authorJan Dittberner <jandd@cacert.org>2019-07-21 16:29:15 +0200
committerJan Dittberner <jandd@cacert.org>2019-07-21 16:29:15 +0200
commit93ce031466058317b5bfdefc20412150449d8b3c (patch)
tree7a808a7f2990e74c532f28cfca31afe535f51720 /sitemodules
parenta6f98d12beff0c2204cbb838c68020fcd8f0e950 (diff)
downloadcacert-puppet-93ce031466058317b5bfdefc20412150449d8b3c.tar.gz
cacert-puppet-93ce031466058317b5bfdefc20412150449d8b3c.tar.xz
cacert-puppet-93ce031466058317b5bfdefc20412150449d8b3c.zip
Modify icinga2 agent setup
- use a ticket generated by `icinga2 pki ticket` on the master - remove commented-out code from the icinga2_master manifest - use the icinga2 module for icinga2_agent
Diffstat (limited to 'sitemodules')
-rw-r--r--sitemodules/profiles/manifests/icinga2_agent.pp60
-rw-r--r--sitemodules/profiles/manifests/icinga2_common.pp16
-rw-r--r--sitemodules/profiles/manifests/icinga2_master.pp96
3 files changed, 39 insertions, 133 deletions
diff --git a/sitemodules/profiles/manifests/icinga2_agent.pp b/sitemodules/profiles/manifests/icinga2_agent.pp
index 285ba74..178bdf8 100644
--- a/sitemodules/profiles/manifests/icinga2_agent.pp
+++ b/sitemodules/profiles/manifests/icinga2_agent.pp
@@ -6,10 +6,12 @@
# Parameters
# ----------
#
-# @param pki_api_user Icinga2 API user name for retrieving a
-# ticket for a certificate signing request
-# @param pki_api_password Icinga2 API password for retrieving a ticket
-# for a certificate signing request
+# @param pki_ticket Ticket for getting a signed certificate
+# from the master
+#
+# @param master_host Hostname of the master
+#
+# @param master_certificate TLS certificate of the master
#
# Examples
# --------
@@ -29,32 +31,44 @@
#
# Copyright 2019 Jan Dittberner
class profiles::icinga2_agent (
- String $pki_api_user,
- String $pki_api_password,
+ String $pki_ticket,
+ String $master_host,
+ String $master_certificate,
) {
include 'profiles::icinga2_common'
- file { '/var/lib/icinga2/setup_agent.sh':
+ file { "/var/lib/icinga2/certs/trusted-cert.crt":
ensure => file,
- content => epp('profiles/icinga2_agent/setup_agent.sh.epp', {
- pki_api_user => $pki_api_user,
- pki_api_password => $pki_api_password,
- master_host => $::profiles::icinga2_common::master_host,
- }),
+ content => $master_certificate,
owner => 'nagios',
group => 'nagios',
- mode => '0700',
+ mode => '0644',
+ require => File['/var/lib/icinga2/certs'],
}
- exec { '/bin/sh /var/lib/icinga2/setup_agent.sh':
- creates => "/etc/icinga2/pki/${::fqdn}.key",
- require => [
- File['/var/lib/icinga2/setup_agent.sh'],
- File['/var/lib/icinga2/certs/ca.crt'],
- File["/var/lib/icinga2/certs/${::profiles::icinga2_common::master_host}.crt"],
- Package['icinga2'],
- ],
+
+ class { '::icinga2':
+ manage_repo => false,
+ features => ['mainlog'],
+ }
+
+ class { '::icinga2::feature::api':
+ pki => 'none',
+ accept_config => true,
+ accept_commands => true,
+ ticket_id => $pki_ticket,
+ endpoints => {
+ 'NodeName' => {},
+ }
+ zones => {
+ 'ZoneName' => {
+ 'endpoints' => ['NodeName'],
+ 'parent' => $master_host,
+ },
+ $master_host => {
+ 'endpoints' => [$master_host],
+ }
+ }
}
- Exec['/bin/sh /var/lib/icinga2/setup_agent.sh'] ~> Service<| name == 'icinga2' |>
@@icinga2::object::endpoint { $::fqdn:
ensure => present,
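Review bot: The closing `}` of the `endpoints` hash inside `class { '::icinga2::feature::api': ... }` is not followed by a comma before `zones =>`, so the new declaration will not parse; change that line to `},`. Separately, `ticket_id => $pki_ticket` is combined with `pki => 'none'`; as far as I recall the icinga2 module only acts on `ticket_id` when `pki => 'icinga2'` is selected, so with `'none'` the ticket would be silently ignored and no certificate request made — confirm against the module version in use and, if so, either switch the `pki` mode or drop the now-unused `pki_ticket` parameter. The `zones` hash also lists `$master_host` as the endpoint of its own zone while the `endpoints` hash only declares `NodeName`; unless the master endpoint is declared elsewhere (for example an exported resource collected outside this hunk), icinga2 will reject the zone definition, so a comment on the `zones` entry saying where that endpoint comes from would help. The body of `profiles::icinga2_agent` continues past the hunk.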
@@ -64,7 +78,7 @@ class profiles::icinga2_agent (
@@icinga2::object::zone { $::fqdn:
ensure => present,
endpoints => [$::fqdn],
- parent => $::profiles::icinga2_common::master_host,
+ parent => $master_host,
target => "/etc/icinga2/zones.d/${::fqdn}.conf",
}
}
diff --git a/sitemodules/profiles/manifests/icinga2_common.pp b/sitemodules/profiles/manifests/icinga2_common.pp
index 56ac1d2..829994b 100644
--- a/sitemodules/profiles/manifests/icinga2_common.pp
+++ b/sitemodules/profiles/manifests/icinga2_common.pp
@@ -37,20 +37,4 @@ class profiles::icinga2_common (
}
Apt::Pin['icinga2_backports'] -> Package <| name == 'icinga2' or name == 'icinga2-ido-pgsql' |>
}
- #file { '/var/lib/icinga2/certs/ca.crt':
- # ensure => file,
- # content => $ca_certificate,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0644',
- # require => File['/var/lib/icinga2/certs'],
- #}
- #file { "/var/lib/icinga2/certs/${master_host}.crt":
- # ensure => file,
- # content => $master_certificate,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0644',
- # require => File['/var/lib/icinga2/certs'],
- #}
}
diff --git a/sitemodules/profiles/manifests/icinga2_master.pp b/sitemodules/profiles/manifests/icinga2_master.pp
index 274e3a8..e6db26d 100644
--- a/sitemodules/profiles/manifests/icinga2_master.pp
+++ b/sitemodules/profiles/manifests/icinga2_master.pp
@@ -7,14 +7,12 @@
# Parameters
# ----------
#
-# @param web2_database_name database name for IcingaWeb2 database
-# @param web2_database_user database user for IcingaWeb2 database
+# @param ido_database_password database password for Icinga2 IDO database
# @param web2_database_password database password for IcingaWeb2 database
# @param api_users Icinga2 API users
+# @param pki_ticket_salt Ticket salt for API endpoint
# @param ca_key Icinga2 CA private key content
# @param ca_certificate Icinga2 CA certificate content
-# @param master_key Icinga2 master private key content
-# @param master_csr Icinga2 master CSR
#
# Examples
# --------
@@ -40,8 +38,6 @@ class profiles::icinga2_master (
String $pki_ticket_salt,
String $ca_key,
String $ca_certificate,
- String $master_key,
- String $master_csr,
) {
include profiles::icinga2_common
include postgresql::server
@@ -81,101 +77,13 @@ class profiles::icinga2_master (
class { '::icinga2::feature::api':
pki => 'none',
- ssl_cacert => $ca_certificate,
- ssl_key => $master_key,
- ssl_cert => $::profiles::icinga2_common::master_certificate,
}
icinga2::object::zone { 'global-templates':
global => true,
}
- #file { '/etc/icinga2/conf.d/api-users.conf':
- # ensure => file,
- # content => epp('profiles/icinga2_master/conf.d/api-users.conf.epp', {
- # 'api_users' => $api_users
- # }),
- # owner => 'root',
- # group => 'nagios',
- # mode => '0640',
- # require => Package['icinga2'],
- #}
-
create_resources(icinga2::object::apiuser, $api_users)
- #file { "/var/lib/icinga2/certs/${::facts['fqdn']}.key":
- # ensure => file,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0600',
- # content => $master_key,
- # require => File['/var/lib/icinga2/certs'],
- #}
- #file { "/var/lib/icinga2/certs/${::facts['fqdn']}.csr":
- # ensure => file,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0644',
- # content => $master_csr,
- # require => File['/var/lib/icinga2/certs'],
- #}
- #file { '/var/lib/icinga2/ca':
- # ensure => directory,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0700',
- # require => Package['icinga2'],
- #}
- #file { '/var/lib/icinga2/ca/ca.key':
- # ensure => file,
- # content => $ca_key,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0600',
- # require => File['/var/lib/icinga2/ca'],
- #}
- #file { '/var/lib/icinga2/ca/ca.crt':
- # ensure => file,
- # content => $::profiles::icinga2_common::ca_certificate,
- # owner => 'nagios',
- # group => 'nagios',
- # mode => '0644',
- # require => File['/var/lib/icinga2/ca'],
- #}
- #exec { "/usr/sbin/icinga2 node setup --master":
- # creates => "/etc/icinga2/features-enabled/api.conf",
- # require => [
- # Package['icinga2'],
- # File['/var/lib/icinga2/ca/ca.key'],
- # File["/var/lib/icinga2/certs/${::facts['fqdn']}.key"]
- # ],
- # notify => Service['icinga2'],
- #}
- #exec { '/usr/sbin/icinga2 feature enable ido-pgsql':
- # creates => "/etc/icinga2/features-enabled/ido-pgsql.conf",
- # require => Package['icinga2-ido-pgsql'],
- # notify => Service['icinga2'],
- #}
- #service { 'icinga2':
- # ensure => 'running',
- # enable => true,
- # require => [
- # Package['icinga2'],
- # Package['icinga2-ido-pgsql'],
- # ],
- # subscribe => [
- # File['/etc/icinga2/icinga2.conf'],
- # File['/etc/icinga2/init.conf'],
- # File['/etc/icinga2/features-enabled/checker.conf'],
- # File['/etc/icinga2/features-enabled/mainlog.conf'],
- # File['/etc/icinga2/features-enabled/notification.conf'],
- # File['/etc/icinga2/zones.conf'],
- # File['/etc/icinga2/conf.d/api-users.conf'],
- # File['/var/lib/icinga2/ca'],
- # File['/var/lib/icinga2/ca/ca.key'],
- # File['/var/lib/icinga2/ca/ca.crt'],
- # File['/var/lib/icinga2/certs/ca.crt'],
- # ],
- #}
Icinga2::Object::Zone <<| |>> ~> Service['icinga2']
Icinga2::Object::Endpoint <<| |>> ~> Service['icinga2']
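Review bot: After this hunk nothing visible consumes `$ca_key` or `$ca_certificate` any more: the `ssl_cacert`/`ssl_key`/`ssl_cert` arguments are dropped from `class { '::icinga2::feature::api': pki => 'none' }` and the commented-out file resources that wrote `/var/lib/icinga2/ca/ca.key` and `ca.crt` are deleted, yet both parameters remain in the class signature in the preceding hunk. If they really are unused now — the remaining lines of the class are outside the hunk — remove them from the signature and from the Hiera data so a CA private key is not carried through the catalog for nothing. If instead the CA and master certificate are meant to be provisioned outside Puppet, a comment on `pki => 'none'` such as `# certificates in /var/lib/icinga2/certs are provisioned out of band; the module does not manage them` would tell the next reader where they come from.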