rework x509 to always use db credentials from monitoring module

voxpupuli · Nov 8, 2023 · b43e433 · b43e433
1 parent bdc8fbd
commit b43e433
Show file tree

Hide file tree

Showing 10 changed files with 451 additions and 185 deletions.
diff --git a/REFERENCE.md b/REFERENCE.md
@@ -31,7 +31,7 @@
 * [`icingaweb2::module::translation`](#icingaweb2--module--translation): Installs and configures the translation module.
 * [`icingaweb2::module::vspheredb`](#icingaweb2--module--vspheredb): Installs the vsphereDB plugin
 * [`icingaweb2::module::x509`](#icingaweb2--module--x509): Installs the x509 module
-* [`icingaweb2::module::x509::service`](#icingaweb2--module--x509--service): Installs and configures the x509 job scheduler.
+* [`icingaweb2::module::x509::install`](#icingaweb2--module--x509--install): Install the x509 module
 
 #### Private Classes
 
@@ -50,6 +50,8 @@
 * `icingaweb2::module::vspheredb::config`: Configure the VSphereDB module
 * `icingaweb2::module::vspheredb::install`: Install the VSphereDB module
 * `icingaweb2::module::vspheredb::service`: Manage the vspheredb service.
+* `icingaweb2::module::x509::config`: Configure the x509 module
+* `icingaweb2::module::x509::service`: Manage the x509 job scheduler.
 
 ### Defined types
 
@@ -3350,6 +3352,10 @@ The following parameters are available in the `icingaweb2::module::x509` class:
 * [`tls_noverify`](#-icingaweb2--module--x509--tls_noverify)
 * [`tls_cipher`](#-icingaweb2--module--x509--tls_cipher)
 * [`import_schema`](#-icingaweb2--module--x509--import_schema)
+* [`manage_service`](#-icingaweb2--module--x509--manage_service)
+* [`service_ensure`](#-icingaweb2--module--x509--service_ensure)
+* [`service_enable`](#-icingaweb2--module--x509--service_enable)
+* [`service_user`](#-icingaweb2--module--x509--service_user)
 
 ##### <a name="-icingaweb2--module--x509--ensure"></a>`ensure`
 
@@ -3359,15 +3365,15 @@ Ensures the state of the x509 module.
 
 ##### <a name="-icingaweb2--module--x509--module_dir"></a>`module_dir`
 
-Data type: `Optional[Stdlib::Absolutepath]`
+Data type: `Stdlib::Absolutepath`
 
 Target directory of the module.
 
-Default value: `undef`
+Default value: `"${icingaweb2::globals::default_module_path}/x509"`
 
 ##### <a name="-icingaweb2--module--x509--git_repository"></a>`git_repository`
 
-Data type: `String`
+Data type: `Stdlib::HTTPUrl`
 
 The upstream module repository.
 
@@ -3397,16 +3403,12 @@ Data type: `Enum['mysql', 'pgsql']`
 
 The database type. Either mysql or pgsql.
 
-Default value: `'mysql'`
-
 ##### <a name="-icingaweb2--module--x509--db_host"></a>`db_host`
 
 Data type: `Stdlib::Host`
 
 The host where the database will be running
 
-Default value: `'localhost'`
-
 ##### <a name="-icingaweb2--module--x509--db_port"></a>`db_port`
 
 Data type: `Optional[Stdlib::Port]`
@@ -3421,16 +3423,12 @@ Data type: `String`
 
 The name of the database this module should use.
 
-Default value: `'x509'`
-
 ##### <a name="-icingaweb2--module--x509--db_username"></a>`db_username`
 
 Data type: `String`
 
 The username needed to access the database.
 
-Default value: `'x509'`
-
 ##### <a name="-icingaweb2--module--x509--db_password"></a>`db_password`
 
 Data type: `Optional[Icingaweb2::Secret]`
@@ -3539,42 +3537,33 @@ whereas with mysql its different options.
 
 Default value: `false`
 
-### <a name="icingaweb2--module--x509--service"></a>`icingaweb2::module::x509::service`
-
-Installs and configures the x509 job scheduler.
-
-* **Note** Only systemd is supported by the Icinga Team and this module.
+##### <a name="-icingaweb2--module--x509--manage_service"></a>`manage_service`
 
-#### Examples
-
-##### 
+Data type: `Boolean`
 
-```puppet
-include icingaweb2::module::x509::service
-```
+If set to true the service (daemon) is managed.
 
-#### Parameters
+##### <a name="-icingaweb2--module--x509--service_ensure"></a>`service_ensure`
 
-The following parameters are available in the `icingaweb2::module::x509::service` class:
+Data type: `Stdlib::Ensure::Service`
 
-* [`ensure`](#-icingaweb2--module--x509--service--ensure)
-* [`enable`](#-icingaweb2--module--x509--service--enable)
+Wether the service is `running` or `stopped`.
 
-##### <a name="-icingaweb2--module--x509--service--ensure"></a>`ensure`
+##### <a name="-icingaweb2--module--x509--service_enable"></a>`service_enable`
 
-Data type: `Stdlib::Ensure::Service`
+Data type: `Boolean`
 
-Whether the x509 service should be running.
+Whether the service should be started at boot time.
 
-Default value: `'running'`
+##### <a name="-icingaweb2--module--x509--service_user"></a>`service_user`
 
-##### <a name="-icingaweb2--module--x509--service--enable"></a>`enable`
+Data type: `String`
 
-Data type: `Boolean`
+The user as which the service is running. Only valid if `install_method` is set to `git`.
 
-Enable or disable the service.
+### <a name="icingaweb2--module--x509--install"></a>`icingaweb2::module::x509::install`
 
-Default value: `true`
+Install the x509 module
 
 ## Defined types
 

diff --git a/data/Linux-kernel.yaml b/data/Linux-kernel.yaml
@@ -10,8 +10,6 @@ icingaweb2::globals::mysql_idoreports_slaperiods: /usr/share/icingaweb2/modules/
 icingaweb2::globals::mysql_idoreports_sla_percent: /usr/share/icingaweb2/modules/idoreports/schema/mysql/get_sla_ok_percent.sql
 icingaweb2::globals::pgsql_idoreports_slaperiods: /usr/share/icingaweb2/modules/idoreports/schema/postgresql/slaperiods.sql
 icingaweb2::globals::pgsql_idoreports_sla_percent: /usr/share/icingaweb2/modules/idoreports/schema/postgresql/get_sla_ok_percent.sql
-icingaweb2::globals::mysql_x509_schema: /usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql
-icingaweb2::globals::pgsql_x509_schema: /usr/share/icingaweb2/modules/x509/schema/pgsql.schema.sql
 icingaweb2::globals::gettext_package_name: gettext
 icingaweb2::globals::icingacli_bin: /usr/bin/icingacli
 icingaweb2::globals::default_module_path: /usr/share/icingaweb2/modules
@@ -23,3 +21,4 @@ icingaweb2::module::director::package_name: icingaweb2-module-director
 icingaweb2::module::reporting::package_name: icingaweb2-module-reporting
 icingaweb2::module::idoreports::package_name: icingaweb2-module-idoreports
 icingaweb2::module::vspheredb::package_name: icingaweb2-module-vspheredb
+icingaweb2::module::x509::package_name: icingaweb2-module-x509
diff --git a/data/common.yaml b/data/common.yaml
@@ -14,10 +14,6 @@ icingaweb2::module::graphite::git_repository: https://github.com/Icinga/icingawe
 icingaweb2::module::incubator::git_repository: https://github.com/Icinga/icingaweb2-module-incubator.git
 icingaweb2::module::incubator::git_revision: v0.19.0
 icingaweb2::module::puppetdb::git_repository: https://github.com/Icinga/icingaweb2-module-puppetdb.git
-icingaweb2::module::x509::ensure: present
-icingaweb2::module::x509::install_method: git
-icingaweb2::module::x509::git_repository: https://github.com/Icinga/icingaweb2-module-x509.git
-icingaweb2::module::x509::package_name: icingaweb2-module-x509
 
 icingaweb2::module::monitoring::ensure: present
 icingaweb2::module::monitoring::protected_customvars:
@@ -64,6 +60,20 @@ icingaweb2::module::idoreports::ensure: present
 icingaweb2::module::idoreports::install_method: git
 icingaweb2::module::idoreports::git_repository: https://github.com/Icinga/icingaweb2-module-idoreports.git
 
+icingaweb2::globals::mysql_x509_schema: /schema/mysql.schema.sql
+icingaweb2::globals::pgsql_x509_schema: /schema/pgsql.schema.sql
+icingaweb2::module::x509::ensure: present
+icingaweb2::module::x509::install_method: git
+icingaweb2::module::x509::git_repository: https://github.com/Icinga/icingaweb2-module-x509.git
+icingaweb2::module::x509::package_name: icingaweb2-module-x509
+icingaweb2::module::x509::manage_service: true
+icingaweb2::module::x509::service_ensure: running
+icingaweb2::module::x509::service_enable: true
+icingaweb2::module::x509::service_user: icingax509
+icingaweb2::module::x509::db_host: localhost
+icingaweb2::module::x509::db_name: x509
+icingaweb2::module::x509::db_username: x509
+
 icingaweb2::globals::mysql_vspheredb_schema: /schema/mysql.sql
 icingaweb2::globals::pgsql_vspheredb_schema: /schema/pgsql.sql
 icingaweb2::module::vspheredb::ensure: present

diff --git a/manifests/globals.pp b/manifests/globals.pp
@@ -96,11 +96,13 @@
  'director' => 'utf8',
  'vspheredb' => 'utf8mb4',
  'reporting' => 'utf8mb4',
+ 'x509' => 'utf8',
  },
  'pgsql' => {
  'director' => 'UTF8',
  'vspheredb' => 'UTF8',
  'reporting' => 'UTF8',
+ 'x509' => 'UTF8',
  },
  }
 

diff --git a/manifests/module/x509.pp b/manifests/module/x509.pp
@@ -76,6 +76,18 @@
 # both means true. With mariadb its cli options are used for the import,
 # whereas with mysql its different options.
 #
+# @param manage_service
+# If set to true the service (daemon) is managed.
+#
+# @param service_ensure
+# Wether the service is `running` or `stopped`.
+#
+# @param service_enable
+# Whether the service should be started at boot time.
+#
+# @param service_user
+# The user as which the service is running. Only valid if `install_method` is set to `git`.
+#
 # @example
 # class { 'icingaweb2::module::x509':
 # ensure => present,
@@ -89,18 +101,22 @@
 class icingaweb2::module::x509 (
  Enum['absent', 'present'] $ensure,
  Enum['git', 'none', 'package'] $install_method,
- String  $git_repository,
+ Stdlib::HTTPUrl $git_repository,
  String $package_name,
- Optional[Stdlib::Absolutepath] $module_dir = undef,
- Optional[String] $git_revision = undef,
- Enum['mysql', 'pgsql'] $db_type = 'mysql',
- Stdlib::Host $db_host = 'localhost',
- Optional[Stdlib::Port] $db_port = undef,
- String $db_name = 'x509',
- String $db_username = 'x509',
+ Boolean $manage_service,
+ Stdlib::Ensure::Service $service_ensure,
+ Boolean $service_enable,
+ String $service_user,
+ Enum['mysql', 'pgsql'] $db_type,
+ Stdlib::Host $db_host,
+ String $db_name,
+ String $db_username,
  Optional[Icingaweb2::Secret] $db_password = undef,
+ Optional[Stdlib::Port] $db_port = undef,
  Optional[String] $db_charset = undef,
  Variant[Boolean, Enum['mariadb', 'mysql']] $import_schema = false,
+ Stdlib::Absolutepath $module_dir = "${icingaweb2::globals::default_module_path}/x509",
+ Optional[String] $git_revision = undef,
  Optional[Boolean] $use_tls = undef,
  Optional[Stdlib::Absolutepath] $tls_key_file = undef,
  Optional[Stdlib::Absolutepath] $tls_cert_file = undef,
@@ -114,116 +130,43 @@
 ) {
  icingaweb2::assert_module()
 
- $conf_dir = $icingaweb2::globals::conf_dir
- $mysql_x509_schema = $icingaweb2::globals::mysql_x509_schema
- $pgsql_x509_schema = $icingaweb2::globals::pgsql_x509_schema
- $module_conf_dir = "${conf_dir}/modules/x509"
- $_db_port = pick($db_port, $icingaweb2::globals::port[$db_type])
+ $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/x509"
+ $cert_dir = "${icingaweb2::globals::state_dir}/x509/certs"
 
- $_db_charset = if $db_charset {
- $db_charset
- } else {
- if $db_type == 'mysql' {
- 'utf8mb4'
- } else {
- 'UTF8'
- }
+ $db = {
+ type => $db_type,
+ database => $db_name,
+ host => $db_host,
+ port => $db_port,
+ username => $db_username,
+ password => $db_password,
  }
 
- $tls = delete($icingaweb2::config::tls, ['key', 'cert', 'cacert']) + delete_undef_values(icingaweb2::cert::files(
- 'client',
- $module_conf_dir,
- $tls_key_file,
- $tls_cert_file,
- $tls_cacert_file,
- $tls_key,
- $tls_cert,
- $tls_cacert,
- ), {
- capath => $tls_capath,
- noverify => $tls_noverify,
- cipher => $tls_cipher,
- })
+ $tls = icinga::cert::files(
+ $db_username,
+ $cert_dir,
+ $tls_key_file,
+ $tls_cert_file,
+ $tls_cacert_file,
+ $tls_key,
+ $tls_cert,
+ $tls_cacert,
+ )
 
- Exec {
- user => 'root',
- path => $facts['path'],
- provider => 'shell',
- require => [Icingaweb2::Module['x509'], Icingaweb2::Tls::Client['icingaweb2::module::x509 tls client config']],
- }
-
- icingaweb2::tls::client { 'icingaweb2::module::x509 tls client config':
- args => $tls,
- }
-
- icingaweb2::resource::database { 'x509':
- type => $db_type,
- host => $db_host,
- port => $_db_port,
- database => $db_name,
- username => $db_username,
- password => $db_password,
- charset => $_db_charset,
- use_tls => $use_tls,
- tls_noverify => $tls['noverify'],
- tls_key => $tls['key_file'],
- tls_cert => $tls['cert_file'],
- tls_cacert => $tls['cacert_file'],
- tls_capath => $tls['capath'],
- tls_cipher => $tls['cipher'],
- }
-
- icingaweb2::module { 'x509':
- ensure => $ensure,
- git_repository => $git_repository,
- git_revision => $git_revision,
- install_method => $install_method,
- module_dir => $module_dir,
- package_name => $package_name,
- settings => {
- 'icingaweb2-module-x509-backend' => {
- 'section_name' => 'backend',
- 'target' => "${module_conf_dir}/config.ini",
- 'settings' => {
- 'resource' => 'x509',
- },
+ $settings = {
+ 'icingaweb2-module-x509-backend' => {
+ 'section_name' => 'backend',
+ 'target' => "${module_conf_dir}/config.ini",
+ 'settings' => {
+ 'resource' => 'x509',
  },
  },
  }
 
- if $import_schema {
- $real_db_type = if $import_schema =~ Boolean {
- if $db_type == 'pgsql' { 'pgsql' } else { 'mariadb' }
- } else {
- $import_schema
- }
- $db_cli_options = icingaweb2::db::connect({
- type => $real_db_type,
- name => $db_name,
- host => $db_host,
- port => $_db_port,
- user => $db_username,
- pass => $db_password,
- }, $tls, $use_tls)
-
- case $db_type {
- 'mysql': {
- exec { 'import icingaweb2::module::x509 schema':
- command => "mysql ${db_cli_options} < '${mysql_x509_schema}'",
- unless => "mysql ${db_cli_options} -Ns -e 'SELECT * FROM report'",
- }
- }
- 'pgsql': {
- $_db_password = icingaweb2::unwrap($db_password)
- exec { 'import icingaweb2::module::x509 schema':
- environment => ["PGPASSWORD=${_db_password}"],
- command => "psql '${db_cli_options}' -w -f ${pgsql_x509_schema}",
- unless => "psql '${db_cli_options}' -w -c 'SELECT * FROM report'",
- }
- } # pgsql (not supported)
- default: {
- fail('The database type you provided is not supported.')
- }
- }
- } # schema import
+ class { 'icingaweb2::module::x509::install': }
+ -> class { 'icingaweb2::module::x509::config': }
+ ~> class { 'icingaweb2::module::x509::service': }
+ contain icingaweb2::module::x509::install
+ contain icingaweb2::module::x509::config
+ contain icingaweb2::module::x509::service
 }