diff --git a/README.md b/README.md index 4e02df5..3ef6a21 100644 --- a/README.md +++ b/README.md @@ -1,635 +1,637 @@ [![Build Status](https://travis-ci.org/Icinga/puppet-icinga2.svg?branch=master)](https://travis-ci.org/Icinga/puppet-icinga2) # Icinga 2 Puppet Module ![Icinga Logo](https://www.icinga.com/wp-content/uploads/2014/06/icinga_logo.png) #### Table of Contents 1. [Overview](#overview) 2. [Module Description - What the module does and why it is useful](#module-description) 3. [Setup - The basics of getting started with icinga2](#setup) 4. [Usage - Configuration options and additional functionality](#usage) * [Installing Icinga](#installing-icinga) * [Clustering Icinga](#clustering-icinga) * [Config Objects](#config-objects) * [Reading objects from hiera](#Reading-objects-from-hiera) * [Apply Rules](#apply-rules) * [Custom configuration](#custom-configuration) 5. [How Configuration is parsed](#how-configuration-is-parsed) 6. [Reference](#reference) 7. [Release Notes](#release-notes) ## Overview Icinga 2 is a widely used open source monitoring software. This Puppet module helps with installing and managing configuration of Icinga 2 on multiple operating systems. ### What's new in version 3.0.0 * The current version now uses the icinga :: repos class from the new `icinga` module for the configuration of repositories including EPEL on RedHat and Backports on Debian. (see https://github.com/icinga/puppet-icinga) * `manage_repos` will replace `manage_repo` in the future * `manage_packages` will replace `manage_package` in the future * Since Icinga v2.12.0 the fingerprint to validate certificates is a sha256 instead of a sha1. Both is supported now. ## Module Description This module installs and configures Icinga 2 on your Linux or Windows hosts. By default it uses packages provided by your distribution's repository or [Chocolatey] on Windows. The module can also be configured to use [packages.icinga.com] as the primary repository, which enables you to install Icinga 2 versions that are newer than the ones provided by your distribution's vendor. All features and objects available in Icinga 2 can be enabled and configured with this module. ## Setup ### What the Icinga 2 Puppet module supports * Installation of packages * Configuration of features * Configuration of objects (also apply rules) * Service * MySQL / PostgreSQL Database Schema Import * Repository Management * Certification Authority ### Dependencies This module supports: * [puppet] >= 4.10 < 8.0.0 And depends on: * [puppetlabs/stdlib] >= 5.0.0 < 8.0.0 * If Puppet 6 is used a stdlib 5.1 or higher is required, see https://github.com/Icinga/puppet-icinga2/issues/505 * [puppetlabs/concat] >= 2.1.0 < 8.0.0 * [icinga/icinga] >= 1.0.0 < 3.0.0 * needed if `manage_repos` is set to `true` ### Limitations +The use of Icinga's own CA is recommended. If you still want to use the Puppet certificates, please note that Puppet 7 uses an intermediate CA by default and Icinga cannot handle its CA certificate, see [Icinga Issue](https://github.com/Icinga/icinga2/pull/8859). + This module has been tested on: * Ruby >= 1.9 * Debian 8, 9, 10 * Ubuntu 16.04, 18.04, 20.04 * CentOS/RHEL 6, 7, 8 * Fedora 31 * FreeBSD 10, 11 * SLES 12, 15 * Windows Server 2016 Other operating systems or versions may work but have not been tested. ## Usage ### Installing Icinga The default class `icinga2` installs and configures a basic installation of Icinga 2. The features `checker`, `mainlog` and `notification` are enabled by default. By default, your distribution's packages are used to install Icinga 2. On Windows systems we use the [Chocolatey] package manager. Use the `manage_repos` parameter to configure repositories by default the official and stable [packages.icinga.com]. To configure your own repositories, or use the official testing or nightly snapshot stage, see https://github.com/icinga/puppet-icinga. ``` puppet class { '::icinga2': manage_repos => true, } ``` If you want to manage the version of Icinga 2, you have to disable the package management of this module and handle packages in your own Puppet code. The attribute `manage_repos` is disabled by default and you have to manage a repository within icinga in front of the package resource. You can combine this one with the section before about repositories. ``` puppet # class of extra module icinga/icinga include ::icinga::repos package { 'icinga2': ensure => latest, notify => Class['icinga2'], } class { '::icinga2': manage_package => false, } ``` Note: Be careful with this option: Setting `manage_package` to false means that this module will not install any package at all, including IDO packages! ### Clustering Icinga Icinga 2 can run in three different roles: * in a master zone which is on top of the hierarchy * in a satellite zone which is a child of a satellite or master zone * a standalone client node/zone which works as an agent connected to master and/or satellite zones To learn more about Icinga 2 Clustering, follow the official docs on [distributed monitoring]. The following examples show how these roles can be configured using this Puppet module. #### Master A Master zone has no parent and is usually also the place where you enable the IDO and notification features. A master sends configurations over the Icinga 2 protocol to satellites and/or clients. More detailed examples can be found in the [examples] directory. This example creates the configuration for a master that has one satellite connected. A global zone is created for templates, and all features of a typical master are enabled. ``` puppet class { '::icinga2': confd => false, constants => { 'ZoneName' => 'master', 'TicketSalt' => '5a3d695b8aef8f18452fc494593056a4', }, } class { '::icinga2::feature::api': pki => 'none', accept_commands => true, # when having multiple masters, you have to enable: accept_config => true, endpoints => { 'master.example.org' => {}, 'satellite.example.org' => { 'host' => '172.16.2.11' }, }, zones => { 'master' => { 'endpoints' => ['master.example.org'], }, 'dmz' => { 'endpoints' => ['satellite.example.org'], 'parent' => 'master', }, } } # to enable a CA on this instance you have to declare. Only one instance is allowed to be a CA: include ::icinga2::pki::ca icinga2::object::zone { 'global-templates': global => true, } ``` #### Satellite A satellite has a parent zone and one or multiple child zones. Satellites are usually created to distribute the monitoring load or to reach delimited zones in the network. A satellite either executes checks itself or delegates them to a client. The satellite has fewer features enabled, but executes checks similar to a master. It connects to a master zone, and to a satellite or client below in the hierarchy. As parent acts either the master zone, or another satellite zone. ``` puppet class { '::icinga2': confd => false, # setting dedicated feature list to disable notification features => ['checker','mainlog'], constants => { 'ZoneName' => 'dmz', }, } class { '::icinga2::feature::api': accept_config => true, accept_commands => true, ca_host => '172.16.1.11', ticket_salt => '5a3d695b8aef8f18452fc494593056a4', # to increase your security set fingerprint to validate the certificate of ca_host # fingerprint => 'D8:98:82:1B:14:8A:6A:89:4B:7A:40:32:50:68:01:D8:98:82:1B:14:8A:6A:89:4B:7A:40:32:99:3D:96:72:72', endpoints => { 'satellite.example.org' => {}, 'master.example.org' => { 'host' => '172.16.1.11', }, }, zones => { 'master' => { 'endpoints' => ['master.example.org'], }, 'dmz' => { 'endpoints' => ['satellite.example.org'], 'parent' => 'master', }, } } icinga2::object::zone { 'global-templates': global => true, } ``` #### Agent Icinga 2 runs as a client usually on each of your servers. It receives config or commands from a satellite or master zones and runs the checks that have to be executed locally. The client is connected to the satellite, which is the direct parent zone. ``` puppet class { '::icinga2': confd => false, features => ['mainlog'], } class { '::icinga2::feature::api': accept_config => true, accept_commands => true, ticket_salt => '5a3d695b8aef8f18452fc494593056a4', # to increase your security set fingerprint to validate the certificate of ca_host # fingerprint => 'D8:98:82:1B:14:8A:6A:89:4B:7A:40:32:50:68:01:D8:98:82:1B:14:8A:6A:89:4B:7A:40:32:99:3D:96:72:72', endpoints => { 'NodeName' => {}, 'satellite.example.org' => { 'host' => '172.16.2.11', }, }, zones => { 'ZoneName' => { 'endpoints' => ['NodeName'], 'parent' => 'dmz', }, 'dmz' => { 'endpoints' => ['satellite.example.org'], }, } } icinga2::object::zone { 'global-templates': global => true, } ``` The parameter `fingerprint` is optional and new since v2.1.0. It's used to validate the certificate of the CA host. You can get the fingerprint via `openssl x509 -noout -fingerprint -sha256 -inform pem -in master.crt` on the master host. (Icinga2 versions before 2.12.0 require '-sha1' as digest algorithm.) ### Config Objects With this module you can create almost every object that Icinga 2 knows about. When creating objects some parameters are required. This module sets the same requirements as Icinga 2 does. When creating an object you must set a target for the configuration. Here are some examples for some object types: #### Host ``` puppet icinga2::object::host { 'srv-web1.fqdn.com': display_name => 'srv-web1.fqdn.com', address => '127.0.0.1', address6 => '::1', check_command => 'hostalive', target => '/etc/icinga2/conf.d/srv-web1.fqdn.com.conf', } ``` #### Service ``` puppet icinga2::object::service { 'uptime': host_name => 'srv-web1.fqdn.com', display_name => 'Uptime', check_command => 'check_uptime', check_interval => '600m', groups => ['uptime', 'linux'], target => '/etc/icinga2/conf.d/uptime.conf', } ``` #### Hostgroup ``` puppet icinga2::object::hostgroup { 'monitoring-hosts': display_name => 'Linux Servers', groups => [ 'linux-servers' ], target => '/etc/icinga2/conf.d/groups2.conf', assign => [ 'host.vars.os == linux' ], } ``` ### Reading objects from hiera The following example shows how icinga2 objects can be read from a hiera datastore. See also examples/objects_from_hiera.pp. ``` class { 'icinga2': manage_repos => true, } $defaults = lookup('monitoring::defaults', undef, undef, {}) lookup('monitoring::objects').each |String $object_type, Hash $content| { $content.each |String $object_name, Hash $object_config| { ensure_resource( $object_type, $object_name, deep_merge($defaults[$object_type], $object_config)) } } ``` The datastore could be like: ``` --- monitoring::objects: 'icinga2::object::host': centos7.localdomain: address: 127.0.0.1 vars: os: Linux 'icinga2::object::service': ping4: check_command: ping4 apply: true assign: - host.address ssh: check_command: ssh apply: true assign: - host.address && host.vars.os == Linux monitoring::defaults: 'icinga2::object::host': import: - generic-host target: /etc/icinga2/conf.d/hosts.conf 'icinga2::object::service': import: - generic-service target: /etc/icinga2/conf.d/services.conf ``` ### Apply Rules Some objects can be applied to other objects. To create a simple apply rule you must set the `apply` parameter to `true`. If this parameter is set to a string, this string will be used to build an `apply for` loop. A service object always targets a host object. All other objects need to explicitly set an `apply_target` Apply a SSH service to all Linux hosts: ``` icinga2::object::service { 'SSH': target => '/etc/icinga2/conf.d/test.conf', apply => true, assign => [ 'host.vars.os == Linux' ], ignore => [ 'host.vars.os == Windows' ], display_name => 'Test Service', check_command => 'ssh', } ``` Apply notifications to services: ``` icinga2::object::notification { 'testnotification': target => '/etc/icinga2/conf.d/test.conf', apply => true, apply_target => 'Service', assign => [ 'host.vars.os == Linux' ], ignore => [ 'host.vars.os == Windows' ], user_groups => ['icingaadmins'] } ``` Assign all Linux hosts to a hostgroup: ``` icinga2::object::hostgroup { 'monitoring-hosts': display_name => 'Linux Servers', groups => [ 'linux-servers' ], target => '/etc/icinga2/conf.d/groups2.conf', assign => [ 'host.vars.os == linux' ], } ``` A loop to create HTTP services for all vHosts of a host object: ``` icinga2::object::service { 'HTTP': target => '/etc/icinga2/conf.d/http.conf', apply => 'http_vhost => config in host.vars_http_vhost', assign => [ 'host.vars.os == Linux' ], display_name => 'HTTP Service', check_command => 'http', } ``` ### Custom Configuration Sometimes it's necessary to cover very special configurations, that you cannot handle with this module. In this case you can use the `icinga2::config::file` tag on your file resource. The module collects all file resource types with this tag and triggers a reload of Icinga 2 on a file change. ``` include ::icinga2 file { '/etc/icinga2/conf.d/for-loop.conf': ensure => file, source => '...', tag => 'icinga2::config::file', } ``` ## How Configuration is parsed To generate a valid Icinga 2 configuration all object attributes are parsed. This simple parsing algorithm takes a decision for each attribute, whether part of the string is to be quoted or not, and how an array or dictionary is to be formatted. Parsing of a single attribute can be disabled by tagging it with -: at the front of the string. ``` attr => '-:"unparsed string with quotes"' ``` An array, a hash or a string can be assigned to an object attribute. True and false are also valid values. Hashes and arrays are created recursively, and all parts – such as single items of an array, keys and its values are parsed separately as strings. Strings are parsed in chunks, by splitting the original string into separate substrings at specific keywords (operators) such as `+`, `-`, `in`, `&&`, `||`, etc. **NOTICE**: This splitting only works for keywords that are surrounded by whitespace, e.g.: ``` attr => 'string1 + string2 - string3' ``` The algorithm will loop over the parameter and start by splitting it into 'string1' and 'string2 - string3'. 'string1' will be passed to the sub function 'value_types' and then the algorithm will continue parsing the rest of the string ('string2 - string3'), splitting it, passing it to value_types, etc. Brackets are parsed for expressions: ``` attr => '3 * (value1 - value2) / 2' ``` The parser also detects function calls and will parse all parameters separately. ``` attr => 'function(param1, param2, ...)' ``` True and false can be used as either booleans or strings. ``` attrs => true or attr => 'true' ``` In Icinga you can write your own lambda functions with {{ ... }}. For Puppet use: ``` attrs => '{{ ... }}' ``` The parser analyzes which parts of the string have to be quoted and which do not. As a general rule, all fragments are quoted except for the following: * Boolean: `true`, `false` * Numbers: `3` or `2.5` * Time Intervals: `3m` or `2.5h` (s = seconds, m = minutes, h = hours, d = days) * Functions: `{{ ... }}` or function `()` `{}` * All constants, which are declared in the constants parameter in main class `icinga2` * `NodeName` * Names of attributes that belong to the same type of object: * e.g. `name` and `check_command` for a host object * All attributes or variables (custom attributes) from the host, service or user contexts: * `host.name`, `service.check_command`, `user.groups`, ... Assignment with += and -=: Now it's possible to build an Icinga DSL code snippet like ``` vars += config ``` simply use a string with the prefix '+ ', e.g. ``` vars => '+ config', ``` The blank between + and the proper string 'config' is imported for the parser because numbers ``` attr => '+ -14', ``` are also possible now. For numbers -= can be built, too: ``` attr => '- -14', ``` Arrays can also be marked to merge with '+' or reduce by '-' as the first item of the array: ``` attr => [ '+', item1, item2, ... ] ``` Result: attr += [ item1, item2, ... ] ``` attr => [ '-', item1, item2, ... ] ``` Result: attr -= [ item1, item2, ... ] That all works for attributes and custom attributes! Finally dictionaries can be merged when a key '+' is set: ``` attr => { '+' => true, 'key1' => 'val1', } ``` Result: ``` attr += { "key1" = "val1" } ``` If 'attr' is a custom attribute this just works since level 3 of the dictionary: ``` vars => { 'level1' => { 'level2' => { 'level3' => { '+' => true, ... }, }, }, }, ``` Parsed to: ``` vars.level1["level2"] += level3 ``` Now it's also possible to add multiple custom attributes: ``` vars => [ { 'a' => '1', 'b' => '2', }, 'config', { 'c' => { 'd' => { '+' => true, 'e' => '5', }, }, }, ], ``` And you'll get: ``` vars.a = "1" vars.b = "2" vars += config vars.c["d"] += { "e" = "5" } ``` Note: Using an Array always means merge '+=' all items to vars. ##### What isn't supported? It's not currently possible to use dictionaries in a string WITH nested array or hash, like ``` attr1 => 'hash1 + { item1 => value1, item2 => [ value1, value2 ], ... ]' attr2 => 'hash2 + { item1 => value1, item2 => { ... },... }' ``` ## Reference See [REFERENCE.md](https://github.com/Icinga/puppet-icinga2/blob/master/REFERENCE.md) ## Release Notes When releasing new versions we refer to [SemVer 1.0.0] for version numbers. All steps required when creating a new release are described in [RELEASE.md](https://github.com/Icinga/puppet-icinga2/blob/master/RELEASE.md) See also [CHANGELOG.md](https://github.com/Icinga/puppet-icinga2/blob/master/CHANGELOG.md) [distributed monitoring]: http://docs.icinga.com/icinga2/latest/doc/module/icinga2/chapter/distributed-monitoring [puppetlabs/stdlib]: https://github.com/puppetlabs/puppetlabs-stdlib [puppetlabs/concat]: https://github.com/puppetlabs/puppetlabs-concat [puppetlabs/apt]: https://github.com/puppetlabs/puppetlabs-apt [puppetlabs/chocolatey]: https://github.com/puppetlabs/puppetlabs-chocolatey [puppet/zypprepo]: https://forge.puppet.com/puppet/zypprepo [puppetlabs/mysql]: https://github.com/puppetlabs/puppetlabs-mysql [puppetlabs/puppetlabs-postgresql]: https://github.com/puppetlabs/puppetlabs-postgresql [puppet-icinga2]: https://github.com/icinga/puppet-icinga2 [packages.icinga.com]: https://packages.icinga.com [Chocolatey]: https://chocolatey.org [SemVer 1.0.0]: http://semver.org/spec/v1.0.0.html [CONTRIBUTING.md]: CONTRIBUTING.md [TESTING.md]: TESTING.md [RELEASE.md]: RELEASE.md [CHANGELOG.md]: CHANGELOG.md [AUTHORS]: AUTHORS diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp index f225c22..cf16adf 100644 --- a/manifests/feature/api.pp +++ b/manifests/feature/api.pp @@ -1,376 +1,378 @@ # @summary # Configures the Icinga 2 feature api. # # @example Use the puppet certificates and key copy these files to the cert directory named to 'hostname.key', 'hostname.crt' and 'ca.crt' if the contant NodeName is set to 'hostname'. # include ::icinga2::feature::api # # @example To use your own certificates and key as file resources if the contant NodeName is set to fqdn (default) do: # class { 'icinga2::feature::api': # pki => 'none', # } # # File { # owner => 'icinga', # group => 'icinga', # } # # file { "/var/lib/icinga2/certs/${::fqdn}.key": # ensure => file, # tag => 'icinga2::config::file', # source => "puppet:///modules/profiles/private_keys/${::fqdn}.key", # } # ... # # @example If you like to manage the certificates and the key as strings in base64 encoded format: # class { 'icinga2::feature::api': # pki => 'none', # ssl_cacert => '-----BEGIN CERTIFICATE----- ...', # ssl_key => '-----BEGIN RSA PRIVATE KEY----- ...', # ssl_cert => '-----BEGIN CERTIFICATE----- ...', # } # # @example Fine tune TLS settings # class { '::icinga2::feature::api': # ssl_protocolmin => 'TLSv1.2', # ssl_cipher_list => 'HIGH:MEDIUM:!aNULL:!MD5:!RC4', # } # # @example Transfer a CA certificate and key from an existing CA by using the file resource: # include ::icinga2 # # file { '/var/lib/icinga2/ca/ca.crt': # source => '...', # tag => 'icinga2::config::file', # } # # file { '/var/lib/icinga2/ca/ca.key': # source => '...', # tag => 'icinga2::config::file', # } # # @param [Enum['absent', 'present']] ensure # Set to present enables the feature api, absent disabled it. # # @param [Enum['ca', 'icinga2', 'none', 'puppet']] pki # Provides multiple sources for the certificate, key and ca. # - puppet: Copies the key, cert and CAcert from the Puppet ssl directory to the cert directory # /var/lib/icinga2/certs on Linux and C:/ProgramData/icinga2/var/lib/icinga2/certs on Windows. +# Please note that Puppet 7 uses an intermediate CA by default and Icinga cannot handle +# its CA certificate, see [Icinga Issue](https://github.com/Icinga/icinga2/pull/8859). # - icinga2: Uses the icinga2 CLI to generate a Certificate Request and Key to obtain a signed # Certificate from 'ca_host' using the icinga2 ticket mechanism. # In case the 'ticket_salt' has been configured the ticket_id will be generated # by the module in a custom function that imitates the icinga ticket generation. # The 'ticket_id' parameter can be used to directly set an ticket_id. # - none: Does nothing and you either have to manage the files yourself as file resources # or use the ssl_key, ssl_cert, ssl_cacert parameters. # # @param [Optional[Stdlib::Base64]] ssl_key # The private key in a base64 encoded string to store in cert directory. This parameter # requires pki to be set to 'none'. # # @param [Optional[Stdlib::Base64]] ssl_cert # The certificate in a base64 encoded string to store in cert directory This parameter # requires pki to be set to 'none'. # # @param [Optional[Stdlib::Base64]] ssl_cacert # The CA root certificate in a base64 encoded string to store in cert directory. This parameter # requires pki to be set to 'none'. # # @param [Optional[Stdlib::Absolutepath]] ssl_crl # Optional location of the certificate revocation list. # # @param [Optional[Boolean]] accept_config # Accept zone configuration. # # @param [Optional[Boolean]] accept_commands # Accept remote commands. # # @param [Optional[Integer[0]]] max_anonymous_clients # Limit the number of anonymous client connections (not configured endpoints and signing requests). # # @param [Optional[Stdlib::Host]] ca_host # This host will be connected to request the certificate. Set this if you use the icinga2 pki. # # @param [Stdlib::Port::Unprivileged] ca_port # Port of the 'ca_host'. # # @param [Optional[Icinga2::Fingerprint]] fingerprint # Fingerprint of the CA host certificate for validation. Requires pki is set to `icinga2`. # You can get the fingerprint via 'openssl x509 -noout -fingerprint -sha256 -inform pem -in [certificate-file.crt]' # on your CA host. (Icinga2 versions before 2.12.0 require '-sha1' as digest algorithm.) # # @param [String] ticket_salt # Salt to use for ticket generation. The salt is stored to api.conf if none or ca is chosen for pki. # Defaults to constant TicketSalt. Keep in mind this parameter is parsed so please use only alpha numric # characters as salt or a constant. # # @param [Optional[String]] ticket_id # If a ticket_id is given it will be used instead of generating an ticket_id. # The ticket_id will be used only when requesting a certificate from the ca_host # in case the pki is set to 'icinga2'. # # @param [Hash[String, Hash]] endpoints # Hash to configure endpoint objects. `NodeName` is a icnga2 constant. # # @param [Hash[String, Hash]] zones # Hash to configure zone objects. `ZoneName` and `NodeName` are icinga2 constants. # # @param [Optional[Enum['TLSv1', 'TLSv1.1', 'TLSv1.2']]] ssl_protocolmin # Minimal TLS version to require. # # @param [Optional[Icinga2::Interval]] ssl_handshake_timeout # TLS Handshake timeout. # # @param [Optional[String]] ssl_cipher_list # List of allowed TLS ciphers, to finetune encryption. # # @param [Optional[Stdlib::Host]] bind_host # The IP address the api listener will be bound to. # # @param [Optional[Stdlib::Port::Unprivileged]] bind_port # The port the api listener will be bound to. # # @param [Optional[Array[String]]] access_control_allow_origin # Specifies an array of origin URLs that may access the API. # # @param [Optional[Boolean]] access_control_allow_credentials # Indicates whether or not the actual request can be made using credentials. # # @param [Optional[String]] access_control_allow_headers # Used in response to a preflight request to indicate which HTTP headers can be used when making the actual request. # # @param [Optional[Array[Enum['GET', 'POST', 'PUT', 'DELETE']]]] access_control_allow_methods # Used in response to a preflight request to indicate which HTTP methods can be used when making the actual request. # # @param [Optional[String]] environment # Used as suffix in TLS SNI extension name; default from constant ApiEnvironment, which is empty. # class icinga2::feature::api( Enum['absent', 'present'] $ensure = present, Enum['ca', 'icinga2', 'none', 'puppet'] $pki = 'icinga2', Optional[Stdlib::Absolutepath] $ssl_crl = undef, Optional[Boolean] $accept_config = undef, Optional[Boolean] $accept_commands = undef, Optional[Integer[0]] $max_anonymous_clients = undef, Optional[Stdlib::Host] $ca_host = undef, Stdlib::Port::Unprivileged $ca_port = 5665, String $ticket_salt = 'TicketSalt', Optional[String] $ticket_id = undef, Hash[String, Hash] $endpoints = { 'NodeName' => {} }, Hash[String, Hash] $zones = { 'ZoneName' => { endpoints => [ 'NodeName' ] } }, Optional[Stdlib::Base64] $ssl_key = undef, Optional[Stdlib::Base64] $ssl_cert = undef, Optional[Stdlib::Base64] $ssl_cacert = undef, Optional[Enum['TLSv1', 'TLSv1.1', 'TLSv1.2']] $ssl_protocolmin = undef, Optional[Icinga2::Interval] $ssl_handshake_timeout = undef, Optional[String] $ssl_cipher_list = undef, Optional[Stdlib::Host] $bind_host = undef, Optional[Stdlib::Port::Unprivileged] $bind_port = undef, Optional[Array[Enum['GET', 'POST', 'PUT', 'DELETE']]] $access_control_allow_methods = undef, Optional[Array[String]] $access_control_allow_origin = undef, Optional[Boolean] $access_control_allow_credentials = undef, Optional[String] $access_control_allow_headers = undef, Optional[Icinga2::Fingerprint] $fingerprint = undef, Optional[String] $environment = undef, ) { if ! defined(Class['::icinga2']) { fail('You must include the icinga2 base class before using any icinga2 feature class!') } # cert directory must exists and icinga binary is required for icinga2 pki require ::icinga2::install $icinga2_bin = $::icinga2::globals::icinga2_bin $conf_dir = $::icinga2::globals::conf_dir $cert_dir = $::icinga2::globals::cert_dir $ca_dir = $::icinga2::globals::ca_dir $user = $::icinga2::globals::user $group = $::icinga2::globals::group $node_name = $::icinga2::_constants['NodeName'] $_ssl_key_mode = $::facts['os']['family'] ? { 'windows' => undef, default => '0600', } $_notify = $ensure ? { 'present' => Class['::icinga2::service'], default => undef, } File { owner => $user, group => $group, } # Set defaults for certificate stuff $_ssl_key_path = "${cert_dir}/${node_name}.key" $_ssl_cert_path = "${cert_dir}/${node_name}.crt" $_ssl_csr_path = "${cert_dir}/${node_name}.csr" $_ssl_cacert_path = "${cert_dir}/ca.crt" # handle the certificate's stuff case $pki { 'puppet': { $_ticket_salt = undef file { $_ssl_key_path: ensure => file, mode => $_ssl_key_mode, source => $::facts['icinga2_puppet_hostprivkey'], tag => 'icinga2::config::file', show_diff => false, backup => false, } file { $_ssl_cert_path: ensure => file, source => $::facts['icinga2_puppet_hostcert'], tag => 'icinga2::config::file', } file { $_ssl_cacert_path: ensure => file, source => $::facts['icinga2_puppet_localcacert'], tag => 'icinga2::config::file', } } # puppet 'none': { # non means you manage the CA on your own and so # the salt has to be stored in api.conf $_ticket_salt = $ticket_salt if $ssl_key { $_ssl_key = $::facts['os']['family'] ? { 'windows' => regsubst($ssl_key, '\n', "\r\n", 'EMG'), default => $ssl_key, } file { $_ssl_key_path: ensure => file, mode => $_ssl_key_mode, content => $_ssl_key, tag => 'icinga2::config::file', show_diff => false, backup => false, } } if $ssl_cert { $_ssl_cert = $::facts['os']['family'] ? { 'windows' => regsubst($ssl_cert, '\n', "\r\n", 'EMG'), default => $ssl_cert, } file { $_ssl_cert_path: ensure => file, content => $_ssl_cert, tag => 'icinga2::config::file', } } if $ssl_cacert { $_ssl_cacert = $::facts['os']['family'] ? { 'windows' => regsubst($ssl_cacert, '\n', "\r\n", 'EMG'), default => $ssl_cacert, } file { $_ssl_cacert_path: ensure => file, content => $_ssl_cacert, tag => 'icinga2::config::file', } } } # none # icinga2 as default default: { $_ticket_salt = undef $trusted_cert = "${cert_dir}/trusted-cert.crt" $cmd_pki_get_cert = "\"${icinga2_bin}\" pki save-cert --host ${ca_host} --port ${ca_port} --key ${_ssl_key_path} --cert ${_ssl_cert_path} --trustedcert ${trusted_cert}" if($ticket_id) { $_ticket = "--ticket ${ticket_id}" } elsif($ticket_salt != 'TicketSalt') { $_ticket = "--ticket ${icinga2_ticket_id($node_name, $ticket_salt)}" } else { $_ticket = '' } if $fingerprint { $_fingerprint = upcase(regsubst($fingerprint, ':', ' ', 'G')) if $::facts['os']['family'] != 'Windows' { $_cmd_pki_get_cert = "${cmd_pki_get_cert} |grep '${_fingerprint}\s*$'" } else { $_cmd_pki_get_cert = "cmd.exe /c \"${cmd_pki_get_cert} |findstr /R /C:\"${_fingerprint}\"\"" } } else { $_cmd_pki_get_cert = $cmd_pki_get_cert } $_env = $::facts['kernel'] ? { 'windows' => undef, default => ["ICINGA2_USER=${user}", "ICINGA2_GROUP=${group}"], } Exec { environment => $_env, notify => Class['::icinga2::service'], } exec { 'icinga2 pki create key': command => "\"${icinga2_bin}\" pki new-cert --cn ${node_name} --key ${_ssl_key_path} --cert ${_ssl_cert_path}", creates => $_ssl_key_path, } -> exec { 'icinga2 pki get trusted-cert': path => $::facts['path'], command => $_cmd_pki_get_cert, creates => $trusted_cert, } -> exec { 'icinga2 pki request': command => "\"${icinga2_bin}\" pki request --host ${ca_host} --port ${ca_port} --ca ${_ssl_cacert_path} --key ${_ssl_key_path} --cert ${_ssl_cert_path} --trustedcert ${trusted_cert} ${_ticket}", # lint:ignore:140chars creates => $_ssl_cacert_path, } } # icinga2 } # case pki # compose attributes $attrs = { crl_path => $ssl_crl, accept_commands => $accept_commands, accept_config => $accept_config, max_anonymous_clients => $max_anonymous_clients, ticket_salt => $_ticket_salt, tls_protocolmin => $ssl_protocolmin, tls_handshake_timeout => $ssl_handshake_timeout, cipher_list => $ssl_cipher_list, bind_host => $bind_host, bind_port => $bind_port, access_control_allow_origin => $access_control_allow_origin, access_control_allow_credentials => $access_control_allow_credentials, access_control_allow_headers => $access_control_allow_headers, access_control_allow_methods => $access_control_allow_methods, environment => $environment, } # create endpoints and zones create_resources('icinga2::object::endpoint', $endpoints) create_resources('icinga2::object::zone', $zones) # create object icinga2::object { 'icinga2::object::ApiListener::api': object_name => 'api', object_type => 'ApiListener', attrs => delete_undef_values($attrs), attrs_list => keys($attrs), target => "${conf_dir}/features-available/api.conf", order => 10, notify => $_notify, } # manage feature icinga2::feature { 'api': ensure => $ensure, } }