

Merge branch 'fix/ca-ordering-236'
fixes #236
fixes #239
bobapple committed Feb 28, 2017
2 parents cea7819 + bf3c62d commit a80a97f
Showing 3 changed files with 136 additions and 37 deletions.
60 changes: 50 additions & 10 deletions README.md
Expand Up @@ -523,17 +523,19 @@ file { '/var/lib/icinga2/ca/ca.key':
}
```

* Create a new CA with the `icinga2` CLI command and a certificate signed by this new CA. This is especially useful when
seting up a fresh Icinga 2 master from scratch.
```
* Create a new CA with the `icinga2` CLI command and a certificate signed by this new CA. This is useful especially when
seting up a new Icinga 2 master.
```puppet
class { '::icinga2':
constants => {
'TicketSalt' => '5a3d695b8aef8f18452fc494593056a4',
}
}
class { '::icinga2::pki::ca': }
class { '::icinga2::feature::api':
pki => 'ca',
pki => 'none',
endpoints => {
'localhost' => {
'host' => 'localhost',
Expand Down Expand Up @@ -1143,31 +1145,39 @@ Provides multiple sources for the certificate and key.
the configured 'ticket_salt' in a custom function.
* `none` Does nothing and you either have to manage the files yourself as file resources or use the `ssl_key`, `ssl_cert`,
`ssl_ca` parameters.
* `ca` Includes the `::icinga2::pki::ca` class to generate a fresh CA and generates an SSL certificate and key signed by
* `ca` (**deprecated**) Includes the `::icinga2::pki::ca` class to generate a fresh CA and generates an SSL certificate and key signed by
this new CA.

Defaults to `puppet`

##### `ssl_key_path`
Location of the private key. Default depends on platform:
Location of the private key. Default depends on your platform:

* Linux `/etc/icinga2/pki/NodeName.key`
* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.key`

The Value of `NodeName` comes from the corresponding constant.

##### `ssl_cert_path`
Location of the certificate. Default depends on platform:
Location of the certificate. Default depends on your platform:

* Linux `/etc/icinga2/pki/NodeName.crt`
* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.crt`

The Value of `NodeName` comes from the corresponding constant.

##### `ssl_ca_path`
Location of the CA certificate. Default depends on platform:
##### `ssl_csr_path`
Location of the certificate signing request. Default depends on your platform:

* Linux: `/etc/icinga2/pki/NodeName.csr`
* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.csr`

The Value of `NodeName` comes from the corresponding constant.

##### `ssl_cacert_path`
Location of the CA certificate. Default depends on your platform:

* Linux `/etc/icinga2/pki/ca.crt`
* Linux: `/etc/icinga2/pki/ca.crt`
* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/ca.crt`

##### `accept_config`
Expand Down Expand Up @@ -1311,6 +1321,36 @@ Content of the CA certificate. If this is unset, a certificate will be generated
##### `ca_key`
Content of the CA key. If this is unset, a key will be generated with the Icinga 2 CLI.

##### `ssl_key_path`
Location of the private key. Default depends on your platform:

* Linux `/etc/icinga2/pki/NodeName.key`
* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.key`

The Value of `NodeName` comes from the corresponding constant.

##### `ssl_cert_path`
Location of the certificate. Default depends on your platform:

* Linux `/etc/icinga2/pki/NodeName.crt`
* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.crt`

The Value of `NodeName` comes from the corresponding constant.

##### `ssl_csr_path`
Location of the certificate signing request. Default depends on your platform:

* Linux: `/etc/icinga2/pki/NodeName.csr`
* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.csr`

The Value of `NodeName` comes from the corresponding constant.

##### `ssl_cacert_path`
Location of the CA certificate. Default depends on your platform:

* Linux: `/etc/icinga2/pki/ca.crt`
* Windows `C:/ProgramData/icinga2/etc/icinga2/pki/ca.crt`

### Private Classes

#### Class: `icinga2::repo`
29 changes: 3 additions & 26 deletions manifests/feature/api.pp
Expand Up @@ -175,7 +175,7 @@
validate_re($ensure, [ '^present$', '^absent$' ],
"${ensure} isn't supported. Valid values are 'present' and 'absent'.")
validate_re($pki, [ '^puppet$', '^none$', '^icinga2', '^ca' ],
"${pki} isn't supported. Valid values are 'puppet', 'none', 'icinga2' and 'ca'.")
"${pki} isn't supported. Valid values are 'puppet', 'none', 'icinga2' and 'ca (deprecated)'.")
validate_bool($accept_config)
validate_bool($accept_commands)
validate_string($ticket_salt)
Expand Down Expand Up @@ -310,32 +310,9 @@
} # icinga2

'ca': {
class { '::icinga2::pki::ca': } ->
class { '::icinga2::pki::ca': }

file { "${_ssl_cacert_path}":
source => "${ca_dir}/ca.crt",
} ->

exec { 'icinga2 pki create certificate signing request':
command => "icinga2 pki new-cert --cn '${::fqdn}' --key '${_ssl_key_path}' --csr '${_ssl_csr_path}'",
creates => $_ssl_key_path,
} ->
file {
$_ssl_key_path:
mode => '0600';
}

exec { 'icinga2 pki sign certificate':
command => "icinga2 pki sign-csr --csr '${_ssl_csr_path}' --cert '${_ssl_cert_path}'",
subscribe => Exec['icinga2 pki create certificate signing request'],
refreshonly => true,
notify => Class['::icinga2::service'],
} ->
file {
$_ssl_cert_path:;
$_ssl_csr_path:
ensure => absent;
}
notice("This parameter is deprecated and will be removed in future versions! Please use ::icinga2::pki::ca instead")
} # ca
} # pki

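Review bot: The bare `class { '::icinga2::pki::ca': }` at the top of the `'ca'` branch drops the resolved path variables the removed lines used (`$_ssl_key_path`, `$_ssl_cert_path`, `$_ssl_csr_path`, `$_ssl_cacert_path`), so an `ssl_*_path` override given to `icinga2::feature::api` no longer reaches the CA class, which falls back to its own defaults while the API feature presumably still references the overridden locations. Forwarding the four variables as parameters keeps the deprecated value behaving as it did before this commit. The `notice()` on the last line of the branch is emitted during catalog compilation, not on the agent; `warning()` is the usual level for a deprecation and is more likely to be noticed. The `case $pki` statement this branch belongs to starts before the hunk, and the class body continues after it.
```puppet
    'ca': {
      class { '::icinga2::pki::ca':
        ssl_key_path    => $_ssl_key_path,
        ssl_cert_path   => $_ssl_cert_path,
        ssl_csr_path    => $_ssl_csr_path,
        ssl_cacert_path => $_ssl_cacert_path,
      }
      # … unchanged: deprecation notice …
    } # ca
```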
84 changes: 83 additions & 1 deletion manifests/pki/ca.pp
Expand Up @@ -13,6 +13,29 @@
# [*ca_key*]
# Content of the CA key. If this is unset, a key will be generated with the Icinga 2 CLI.
#
# [*ssl_key_path*]
# Location of the private key. Default depends on platform:
# /etc/icinga2/pki/NodeName.key on Linux
# C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.key on Windows
# The Value of NodeName comes from the corresponding constant.
#
# [*ssl_cert_path*]
# Location of the certificate. Default depends on platform:
# /etc/icinga2/pki/NodeName.crt on Linux
# C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.crt on Windows
# The Value of NodeName comes from the corresponding constant.
#
# [*ssl_csr_path*]
# Location of the certificate signing request. Default depends on platform:
# /etc/icinga2/pki/NodeName.csr on Linux
# C:/ProgramData/icinga2/etc/icinga2/pki/NodeName.csr on Windows
# The Value of NodeName comes from the corresponding constant.
#
# [*ssl_cacert_path*]
# Location of the CA certificate. Default is:
# /etc/icinga2/pki/ca.crt on Linux
# C:/ProgramData/icinga2/etc/icinga2/pki/ca.crt on Windows
#
# === Examples
#
# Let Icinga 2 generate a CA for you:
Expand All @@ -32,19 +55,52 @@
class icinga2::pki::ca(
$ca_cert = undef,
$ca_key = undef,
$ssl_key_path = undef,
$ssl_cert_path = undef,
$ssl_csr_path = undef,
$ssl_cacert_path = undef,
) {

include icinga2::params
include ::icinga2::params
require ::icinga2::config

$ca_dir = $::icinga2::params::ca_dir
$pki_dir = $::icinga2::params::pki_dir
$user = $::icinga2::params::user
$group = $::icinga2::params::group
$node_name = $::icinga2::_constants['NodeName']

File {
owner => $user,
group => $group,
}

Exec {
user => 'root',
path => $::path,
}

if $ssl_key_path {
validate_absolute_path($ssl_key_path)
$_ssl_key_path = $ssl_key_path }
else {
$_ssl_key_path = "${pki_dir}/${node_name}.key" }
if $ssl_cert_path {
validate_absolute_path($ssl_cert_path)
$_ssl_cert_path = $ssl_cert_path }
else {
$_ssl_cert_path = "${pki_dir}/${node_name}.crt" }
if $ssl_csr_path {
validate_absolute_path($ssl_csr_path)
$_ssl_csr_path = $ssl_csr_path }
else {
$_ssl_csr_path = "${pki_dir}/${node_name}.csr" }
if $ssl_cacert_path {
validate_absolute_path($ssl_cacert_path)
$_ssl_cacert_path = $ssl_cacert_path }
else {
$_ssl_cacert_path = "${pki_dir}/ca.crt" }

if !$ca_cert or !$ca_key {
$path = $::osfamily ? {
'windows' => 'C:/ProgramFiles/ICINGA2/sbin',
Expand Down Expand Up @@ -90,5 +146,31 @@
},
tag => 'icinga2::config::file',
}
} ->

file { "${_ssl_cacert_path}":
source => "${ca_dir}/ca.crt",
}

exec { 'icinga2 pki create certificate signing request':
command => "icinga2 pki new-cert --cn '${::fqdn}' --key '${_ssl_key_path}' --csr '${_ssl_csr_path}'",
creates => $_ssl_key_path,
require => File["${_ssl_cacert_path}"]
} ->
file {
$_ssl_key_path:
mode => '0600';
}

exec { 'icinga2 pki sign certificate':
command => "icinga2 pki sign-csr --csr '${_ssl_csr_path}' --cert '${_ssl_cert_path}'",
subscribe => Exec['icinga2 pki create certificate signing request'],
refreshonly => true,
notify => Class['::icinga2::service'],
} ->
file {
$_ssl_cert_path:;
$_ssl_csr_path:
ensure => absent;
}
}

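Review bot: The `icinga2 pki sign certificate` exec is `refreshonly` and only fires from the CSR exec, which is itself skipped once `$_ssl_key_path` exists (`creates`), so a failed or interrupted `sign-csr` leaves the node without a certificate on every later run: the key is present, the CSR step does not run, no refresh event is sent, and `$_ssl_cert_path` is never produced. Guarding the signing step on its own output, `creates => $_ssl_cert_path,` in place of `refreshonly => true,`, makes it retry until the certificate exists while the `subscribe` still provides the ordering. The `file` with `ensure => absent` for the CSR remains correct with that change because it is chained after the exec. The class body this hunk closes starts before the hunk, and the `} ->` on its first lines chains a block that begins outside it.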
