
fix voxpupuli#325, ticket_salt ist stored to api.conf only if pki = n…
…one|ca
lbetz authored and n00by committed Apr 26, 2018
1 parent 0b54a48 commit a2d545c
Showing 5 changed files with 24 additions and 14 deletions.
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -1224,7 +1224,8 @@ This host will be connected to request the certificate. Set this if you use the
Port of the 'ca_host'. Defaults to `5665`

##### `ticket_salt`
Salt to use for ticket generation. Defaults to icinga2 constant `TicketSalt`.
Salt to use for ticket generation. The salt is stored to api.conf if `none` or `ca` is chosen for `pki`.
Defaults to constant `TicketSalt`.

##### `endpoints`
Hash to configure endpoint objects. Defaults to `{ 'NodeName' => {} }`. `NodeName` is a Icinga 2 constant.
5 changes: 3 additions & 2 deletions examples/init_master.pp
Expand Up @@ -7,8 +7,6 @@
}
}

class { '::icinga2::pki::ca': }

class { '::icinga2::feature::api':
pki => 'none',
zones => {
Expand All @@ -17,3 +15,6 @@
},
}
}

class { '::icinga2::pki::ca': }
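Review bot: The `class { '::icinga2::pki::ca': }` declaration is moved from before `::icinga2::feature::api` to after it without a comment, so the reason for the new position is not visible in the example; under Puppet's manifest ordering this also changes the order in which the two classes are evaluated. If the intent is that with `pki => 'none'` the CA is the caller's responsibility rather than the api feature's, a comment above the moved line such as `# pki => 'none': the CA is declared here instead of by the api feature` would make that explicit, and an explicit relationship would be clearer than relying on position if the order matters. The enclosing example body starts before this hunk.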

14 changes: 12 additions & 2 deletions manifests/feature/api.pp
Expand Up @@ -66,7 +66,8 @@
# Port of the 'ca_host'. Defaults to 5665
#
# [*ticket_salt*]
# Salt to use for ticket generation. Defaults to icinga2 constant TicketSalt.
# Salt to use for ticket generation. The salt is stored to api.conf if none or ca is chosen for pki.
# Defaults to constant TicketSalt.
#
# [*endpoints*]
# Hash to configure endpoint objects. Defaults to { 'NodeName' => {} }.
Expand Down Expand Up @@ -242,6 +243,8 @@
# handle the certificate's stuff
case $pki {
'puppet': {
$_ticket_salt = undef

file { $_ssl_key_path:
ensure => file,
mode => $_ssl_key_mode,
Expand All @@ -263,6 +266,10 @@
} # puppet

'none': {
# non means you manage the CA on your own and so
# the salt has to be stored in api.conf
$_ticket_salt = $ticket_salt

if $ssl_key {
$_ssl_key = $::osfamily ? {
'windows' => regsubst($ssl_key, '\n', "\r\n", 'EMG'),
Expand Down Expand Up @@ -305,6 +312,8 @@
} # none

'icinga2': {
$_ticket_salt = undef

validate_string($ca_host)
validate_integer($ca_port)

Expand Down Expand Up @@ -333,6 +342,7 @@
} # icinga2

'ca': {
$_ticket_salt = $ticket_salt
class { '::icinga2::pki::ca': }

warning('This parameter is deprecated and will be removed in future versions! Please use ::icinga2::pki::ca instead')
Expand All @@ -346,7 +356,7 @@
ca_path => $_ssl_cacert_path,
accept_commands => $accept_commands,
accept_config => $accept_config,
ticket_salt => $ticket_salt,
ticket_salt => $_ticket_salt,
tls_protocolmin => $ssl_protocolmin,
cipher_list => $ssl_cipher_list,
bind_host => $bind_host,
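Review bot: The comment added above `$_ticket_salt = $ticket_salt` in the `'none'` branch reads `# non means you manage the CA on your own and so`; it should read `# none means ...`, and the `'ca'` branch assigns the same value with no comment at all, so a reader has to consult the README to learn why these two branches keep the salt while `'puppet'` and `'icinga2'` blank it. Suggest `# 'ca' manages the CA from this module, so the salt is stored in api.conf as well` above the assignment in the `'ca'` branch. Because tickets are derived from this salt, it is worth confirming outside these hunks that the api.conf fragment it is now written into is not readable by other local users. The `case $pki` block starts and ends outside the visible hunks, so whether a default branch also assigns `$_ticket_salt` before it is used at `ticket_salt => $_ticket_salt` cannot be checked here.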
4 changes: 2 additions & 2 deletions manifests/pki/ca.pp
Expand Up @@ -64,6 +64,7 @@
include ::icinga2::params
require ::icinga2::config

$bin_dir = $::icinga2::params::bin_dir
$ca_dir = $::icinga2::params::ca_dir
$pki_dir = $::icinga2::params::pki_dir
$user = $::icinga2::params::user
Expand All @@ -76,8 +77,7 @@
}

Exec {
user => 'root',
path => $::path,
path => $bin_dir,
}

if $ssl_key_path {
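Review bot: The `Exec` resource default in the second hunk changes `path` from `$::path` to `$bin_dir`, and from the section's counts (two deletions against one addition in that hunk) the `user => 'root',` default appears to have been dropped as well, which neither the commit title nor the hunk explains. Narrowing `path` to the icinga2 binary directory means any helper the pki commands resolve from elsewhere on the agent's path will no longer be found; if that is intended, a one-line comment such as `# pki commands are resolved from the icinga2 bin dir only` would make it deliberate. Removing the explicit user changes which account the commands run under whenever the agent itself is not root, so it deserves a mention in the commit message or a restored `user => 'root',`. The enclosing class starts before and ends after these hunks.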
12 changes: 5 additions & 7 deletions spec/classes/api_spec.rb
Expand Up @@ -46,7 +46,6 @@
.with({ 'target' => '/etc/icinga2/features-available/api.conf' })
.with_content(/accept_config = false/)
.with_content(/accept_commands = false/)
.with_content(/ticket_salt = TicketSalt/)
.without_content(/bind_\w+ =/)
}

Expand Down Expand Up @@ -228,8 +227,8 @@
end


context "#{os} with ticket_salt => foo" do
let(:params) { {:ticket_salt => 'foo'} }
context "#{os} with pki => none, ticket_salt => foo" do
let(:params) { {:pki => 'none', :ticket_salt => 'foo'} }

it { is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
.with({ 'target' => '/etc/icinga2/features-available/api.conf' })
Expand Down Expand Up @@ -347,8 +346,7 @@
it { is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
.with({ 'target' => 'C:/ProgramData/icinga2/etc/icinga2/features-available/api.conf' })
.with_content(/accept_config = false/)
.with_content(/accept_commands = false/)
.with_content(/ticket_salt = TicketSalt/) }
.with_content(/accept_commands = false/) }

it { is_expected.to contain_file('C:/ProgramData/icinga2/etc/icinga2/pki/host.example.org.key') }
it { is_expected.to contain_file('C:/ProgramData/icinga2/etc/icinga2/pki/host.example.org.crt') }
Expand Down Expand Up @@ -498,8 +496,8 @@
end


context "Windows 2012 R2 with ticket_salt => foo" do
let(:params) { {:ticket_salt => 'foo'} }
context "Windows 2012 R2 with pki => none, ticket_salt => foo" do
let(:params) { {:pki => 'none', :ticket_salt => 'foo'} }

it { is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
.with({ 'target' => 'C:/ProgramData/icinga2/etc/icinga2/features-available/api.conf' })
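Review bot: Removing `.with_content(/ticket_salt = TicketSalt/)` from the default-parameter examples in the first and third hunks leaves nothing that asserts the salt is now absent from api.conf when `pki` takes its default, which is the behaviour this commit introduces; a regression that writes the salt again would still pass. Suggest adding `.without_content(/ticket_salt =/)` next to the existing `.without_content(/bind_\w+ =/)` line in the Linux example and the equivalent line in the Windows example. The `pki => none` examples only cover the explicit `foo` salt, so a `pki => 'ca'` example with `ticket_salt` would exercise the other branch that stores it.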
