Skip to content

Commit

Permalink
add installation for x509 module (#214)
Browse files Browse the repository at this point in the history
* add module x509 and mysql imports task

* Add documentation for x509 module

* Add documentation about database imports

* Continues working on x509 module installation

---------

Co-authored-by: Thilo W <[email protected]>
  • Loading branch information
mocdaniel and mkayontour committed Dec 7, 2023
1 parent bd3dc25 commit 5f2e504
Show file tree
Hide file tree
Showing 6 changed files with 212 additions and 1 deletion.
3 changes: 3 additions & 0 deletions changelogs/fragments/feature_add_x509_module_installation.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
---
major_changes:
- Added Installation of x509 certificate monitoring model
95 changes: 95 additions & 0 deletions doc/role-icingaweb2/module-x509.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
## Module x509

### Variables and Configuration

The general module parameter like `enabled` and `source` can be applied here.

| Variable | Value |
|----------|------------|
| enabled | true/false |
| source | package |

#### Section configuration

The backend database for the module needs to be available and configured at the `icingaweb2_resources` variable.

```
icingaweb2_modules:
x509:
source: package
enabled: true
config:
backend:
resource: x509
```

#### Configure SNI Names.

To configure SNIs for a IP address, use the dictionary `sni`.

Example:

```
icingaweb2_modules:
x509:
source: package
enabled: true
config:
backend:
resource: x509
sni:
192.168.56.213:
hostnames:
- icinga.com
- test2.icinga.com
```

#### Import Certificates

To import certificates use the **list** `certificate_files` all files need to be
available locally beforehand.

```
icingaweb2_modules:
x509:
source: package
enabled: true
config:
backend:
resource: x509
certificate_files:
- /etc/ssl/certs/ca-certificates.crt
```

#### Database Schema Setup

To import the database schema use `database` dictionary with the following variables.

| Variable | Type | Description | Default |
|----------|------|-------------|---------|
| `import_schema` | `Boolean` | Defines wether the schema will be imported or not. | false |
| `host` | `String` | Defines database address to connect to. | `localhost` |
| `port` | `int` | Defines the database port to connect to. | `3306` or `5432` |
| `user` | `string` | Defines database user | `x509` |
| `name` | `String` | Defines the database to connect to. | `x509` |
| `password` | `String` | Defines the database password to connect with. | OMITTED |
| `ssl_mode` | `String` | Clients attempt to connect using encryption, falling back to an unencrypted connection if an encrypted connection cannot be established |**n/a** |
|`ssl_ca`| `String`| Defines the path to the ca certificate for client authentication. | **n/a** |
|`ssl_cert`|`String`| Defines the path to the certificate for client authentication. | **n/a** |
|`ssl_key`| `String` | Defines the path to the certificate key for client key authentication. | **n/a** |
|`ssl_cipher`|`String`| Ciphers for the client authentication. | **n/a** |
|`ssl_extra_options`|`String`| Extra options for the client authentication. | **n/a** |


```
icingaweb2_modules:
x509:
source: package
enabled: true
database:
import_schema: true
host: localhost
port: 3306
user: x509
password: secret
```
8 changes: 8 additions & 0 deletions roles/icingaweb2/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -43,3 +43,11 @@
force: yes
when: icingaweb2_modules is defined
loop: "{{ icingaweb2_modules | dict2items }}"

# Many daemons fail before e.g. the resource is set up or the schema hasn't been migrated. This is a workaround.
- name: Manage enabled module daemons
ansible.builtin.service:
name: "icinga-{{ item.key }}"
state: restarted
when: icingaweb2_modules is defined and item.value.enabled|bool == true and item.key in ['vspheredb', 'x509']
loop: "{{ icingaweb2_modules | dict2items }}"
38 changes: 38 additions & 0 deletions roles/icingaweb2/tasks/manage_mysql_imports.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
---
- name: Check Database Credentials
ansible.builtin.assert:
that:
- _db['user'] is defined
- _db['password'] is defined
fail_msg: "No database credentials defined."

- name: Build mysql command
ansible.builtin.set_fact:
_tmp_mysqlcmd: >-
mysql {% if _db['host'] | default('localhost') != 'localhost' %} -h "{{ _db['host'] }}" {%- endif %}
{% if _db['port'] is defined %} -P "{{ _db['port'] }}" {%- endif %}
{% if _db['ssl_mode'] is defined %} --ssl-mode "{{ _db['ssl_mode'] }}" {%- endif %}
{% if _db['ssl_ca'] is defined %} --ssl-ca "{{ _db['ssl_ca'] }}" {%- endif %}
{% if _db['ssl_cert'] is defined %} --ssl-cert "{{ _db['ssl_cert'] }}" {%- endif %}
{% if _db['ssl_key'] is defined %} --ssl-key "{{ _db['ssl_key'] }}" {%- endif %}
{% if _db['ssl_cipher'] is defined %} --ssl-cipher "{{ _db['ssl_cipher'] }}" {%- endif %}
{% if _db['ssl_extra_options'] is defined %} {{ _db['ssl_extra_options'] }} {%- endif %}
-u "{{ _db['user'] }}"
-p"{{ _db['password'] }}"
"{{ _db['name'] }}"
- name: MySQL check for db schema
ansible.builtin.shell: >
{{ _tmp_mysqlcmd }}
-Ns -e "{{ _db['select_query'] }}"
failed_when: false
changed_when: false
check_mode: false
register: _db_schema

- name: MySQL import db schema
ansible.builtin.shell: >
{{ _tmp_mysqlcmd }}
< {{ _db['schema_path'] }}
when: _db_schema.rc != 0
run_once: yes
66 changes: 66 additions & 0 deletions roles/icingaweb2/tasks/modules/x509.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,66 @@
- name: Module x509 | Ensure config directory
ansible.builtin.file:
state: directory
dest: "{{ icingaweb2_modules_config_dir }}/{{ _module }}"
owner: "{{ icingaweb2_httpd_user }}"
group: "{{ icingaweb2_group }}"
mode: "2770"
vars:
_module: "{{ item.key }}"

- name: Module x509 | Manage config files
ansible.builtin.include_tasks: manage_module_config.yml
loop: "{{ _files }}"
loop_control:
loop_var: _file
when: vars['icingaweb2_modules'][_module][_file] is defined
vars:
_module: "{{ item.key }}"
_files:
- config
- sni

- name: Module x509 | Manage Schema
block:
- name: Module x509 | Prepare _db informations
ansible.builtin.set_fact:
_db:
host: "{{ vars['icingaweb2_modules'][_module]['database']['host'] | default('localhost') }}"
port: "{{ vars['icingaweb2_modules'][_module]['database']['port'] | default('3306') }}"
user: "{{ vars['icingaweb2_modules'][_module]['database']['user'] | default('x509') }}"
password: "{{ vars['icingaweb2_modules'][_module]['database']['password'] | default(omit) }}"
name: "{{ vars['icingaweb2_modules'][_module]['database']['name'] | default('x509') }}"
ssl_mode: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_mode'] | default(omit) }}"
ssl_ca: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_ca'] | default(omit) }}"
ssl_cert: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_cert'] | default(omit) }}"
ssl_key: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_key'] | default(omit) }}"
ssl_cipher: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_cipher'] | default(omit) }}"
ssl_extra_options: "{{ vars['icingaweb2_modules'][_module]['database']['ssl_extra_options'] | default(omit) }}"
schema_path: /usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql
select_query: "select * from x509_certificate"
when: vars['icingaweb2_modules'][_module]['database']['type'] | default('mysql') == 'mysql'

- ansible.builtin.fail:
fail_msg: "The Database type select is not supported, {{ vars['icingaweb2_modules'][_module]['database']['type'] }} [Supported=mysql]"
when: vars['icingaweb2_modules'][_module]['database']['type'] is defined and vars['icingaweb2_modules'][_module]['database']['type'] != 'mysql'

- name: Module x509 | Import Schema
ansible.builtin.include_tasks: ../manage_mysql_imports.yml

- name: Module x509 | empty _db var
ansible.builtin.set_fact:
_db: {}
when: vars['icingaweb2_modules'][_module]['database']['import_schema'] | default(false)
vars:
_module: "{{ item.key }}"

- name: Module x509 | Import Certificates
ansible.builtin.shell: >
icingacli {{ _module }} import --file {{ _file }}
loop: "{{ vars['icingaweb2_modules'][_module]['certificate_files'] }}"
loop_control:
loop_var: _file
vars:
_module: "{{ item.key }}"
when: vars['icingaweb2_modules'][_module]['certificate_files'] is defined
changed_when: false
3 changes: 2 additions & 1 deletion roles/icingaweb2/vars/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -2,4 +2,5 @@
icingaweb2_module_packages:
icingadb: icingadb-web
director: icinga-director
businessprocess: icinga-businessprocess
x509: icinga-x509
businessprocess: icinga-businessprocess

0 comments on commit 5f2e504

Please sign in to comment.