Puppet Class: icinga2::pki::ca

Defined in:
manifests/pki/ca.pp

Summary

This class provides multiple ways to create the CA used by Icinga 2.

Overview

Examples:

Let Icinga 2 generate a CA for you:

include icinga2
include icinga2::pki::ca

Set the content of CA certificate and key:

include icinga2

class { 'icinga2::pki::ca':
  ca_cert => '-----BEGIN CERTIFICATE----- ...',
  ca_key  => '-----BEGIN RSA PRIVATE KEY----- ...',
}

Parameters:

  • ca_cert (Optional[String]) (defaults to: undef)

    Content of the CA certificate. If this is unset, a certificate will be generated with the Icinga 2 CLI.

  • ca_key (Optional[Icinga::Secret]) (defaults to: undef)

    Content of the CA private key. If this is unset, a key will be generated with the Icinga 2 CLI.



# File 'manifests/pki/ca.pp', line 23

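class icinga2::pki::ca (
  Optional[String]         $ca_cert = undef,
  Optional[Icinga::Secret] $ca_key  = undef,
) {
  # The directory layout and the NodeName constant consumed below are
  # provided by icinga2::config, so it has to be evaluated first.
  require icinga2::config

  $icinga2_bin = $icinga2::globals::icinga2_bin
  $ca_dir      = $icinga2::globals::ca_dir
  $cert_dir    = $icinga2::globals::cert_dir
  $user        = $icinga2::globals::user
  $group       = $icinga2::globals::group
  $node_name   = $icinga2::_constants['NodeName']

  # Node key, CSR and certificate, plus the copy of the CA certificate the
  # node itself trusts (distinct from "${ca_dir}/ca.crt", the CA's own copy).
  $_ssl_key_path    = "${cert_dir}/${node_name}.key"
  $_ssl_csr_path    = "${cert_dir}/${node_name}.csr"
  $_ssl_cert_path   = "${cert_dir}/${node_name}.crt"
  $_ssl_cacert_path = "${cert_dir}/ca.crt"

  # Everything managed here belongs to the Icinga 2 service account.
  File {
    owner   => $user,
    group   => $group,
    seltype => 'icinga2_var_lib_t',
  }

  # A single platform test drives both the key permissions and the
  # `source` URI form; the two previously used different facts.
  $_on_windows = $facts['os']['family'] == 'windows'

  # Private keys are owner-readable only; POSIX modes do not apply on Windows.
  $_ca_key_mode = $_on_windows ? {
    true    => undef,
    default => '0600',
  }

  # Passing only one half of the CA pair is almost certainly a mistake:
  # the half that was given is ignored and a fresh CA is generated instead.
  # Say so rather than silently doing the latter.
  if ($ca_cert and !$ca_key) or (!$ca_cert and $ca_key) {
    warning('icinga2::pki::ca: only one of ca_cert/ca_key was set; both are needed to install an existing CA, generating a new one instead')
  }

  if !$ca_cert or !$ca_key {
    # Let the Icinga 2 CLI create the CA; `creates` makes this a one-shot.
    exec { 'create-icinga2-ca':
      command     => "\"${icinga2_bin}\" pki new-ca",
      environment => ["ICINGA2_USER=${user}", "ICINGA2_GROUP=${group}"],
      creates     => "${ca_dir}/ca.crt",
      before      => File[$_ssl_cacert_path],
      notify      => Class['icinga2::service'],
    }
  } else {
    file { $ca_dir:
      ensure => directory,
    }

    file { "${ca_dir}/ca.crt":
      ensure  => file,
      content => icinga::newline($ca_cert),
      tag     => 'icinga2::config::file',
      before  => File[$_ssl_cacert_path],
    }

    # The key must never show up in diffs, reports or filebucket backups.
    # `pki sign-csr` below reads it, so that ordering is declared
    # explicitly instead of relying on manifest order.
    file { "${ca_dir}/ca.key":
      ensure    => file,
      mode      => $_ca_key_mode,
      content   => icinga::newline($ca_key),
      tag       => 'icinga2::config::file',
      show_diff => false,
      backup    => false,
      before    => Exec['icinga2 pki sign certificate'],
    }
  }

  # Copy the CA certificate into the node's cert directory. On Windows the
  # file resource needs a file:// URI to read a local path.
  file { $_ssl_cacert_path:
    ensure => file,
    source => $_on_windows ? {
      true    => "file:///${ca_dir}/ca.crt",
      default => "${ca_dir}/ca.crt",
    },
  }

  # Generate the node key and CSR once; nothing runs again while the key exists.
  exec { 'icinga2 pki create certificate signing request':
    command     => "\"${icinga2_bin}\" pki new-cert --cn ${node_name} --key ${_ssl_key_path} --csr ${_ssl_csr_path}",
    environment => ["ICINGA2_USER=${user}", "ICINGA2_GROUP=${group}"],
    creates     => $_ssl_key_path,
    require     => File[$_ssl_cacert_path],
  }

  # Same handling as the CA key: tight mode, never diffed or backed up.
  -> file { $_ssl_key_path:
    ensure    => file,
    mode      => $_ca_key_mode,
    show_diff => false,
    backup    => false,
  }

  # Sign the CSR only when a new one was just produced (refreshonly), then
  # restart the service so it picks up the new certificate.
  exec { 'icinga2 pki sign certificate':
    command     => "\"${icinga2_bin}\" pki sign-csr --csr ${_ssl_csr_path} --cert ${_ssl_cert_path}",
    environment => ["ICINGA2_USER=${user}", "ICINGA2_GROUP=${group}"],
    subscribe   => Exec['icinga2 pki create certificate signing request'],
    refreshonly => true,
    notify      => Class['icinga2::service'],
  }

  # The signed certificate stays; the CSR is removed once it has been used.
  -> file {
    $_ssl_cert_path:
      ensure => file;
    $_ssl_csr_path:
      ensure => absent;
  }
}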