change default directory for certificates and keys (icingadb and redi…

…s databases)

manifests/module.pp

@@ -62,33 +62,36 @@
  icingaweb2::assert_module()
 
  $conf_dir = $icingaweb2::globals::conf_dir
+ $state_dir = $icingaweb2::globals::state_dir
  $conf_user = $icingaweb2::conf_user
  $conf_group = $icingaweb2::conf_group
 
- File {
- owner => $conf_user,
- group => $conf_group,
- }
-
  $enable_module = if $ensure == 'present' {
  'link'
  } else {
  'absent'
  }
 
- file { "${conf_dir}/enabledModules/${module}":
- ensure => $enable_module,
- target => $module_dir,
- }
-
- file { "${conf_dir}/modules/${module}":
- ensure => directory,
- mode => '2770',
+ file {
+ default:
+ owner => $conf_user,
+ group => $conf_group,
+ ;
+ "${conf_dir}/enabledModules/${module}":
+ ensure => $enable_module,
+ target => $module_dir,
+ ;
+ ["${conf_dir}/modules/${module}", "${state_dir}/${module}"]:
+ ensure => directory,
+ owner => 'root',
+ mode => '2770',
+ ;
  }
 
  create_resources('icingaweb2::inisection', $settings)
 
  case $install_method {
+ 'none': {}
  'git': {
  vcsrepo { $module_dir:
  ensure => present,
@@ -97,7 +100,6 @@
  revision => $git_revision,
  }
  }
- 'none': {}
  'package': {
  package { $package_name:
  ensure => installed,

manifests/module/icingadb.pp

@@ -155,13 +155,15 @@
 ) {
  icingaweb2::assert_module()
 
- $conf_dir = $icingaweb2::globals::conf_dir
- $module_conf_dir = "${conf_dir}/modules/icingadb"
+ $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/icingadb"
+ $cert_dir = "${icingaweb2::globals::state_dir}/icingadb/certs"
+ $conf_user = $icingaweb2::conf_user
+ $conf_group = $icingaweb2::conf_group
 
  if $redis_use_tls {
- $redis_tls_files = icingaweb2::cert::files(
+ $redis_tls_files = icinga::cert::files(
  'redis',
- $module_conf_dir,
+ $cert_dir,
  $redis_tls_key_file,
  $redis_tls_cert_file,
  $redis_tls_cacert_file,
@@ -175,7 +177,7 @@
  key => $redis_tls_files['key_file'],
  ca => $redis_tls_files['cacert_file'],
  })
- icingaweb2::tls::client { 'icingaweb2::module::icingadb redis client tls config':
+ icinga::cert { 'icingaweb2::module::icingadb redis client tls config':
  args => $redis_tls_files,
  }
  } else {
@@ -215,23 +217,28 @@
  },
  }
 
- $db_tls = delete($icingaweb2::config::tls, ['key', 'cert', 'cacert']) + delete_undef_values(icingaweb2::cert::files(
- 'client',
- $module_conf_dir,
+ $db_tls = delete_undef_values(icinga::cert::files(
+ $db_username,
+ $cert_dir,
  $db_tls_key_file,
  $db_tls_cert_file,
  $db_tls_cacert_file,
  $db_tls_key,
  $db_tls_cert,
  $db_tls_cacert,
- ), {
- capath => $db_tls_capath,
- noverify => $db_tls_noverify,
- cipher => $db_tls_cipher,
- })
+ ))
 
- icingaweb2::tls::client { 'icingaweb2::module::icingadb tls client config':
- args => $db_tls,
+ file { $cert_dir:
+ ensure => directory,
+ owner => 'root',
+ group => $conf_group,
+ mode => '2770',
+ }
+
+ icinga::cert { 'icingaweb2::module::icingadb tls client config':
+ owner => $conf_user,
+ group => $conf_group,
+ args => $db_tls,
  }
 
  icingaweb2::resource::database { 'icingaweb2-module-icingadb':
@@ -243,12 +250,12 @@
  password => $db_password,
  charset => $db_charset,
  use_tls => $db_use_tls,
- tls_noverify => $db_tls['noverify'],
+ tls_noverify => unless $db_tls_noverify { $icingaweb2::config::tls['noverify'] } else { $db_tls_noverify },
  tls_key => $db_tls['key_file'],
  tls_cert => $db_tls['cert_file'],
- tls_cacert => $db_tls['cacert_file'],
- tls_capath => $db_tls['capath'],
- tls_cipher => $db_tls['cipher'],
+ tls_cacert => unless $db_tls_cacert_file { $icingaweb2::config::tls['cacert_file'] } else { $db_tls_cacert_file },
+ tls_capath => unless $db_tls_capath { $icingaweb2::config::tls['capath'] } else { $db_tls_capath },
+ tls_cipher => unless $db_tls_cipher { $icingaweb2::config::tls['cipher'] } else { $db_tls_cipher },
  }
 
  create_resources('icingaweb2::module::icingadb::commandtransport', $commandtransports)

metadata.json

@@ -1,6 +1,6 @@
 {
  "name": "icinga-icingaweb2",
- "version": "3.9.1",
+ "version": "4.0.0",
  "author": "Icinga Team",
  "summary": "Icinga Web 2 Puppet Module",
  "license": "Apache-2.0",
@@ -18,7 +18,7 @@
  },
  {
  "name": "icinga/icinga",
- "version_requirement": ">= 2.1.0 < 5.0.0"
+ "version_requirement": ">= 2.9.0 < 5.0.0"
  },
  {
  "name": "puppetlabs/vcsrepo",

spec/classes/icingaweb2_spec.rb

@@ -131,7 +131,7 @@
  end
 
  context "with db_type 'mysql', import_schema 'true'" do
- let(:params) {{ import_schema: true, db_type: 'mysql' }}
+ let(:params) { { import_schema: true, db_type: 'mysql' } }
 
  it { is_expected.to contain_icingaweb2__resource__database('mysql-icingaweb2') }
  it { is_expected.to contain_icingaweb2__config__authmethod('mysql-auth') }
@@ -141,7 +141,7 @@
  end
 
  context "with db_type 'pgsql', import_schema 'true'" do
- let(:params) {{ import_schema: true, db_type: 'pgsql' }}
+ let(:params) { { import_schema: true, db_type: 'pgsql' } }
 
  it { is_expected.to contain_icingaweb2__resource__database('pgsql-icingaweb2') }
  it { is_expected.to contain_icingaweb2__config__authmethod('pgsql-auth') }
@@ -151,7 +151,7 @@
  end
 
  context 'with import_schema => true and admin_role => false' do
- let(:params) {{ import_schema: true, db_type: 'mysql', admin_role: false }}
+ let(:params) { { import_schema: true, db_type: 'mysql', admin_role: false } }
 
  it { is_expected.not_to contain_icingaweb2__config__role('default admin user') }
  end

spec/classes/icingadb_spec.rb → spec/classes/modules/icingadb_spec.rb

@@ -1,19 +1,19 @@
 require 'spec_helper'
 
 describe('icingaweb2::module::icingadb', type: :class) do
- let(:pre_condition) do
- [
- "class { 'icingaweb2': db_type => 'mysql' }",
- ]
- end
-
  on_supported_os.each do |os, facts|
  context "on #{os}" do
  let :facts do
  facts
  end
 
  context "#{os} with local MySQL and Redis" do
+ let(:pre_condition) do
+ [
+ "class { 'icingaweb2': db_type => 'mysql' }",
+ ]
+ end
+
  let(:params) do
  {
  db_type: 'mysql',
@@ -71,6 +71,12 @@
  end
 
  context "#{os} with local PostgreSQL and Redis" do
+ let(:pre_condition) do
+ [
+ "class { 'icingaweb2': db_type => 'mysql' }",
+ ]
+ end
+
  let(:params) do
  {
  db_type: 'pgsql',
@@ -126,6 +132,74 @@
  )
  }
  end
+
+ context "#{os} with db_use_tls 'true'" do
+ let(:pre_condition) do
+ [
+ "class { 'icingaweb2': db_type => 'mysql', tls_cacert_file => '/foo/bar', tls_capath => '/foo/bar', tls_noverify => true, tls_cipher => 'cipher' }",
+ ]
+ end
+
+ let(:params) do
+ {
+ db_type: 'mysql',
+ db_use_tls: true,
+ }
+ end
+
+ it {
+ is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-icingadb').with(
+ {
+ 'type' => 'mysql',
+ 'host' => 'localhost',
+ 'port' => 3306,
+ 'database' => 'icingadb',
+ 'username' => 'icingadb',
+ 'use_tls' => true,
+ 'tls_cacert' => '/foo/bar',
+ 'tls_capath' => '/foo/bar',
+ 'tls_noverify' => true,
+ 'tls_cipher' => 'cipher',
+ },
+ )
+ }
+ end
+
+ context "#{os} with db_use_tls 'true', db_tls_cacert 'cacert', db_tls_capath '/foo/bar', db_tls_noverify 'true', db_tls_cipher 'cipher'" do
+ let(:pre_condition) do
+ [
+ "class { 'icingaweb2': db_type => 'pgsql' }",
+ ]
+ end
+
+ let(:params) do
+ {
+ db_type: 'pgsql',
+ db_use_tls: true,
+ db_tls_cacert_file: '/foo/bar',
+ db_tls_capath: '/foo/bar',
+ db_tls_noverify: true,
+ db_tls_cipher: 'cipher',
+ }
+ end
+
+ it {
+ is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-icingadb').with(
+ {
+ 'type' => 'pgsql',
+ 'host' => 'localhost',
+ 'port' => 5432,
+ 'database' => 'icingadb',
+ 'username' => 'icingadb',
+ 'use_tls' => true,
+ 'tls_cacert' => '/foo/bar',
+ 'tls_capath' => '/foo/bar',
+ 'tls_noverify' => true,
+ 'tls_cipher' => 'cipher',
+ },
+ )
+ }
+ end
  end
  end
 end