telekom-mms / ansible-collection-icinga Goto Github PK

In the icinga_agent role during agent registration, there are a critical series of steps that create the agent certificate and send a pki request to the master:

    - name: generate ticket and save it as a variable
      ansible.builtin.shell: /usr/sbin/icinga2 pki ticket --cn {{ ansible_hostname }} --salt {{ icinga_agent_salt }}
      environment:
        LD_LIBRARY_PATH: "/usr/lib64"
      register: ticket

    - name: create certificate
      ansible.builtin.command: "/usr/sbin/icinga2 pki new-cert --cn {{ ansible_hostname }} --key /var/lib/icinga2/certs/{{ ansible_hostname }}.key --cert /var/lib/icinga2/certs/{{ ansible_hostname }}.crt"
      args:
        creates: "/var/lib/icinga2/certs/{{ ansible_hostname }}.crt"

    - name: save the icinga master's certificate to the host
      ansible.builtin.command: "/usr/sbin/icinga2 pki save-cert --key /var/lib/icinga2/certs/{{ ansible_hostname }}.key --cert /var/lib/icinga2/certs/{{ ansible_hostname }}.crt --trustedcert /var/lib/icinga2/certs/trusted-master.crt --host {{ icinga_agent_ca_host }}"
      args:
        creates: "/var/lib/icinga2/certs/trusted-master.crt"

    - name: generate ticket and save it as a variable
      ansible.builtin.command: "/usr/sbin/icinga2 pki ticket --cn {{ ansible_hostname }} --salt {{ icinga_agent_salt }}"
      register: ticket
      args:
        creates: "/var/lib/icinga2/certs/ca.crt"

    - name: send a pki request to the icinga master
      ansible.builtin.command: "/usr/sbin/icinga2 pki request --host {{ icinga_agent_ca_host }} --port {{ icinga_agent_ca_host_icinga_port }} --ticket {{ ticket.stdout }} --key /var/lib/icinga2/certs/{{ ansible_hostname }}.key --cert /var/lib/icinga2/certs/{{ ansible_hostname }}.crt --trustedcert /var/lib/icinga2/certs/trusted-master.crt --ca /var/lib/icinga2/certs/ca.crt"
      args:
        creates: "/var/lib/icinga2/certs/ca.crt"
      notify:
        - restart icinga2-agent

In my testing, it appears that the "generate ticket and save it as a variable" step (which is repeated twice for unknown reasons) generates a ticket that only the agent knows about. Thus, in the final step, when the agent sends a pki request to the icinga master, the request is rejected due to an unknown ticket:

critical/cli: !!! Invalid ticket for CN 'icinga-agent'.

When I removed the ticket generation from the above steps, the pki request registered properly with the Icinga master and I was able to subsequently approve it.

My question is, what is the intended purpose of the ticket generation? Are these tasks assumed to be ran on the master instead of the agent?

Thanks for maintaining such a useful library! Cheers!

All names should start with an uppercase letter.

At the moment fqcns are on the ansible-lint warn_list. we should implement fqcns in both roles and molecule tests.

I just wanted to use your collection/role to install and configure icinga2 agent for my Debian 10 server but the role is not compatible, maybe you could mention that somewhere?

also ansible galaxy links are broken:

icinga_agent role:
Examples on how to use the role can be found here https://github.com/T-Systems-MMS/ansible-collection-icinga/blob/improve_readme/roles/icinga_agent/README.md

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

• chore(deps): update actions/checkout digest to 692973e
• chore(deps): update actions/setup-python digest to 39cd149
• chore(deps): update dependency telekom_mms.icinga_director to v2.1.2
• Click on this checkbox to rebase all open PRs at once

Detected dependencies

• Check this box to trigger a request for Renovate to run again on this repository

Do we want to fullfill this linting rule @xFuture603 ?

Example: Variables names from within roles should use role_name_ as a prefix. (set_fact: end_time)

Actually we implemented molecule tests only for centos7.

We should implement also support & tests for:

• ubuntu 20.04
• debian 11 - bullseye
• rocky linux 8

ansible-lint github action fails every day. We need to fix this.

I just tested the next role from the collection and also that one is not compatible with Debian :(

• at the moment the role installs nothing on debian10 because of this when condition:

- name: install icinga and nagios plugins
  ansible.builtin.package:
    name: "{{ item }}"
    state: present
  loop: "{{ icinga_install_plugins }}"
  when:
    - icinga_install_plugins is defined
    - icinga_install_plugins | length > 0
    - ansible_facts.distribution != "RedHat" and ansible_facts.distribution_major_version|int is version('8', '<')

there will be also the problem that package names between RedHat and Debian are different, like:

• monitoring-plugins in Debian
• nagios-plugins-all in RedHat

cheers

We should implement tests for:

• centos7
• ubuntu 20.04
• debian 11 - bullseye
• rocky linux 8

At the Moment it's possible to copy checks with ansible role from ansible repo to the target hosts.

It should be possible to use a git repository with check files.