,14 +7,12 @@
# Parameters
# ----------
#
-# @param web2_database_name database name for IcingaWeb2 database
-# @param web2_database_user database user for IcingaWeb2 database
+# @param ido_database_password database password for Icinga2 IDO database
# @param web2_database_password database password for IcingaWeb2 database
# @param api_users Icinga2 API users
+# @param pki_ticket_salt Ticket salt for API endpoint
# @param ca_key Icinga2 CA private key content
# @param ca_certificate Icinga2 CA certificate content
-# @param master_key Icinga2 master private key content
-# @param master_csr Icinga2 master CSR
#
# Examples
# --------
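Review bot: The new `@param pki_ticket_salt Ticket salt for API endpoint` line does not convey that the value is a secret: in Icinga 2 the ticket salt is the key from which the master derives every agent's PKI ticket, so anyone who obtains it can mint tickets for arbitrary CNs. Suggest `# @param pki_ticket_salt Secret salt the master uses to generate agent PKI tickets; treat it like a password`. The docs for `web2_database_name` and `web2_database_user` are dropped while `ido_database_password` is added; whether the corresponding parameters still exist in the class is not visible in this hunk, so if they do their documentation was removed rather than fixed.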
@@ -40,8 +38,6 @@ class profiles::icinga2_master (
String $pki_ticket_salt,
String $ca_key,
String $ca_certificate,
- String $master_key,
- String $master_csr,
) {
include profiles::icinga2_common
include postgresql::server
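Review bot: Removing `$master_key` and `$master_csr` from the class signature leaves any hieradata values still bound to `profiles::icinga2_master::master_key` and `profiles::icinga2_master::master_csr` orphaned; none of the hieradata hunks in this commit delete them, so if they exist they should be purged, and the private key they held should be treated as retired rather than left behind in the repository history without a rotation note. `String $ca_key` and `String $ca_certificate` remain mandatory parameters, while the next hunk drops `ssl_cacert => $ca_certificate` from the API feature; whether either value is still consumed elsewhere in the class is not visible here and is worth checking before secrets keep being distributed to the node. The class signature starts above this hunk.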
@@ -81,101 +77,13 @@ class profiles::icinga2_master (
class { '::icinga2::feature::api':
pki => 'none',
- ssl_cacert => $ca_certificate,
- ssl_key => $master_key,
- ssl_cert => $::profiles::icinga2_common::master_certificate,
}
icinga2::object::zone { 'global-templates':
global => true,
}
- #file { '/etc/icinga2/conf.d/api-users.conf':
- # ensure => file,
- # content => epp('profiles/icinga2_master/conf.d/api-users.conf.epp', {
- # 'api_users' => $api_users
- # }),
- # owner => 'root',
- # group => 'nagios',
- # mode => '0640',
- # require => Package['icinga2'],
- #}
-
create_resources(icinga2::object::apiuser, $api_users)
- #file { "/var/lib/icinga2/certs/${::facts['fqdn']}.key":
- # ensure => file,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0600',
- # content => $master_key,
- # require => File['/var/lib/icinga2/certs'],
- #}
- #file { "/var/lib/icinga2/certs/${::facts['fqdn']}.csr":
- # ensure => file,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0644',
- # content => $master_csr,
- # require => File['/var/lib/icinga2/certs'],
- #}
- #file { '/var/lib/icinga2/ca':
- # ensure => directory,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0700',
- # require => Package['icinga2'],
- #}
- #file { '/var/lib/icinga2/ca/ca.key':
- # ensure => file,
- # content => $ca_key,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0600',
- # require => File['/var/lib/icinga2/ca'],
- #}
- #file { '/var/lib/icinga2/ca/ca.crt':
- # ensure => file,
- # content => $::profiles::icinga2_common::ca_certificate,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0644',
- # require => File['/var/lib/icinga2/ca'],
- #}
- #exec { "/usr/sbin/icinga2 node setup --master":
- # creates => "/etc/icinga2/features-enabled/api.conf",
- # require => [
- # Package['icinga2'],
- # File['/var/lib/icinga2/ca/ca.key'],
- # File["/var/lib/icinga2/certs/${::facts['fqdn']}.key"]
- # ],
- # notify => Service['icinga2'],
- #}
- #exec { '/usr/sbin/icinga2 feature enable ido-pgsql':
- # creates => "/etc/icinga2/features-enabled/ido-pgsql.conf",
- # require => Package['icinga2-ido-pgsql'],
- # notify => Service['icinga2'],
- #}
- #service { 'icinga2':
- # ensure => 'running',
- # enable => true,
- # require => [
- # Package['icinga2'],
- # Package['icinga2-ido-pgsql'],
- # ],
- # subscribe => [
- # File['/etc/icinga2/icinga2.conf'],
- # File['/etc/icinga2/init.conf'],
- # File['/etc/icinga2/features-enabled/checker.conf'],
- # File['/etc/icinga2/features-enabled/mainlog.conf'],
- # File['/etc/icinga2/features-enabled/notification.conf'],
- # File['/etc/icinga2/zones.conf'],
- # File['/etc/icinga2/conf.d/api-users.conf'],
- # File['/var/lib/icinga2/ca'],
- # File['/var/lib/icinga2/ca/ca.key'],
- # File['/var/lib/icinga2/ca/ca.crt'],
- # File['/var/lib/icinga2/certs/ca.crt'],
- # ],
- #}
Icinga2::Object::Zone <<| |>> ~> Service['icinga2']
Icinga2::Object::Endpoint <<| |>> ~> Service['icinga2']