Add docs for 'ca' pki mode in api feature

erezzarum · Jan 31, 2017 · c133c3c · c133c3c
1 parent 4407bdd
commit c133c3c
Show file tree

Hide file tree

Showing 2 changed files with 29 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -490,7 +490,7 @@ requires SSL/TLS client certificates. This module offers multiple choices to con
 One of your Icinga master needs to behave as a CA. With the class `icinga2::pki::ca` you can do following to fulfil
 this requirement:
 
-* Use the ability of the icinga2 CLI to generate a complete new CA
+* Use the the `icinga2` CLI to generate a complete new CA
 ``` puppet
 include ::icinga2
 class { '::icinga2::pki::ca':
@@ -520,6 +520,30 @@ file { '/var/lib/icinga2/ca/ca.key':
 }
 ```
 
+* Create a new CA with the `icinga2` CLI command and a certificate signed by this new CA. This is especially useful when
+seting up a fresh Icinga 2 master from scratch.
+```
+class { '::icinga2':
+  constants => {
+    'TicketSalt'   => '5a3d695b8aef8f18452fc494593056a4',
+  }
+}
+
+class { '::icinga2::feature::api':
+  pki             => 'ca',
+  endpoints       => {
+    'localhost' => {
+      'host' => 'localhost',
+    }
+  },
+  zones           => {
+    'master' => {
+      'endpoints' => ['localhost']
+    }
+  }
+}
+```
+
 If you are looking for an option to use your Puppet CA, have a look to the
 [Client/Satellite Certificates](#clientsatellite-certificates) section.
 
@@ -1116,6 +1140,8 @@ Provides multiple sources for the certificate and key.
 the configured 'ticket_salt' in a custom function.
 * `none` Does nothing and you either have to manage the files yourself as file resources or use the `ssl_key`, `ssl_cert`,
 `ssl_ca` parameters.
+* `ca` Includes the `::icinga2::pki::ca` class to generate a fresh CA and generates an SSL certificate and key signed by
+this new CA.
 
 Defaults to `puppet`
 

diff --git a/manifests/feature/api.pp b/manifests/feature/api.pp
@@ -15,6 +15,8 @@
 #              Puppetmaster by using the configured 'ticket_salt' in a custom function.
 #   - none: Does nothing and you either have to manage the files yourself as file resources
 #           or use the ssl_key, ssl_cert, ssl_cacert parameters. Defaults to puppet.
+#   - ca: Includes the '::icinga2::pki::ca' class to generate a fresh CA and generates an SSL certificate and
+#         key signed by this new CA.
 #
 # [*ssl_key_path*]
 #   Location of the private key. Default depends on platform: