From d4527882f44c4b58716ac6628708c5aedec7bff1 Mon Sep 17 00:00:00 2001
From: Lennart Betz
Date: Fri, 22 Dec 2023 12:43:35 +0100
Subject: [PATCH] Replace icinga2::tls::client with icinga::cert from icinga module
---
 REFERENCE.md | 1 -
 manifests/feature/elasticsearch.pp | 22 ++++++++++---
 manifests/feature/gelf.pp | 18 +++++++++--
 manifests/feature/icingadb.pp | 32 +++++++++++++------
 manifests/feature/idomysql.pp | 18 +++++++++--
 manifests/feature/idopgsql.pp | 18 +++++++++--
 manifests/feature/influxdb.pp | 22 ++++++++++---
 manifests/feature/influxdb2.pp | 22 ++++++++++---
 manifests/tls/client.pp | 51 ------------------------------
 9 files changed, 118 insertions(+), 86 deletions(-)
 delete mode 100644 manifests/tls/client.pp
diff --git a/REFERENCE.md b/REFERENCE.md
index 7b9e01ba..d076657c 100644
--- a/REFERENCE.md
+++ b/REFERENCE.md
@@ -70,7 +70,6 @@ start on boot and will be restarted if stopped.
 * `icinga2::feature`: Private define resource to used by this module only.
 * `icinga2::object`: Define resource to used by this module only.
-* `icinga2::tls::client`: A class to generate tls key, cert and cacert paths.
 ### Functions
diff --git a/manifests/feature/elasticsearch.pp b/manifests/feature/elasticsearch.pp
index 8bc99d09..513cf1cc 100644
--- a/manifests/feature/elasticsearch.pp
+++ b/manifests/feature/elasticsearch.pp
@@ -85,7 +85,7 @@
 fail('You must include the icinga2 base class before using any icinga2 feature class!')
 }
- $user = $icinga2::globals::user $owner = $icinga2::globals::user
 $group = $icinga2::globals::group
 $conf_dir = $icinga2::globals::conf_dir
 $ssl_dir = $icinga2::globals::cert_dir
@@ -104,7 +104,7 @@
 }
 File {
- owner => $user,
+ owner => $owner,
 group => $group,
 }
@@ -128,9 +128,21 @@
 'key_path' => $cert['key_file'],
 }
- icinga2::tls::client { 'ElasticsearchWriter_elasticsearch':
- args => $cert,
- notify => $_notify,
+ # Workaround, icinga::cert doesn't accept undef values for owner and group!
+ if $facts['os']['family'] != 'windows' {
+ icinga::cert { 'ElasticsearchWriter_elasticsearch':
+ args => $cert,
+ owner => $owner,
+ group => $group,
+ notify => $_notify,
+ }
+ } else {
+ icinga::cert { 'ElasticsearchWriter_elasticsearch':
+ args => $cert,
+ owner => 'foo',
+ group => 'bar',
+ notify => $_notify,
+ }
 }
 } else {
 $attrs_ssl = {
diff --git a/manifests/feature/gelf.pp b/manifests/feature/gelf.pp
index c99d093f..e9f3116c 100644
--- a/manifests/feature/gelf.pp
+++ b/manifests/feature/gelf.pp
@@ -98,9 +98,21 @@
 'key_path' => $cert['key_file'],
 }
- icinga2::tls::client { 'GelfWriter_gelf':
- args => $cert,
- notify => $_notify,
+ # Workaround, icinga::cert doesn't accept undef values for owner and group!
+ if $facts['os']['family'] != 'windows' {
+ icinga::cert { 'GelfWriter_gelf':
+ args => $cert,
+ owner => $owner,
+ group => $group,
+ notify => $_notify,
+ }
+ } else {
+ icinga::cert { 'GelfWriter_gelf':
+ args => $cert,
+ owner => 'foo',
+ group => 'bar',
+ notify => $_notify,
+ }
 }
 } else {
 $attrs_ssl = {
diff --git a/manifests/feature/icingadb.pp b/manifests/feature/icingadb.pp
index 62a65076..8cd1fab1 100644
--- a/manifests/feature/icingadb.pp
+++ b/manifests/feature/icingadb.pp
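Review bot: The Windows branch of the new `icinga::cert` resource passes the literal `owner => 'foo'` and `group => 'bar'`, and the identical if/else block is repeated in gelf.pp, icingadb.pp, idomysql.pp, idopgsql.pp, influxdb.pp and influxdb2.pp. If `icinga::cert` applies owner/group to the files it manages, those are non-existent principals on Windows and the key and cert files either fail to apply or end up with unintended ownership; the define is not on this page, so this needs confirming against the icinga module, and the real fix is for that define to accept undef. The deleted `icinga2::tls::client` (last hunk of this patch) wrote the key with `mode => '0400'` and `show_diff => false`, while the new call passes only args, owner, group and notify, so also confirm that `icinga::cert` protects the private key to the same degree. Until the upstream define changes, the duplicated branches can collapse into one resource with selector-computed owner/group and a comment naming the placeholders as such; the surrounding conditional starts before the hunk.
```puppet
  # Workaround, icinga::cert doesn't accept undef values for owner and group!
  # 'foo'/'bar' are placeholders: on Windows the removed icinga2::tls::client
  # set no owner/group at all; verify icinga::cert ignores them there.
  $_cert_owner = $facts['os']['family'] ? { 'windows' => 'foo', default => $owner }
  $_cert_group = $facts['os']['family'] ? { 'windows' => 'bar', default => $group }

  icinga::cert { 'ElasticsearchWriter_elasticsearch':
    args   => $cert,
    owner  => $_cert_owner,
    group  => $_cert_group,
    notify => $_notify,
  }
```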
@@ -89,11 +89,11 @@
 fail('You must include the icinga2 base class before using any icinga2 feature class!')
 }
- $owner = $icinga2::globals::user
- $group = $icinga2::globals::group
- $conf_dir = $icinga2::globals::conf_dir
- $data_dir = $icinga2::globals::data_dir
- $ssl_dir = $icinga2::globals::cert_dir
+ $conf_dir = $icinga2::globals::conf_dir
+ $data_dir = $icinga2::globals::data_dir
+ $cert_dir = $icinga2::globals::cert_dir
+ $owner = $icinga2::globals::user
+ $group = $icinga2::globals::group
 $_password = if $password =~ Sensitive {
 $password
@@ -103,7 +103,7 @@
 undef
 }
- $_notify = $ensure ? {
+ $_notify = $ensure ? {
 'present' => Class['icinga2::service'],
 default => undef,
 }
@@ -126,7 +126,7 @@
 if $enable_tls {
 $cert = icinga::cert::files(
 'IcingaDB-icingadb',
- $ssl_dir,
+ $cert_dir,
 $tls_key_file,
 $tls_cert_file,
 $tls_cacert_file,
@@ -146,9 +146,21 @@
 'tls_protocolmin' => $tls_protocolmin,
 }
- icinga2::tls::client { 'IcingaDB-icingadb':
- args => $cert,
- notify => $_notify,
+ # Workaround, icinga::cert doesn't accept undef values for owner and group!
+ if $facts['os']['family'] != 'windows' {
+ icinga::cert { 'IcingaDB-icingadb':
+ args => $cert,
+ owner => $owner,
+ group => $group,
+ notify => $_notify,
+ }
+ } else {
+ icinga::cert { 'IcingaDB-icingadb':
+ args => $cert,
+ owner => 'foo',
+ group => 'bar',
+ notify => $_notify,
+ }
 }
 } # enable_tls
 else {
diff --git a/manifests/feature/idomysql.pp b/manifests/feature/idomysql.pp
index 77a3b8f0..bb5ace94 100644
--- a/manifests/feature/idomysql.pp
+++ b/manifests/feature/idomysql.pp
@@ -168,9 +168,21 @@
 'ssl_cipher' => $ssl_cipher,
 }
- icinga2::tls::client { 'IdoMysqlConnection_ido-mysql':
- args => $cert,
- notify => $_notify,
+ # Workaround, icinga::cert doesn't accept undef values for owner and group!
+ if $facts['os']['family'] != 'windows' {
+ icinga::cert { 'IdoMysqlConnection_ido-mysql':
+ args => $cert,
+ owner => $owner,
+ group => $group,
+ notify => $_notify,
+ }
+ } else {
+ icinga::cert { 'IdoMysqlConnection_ido-mysql':
+ args => $cert,
+ owner => 'foo',
+ group => 'bar',
+ notify => $_notify,
+ }
 }
 } else {
 $attrs_ssl = {
diff --git a/manifests/feature/idopgsql.pp b/manifests/feature/idopgsql.pp
index fc0301c8..2a4ae992 100644
--- a/manifests/feature/idopgsql.pp
+++ b/manifests/feature/idopgsql.pp
@@ -152,9 +152,21 @@
 'ssl_key' => $cert['key_file'],
 }
- icinga2::tls::client { 'IdoPgsqlConnection_ido-pgsql':
- args => $cert,
- notify => $_notify,
+ # Workaround, icinga::cert doesn't accept undef values for owner and group!
+ if $facts['os']['family'] != 'windows' {
+ icinga::cert { 'IdoPgsqlConnection_ido-pgsql':
+ args => $cert,
+ owner => $owner,
+ group => $group,
+ notify => $_notify,
+ }
+ } else {
+ icinga::cert { 'IdoPgsqlConnection_ido-pgsql':
+ args => $cert,
+ owner => 'foo',
+ group => 'bar',
+ notify => $_notify,
+ }
 }
 } else {
 $attrs_ssl = {
diff --git a/manifests/feature/influxdb.pp b/manifests/feature/influxdb.pp
index 9a15be29..1e56e7ab 100644
--- a/manifests/feature/influxdb.pp
+++ b/manifests/feature/influxdb.pp
@@ -111,7 +111,7 @@
 fail('You must include the icinga2 base class before using any icinga2 feature class!')
 }
- $user = $icinga2::globals::user $owner = $icinga2::globals::user
 $group = $icinga2::globals::group
 $conf_dir = $icinga2::globals::conf_dir
 $ssl_dir = $icinga2::globals::cert_dir
@@ -140,7 +140,7 @@
 }
 File {
- owner => $user,
+ owner => $owner,
 group => $group,
 }
@@ -167,9 +167,21 @@
 'ssl_key' => $cert['key_file'],
 }
- icinga2::tls::client { 'InfluxdbWriter_influxdb':
- args => $cert,
- notify => $_notify,
+ # Workaround, icinga::cert doesn't accept undef values for owner and group!
+ if $facts['os']['family'] != 'windows' {
+ icinga::cert { 'InfluxdbWriter_influxdb':
+ args => $cert,
+ owner => $owner,
+ group => $group,
+ notify => $_notify,
+ }
+ } else {
+ icinga::cert { 'InfluxdbWriter_influxdb':
+ args => $cert,
+ owner => 'foo',
+ group => 'bar',
+ notify => $_notify,
+ }
 }
 } else {
 $attrs_ssl = {
diff --git a/manifests/feature/influxdb2.pp b/manifests/feature/influxdb2.pp
index d357fdc5..f0fea9c7 100644
--- a/manifests/feature/influxdb2.pp
+++ b/manifests/feature/influxdb2.pp
@@ -107,7 +107,7 @@
 fail('You must include the icinga2 base class before using any icinga2 feature class!')
 }
- $user = $icinga2::globals::user $owner = $icinga2::globals::user
 $group = $icinga2::globals::group
 $conf_dir = $icinga2::globals::conf_dir
 $ssl_dir = $icinga2::globals::cert_dir
@@ -118,7 +118,7 @@
 }
 File {
- owner => $user,
+ owner => $owner,
 group => $group,
 }
@@ -145,9 +145,21 @@
 'ssl_key' => $cert['key_file'],
 }
- icinga2::tls::client { 'Influxdb2Writer_influxdb2':
- args => $cert,
- notify => $_notify,
+ # Workaround, icinga::cert doesn't accept undef values for owner and group!
+ if $facts['os']['family'] != 'windows' {
+ icinga::cert { 'Influxdb2Writer_influxdb2':
+ args => $cert,
+ owner => $owner,
+ group => $group,
+ notify => $_notify,
+ }
+ } else {
+ icinga::cert { 'Influxdb2Writer_influxdb2':
+ args => $cert,
+ owner => 'foo',
+ group => 'bar',
+ notify => $_notify,
+ }
 }
 } else {
 $attrs_ssl = {
diff --git a/manifests/tls/client.pp b/manifests/tls/client.pp
deleted file mode 100644
index 4b89bee3..00000000
--- a/manifests/tls/client.pp
+++ /dev/null
@@ -1,51 +0,0 @@
-# @summary
-# A class to generate tls key, cert and cacert paths.
-#
-# @api private
-#
-# @param args
-# A config hash with the keys:
-# key_file, cert_file, cacert_file, key, cert and cacert
-#
-define icinga2::tls::client (
- Hash[String, Any] $args,
-) {
- assert_private()
-
- $owner = $icinga2::globals::user
- $group = $icinga2::globals::group
-
- if $facts['os']['family'] == 'Windows' {
- $key_mode = undef
- } else {
- File {
- owner => $owner,
- group => $group,
- mode => '0640',
- }
- $key_mode = '0400'
- }
-
- if unwrap($args[key]) {
- file { $args['key_file']:
- ensure => file,
- content => icinga::newline(unwrap($args['key'])),
- mode => $key_mode,
- show_diff => false,
- }
- }
-
- if $args['cert'] {
- file { $args['cert_file']:
- ensure => file,
- content => icinga::newline($args['cert']),
- }
- }
-
- if $args['cacert'] {
- file { $args['cacert_file']:
- ensure => file,
- content => icinga::newline($args['cacert']),
- }
- }
-}