diff --git a/manifests/feature/gelf.pp b/manifests/feature/gelf.pp
index dddd765..bd7fd2a 100644
--- a/manifests/feature/gelf.pp
+++ b/manifests/feature/gelf.pp
@@ -1,72 +1,201 @@ # @summary # Configures the Icinga 2 feature gelf. # # @param [Enum['absent', 'present']] ensure # Set to present enables the feature gelf, absent disables it. # # @param [Optional[Stdlib::Host]] host # GELF receiver host address. # # @param [Optional[Stdlib::Port::Unprivileged]] port # GELF receiver port. # # @param [Optional[String]] source # Source name for this instance. # +# @param [Boolean] enable_ssl +# Either enable or disable SSL/TLS. Other SSL parameters are only affected if this is set to 'true'. +# +# @param [Optional[Stdlib::Absolutepath]] ssl_key_path +# Location of the private key. Only valid if ssl is enabled. +# +# @param [Optional[Stdlib::Absolutepath]] ssl_cert_path +# Location of the certificate. Only valid if ssl is enabled. +# +# @param [Optional[Stdlib::Absolutepath]] ssl_cacert_path +# Location of the CA certificate. Only valid if ssl is enabled. +# +# @param [Optional[Stdlib::Base64]] ssl_key +# The private key in a base64 encoded string to store in spicified ssl_key_path file. +# Only valid if ssl is enabled. +# +# @param [Optional[Stdlib::Base64]] ssl_cert +# The certificate in a base64 encoded string to store in spicified ssl_cert_path file. +# Only valid if ssl is enabled. +# +# @param [Optional[Stdlib::Base64]] ssl_cacert +# The CA root certificate in a base64 encoded string to store in spicified ssl_cacert_path file. +# Only valid if ssl is enabled. +# +# @param [Optional[Boolean]] ssl_noverify +# Disable TLS peer verification. +# # @param [Optional[Boolean]] enable_send_perfdata # Enable performance data for 'CHECK RESULT' events. # # @param [Optional[Boolean]] enable_ha # Enable the high availability functionality. Only valid in a cluster setup. 
# class icinga2::feature::gelf( Enum['absent', 'present'] $ensure = present, Optional[Stdlib::Host] $host = undef, Optional[Stdlib::Port::Unprivileged] $port = undef, Optional[String] $source = undef, + Boolean $enable_ssl = false, + Optional[Stdlib::Absolutepath] $ssl_key_path = undef, + Optional[Stdlib::Absolutepath] $ssl_cert_path = undef, + Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef, + Optional[Stdlib::Base64] $ssl_key = undef, + Optional[Stdlib::Base64] $ssl_cert = undef, + Optional[Stdlib::Base64] $ssl_cacert = undef, + Optional[Boolean] $ssl_noverify = undef, Optional[Boolean] $enable_send_perfdata = undef, Optional[Boolean] $enable_ha = undef, ) { if ! defined(Class['::icinga2']) { fail('You must include the icinga2 base class before using any icinga2 feature class!') } + $owner = $::icinga2::globals::user + $group = $::icinga2::globals::group $conf_dir = $::icinga2::globals::conf_dir - $_notify = $ensure ? { + $ssl_dir = $::icinga2::globals::cert_dir + + $_ssl_key_mode = $::facts['os']['family'] ? { + 'windows' => undef, + default => '0600', + } + + $_notify = $ensure ? { 'present' => Class['::icinga2::service'], default => undef, } + File { + owner => $owner, + group => $group, + } + + + if $enable_ssl { + # Set defaults for certificate stuff + if $ssl_key { + if $ssl_key_path { + $_ssl_key_path = $ssl_key_path } + else { + $_ssl_key_path = "${ssl_dir}/GelfWriter_gelf.key" + } + + $_ssl_key = $::facts['os']['family'] ? { + 'windows' => regsubst($ssl_key, '\n', "\r\n", 'EMG'), + default => $ssl_key, + } + + file { $_ssl_key_path: + ensure => file, + mode => $_ssl_key_mode, + content => $ssl_key, + tag => 'icinga2::config::file', + } + } else { + $_ssl_key_path = $ssl_key_path + } + + if $ssl_cert { + if $ssl_cert_path { + $_ssl_cert_path = $ssl_cert_path } + else { + $_ssl_cert_path = "${ssl_dir}/GelfWriter_gelf.crt" + } + + $_ssl_cert = $::facts['os']['family'] ? 
{ + 'windows' => regsubst($ssl_cert, '\n', "\r\n", 'EMG'), + default => $ssl_cert, + } + + file { $_ssl_cert_path: + ensure => file, + content => $ssl_cert, + tag => 'icinga2::config::file', + } + } else { + $_ssl_cert_path = $ssl_cert_path + } + + if $ssl_cacert { + if $ssl_cacert_path { + $_ssl_cacert_path = $ssl_cacert_path } + else { + $_ssl_cacert_path = "${ssl_dir}/GelfWriter_gelf_ca.crt" + } + + $_ssl_cacert = $::facts['os']['family'] ? { + 'windows' => regsubst($ssl_cacert, '\n', "\r\n", 'EMG'), + default => $ssl_cacert, + } + + file { $_ssl_cacert_path: + ensure => file, + content => $ssl_cacert, + tag => 'icinga2::config::file', + } + } else { + $_ssl_cacert_path = $ssl_cacert_path + } + + $attrs_ssl = { + enable_tls => $enable_ssl, + insecure_noverify => $ssl_noverify, + ca_path => $_ssl_cacert_path, + cert_path => $_ssl_cert_path, + key_path => $_ssl_key_path, + } + } # enable_ssl + else { + $attrs_ssl = { enable_tls => $enable_ssl } + } + + # compose attributes $attrs = { host => $host, port => $port, source => $source, enable_send_perfdata => $enable_send_perfdata, enable_ha => $enable_ha, } # create object icinga2::object { 'icinga2::object::GelfWriter::gelf': object_name => 'gelf', object_type => 'GelfWriter', - attrs => delete_undef_values($attrs), + attrs => delete_undef_values(merge($attrs, $attrs_ssl)), attrs_list => keys($attrs), target => "${conf_dir}/features-available/gelf.conf", order => 10, notify => $_notify, } # import library 'perfdata' concat::fragment { 'icinga2::feature::gelf': target => "${conf_dir}/features-available/gelf.conf", content => "library \"perfdata\"\n\n", order => '05', } # manage feature icinga2::feature { 'gelf': ensure => $ensure, } } diff --git a/spec/classes/gelf_spec.rb b/spec/classes/gelf_spec.rb index dbcd1c4..ae045fd 100644 --- a/spec/classes/gelf_spec.rb +++ b/spec/classes/gelf_spec.rb 
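Review bot: The converted `$_ssl_key`, `$_ssl_cert` and `$_ssl_cacert` values are never used — each new `file` resource still writes `content => $ssl_key` (and `$ssl_cert`, `$ssl_cacert`), so the Windows `\r\n` conversion is dead code and the three selector assignments have no effect; the fix is `content => $_ssl_key,` in the key file and the matching `$_ssl_cert` / `$_ssl_cacert` in the cert and CA files. The private-key `file` resource also has no `show_diff => false`, so any change to the key content would be printed in agent reports and logs; adding it there (and to the two cert files for consistency) keeps key material out of report output. Note as well that `attrs_list => keys($attrs)` was not updated when `attrs` became `merge($attrs, $attrs_ssl)`, so the TLS attribute names are absent from the list — whether that changes rendering depends on how `icinga2::object` uses `attrs_list`, which is outside this diff. Minor: 'spicified' in the three new @param docs should read 'specified'.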
@@ -1,55 +1,142 @@ require 'spec_helper' describe('icinga2::feature::gelf', type: :class) do let(:pre_condition) do [ "class { 'icinga2': features => [] }", ] end on_supported_os.each do |os, facts| context "on #{os}" do let(:facts) do facts end case facts[:kernel] when 'windows' let(:icinga2_conf_dir) { 'C:/ProgramData/icinga2/etc/icinga2' } + let(:icinga2_pki_dir) { 'C:/ProgramData/icinga2/var/lib/icinga2/certs' } + let(:icinga2_sslkey_mode) { nil } + let(:icinga2_user) { nil } + let(:icinga2_group) { nil } when 'FreeBSD' let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' } + let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } + let(:icinga2_sslkey_mode) { '0600' } + let(:icinga2_user) { 'icinga' } + let(:icinga2_group) { 'icinga' } else let(:icinga2_conf_dir) { '/etc/icinga2' } + let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' } + let(:icinga2_sslkey_mode) { '0600' } + case facts[:os]['family'] + when 'Debian' + let(:icinga2_user) { 'nagios' } + let(:icinga2_group) { 'nagios' } + else + let(:icinga2_user) { 'icinga' } + let(:icinga2_group) { 'icinga' } + end end context 'with defaults' do it { is_expected.to contain_icinga2__feature('gelf').with({ 'ensure' => 'present' }) } it { is_expected.to contain_icinga2__object('icinga2::object::GelfWriter::gelf').with( { 'target' => "#{icinga2_conf_dir}/features-available/gelf.conf" }, ).that_notifies('Class[icinga2::service]') } it { is_expected.to contain_concat__fragment('icinga2::feature::gelf').with( { 'target' => "#{icinga2_conf_dir}/features-available/gelf.conf", 'order' => '05', }, ).with_content(%r{library \"perfdata\"$}) } end context 'with ensure => absent' do let(:params) do { ensure: 'absent', } end it { is_expected.to contain_icinga2__feature('gelf').with({ 'ensure' => 'absent' }) } end + + context "with enable_ssl => true, host => '127.0.0.1', ssl_key => 'foo', ssl_cert => 'bar', ssl_cacert => 'baz'" do + let(:params) do + { + enable_ssl: true, + ssl_key: 'foo', + ssl_cert: 'bar', + ssl_cacert: 'baz', + 
host: '127.0.0.1', + } + end + + it { + is_expected.to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf.key").with( + { + 'mode' => icinga2_sslkey_mode, + 'owner' => icinga2_user, + 'group' => icinga2_group, + }, + ).with_content(%r{^foo}) + } + + it { + is_expected.to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf.crt").with( + { + 'owner' => icinga2_user, + 'group' => icinga2_group, + }, + ).with_content(%r{^bar$}) + } + + it { + is_expected.to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf_ca.crt").with( + { + 'owner' => icinga2_user, + 'group' => icinga2_group, + }, + ).with_content(%r{^baz$}) + } + end + + context 'with enable_ssl => true, ssl_key_path, ssl_cert_path and ssl_cacert_path set' do + let(:params) do + { + enable_ssl: true, + ssl_key_path: "#{icinga2_pki_dir}/GelfWriter_gelf.key", + ssl_cert_path: "#{icinga2_pki_dir}/GelfWriter_gelf.crt", + ssl_cacert_path: "#{icinga2_pki_dir}/GelfWriter_gelf_ca.crt", + } + end + + it { + is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content( + %r{key_path = "#{icinga2_pki_dir}/GelfWriter_gelf.key"}, + ) + } + + it { + is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content( + %r{cert_path = "#{icinga2_pki_dir}/GelfWriter_gelf.crt"}, + ) + } + + it { + is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content( + %r{ca_path = "#{icinga2_pki_dir}/GelfWriter_gelf_ca.crt"}, + ) + } + end end end end
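Review bot: The new SSL contexts use single-line fixtures (`ssl_key: 'foo'`, `ssl_cert: 'bar'`, `ssl_cacert: 'baz'`), so the manifest's `regsubst(..., '\n', "\r\n", 'EMG')` newline handling for Windows is never exercised and the `%r{^foo}` / `%r{^bar$}` matchers cannot distinguish a converted value from the raw one; a multi-line fixture such as `ssl_key: "foo\nbar"` with a kernel-dependent expected content would cover that path. The `ssl_noverify` parameter introduced in the manifest has no example here either; a context asserting `insecure_noverify = true` in the rendered `icinga2::object::GelfWriter::gelf` fragment would pin the attribute name. The first SSL context's description mentions `host => '127.0.0.1'` but none of its examples check that the host reaches the rendered object, so the parameter is currently decorative in this test.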