From e45e821b617fbc86c2258393897b013a89949037 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Thu, 2 Nov 2023 10:09:09 +0100 Subject: [PATCH 01/14] change default directory for certificates and keys (icingaweb2 database) --- manifests/config.pp | 36 ++---- manifests/init.pp | 22 ++++ manifests/install.pp | 15 ++- spec/classes/config_spec.rb | 81 ------------ spec/classes/icingaweb2_spec.rb | 117 ++++++++++++++++-- spec/defines/{ => config}/authmethod_spec.rb | 2 +- .../defines/{ => config}/groupbackend_spec.rb | 2 +- spec/defines/{ => config}/navigation_spec.rb | 8 +- spec/defines/{ => config}/role_spec.rb | 2 +- spec/defines/inisection_spec.rb | 28 ++++- spec/defines/resource/database_spec.rb | 87 +++++++++++++ spec/defines/resource/ldap_spec.rb | 63 ++++++++++ spec/defines/resource_database_spec.rb | 37 ------ spec/defines/resource_ldap_spec.rb | 73 ----------- 14 files changed, 334 insertions(+), 239 deletions(-) delete mode 100644 spec/classes/config_spec.rb rename spec/defines/{ => config}/authmethod_spec.rb (96%) rename spec/defines/{ => config}/groupbackend_spec.rb (97%) rename spec/defines/{ => config}/navigation_spec.rb (94%) rename spec/defines/{ => config}/role_spec.rb (94%) create mode 100644 spec/defines/resource/database_spec.rb create mode 100644 spec/defines/resource/ldap_spec.rb delete mode 100644 spec/defines/resource_database_spec.rb delete mode 100644 spec/defines/resource_ldap_spec.rb diff --git a/manifests/config.pp b/manifests/config.pp index c865eee4..e7aef665 100644 --- a/manifests/config.pp +++ b/manifests/config.pp @@ -6,6 +6,7 @@ class icingaweb2::config { $conf_dir = $icingaweb2::globals::conf_dir $default_module_path = $icingaweb2::globals::default_module_path + $ssl_dir = "${icingaweb2::globals::state_dir}/certs" $logging = $icingaweb2::logging $logging_file = $icingaweb2::logging_file 
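Review bot: `$ssl_dir`, added at the top of `icingaweb2::config`, is not referenced by any config.pp hunk in this patch. It repeats the expression that init.pp assigns to `$cert_dir` and that install.pp reads as `$icingaweb2::cert_dir`. If nothing outside the visible hunks uses it, drop the line; otherwise define it as `$ssl_dir = $icingaweb2::cert_dir` so the certificate directory is set in one place. The class body continues outside this hunk.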
@@ -27,14 +28,7 @@ $import_schema = $icingaweb2::import_schema $mysql_db_schema = $icingaweb2::globals::mysql_db_schema $pgsql_db_schema = $icingaweb2::globals::pgsql_db_schema - $db = { - type => $icingaweb2::db_type, - name => $icingaweb2::db_name, - host => $icingaweb2::db_host, - port => pick($icingaweb2::db_port, $icingaweb2::globals::port[$icingaweb2::db_type]), - user => $icingaweb2::db_username, - pass => $icingaweb2::db_password, - } + $db = $icingaweb2::db $default_domain = $icingaweb2::default_domain $admin_role = $icingaweb2::admin_role @@ -43,16 +37,7 @@ $config_resource = "${db['type']}-icingaweb2" $use_tls = $icingaweb2::use_tls - $tls = icingaweb2::cert::files( - 'client', - $conf_dir, - $icingaweb2::tls_key_file, - $icingaweb2::tls_cert_file, - $icingaweb2::tls_cacert_file, - $icingaweb2::tls_key, - $icingaweb2::tls_cert, - $icingaweb2::tls_cacert, - ) + { + $tls = $icingaweb2::tls + { capath => $icingaweb2::tls_capath, noverify => $icingaweb2::tls_noverify, cipher => $icingaweb2::tls_cipher, @@ -62,7 +47,6 @@ path => $facts['path'], provider => shell, user => 'root', - require => Icingaweb2::Tls::Client['icingaweb2 tls client config'], } icingaweb2::inisection { 'config-logging': @@ -149,17 +133,13 @@ } } - icingaweb2::tls::client { 'icingaweb2 tls client config': - args => $tls, - } - - -> icingaweb2::resource::database { "${db['type']}-icingaweb2": + icingaweb2::resource::database { "${db['type']}-icingaweb2": type => $db['type'], host => $db['host'], port => $db['port'], - database => $db['name'], - username => $db['user'], - password => $db['pass'], + database => $db['database'], + username => $db['username'], + password => $db['password'], use_tls => $use_tls, tls_noverify => $tls['noverify'], tls_key => $tls['key_file'], 
@@ -187,7 +167,7 @@ } else { $import_schema } - $db_cli_options = icingaweb2::db::connect($db + { type => $real_db_type }, $tls, $use_tls) + $db_cli_options = icinga::db::connect($db + { type => $real_db_type }, $tls, $use_tls) if $admin_role { icingaweb2::config::role { $admin_role['name']: diff --git a/manifests/init.pp b/manifests/init.pp index 1281fbbf..f85cd0b2 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -249,10 +249,32 @@ ) { require icingaweb2::globals + $cert_dir = "${icingaweb2::globals::state_dir}/certs" + if $manage_repos { require icinga::repos } + $db = { + type => $db_type, + database => $db_name, + host => $db_host, + port => pick($db_port, $icingaweb2::globals::port[$db_type]), + username => $db_username, + password => $db_password, + } + + $tls = icinga::cert::files( + $db_username, + $cert_dir, + $tls_key_file, + $tls_cert_file, + $tls_cacert_file, + $tls_key, + $tls_cert, + $tls_cacert, + ) + class { 'icingaweb2::install': } -> class { 'icingaweb2::config': } diff --git a/manifests/install.pp b/manifests/install.pp index ea362b44..30f43438 100644 --- a/manifests/install.pp +++ b/manifests/install.pp @@ -7,13 +7,16 @@ assert_private("You're not supposed to use this defined type manually.") $conf_dir = $icingaweb2::globals::conf_dir - $state_dir = $icingaweb2::globals::state_dir + $cert_dir = $icingaweb2::cert_dir $package_name = $icingaweb2::globals::package_name $data_dir = $icingaweb2::globals::data_dir $comp_dir = $icingaweb2::globals::comp_db_schema_dir $manage_package = $icingaweb2::manage_package $extra_packages = $icingaweb2::extra_packages + $conf_user = $icingaweb2::conf_user $conf_group = $icingaweb2::conf_group + $use_tls = $icingaweb2::use_tls + $tls = $icingaweb2::tls # # Packages 
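Review bot: In manifests/init.pp the call `icinga::cert::files($db_username, $cert_dir, ...)` replaces the removed `icingaweb2::cert::files('client', $conf_dir, ...)`, so the client key and certificate move to a new directory and take their name from the database user, but nothing in the visible hunks removes the files from the old layout. After an upgrade, or after a later change of `db_username`, the previous private key presumably stays on disk unmanaged. Consider describing the cleanup in the upgrade notes for this major version, or managing the old paths with `ensure => absent`. The icingadb module files moved in patch 02 are affected in the same way.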
@@ -45,11 +48,19 @@ prefix(['modules', 'enabledModules', 'navigation', 'preferences', 'dashboards'], "${conf_dir}/"): mode => '2770', ; - "${state_dir}/certs": + $cert_dir: mode => '2770', ; } + if $use_tls { + icinga::cert { 'icingaweb2 tls client config': + owner => $conf_user, + group => $conf_group, + args => $tls, + } + } + # # Compatmode: db schema files were moved in Icinga Web 2.11.0 # diff --git a/spec/classes/config_spec.rb b/spec/classes/config_spec.rb deleted file mode 100644 index 95458c8c..00000000 --- a/spec/classes/config_spec.rb +++ /dev/null 
@@ -1,81 +0,0 @@ -require 'spec_helper' - -describe('icingaweb2::config', type: :class) do - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - context 'with default parameters, db_type => mysql' do - let :pre_condition do - "class { 'icingaweb2': db_type => 'mysql' }" - end - - it { is_expected.to contain_icingaweb2__inisection('config-logging') } - it { - is_expected.to contain_icingaweb2__inisection('config-global') - .with_settings('show_stacktraces' => false, 'module_path' => '/usr/share/icingaweb2/modules', 'config_resource' => 'mysql-icingaweb2') - } - it { is_expected.to contain_icingaweb2__inisection('config-themes') } - it { is_expected.not_to contain_icingaweb2__inisection('config-cookie') } - - it { is_expected.to contain_icingaweb2__resource__database('mysql-icingaweb2') } - it { is_expected.not_to contain_exec('import schema') } - it { is_expected.not_to contain_exec('create default admin user') } - it { is_expected.not_to contain_icingaweb2__config__role('default admin user') } - end - - context 'with db_type => mysql, import_schema => true' do - let :pre_condition do - "class { 'icingaweb2': import_schema => true, db_type => 'mysql' }" - end - - it { is_expected.to contain_icingaweb2__resource__database('mysql-icingaweb2') } - it { is_expected.to contain_icingaweb2__config__authmethod('mysql-auth') } - it { is_expected.to contain_icingaweb2__config__role('default admin user') } - it { is_expected.to contain_exec('import schema') } - it { is_expected.to contain_exec('create default admin user') } - end - - context 'with db_type => pgsql, import_schema => true' do - let :pre_condition do - "class { 'icingaweb2': import_schema => true, db_type => 'pgsql' }" - end - - it { is_expected.to contain_icingaweb2__resource__database('pgsql-icingaweb2') } - it { is_expected.to contain_icingaweb2__config__authmethod('pgsql-auth') } - it { is_expected.to contain_icingaweb2__config__role('default admin user') } - it { 
is_expected.to contain_exec('import schema') } - it { is_expected.to contain_exec('create default admin user') } - end - - context 'with invalid db_type' do - let :pre_condition do - "class { 'icingaweb2': db_type => 'foobar' }" - end - - it { is_expected.to raise_error(Puppet::Error, %r{expects a match for Enum\['mysql', 'pgsql'\]}) } - end - - context 'with import_schema => true and admin_role => false' do - let :pre_condition do - "class { 'icingaweb2': import_schema => true, db_type => 'mysql', admin_role => false }" - end - - it { is_expected.not_to contain_icingaweb2__config__role('default admin user') } - end - - context 'with cookie_path => /' do - let :pre_condition do - "class { 'icingaweb2': cookie_path => '/', db_type => 'mysql' }" - end - - it { - is_expected.to contain_icingaweb2__inisection('config-cookie') - .with_settings('path' => '/') - } - end - end - end -end diff --git a/spec/classes/icingaweb2_spec.rb b/spec/classes/icingaweb2_spec.rb index 2cfae955..2d42ee2b 100644 --- a/spec/classes/icingaweb2_spec.rb +++ b/spec/classes/icingaweb2_spec.rb 
@@ -8,36 +8,109 @@ end context 'with defaults' do - let(:params) do - { - db_type: 'mysql', - db_password: 'secret', - } - end + let(:params) { { db_type: 'mysql' } } it { is_expected.to compile } it { is_expected.to contain_class('icingaweb2::config') } it { is_expected.to contain_class('icingaweb2::install') } + it { is_expected.not_to contain_class('icinga::repos') } + it { is_expected.to contain_package('icingaweb2').with('ensure' => 'installed') } + [ '/etc/icingaweb2/modules', + '/etc/icingaweb2/enabledModules', + '/etc/icingaweb2/navigation', + '/etc/icingaweb2/preferences', + '/etc/icingaweb2/dashboards', + '/var/lib/icingaweb2/certs' ].each do |file| + it { + is_expected.to contain_file(file) + .with_ensure('directory') + .with_mode('2770') + .with_owner('root') + .with_group('icingaweb2') + } + end + it { + is_expected.to contain_icingaweb2__inisection('config-logging') + .with_section_name('logging') + .with_target('/etc/icingaweb2/config.ini') + .with_settings( + { + 'log' => 'syslog', + 'file' => '/var/log/icingaweb2/icingaweb2.log', + 'level' => 'INFO', + 'facility' => 'user', + 'application' => 'icingaweb2', + }, + ) + } + it { + is_expected.to contain_icingaweb2__inisection('config-global') + .with_section_name('global') + .with_target('/etc/icingaweb2/config.ini') + .with_settings( + { + 'show_stacktraces' => false, + 'module_path' => '/usr/share/icingaweb2/modules', + 'config_resource' => 'mysql-icingaweb2', + }, + ) + } + it { + is_expected.to contain_icingaweb2__inisection('config-themes') + .with_section_name('themes') + .with_target('/etc/icingaweb2/config.ini') + .with_settings( + { + 'default' => 'Icinga', + 'disabled' => false, + }, + ) + } + it { is_expected.not_to contain_icingaweb2__inisection('config-authentication') } + it { is_expected.not_to contain_icingaweb2__inisection('config-cookie') } + it { + is_expected.to contain_icingaweb2__resource__database('mysql-icingaweb2') + .with_type('mysql') + .with_host('localhost') + 
.with_port(3306) + .with_database('icingaweb2') + .with_username('icingaweb2') + } + it { is_expected.not_to contain_exec('import schema') } + it { is_expected.not_to contain_exec('create default admin user') } + it { is_expected.not_to contain_icingaweb2__config__role('default admin user') } end - context 'with manage_package => false' do + context "with manage_package 'false', cookie_path '/foo/bar', default_domain 'foobar'" do let(:params) do { manage_package: false, + cookie_path: '/foo/bar', + default_domain: 'foobar', db_type: 'mysql', - db_password: 'secret', } end it { is_expected.not_to contain_package('icinga2').with('ensure' => 'installed') } + it { + is_expected.to contain_icingaweb2__inisection('config-cookie') + .with_section_name('cookie') + .with_target('/etc/icingaweb2/config.ini') + .with_settings({ 'path' => '/foo/bar' }) + } + it { + is_expected.to contain_icingaweb2__inisection('config-authentication') + .with_section_name('authentication') + .with_target('/etc/icingaweb2/config.ini') + .with_settings({ 'default_domain' => 'foobar' }) + } end context 'with additional resources, user and group backend' do let(:params) do { db_type: 'mysql', - db_password: 'secret', resources: { foo: { type: 'ldap' }, baz: { type: 'pgsql', host: 'localhost', database: 'baz', port: 5432 }, 
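Review bot: None of the contexts in this hunk sets `use_tls: true`, so the new `icinga::cert { 'icingaweb2 tls client config': }` resource in install.pp is never asserted, and neither are the key and certificate paths under `/var/lib/icingaweb2/certs`, although moving them is the purpose of the commit. A context with `use_tls: true` and the `tls_*` parameters would pin the new layout. It should check `contain_icinga__cert('icingaweb2 tls client config')` with its owner and group, and the `tls_key`, `tls_cert` and `tls_cacert` values handed to `icingaweb2::resource::database`. The icingadb spec in patch 02 covers `db_use_tls` for the module, but the main class has no counterpart.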
@@ -56,6 +129,32 @@ it { is_expected.to contain_icingaweb2__config__authmethod('bar').with('resource' => 'foo') } it { is_expected.to contain_icingaweb2__config__groupbackend('bar').with('resource' => 'foo') } end + + context "with db_type 'mysql', import_schema 'true'" do + let(:params) {{ import_schema: true, db_type: 'mysql' }} + + it { is_expected.to contain_icingaweb2__resource__database('mysql-icingaweb2') } + it { is_expected.to contain_icingaweb2__config__authmethod('mysql-auth') } + it { is_expected.to contain_icingaweb2__config__role('default admin user') } + it { is_expected.to contain_exec('import schema') } + it { is_expected.to contain_exec('create default admin user') } + end + + context "with db_type 'pgsql', import_schema 'true'" do + let(:params) {{ import_schema: true, db_type: 'pgsql' }} + + it { is_expected.to contain_icingaweb2__resource__database('pgsql-icingaweb2') } + it { is_expected.to contain_icingaweb2__config__authmethod('pgsql-auth') } + it { is_expected.to contain_icingaweb2__config__role('default admin user') } + it { is_expected.to contain_exec('import schema') } + it { is_expected.to contain_exec('create default admin user') } + end + + context 'with import_schema => true and admin_role => false' do + let(:params) {{ import_schema: true, db_type: 'mysql', admin_role: false }} + + it { is_expected.not_to contain_icingaweb2__config__role('default admin user') } + end end end end diff --git a/spec/defines/authmethod_spec.rb b/spec/defines/config/authmethod_spec.rb similarity index 96% rename from spec/defines/authmethod_spec.rb rename to spec/defines/config/authmethod_spec.rb index ee9388f6..3051dd9f 100644 --- a/spec/defines/authmethod_spec.rb +++ b/spec/defines/config/authmethod_spec.rb @@ -4,7 +4,7 @@ let(:title) { 'myauthmethod' } let(:pre_condition) do [ - "class { 'icingaweb2': db_type => 'mysql', db_password => 'secret' }", + "class { 'icingaweb2': db_type => 'mysql' }", ] end 
diff --git a/spec/defines/groupbackend_spec.rb b/spec/defines/config/groupbackend_spec.rb similarity index 97% rename from spec/defines/groupbackend_spec.rb rename to spec/defines/config/groupbackend_spec.rb index c0063c21..b209b86a 100644 --- a/spec/defines/groupbackend_spec.rb +++ b/spec/defines/config/groupbackend_spec.rb @@ -4,7 +4,7 @@ let(:title) { 'mygroupbackend' } let(:pre_condition) do [ - "class { 'icingaweb2': db_type => 'mysql', db_password => 'secret' }", + "class { 'icingaweb2': db_type => 'mysql' }", ] end diff --git a/spec/defines/navigation_spec.rb b/spec/defines/config/navigation_spec.rb similarity index 94% rename from spec/defines/navigation_spec.rb rename to spec/defines/config/navigation_spec.rb index bf4975bc..c5e5c9ec 100644 --- a/spec/defines/navigation_spec.rb +++ b/spec/defines/config/navigation_spec.rb @@ -4,7 +4,7 @@ let(:title) { 'myitem' } let(:pre_condition) do [ - "class { 'icingaweb2': db_type => 'mysql', db_password => 'secret' }", + "class { 'icingaweb2': db_type => 'mysql', conf_user => 'foo', conf_group => 'bar' }", ] end @@ -29,6 +29,9 @@ it { is_expected.to contain_file('/etc/icingaweb2/preferences/foobar') .with_ensure('directory') + .with_owner('foo') + .with_group('bar') + .with_mode('2770') } it { @@ -112,6 +115,9 @@ it { is_expected.to contain_file('/etc/icingaweb2/preferences/foobar') .with_ensure('directory') + .with_owner('foo') + .with_group('bar') + .with_mode('2770') } it { diff --git a/spec/defines/role_spec.rb b/spec/defines/config/role_spec.rb similarity index 94% rename from spec/defines/role_spec.rb rename to spec/defines/config/role_spec.rb index d8c463cb..50def0e6 100644 --- a/spec/defines/role_spec.rb +++ b/spec/defines/config/role_spec.rb @@ -4,7 +4,7 @@ let(:title) { 'myrole' } let(:pre_condition) do [ - "class { 'icingaweb2': db_type => 'mysql', db_password => 'secret' }", + "class { 'icingaweb2': db_type => 'mysql' }", ] end 
diff --git a/spec/defines/inisection_spec.rb b/spec/defines/inisection_spec.rb index 4fba6a68..cce1c18d 100644 --- a/spec/defines/inisection_spec.rb +++ b/spec/defines/inisection_spec.rb @@ -4,7 +4,11 @@ let(:title) { 'foo' } let(:pre_condition) do [ - "class { 'icingaweb2': db_type => 'mysql', db_password => 'secret' }", + "class { 'icingaweb2': + db_type => 'mysql', + conf_user => 'foo', + conf_group => 'bar', + }", ] end @@ -15,15 +19,29 @@ end context "#{os} with valid params" do - let(:params) { { target: '/foo/bar', section_name: 'test', settings: { 'setting1' => 'value1', 'setting2' => 'value2' } } } + let(:params) do + { + target: '/foo/bar', + section_name: 'test', settings: { 'setting1' => 'value1', 'setting2' => 'value2' }, + order: '02', + replace: false, + } + end - it { is_expected.to contain_concat('/foo/bar') } + it { + is_expected.to contain_concat('/foo/bar') + .with_owner('foo') + .with_group('bar') + .with_replace(false) + .with_mode('0640') + .with_warn(false) + } it { - is_expected.to contain_concat__fragment('foo-test-01') + is_expected.to contain_concat__fragment('foo-test-02') .with_target('/foo/bar') - .with_order('01') .with_content(%r{\[test\]\nsetting1 = \"value1\"\nsetting2 = \"value2\"\n\n}) + .with_order('02') } end end diff --git a/spec/defines/resource/database_spec.rb b/spec/defines/resource/database_spec.rb new file mode 100644 index 00000000..d9ac12ca --- /dev/null +++ b/spec/defines/resource/database_spec.rb 
@@ -0,0 +1,87 @@
+require 'spec_helper'
+
+describe('icingaweb2::resource::database', type: :define) do
+ let(:title) { 'myresource_db' }
+ let(:pre_condition) do
+ [
+ "class { 'icingaweb2': db_type => 'mysql' }",
+ ]
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let :facts do
+ facts
+ end
+
+ context "#{os} with required parameters" do
+ let(:params) do
+ {
+ type: 'pgsql',
+ host: 'host.icinga.com',
+ port: 5432,
+ database: 'foo',
+ }
+ end
+
+ it {
+ is_expected.to contain_icingaweb2__inisection('resource-myresource_db')
+ .with_section_name('myresource_db')
+ .with_target('/etc/icingaweb2/resources.ini')
+ .with_settings(
+ 'type' => 'db',
+ 'db' => 'pgsql',
+ 'host' => 'host.icinga.com',
+ 'port' => 5432,
+ 'dbname' => 'foo',
+ )
+ }
+ end
+
+ context "#{os} with valid parameters" do
+ let(:params) do
+ {
+ type: 'mysql',
+ resource_name: 'newresource_db',
+ host: 'host.icinga.com',
+ port: 3306,
+ database: 'foo',
+ username: 'bar',
+ password: 'secret',
+ charset: 'utf8',
+ use_tls: true,
+ tls_noverify: true,
+ tls_key: '/foo/certs/bar.key',
+ tls_cert: '/foo/certs/bar.crt',
+ tls_cacert: '/foo/certs/ca.crt',
+ tls_capath: '/foo/bar',
+ tls_cipher: 'foobar',
+ }
+ end
+
+ it {
+ is_expected.to contain_icingaweb2__inisection('resource-newresource_db')
+ .with_section_name('newresource_db')
+ .with_target('/etc/icingaweb2/resources.ini')
+ .with_settings(
+ 'type' => 'db',
+ 'db' => 'mysql',
+ 'host' => 'host.icinga.com',
+ 'port' => 3306,
+ 'dbname' => 'foo',
+ 'username' => 'bar',
+ 'password' => 'secret',
+ 'charset' => 'utf8',
+ 'use_ssl' => true,
+ 'ssl_do_not_verify_server_cert' => true,
+ 'ssl_cert' => '/foo/certs/bar.crt',
+ 'ssl_key' => '/foo/certs/bar.key',
+ 'ssl_ca' => '/foo/certs/ca.crt',
+ 'ssl_capath' => '/foo/bar',
+ 'ssl_cipher' => 'foobar',
+ )
+ }
+ end
+ end
+ end
+end
diff --git a/spec/defines/resource/ldap_spec.rb b/spec/defines/resource/ldap_spec.rb
new file mode 100644
index 00000000..a788a67b
--- /dev/null
+++ b/spec/defines/resource/ldap_spec.rb
@@ -0,0 +1,63 @@
+require 'spec_helper'
+
+describe('icingaweb2::resource::ldap', type: :define) do
+ let(:title) { 'myresource_ldap' }
+ let(:pre_condition) do
+ [
+ "class { 'icingaweb2': db_type => 'mysql' }",
+ ]
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let :facts do
+ facts
+ end
+
+ context "#{os} with required parameters" do
+ it {
+ is_expected.to contain_icingaweb2__inisection('resource-myresource_ldap')
+ .with_section_name('myresource_ldap')
+ .with_target('/etc/icingaweb2/resources.ini')
+ .with_settings(
+ 'type' => 'ldap',
+ 'hostname' => 'localhost',
+ 'encryption' => 'none',
+ 'timeout' => 5,
+ )
+ }
+ end
+
+ context "#{os} with valid parameters" do
+ let(:params) do
+ {
+ resource_name: 'newresource_ldap',
+ host: 'host.icinga.com',
+ port: 3268,
+ root_dn: 'dc=icinga,dc=com',
+ bind_dn: 'read@icinga.com',
+ bind_pw: 'secret',
+ encryption: 'starttls',
+ timeout: 10,
+ }
+ end
+
+ it {
+ is_expected.to contain_icingaweb2__inisection('resource-newresource_ldap')
+ .with_section_name('newresource_ldap')
+ .with_target('/etc/icingaweb2/resources.ini')
+ .with_settings(
+ 'type' => 'ldap',
+ 'hostname' => 'host.icinga.com',
+ 'port' => 3268,
+ 'root_dn' => 'dc=icinga,dc=com',
+ 'bind_dn' => 'read@icinga.com',
+ 'bind_pw' => 'secret',
+ 'encryption' => 'starttls',
+ 'timeout' => 10,
+ )
+ }
+ end
+ end
+ end
+end
diff --git a/spec/defines/resource_database_spec.rb b/spec/defines/resource_database_spec.rb
deleted file mode 100644
index 4068d8a0..00000000
--- a/spec/defines/resource_database_spec.rb
+++ /dev/null
@@ -1,37 +0,0 @@
-require 'spec_helper'
-
-describe('icingaweb2::resource::database', type: :define) do
- let(:title) { 'myresource' }
- let(:pre_condition) do
- [
- "class { 'icingaweb2': db_type => 'mysql', db_password => 'secret' }",
- ]
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- context "#{os} with type db" do
- let(:params) do
- {
- host: 'localhost',
- port: 3306,
- type: 'mysql',
- database: 'foo',
- username: 'bar',
- password: 'secret',
- }
- end
-
- it {
- is_expected.to contain_icingaweb2__inisection('resource-myresource')
- .with_target('/etc/icingaweb2/resources.ini')
- .with_settings('type' => 'db', 'db' => 'mysql', 'host' => 'localhost', 'port' => '3306', 'dbname' => 'foo', 'username' => 'bar', 'password' => 'secret')
- }
- end
- end
- end
-end
diff --git a/spec/defines/resource_ldap_spec.rb b/spec/defines/resource_ldap_spec.rb
deleted file mode 100644
index ac045a97..00000000
--- a/spec/defines/resource_ldap_spec.rb
+++ /dev/null
@@ -1,73 +0,0 @@
-require 'spec_helper'
-
-describe('icingaweb2::resource::ldap', type: :define) do
- let(:title) { 'myresource' }
- let(:pre_condition) do
- [
- "class { 'icingaweb2': db_type => 'mysql', db_password => 'secret' }",
- ]
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- context "#{os} with type ldap" do
- let(:params) do
- {
- host: 'localhost',
- port: 389,
- root_dn: 'cn=foo,dc=bar',
- bind_dn: 'cn=root,dc=bar',
- bind_pw: 'secret',
- }
- end
-
- it {
- is_expected.to contain_icingaweb2__inisection('resource-myresource')
- .with_target('/etc/icingaweb2/resources.ini')
- .with_settings(
- 'type' => 'ldap',
- 'hostname' => 'localhost',
- 'port' => '389',
- 'root_dn' => 'cn=foo,dc=bar',
- 'bind_dn' => 'cn=root,dc=bar',
- 'bind_pw' => 'secret',
- 'encryption' => 'none',
- 'timeout' => '5',
- )
- }
- end
-
- context "#{os} with type ldap and changed ldap timeout" do
- let(:params) do
- {
- host: 'localhost',
- port: 389,
- root_dn: 'cn=foo,dc=bar',
- bind_dn: 'cn=root,dc=bar',
- bind_pw: 'secret',
- timeout: 60,
- }
- end
-
- it {
- is_expected.to contain_icingaweb2__inisection('resource-myresource')
- .with_target('/etc/icingaweb2/resources.ini')
- .with_settings(
- 'type' => 'ldap',
- 'hostname' => 'localhost',
- 'port' => '389',
- 'root_dn' => 'cn=foo,dc=bar',
- 'bind_dn' => 'cn=root,dc=bar',
- 'bind_pw' => 'secret',
- 'encryption' => 'none',
- 'timeout' => '60',
- )
- }
- end
- end
- end
-end
From 4674df9b015e2d79749413c4cbddabb5d8684fc2 Mon Sep 17 00:00:00 2001
From: Lennart Betz Date: Thu, 2 Nov 2023 10:30:06 +0100 Subject: [PATCH 02/14] change default directory for certificates and keys (icingadb and redis databases) --- manifests/module.pp | 30 +++---- manifests/module/icingadb.pp | 45 ++++++----- metadata.json | 4 +- spec/classes/icingaweb2_spec.rb | 6 +- spec/classes/{ => modules}/icingadb_spec.rb | 86 +++++++++++++++++++-- spec/defines/module_spec.rb | 86 ++++++++------------- 6 files changed, 158 insertions(+), 99 deletions(-) rename spec/classes/{ => modules}/icingadb_spec.rb (64%) diff --git a/manifests/module.pp b/manifests/module.pp index 1d5791f7..41e37ad2 100644 --- a/manifests/module.pp +++ b/manifests/module.pp @@ -62,33 +62,36 @@ icingaweb2::assert_module() $conf_dir = $icingaweb2::globals::conf_dir + $state_dir = $icingaweb2::globals::state_dir $conf_user = $icingaweb2::conf_user $conf_group = $icingaweb2::conf_group - File { - owner => $conf_user, - group => $conf_group, - } - $enable_module = if $ensure == 'present' { 'link' } else { 'absent' } - file { "${conf_dir}/enabledModules/${module}": - ensure => $enable_module, - target => $module_dir, - } - - file { "${conf_dir}/modules/${module}": - ensure => directory, - mode => '2770', + file { + default: + owner => $conf_user, + group => $conf_group, + ; + "${conf_dir}/enabledModules/${module}": + ensure => $enable_module, + target => $module_dir, + ; + ["${conf_dir}/modules/${module}", "${state_dir}/${module}"]: + ensure => directory, + owner => 'root', + mode => '2770', + ; } create_resources('icingaweb2::inisection', $settings) case $install_method { + 'none': {} 'git': { vcsrepo { $module_dir: ensure => present, @@ -97,7 +100,6 @@ revision => $git_revision, } } - 'none': {} 'package': { package { $package_name: ensure => installed, diff --git a/manifests/module/icingadb.pp b/manifests/module/icingadb.pp index 7c39cadf..8baa9b8e 100644 --- a/manifests/module/icingadb.pp +++ b/manifests/module/icingadb.pp 
@@ -155,13 +155,15 @@ ) { icingaweb2::assert_module() - $conf_dir = $icingaweb2::globals::conf_dir - $module_conf_dir = "${conf_dir}/modules/icingadb" + $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/icingadb" + $cert_dir = "${icingaweb2::globals::state_dir}/icingadb/certs" + $conf_user = $icingaweb2::conf_user + $conf_group = $icingaweb2::conf_group if $redis_use_tls { - $redis_tls_files = icingaweb2::cert::files( + $redis_tls_files = icinga::cert::files( 'redis', - $module_conf_dir, + $cert_dir, $redis_tls_key_file, $redis_tls_cert_file, $redis_tls_cacert_file, @@ -175,7 +177,7 @@ key => $redis_tls_files['key_file'], ca => $redis_tls_files['cacert_file'], }) - icingaweb2::tls::client { 'icingaweb2::module::icingadb redis client tls config': + icinga::cert { 'icingaweb2::module::icingadb redis client tls config': args => $redis_tls_files, } } else { @@ -215,23 +217,28 @@ }, } - $db_tls = delete($icingaweb2::config::tls, ['key', 'cert', 'cacert']) + delete_undef_values(icingaweb2::cert::files( - 'client', - $module_conf_dir, + $db_tls = delete_undef_values(icinga::cert::files( + $db_username, + $cert_dir, $db_tls_key_file, $db_tls_cert_file, $db_tls_cacert_file, $db_tls_key, $db_tls_cert, $db_tls_cacert, - ), { - capath => $db_tls_capath, - noverify => $db_tls_noverify, - cipher => $db_tls_cipher, - }) + )) - icingaweb2::tls::client { 'icingaweb2::module::icingadb tls client config': - args => $db_tls, + file { $cert_dir: + ensure => directory, + owner => 'root', + group => $conf_group, + mode => '2770', + } + + icinga::cert { 'icingaweb2::module::icingadb tls client config': + owner => $conf_user, + group => $conf_group, + args => $db_tls, } icingaweb2::resource::database { 'icingaweb2-module-icingadb': 
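Review bot: The Redis `icinga::cert` resource inside `if $redis_use_tls` is declared with `args` only, while the database certificate later in this file and the one in install.pp both pass `owner => $conf_user` and `group => $conf_group`. The Redis key file therefore gets whatever owner and group `icinga::cert` defaults to, which may not match the account Icinga Web 2 runs as. Adding `owner => $conf_user,` and `group => $conf_group,` keeps the three resources consistent; both variables are already assigned at the top of the class by this patch.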
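Review bot: The new `file { $cert_dir: }` resource for `${icingaweb2::globals::state_dir}/icingadb/certs` sets `mode => '2770'`, which lets every member of `$conf_group` create, replace and delete entries in the directory that holds the private keys and the CA file. If Icinga Web 2 only needs to read these files, `mode => '2750'` is enough and leaves write access with root. The main certificate directory in install.pp has the same mode as unchanged context and could be tightened the same way. If group write access is intended, a short comment saying why would help.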
@@ -243,12 +250,12 @@ password => $db_password, charset => $db_charset, use_tls => $db_use_tls, - tls_noverify => $db_tls['noverify'], + tls_noverify => unless $db_tls_noverify { $icingaweb2::config::tls['noverify'] } else { $db_tls_noverify }, tls_key => $db_tls['key_file'], tls_cert => $db_tls['cert_file'], - tls_cacert => $db_tls['cacert_file'], - tls_capath => $db_tls['capath'], - tls_cipher => $db_tls['cipher'], + tls_cacert => unless $db_tls_cacert_file { $icingaweb2::config::tls['cacert_file'] } else { $db_tls_cacert_file }, + tls_capath => unless $db_tls_capath { $icingaweb2::config::tls['capath'] } else { $db_tls_capath }, + tls_cipher => unless $db_tls_cipher { $icingaweb2::config::tls['cipher'] } else { $db_tls_cipher }, } create_resources('icingaweb2::module::icingadb::commandtransport', $commandtransports) diff --git a/metadata.json b/metadata.json index 7498f8f0..913707f2 100644 --- a/metadata.json +++ b/metadata.json @@ -1,6 +1,6 @@ { "name": "icinga-icingaweb2", - "version": "3.9.1", + "version": "4.0.0", "author": "Icinga Team", "summary": "Icinga Web 2 Puppet Module", "license": "Apache-2.0", @@ -18,7 +18,7 @@ }, { "name": "icinga/icinga", - "version_requirement": ">= 2.1.0 < 5.0.0" + "version_requirement": ">= 2.9.0 < 5.0.0" }, { "name": "puppetlabs/vcsrepo", diff --git a/spec/classes/icingaweb2_spec.rb b/spec/classes/icingaweb2_spec.rb index 2d42ee2b..0b331533 100644 --- a/spec/classes/icingaweb2_spec.rb +++ b/spec/classes/icingaweb2_spec.rb @@ -131,7 +131,7 @@ end context "with db_type 'mysql', import_schema 'true'" do - let(:params) {{ import_schema: true, db_type: 'mysql' }} + let(:params) { { import_schema: true, db_type: 'mysql' } } it { is_expected.to contain_icingaweb2__resource__database('mysql-icingaweb2') } it { is_expected.to contain_icingaweb2__config__authmethod('mysql-auth') } 
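Review bot: `tls_noverify => unless $db_tls_noverify { ... }` in the `icingaweb2-module-icingadb` database resource treats an explicit `false` like an unset parameter. A module-level `db_tls_noverify => false` is therefore overridden when the main class sets `tls_noverify => true`, and server certificate verification stays off for the icingadb connection. Test for undef instead: `tls_noverify => if $db_tls_noverify =~ Undef { $icingaweb2::config::tls['noverify'] } else { $db_tls_noverify },`. This assumes the parameter is declared `Optional[Boolean]`, which lies outside the hunk. The new icingadb spec contexts cover only the inherited value and an explicit `true`, so a case with a global `true` and a module `false` is worth adding.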
@@ -141,7 +141,7 @@ end context "with db_type 'pgsql', import_schema 'true'" do - let(:params) {{ import_schema: true, db_type: 'pgsql' }} + let(:params) { { import_schema: true, db_type: 'pgsql' } } it { is_expected.to contain_icingaweb2__resource__database('pgsql-icingaweb2') } it { is_expected.to contain_icingaweb2__config__authmethod('pgsql-auth') } @@ -151,7 +151,7 @@ end context 'with import_schema => true and admin_role => false' do - let(:params) {{ import_schema: true, db_type: 'mysql', admin_role: false }} + let(:params) { { import_schema: true, db_type: 'mysql', admin_role: false } } it { is_expected.not_to contain_icingaweb2__config__role('default admin user') } end diff --git a/spec/classes/icingadb_spec.rb b/spec/classes/modules/icingadb_spec.rb similarity index 64% rename from spec/classes/icingadb_spec.rb rename to spec/classes/modules/icingadb_spec.rb index 031d6200..06877b7a 100644 --- a/spec/classes/icingadb_spec.rb +++ b/spec/classes/modules/icingadb_spec.rb @@ -1,12 +1,6 @@ require 'spec_helper' describe('icingaweb2::module::icingadb', type: :class) do - let(:pre_condition) do - [ - "class { 'icingaweb2': db_type => 'mysql' }", - ] - end - on_supported_os.each do |os, facts| context "on #{os}" do let :facts do @@ -14,6 +8,12 @@ end context "#{os} with local MySQL and Redis" do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'mysql' }", + ] + end + let(:params) do { db_type: 'mysql', @@ -71,6 +71,12 @@ end context "#{os} with local PostgreSQL and Redis" do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'mysql' }", + ] + end + let(:params) do { db_type: 'pgsql', 
@@ -126,6 +132,74 @@ ) } end + + context "#{os} with db_use_tls 'true'" do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'mysql', tls_cacert_file => '/foo/bar', tls_capath => '/foo/bar', tls_noverify => true, tls_cipher => 'cipher' }", + ] + end + + let(:params) do + { + db_type: 'mysql', + db_use_tls: true, + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-icingadb').with( + { + 'type' => 'mysql', + 'host' => 'localhost', + 'port' => 3306, + 'database' => 'icingadb', + 'username' => 'icingadb', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + }, + ) + } + end + + context "#{os} with db_use_tls 'true', db_tls_cacert 'cacert', db_tls_capath '/foo/bar', db_tls_noverify 'true', db_tls_cipher 'cipher'" do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'pgsql' }", + ] + end + + let(:params) do + { + db_type: 'pgsql', + db_use_tls: true, + db_tls_cacert_file: '/foo/bar', + db_tls_capath: '/foo/bar', + db_tls_noverify: true, + db_tls_cipher: 'cipher', + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-icingadb').with( + { + 'type' => 'pgsql', + 'host' => 'localhost', + 'port' => 5432, + 'database' => 'icingadb', + 'username' => 'icingadb', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + }, + ) + } + end end end end diff --git a/spec/defines/module_spec.rb b/spec/defines/module_spec.rb index 78a7b91f..3524cf14 100644 --- a/spec/defines/module_spec.rb +++ b/spec/defines/module_spec.rb @@ -4,7 +4,7 @@ let(:title) { 'mymodule' } let(:pre_condition) do [ - "class { 'icingaweb2': db_type => 'mysql', db_password => 'secret' }", + "class { 'icingaweb2': db_type => 'mysql', conf_user => 'foobaz' }", ] end 
@@ -16,16 +16,36 @@ context "#{os} with install_method 'none'" do let(:params) do - { module: 'foo', + { + module: 'foo', module_dir: '/usr/local/icingaweb2-modules/foo', install_method: 'none', - settings: { 'section1' => { 'target' => '/foo/bar', 'settings' => { 'setting1' => 'value1', 'setting2' => 'value2' } } } } + settings: { 'section1' => { 'target' => '/foo/bar', 'settings' => { 'setting1' => 'value1', 'setting2' => 'value2' } } } + } end - it { is_expected.to contain_file('/etc/icingaweb2/enabledModules') } - it { is_expected.to contain_file('/etc/icingaweb2/enabledModules/foo') } - it { is_expected.to contain_file('/etc/icingaweb2/modules') } - it { is_expected.to contain_file('/etc/icingaweb2/modules/foo') } + it { + is_expected.to contain_file('/etc/icingaweb2/enabledModules/foo') + .with_ensure('link') + .with_owner('foobaz') + .with_group('icingaweb2') + } + + it { + is_expected.to contain_file('/etc/icingaweb2/modules/foo') + .with_ensure('directory') + .with_mode('2770') + .with_owner('root') + .with_group('icingaweb2') + } + + it { + is_expected.to contain_file('/var/lib/icingaweb2/foo') + .with_ensure('directory') + .with_mode('2770') + .with_owner('root') + .with_group('icingaweb2') + } it { is_expected.to contain_icingaweb2__inisection('section1') 
@@ -39,26 +59,14 @@ { module: 'foo', module_dir: '/usr/local/icingaweb2-modules/foo', git_repository: 'https://github.com/icinga/foo.git', - git_revision: 'master', - settings: { 'section1' => { 'target' => '/foo/bar', 'settings' => { 'setting1' => 'value1', 'setting2' => 'value2' } } } } + git_revision: 'main' } end - it { is_expected.to contain_file('/etc/icingaweb2/enabledModules') } - it { is_expected.to contain_file('/etc/icingaweb2/enabledModules/foo') } - it { is_expected.to contain_file('/etc/icingaweb2/modules') } - it { is_expected.to contain_file('/etc/icingaweb2/modules/foo') } - it { is_expected.to contain_vcsrepo('/usr/local/icingaweb2-modules/foo') .with_provider('git') .with_source('https://github.com/icinga/foo.git') - .with_revision('master') - } - - it { - is_expected.to contain_icingaweb2__inisection('section1') - .with_target('/foo/bar') - .with_settings('setting1' => 'value1', 'setting2' => 'value2') + .with_revision('main') } end 
@@ -67,32 +75,10 @@ { module: 'foo', module_dir: '/usr/local/icingaweb2-modules/foo', install_method: 'package', - package_name: 'foo', - settings: { 'section1' => { 'target' => '/foo/bar', 'settings' => { 'setting1' => 'value1', 'setting2' => 'value2' } } } } + package_name: 'foo' } end - it { is_expected.to contain_file('/etc/icingaweb2/enabledModules') } - it { is_expected.to contain_file('/etc/icingaweb2/enabledModules/foo') } - it { is_expected.to contain_file('/etc/icingaweb2/modules') } - it { is_expected.to contain_file('/etc/icingaweb2/modules/foo') } - it { is_expected.to contain_package('foo').with('ensure' => 'installed') } - - it { - is_expected.to contain_icingaweb2__inisection('section1') - .with_target('/foo/bar') - .with_settings('setting1' => 'value1', 'setting2' => 'value2') - } - end - - context "#{os} with invalid installation_method" do - let(:params) do - { module: 'foor', - module_dir: '/usr/local/icingaweb2-modules/foo', - install_method: 'foobar' } - end - - it { is_expected.to raise_error(Puppet::Error, %r{expects a match for Enum\['git', 'none', 'package'\]}) } end context "#{os} with ensure => absent" do @@ -100,20 +86,10 @@ { module: 'foo', ensure: 'absent', module_dir: '/usr/local/icingaweb2-modules/foo', - install_method: 'none', - settings: { 'section1' => { 'target' => '/foo/bar', 'settings' => { 'setting1' => 'value1', 'setting2' => 'value2' } } } } + install_method: 'none' } end - it { is_expected.to contain_file('/etc/icingaweb2/enabledModules') } it { is_expected.to contain_file('/etc/icingaweb2/enabledModules/foo').with_ensure('absent') } - it { is_expected.to contain_file('/etc/icingaweb2/modules') } - it { is_expected.to contain_file('/etc/icingaweb2/modules/foo') } - - it { - is_expected.to contain_icingaweb2__inisection('section1') - .with_target('/foo/bar') - .with_settings('setting1' => 'value1', 'setting2' => 'value2') - } end end end From c6e78e6d403c5f0cc07e91443b3b2f54ec6e0c45 Mon Sep 17 00:00:00 2001 
From: Lennart Betz Date: Thu, 2 Nov 2023 17:35:43 +0100 Subject: [PATCH 03/14] change default directory for certificates and keys (IDO database) --- REFERENCE.md | 12 ++-- manifests/module/monitoring.pp | 45 ++++++------ spec/classes/{ => modules}/monitoring_spec.rb | 68 +++++++++++++++++-- 3 files changed, 94 insertions(+), 31 deletions(-) rename spec/classes/{ => modules}/monitoring_spec.rb (75%) diff --git a/REFERENCE.md b/REFERENCE.md index 109feb39..d38ca443 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -2536,11 +2536,11 @@ Default value: `'mysql'` ##### `ido_host` -Data type: `Optional[Stdlib::Host]` +Data type: `Stdlib::Host` Hostname of the IDO database. -Default value: `undef` +Default value: `'localhost'` ##### `ido_port` @@ -2552,19 +2552,19 @@ Default value: `undef` ##### `ido_db_name` -Data type: `Optional[String]` +Data type: `String` Name of the IDO database. -Default value: `undef` +Default value: `'icinga2'` ##### `ido_db_username` -Data type: `Optional[String]` +Data type: `String` Username for IDO DB connection. -Default value: `undef` +Default value: `'icinga2'` ##### `ido_db_password` diff --git a/manifests/module/monitoring.pp b/manifests/module/monitoring.pp index ba9cd3c5..d39f03cc 100644 --- a/manifests/module/monitoring.pp +++ b/manifests/module/monitoring.pp @@ -91,10 +91,10 @@ Enum['absent', 'present'] $ensure = 'present', Variant[String, Array[String]] $protected_customvars = ['*pw*', '*pass*', 'community'], Enum['mysql', 'pgsql'] $ido_type = 'mysql', - Optional[Stdlib::Host] $ido_host = undef, + Stdlib::Host $ido_host = 'localhost', Optional[Stdlib::Port] $ido_port = undef, - Optional[String] $ido_db_name = undef, - Optional[String] $ido_db_username = undef, + String $ido_db_name = 'icinga2', + String $ido_db_username = 'icinga2', Optional[Icingaweb2::Secret] $ido_db_password = undef, Optional[String] $ido_db_charset = undef, Optional[Boolean] $use_tls = undef, 
@@ -111,26 +111,33 @@ ) { icingaweb2::assert_module() - $conf_dir = $icingaweb2::globals::conf_dir - $module_conf_dir = "${conf_dir}/modules/monitoring" + $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/monitoring" + $cert_dir = "${icingaweb2::globals::state_dir}/monitoring/certs" + $conf_user = $icingaweb2::conf_user + $conf_group = $icingaweb2::conf_group - $tls = delete($icingaweb2::config::tls, ['key', 'cert', 'cacert']) + delete_undef_values(icingaweb2::cert::files( - 'client', - $module_conf_dir, + $tls = delete_undef_values(icinga::cert::files( + $ido_db_username, + $cert_dir, $tls_key_file, $tls_cert_file, $tls_cacert_file, $tls_key, $tls_cert, $tls_cacert, - ) + { - capath => $tls_capath, - noverify => $tls_noverify, - cipher => $tls_cipher, - }) + )) - icingaweb2::tls::client { 'icingaweb2::module::monitoring tls client config': - args => $tls, + file { $cert_dir: + ensure => directory, + owner => 'root', + group => $conf_group, + mode => '2770', + } + + icinga::cert { 'icingaweb2::module::monitoring tls client config': + owner => $conf_user, + group => $conf_group, + args => $tls, } icingaweb2::resource::database { 'icingaweb2-module-monitoring': @@ -142,12 +149,12 @@ password => $ido_db_password, charset => $ido_db_charset, use_tls => $use_tls, - tls_noverify => $tls['noverify'], + tls_noverify => unless $tls_noverify { $icingaweb2::config::tls['noverify'] } else { $tls_noverify }, tls_key => $tls['key_file'], tls_cert => $tls['cert_file'], - tls_cacert => $tls['cacert_file'], - tls_capath => $tls['capath'], - tls_cipher => $tls['cipher'], + tls_cacert => unless $tls_cacert_file { $icingaweb2::config::tls['cacert_file'] } else { $tls_cacert_file }, + tls_capath => unless $tls_capath { $icingaweb2::config::tls['capath'] } else { $tls_capath }, + tls_cipher => unless $tls_cipher { $icingaweb2::config::tls['cipher'] } else { $tls_cipher }, } $backend_settings = { 
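Review bot: The new `file { $cert_dir:` resource in manifests/module/monitoring.pp sets `mode => '2770'`, which leaves the directory holding the TLS client key and certificates writable by every member of `$conf_group`. Write access to the directory is enough to replace or remove the key, certificate and CA files in it, whatever ownership `icinga::cert` puts on the files themselves. If the group only has to read these files (the hunk does not show any other writer), `mode => '2750'` keeps the setgid bit and drops group write. The same resource is added in manifests/module/director.pp (`@@ -176,8 +174,17 @@`).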
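Review bot: `tls_noverify => unless $tls_noverify { $icingaweb2::config::tls['noverify'] } else { $tls_noverify }` cannot tell an explicit `false` from an unset parameter. A module that sets `tls_noverify => false` therefore still inherits `noverify => true` from the main class, which by its name turns certificate verification off for that connection. Fall back only when the parameter is undef: `tls_noverify => if $tls_noverify =~ Undef { $icingaweb2::config::tls['noverify'] } else { $tls_noverify },`. The parameter's declared type is outside this hunk, so this assumes it is an optional Boolean. The same expression is in manifests/module/director.pp (`@@ -189,12 +196,12 @@`), `icingaweb2::pick` in functions/pick.pp uses the same `unless $arg1` test, and the added specs only set the value to `true`.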
diff --git a/spec/classes/monitoring_spec.rb b/spec/classes/modules/monitoring_spec.rb similarity index 75% rename from spec/classes/monitoring_spec.rb rename to spec/classes/modules/monitoring_spec.rb index 45f4d74d..6cb004c7 100644 --- a/spec/classes/monitoring_spec.rb +++ b/spec/classes/modules/monitoring_spec.rb @@ -118,12 +118,6 @@ } end - context "#{os} with invalid ido_type" do - let(:params) { { ido_type: 'foobar' } } - - it { is_expected.to raise_error(Puppet::Error, %r{expects a match for Enum\['mysql', 'pgsql'\]}) } - end - context "#{os} with array protected_customvars" do let(:params) do { ido_type: 'mysql', 
@@ -158,6 +152,68 @@ }) } end + + context "#{os} with use_tls 'true', tls_cacert 'cacert', tls_capath '/foo/bar', tls_noverify 'true', tls_cipher 'cipher'" do + let(:params) do + { + ido_type: 'pgsql', + use_tls: true, + tls_cacert_file: '/foo/bar', + tls_capath: '/foo/bar', + tls_noverify: true, + tls_cipher: 'cipher', + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-monitoring').with( + { + 'type' => 'pgsql', + 'host' => 'localhost', + 'port' => 5432, + 'database' => 'icinga2', + 'username' => 'icinga2', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + }, + ) + } + end + + context "#{os} with use_tls 'true'" do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'mysql', tls_cacert_file => '/foo/bar', tls_capath => '/foo/bar', tls_noverify => true, tls_cipher => 'cipher' }", + ] + end + + let(:params) do + { + ido_type: 'mysql', + use_tls: true, + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-monitoring').with( + { + 'type' => 'mysql', + 'host' => 'localhost', + 'port' => 3306, + 'database' => 'icinga2', + 'username' => 'icinga2', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + }, + ) + } + end end end end From 142b3f782d1534b7da47e3c07940a039d2b276d9 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Thu, 2 Nov 2023 19:29:33 +0100 Subject: [PATCH 04/14] change default directory for certificates and keys (director database) --- manifests/module/director.pp | 41 +++++++----- .../{ => modules}/director_service_spec.rb | 0 spec/classes/{ => modules}/director_spec.rb | 62 +++++++++++++++++++ 3 files changed, 86 insertions(+), 17 deletions(-) rename spec/classes/{ => modules}/director_service_spec.rb (100%) rename spec/classes/{ => modules}/director_spec.rb (69%) 
diff --git a/manifests/module/director.pp b/manifests/module/director.pp index e1740c23..c50e0465 100644 --- a/manifests/module/director.pp +++ b/manifests/module/director.pp @@ -150,25 +150,23 @@ ) { icingaweb2::assert_module() - $conf_dir = $icingaweb2::globals::conf_dir + $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/director" + $cert_dir = "${icingaweb2::globals::state_dir}/director/certs" + $conf_user = $icingaweb2::conf_user + $conf_group = $icingaweb2::conf_group $icingacli_bin = $icingaweb2::globals::icingacli_bin - $module_conf_dir = "${conf_dir}/modules/director" $stdlib_version = $icingaweb2::globals::stdlib_version - $tls = delete($icingaweb2::config::tls, ['key', 'cert', 'cacert']) + delete_undef_values(icingaweb2::cert::files( - 'client', - $module_conf_dir, + $tls = delete_undef_values(icinga::cert::files( + $db_username, + $cert_dir, $tls_key_file, $tls_cert_file, $tls_cacert_file, $tls_key, $tls_cert, $tls_cacert, - ) + { - capath => $tls_capath, - noverify => $tls_noverify, - cipher => $tls_cipher, - }) + )) Exec { user => 'root', @@ -176,8 +174,17 @@ provider => 'shell', } - icingaweb2::tls::client { 'icingaweb2::module::director tls client config': - args => $tls, + file { $cert_dir: + ensure => directory, + owner => 'root', + group => $conf_group, + mode => '2770', + } + + icinga::cert { 'icingaweb2::module::director tls client config': + owner => $conf_user, + group => $conf_group, + args => $tls, } icingaweb2::resource::database { 'icingaweb2-module-director': 
@@ -189,12 +196,12 @@ password => $db_password, charset => $db_charset, use_tls => $use_tls, - tls_noverify => $tls['noverify'], + tls_noverify => unless $tls_noverify { $icingaweb2::config::tls['noverify'] } else { $tls_noverify }, tls_key => $tls['key_file'], tls_cert => $tls['cert_file'], - tls_cacert => $tls['cacert_file'], - tls_capath => $tls['capath'], - tls_cipher => $tls['cipher'], + tls_cacert => unless $tls_cacert_file { $icingaweb2::config::tls['cacert_file'] } else { $tls_cacert_file }, + tls_capath => unless $tls_capath { $icingaweb2::config::tls['capath'] } else { $tls_capath }, + tls_cipher => unless $tls_cipher { $icingaweb2::config::tls['cipher'] } else { $tls_cipher }, } $db_settings = { @@ -217,7 +224,7 @@ exec { 'director-migration': command => "${icingacli_bin} director migration run", onlyif => "${icingacli_bin} director migration pending", - require => [Icingaweb2::Tls::Client['icingaweb2::module::director tls client config'], Icingaweb2::Module['director'], Package['icingacli']], + require => [Icinga::Cert['icingaweb2::module::director tls client config'], Icingaweb2::Module['director'], Package['icingacli']], } if $kickstart { diff --git a/spec/classes/director_service_spec.rb b/spec/classes/modules/director_service_spec.rb similarity index 100% rename from spec/classes/director_service_spec.rb rename to spec/classes/modules/director_service_spec.rb diff --git a/spec/classes/director_spec.rb b/spec/classes/modules/director_spec.rb similarity index 69% rename from spec/classes/director_spec.rb rename to spec/classes/modules/director_spec.rb index 89ecbe45..469de2f3 100644 --- a/spec/classes/director_spec.rb +++ b/spec/classes/modules/director_spec.rb 
@@ -116,6 +116,68 @@ it { is_expected.not_to contain_exec('director-migration') } it { is_expected.not_to contain_exec('director-kickstart') } end + + context "#{os} with use_tls 'true', tls_cacert 'cacert', tls_capath '/foo/bar', tls_noverify 'true', tls_cipher 'cipher'" do + let(:params) do + { + db_type: 'pgsql', + use_tls: true, + tls_cacert_file: '/foo/bar', + tls_capath: '/foo/bar', + tls_noverify: true, + tls_cipher: 'cipher', + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-director').with( + { + 'type' => 'pgsql', + 'host' => 'localhost', + 'port' => 5432, + 'database' => 'director', + 'username' => 'director', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + }, + ) + } + end + + context "#{os} with use_tls 'true'" do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'mysql', tls_cacert_file => '/foo/bar', tls_capath => '/foo/bar', tls_noverify => true, tls_cipher => 'cipher' }", + ] + end + + let(:params) do + { + db_type: 'mysql', + use_tls: true, + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-director').with( + { + 'type' => 'mysql', + 'host' => 'localhost', + 'port' => 3306, + 'database' => 'director', + 'username' => 'director', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + }, + ) + } + end end end end From f7aeb2cbe51e0eedad298f144e727ae830abf016 Mon Sep 17 00:00:00 2001 
From: Lennart Betz Date: Sat, 4 Nov 2023 20:36:50 +0100 Subject: [PATCH 05/14] rework vspheredb, include service iprivate class, own certs directory --- REFERENCE.md | 125 +++++++---------- data/Linux-kernel.yaml | 4 +- data/common.yaml | 19 ++- functions/pick.pp | 19 +++ manifests/globals.pp | 7 + manifests/install.pp | 4 +- manifests/module/vspheredb.pp | 164 +++++++--------------- manifests/module/vspheredb/config.pp | 90 ++++++++++++ manifests/module/vspheredb/install.pp | 63 +++++++++ manifests/module/vspheredb/service.pp | 70 ++-------- manifests/resource/database.pp | 2 +- spec/classes/modules/vspheredb_spec.rb | 184 +++++++++++++++++++++++++ spec/classes/vspheredb_service_spec.rb | 46 ------- spec/classes/vspheredb_spec.rb | 80 ----------- 14 files changed, 487 insertions(+), 390 deletions(-) create mode 100644 functions/pick.pp create mode 100644 manifests/module/vspheredb/config.pp create mode 100644 manifests/module/vspheredb/install.pp create mode 100644 spec/classes/modules/vspheredb_spec.rb delete mode 100644 spec/classes/vspheredb_service_spec.rb delete mode 100644 spec/classes/vspheredb_spec.rb diff --git a/REFERENCE.md b/REFERENCE.md index d38ca443..bb4c9a3a 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -32,7 +32,6 @@ * [`icingaweb2::module::reporting::service`](#icingaweb2--module--reporting--service): Installs and configures the reporting scheduler. * [`icingaweb2::module::translation`](#icingaweb2--module--translation): Installs and configures the translation module. * [`icingaweb2::module::vspheredb`](#icingaweb2--module--vspheredb): Installs the vsphereDB plugin -* [`icingaweb2::module::vspheredb::service`](#icingaweb2--module--vspheredb--service): Installs and configures the vspheredb service. * [`icingaweb2::module::x509`](#icingaweb2--module--x509): Installs the x509 module * [`icingaweb2::module::x509::service`](#icingaweb2--module--x509--service): Installs and configures the x509 job scheduler. 
@@ -40,6 +39,9 @@ * `icingaweb2::config`: Configures Icinga Web 2. * `icingaweb2::install`: Installs Icinga Web 2 and extra packages. +* `icingaweb2::module::vspheredb::config`: Configure the VSphereDB module +* `icingaweb2::module::vspheredb::install`: Installs the VSphereDB module +* `icingaweb2::module::vspheredb::service`: Manage the vspheredb service. ### Defined types @@ -75,6 +77,7 @@ that store groups. * [`icingaweb2::cert::files`](#icingaweb2--cert--files): Choose the path of tls key, cert and ca file. * [`icingaweb2::db::connect`](#icingaweb2--db--connect): This function returns a string to connect databases with or without TLS information. +* [`icingaweb2::pick`](#icingaweb2--pick): This function returns first parameter if set. * [`icingaweb2::unwrap`](#icingaweb2--unwrap): This function returns an unwrap string if necessary. ### Data types @@ -3337,6 +3340,9 @@ The following parameters are available in the `icingaweb2::module::vspheredb` cl * [`tls_cipher`](#-icingaweb2--module--vspheredb--tls_cipher) * [`import_schema`](#-icingaweb2--module--vspheredb--import_schema) * [`manage_service`](#-icingaweb2--module--vspheredb--manage_service) +* [`service_ensure`](#-icingaweb2--module--vspheredb--service_ensure) +* [`service_enable`](#-icingaweb2--module--vspheredb--service_enable) +* [`service_user`](#-icingaweb2--module--vspheredb--service_user) ##### `ensure` @@ -3344,24 +3350,20 @@ Data type: `Enum['absent', 'present']` Ensur es the state of the vspheredb module. -Default value: `'present'` - ##### `module_dir` -Data type: `Optional[Stdlib::Absolutepath]` +Data type: `Stdlib::Absolutepath` Target directory of the module. -Default value: `undef` +Default value: `"${icingaweb2::globals::default_module_path}/vspheredb"` ##### `git_repository` -Data type: `String` +Data type: `Stdlib::HTTPUrl` The upstream module repository. -Default value: `'https://github.com/Icinga/icingaweb2-module-vspheredb.git'` - ##### `git_revision` Data type: `Optional[String]` 
@@ -3376,16 +3378,12 @@ Data type: `Enum['git', 'none', 'package']` Install methods are `git`, `package` and `none` is supported as installation method. -Default value: `'git'` - ##### `package_name` Data type: `String` Package name of the module. This setting is only valid in combination with the installation method `package`. -Default value: `'icingaweb2-module-vspheredb'` - ##### `db_type` Data type: `Enum['mysql']` @@ -3398,8 +3396,6 @@ Data type: `Stdlib::Host` The host where the vspheredb-database will be running -Default value: `'localhost'` - ##### `db_port` Data type: `Optional[Stdlib::Port]` @@ -3414,16 +3410,12 @@ Data type: `String` The name of the database this module should use. -Default value: `'vspheredb'` - ##### `db_username` Data type: `String` The username needed to access the database. -Default value: `'vspheredb'` - ##### `db_password` Data type: `Optional[Icingaweb2::Secret]` @@ -3434,11 +3426,11 @@ Default value: `undef` ##### `db_charset` -Data type: `String` +Data type: `Optional[String]` The charset the database is set to. -Default value: `'utf8mb4'` +Default value: `undef` ##### `use_tls` 
@@ -3536,76 +3528,25 @@ Default value: `false` Data type: `Boolean` -Also manage the service (daemon), running and enabled. Otherwise do your config via hiera. - -Default value: `true` - -### `icingaweb2::module::vspheredb::service` - -Installs and configures the vspheredb service. - -* **Note** Only systemd is supported by the Icinga Team and this module. +If set to true the service (daemon) is managed. -#### Examples - -##### - -```puppet -include icingaweb2::module::vspheredb::service -``` - -#### Parameters - -The following parameters are available in the `icingaweb2::module::vspheredb::service` class: - -* [`ensure`](#-icingaweb2--module--vspheredb--service--ensure) -* [`enable`](#-icingaweb2--module--vspheredb--service--enable) -* [`user`](#-icingaweb2--module--vspheredb--service--user) -* [`group`](#-icingaweb2--module--vspheredb--service--group) -* [`manage_user`](#-icingaweb2--module--vspheredb--service--manage_user) - -##### `ensure` +##### `service_ensure` Data type: `Stdlib::Ensure::Service` -Whether the vspheredb service should be running. - -Default value: `'running'` +Wether the service is `running` or `stopped`. -##### `enable` +##### `service_enable` Data type: `Boolean` -Enable or disable the service. - -Default value: `true` - -##### `user` - -Data type: `String` - -Specifies the user to run the vsphere service daemon as. -Only available if install_method package is not used. - -Default value: `'icingavspheredb'` +Whether the service should be started at boot time. -##### `group` +##### `service_user` Data type: `String` -Specifies the primary group to run the vspheredb service daemon as. -Only available if install_method package is not used. - -Default value: `'icingaweb2'` - -##### `manage_user` - -Data type: `Boolean` - -Whether to manage the server user resource. Only available if -install_method package is not used. - -Default value: `true` +The user as which the service is running. Only valid if `install_method` is set to `git`. 
### `icingaweb2::module::x509` @@ -4741,10 +4682,12 @@ MySQL and the path to the unix domain socket and the directory for PostgreSQL. ##### `port` -Data type: `Stdlib::Port` +Data type: `Optional[Stdlib::Port]` Port number to use. +Default value: `undef` + ##### `database` Data type: `String` @@ -5053,6 +4996,30 @@ Data type: `Optional[Boolean]` +### `icingaweb2::pick` + +Type: Puppet Language + +This function returns first parameter if set. + +#### `icingaweb2::pick(Any $arg1, Any $arg2)` + +The icingaweb2::pick function. + +Returns: `Any` One of the two parameters. + +##### `arg1` + +Data type: `Any` + + + +##### `arg2` + +Data type: `Any` + + + ### `icingaweb2::unwrap` Type: Puppet Language diff --git a/data/Linux-kernel.yaml b/data/Linux-kernel.yaml index 78a0c00f..bbb367e6 100644 --- a/data/Linux-kernel.yaml +++ b/data/Linux-kernel.yaml @@ -6,8 +6,6 @@ icingaweb2::globals::data_dir: /usr/share/icingaweb2 icingaweb2::globals::comp_db_schema_dir: /usr/share/doc/icingaweb2 icingaweb2::globals::mysql_db_schema: /usr/share/doc/icingaweb2/schema/mysql.schema.sql icingaweb2::globals::pgsql_db_schema: /usr/share/doc/icingaweb2/schema/pgsql.schema.sql -icingaweb2::globals::mysql_vspheredb_schema: /usr/share/icingaweb2/modules/vspheredb/schema/mysql.sql -icingaweb2::globals::pgsql_vspheredb_schema: /usr/share/icingaweb2/modules/vspheredb/schema/pgsql.sql icingaweb2::globals::mysql_reporting_schema: /usr/share/icingaweb2/modules/reporting/schema/mysql.sql icingaweb2::globals::pgsql_reporting_schema: /usr/share/icingaweb2/modules/reporting/schema/postgresql.sql icingaweb2::globals::mysql_idoreports_slaperiods: /usr/share/icingaweb2/modules/idoreports/schema/mysql/slaperiods.sql 
@@ -21,4 +19,6 @@ icingaweb2::globals::icingacli_bin: /usr/bin/icingacli icingaweb2::globals::default_module_path: /usr/share/icingaweb2/modules icingaweb2::conf_group: icingaweb2 icingaweb2::logging_file: /var/log/icingaweb2/icingaweb2.log + icingaweb2::module::icingadb::package_name: icingadb-web +icingaweb2::module::vspheredb::package_name: icingaweb2-module-vspheredb diff --git a/data/common.yaml b/data/common.yaml index 40427eb2..393f7fe1 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -14,13 +14,7 @@ icingaweb2::module::generictts::git_repository: https://github.com/Icinga/icinga icingaweb2::module::graphite::git_repository: https://github.com/Icinga/icingaweb2-module-graphite.git icingaweb2::module::incubator::git_repository: https://github.com/Icinga/icingaweb2-module-incubator.git icingaweb2::module::incubator::git_revision: v0.19.0 -icingaweb2::module::ipl::git_repository: https://github.com/Icinga/icingaweb2-module-ipl.git -icingaweb2::module::ipl::git_revision: v0.5.0 icingaweb2::module::puppetdb::git_repository: https://github.com/Icinga/icingaweb2-module-puppetdb.git -icingaweb2::module::reactbundle::git_repository: https://github.com/Icinga/icingaweb2-module-reactbundle.git -icingaweb2::module::reactbundle::git_revision: v0.9.0 -icingaweb2::module::vsphere::git_repository: https://github.com/Icinga/icingaweb2-module-vsphere.git -icingaweb2::module::vspheredb::git_repository: https://github.com/Icinga/icingaweb2-module-vspheredb.git icingaweb2::module::reporting::ensure: present icingaweb2::module::reporting::install_method: git icingaweb2::module::reporting::git_repository: https://github.com/Icinga/icingaweb2-module-reporting.git 
@@ -33,3 +27,16 @@ icingaweb2::module::x509::ensure: present icingaweb2::module::x509::install_method: git icingaweb2::module::x509::git_repository: https://github.com/Icinga/icingaweb2-module-x509.git icingaweb2::module::x509::package_name: icingaweb2-module-x509 + +icingaweb2::globals::mysql_vspheredb_schema: /schema/mysql.sql +icingaweb2::globals::pgsql_vspheredb_schema: /schema/pgsql.sql +icingaweb2::module::vspheredb::ensure: present +icingaweb2::module::vspheredb::install_method: git +icingaweb2::module::vspheredb::git_repository: https://github.com/Icinga/icingaweb2-module-vspheredb.git +icingaweb2::module::vspheredb::manage_service: true +icingaweb2::module::vspheredb::service_ensure: running +icingaweb2::module::vspheredb::service_enable: true +icingaweb2::module::vspheredb::service_user: icingavspheredb +icingaweb2::module::vspheredb::db_host: localhost +icingaweb2::module::vspheredb::db_name: vspheredb +icingaweb2::module::vspheredb::db_username: vspheredb diff --git a/functions/pick.pp b/functions/pick.pp new file mode 100644 index 00000000..e40d3ada --- /dev/null +++ b/functions/pick.pp @@ -0,0 +1,19 @@ +# @summary +# This function returns first parameter if set. +# +# @return +# One of the two parameters. +# +function icingaweb2::pick($arg1, $arg2) { + # @param arg1 + # First argument. + # + # @param arg2 + # Second argument. + # + unless $arg1 { + $arg2 + } else { + $arg1 + } +} diff --git a/manifests/globals.pp b/manifests/globals.pp index d131b6ed..2685ff97 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -91,6 +91,13 @@ ) { $stdlib_version = load_module_metadata('stdlib')['version'] + $db_charset = { + 'mysql' => { + 'vspheredb' => 'utf8mb4', + }, + } + + # deprecated $port = { 'mysql' => 3306, 'pgsql' => 5432, diff --git a/manifests/install.pp b/manifests/install.pp index 30f43438..5352412a 100644 --- a/manifests/install.pp +++ b/manifests/install.pp 
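Review bot: In functions/pick.pp the `@param arg1` and `@param arg2` tags sit inside the function body, after the opening brace, where puppet-strings does not attach them to the function. The REFERENCE.md regenerated in this patch accordingly lists both arguments with an empty description. Move them into the header comment above `function icingaweb2::pick(`, next to `@summary` and `@return`, and say when the fallback applies: `# @param arg1 Returned unless it is undef or false.` and `# @param arg2 Fallback returned otherwise.`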
@@ -7,6 +7,7 @@ assert_private("You're not supposed to use this defined type manually.") $conf_dir = $icingaweb2::globals::conf_dir + $stdlib_version = $icingaweb2::globals::stdlib_version $cert_dir = $icingaweb2::cert_dir $package_name = $icingaweb2::globals::package_name $data_dir = $icingaweb2::globals::data_dir @@ -28,8 +29,7 @@ } if $extra_packages { - $metadata = load_module_metadata('stdlib') - if versioncmp($metadata['version'], '9.0.0') < 0 { + if versioncmp($stdlib_version, '9.0.0') < 0 { ensure_packages($extra_packages, { 'ensure' => installed }) } else { stdlib::ensure_packages($extra_packages, { 'ensure' => installed }) diff --git a/manifests/module/vspheredb.pp b/manifests/module/vspheredb.pp index 96cd0974..a252fa54 100644 --- a/manifests/module/vspheredb.pp +++ b/manifests/module/vspheredb.pp @@ -77,7 +77,16 @@ # whereas with mysql its different options. # # @param manage_service -# Also manage the service (daemon), running and enabled. Otherwise do your config via hiera. +# If set to true the service (daemon) is managed. +# +# @param service_ensure +# Wether the service is `running` or `stopped`. +# +# @param service_enable +# Whether the service should be started at boot time. +# +# @param service_user +# The user as which the service is running. Only valid if `install_method` is set to `git`. # # @example # class { 'icingaweb2::module::vspheredb': 
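Review bot: The new `@param service_ensure` description in manifests/module/vspheredb.pp starts with `Wether`, and the typo is carried into REFERENCE.md by this patch. Change it to `Whether` in the manifest comment and regenerate the reference.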
@@ -90,21 +99,24 @@ # } # class icingaweb2::module::vspheredb ( + Enum['absent', 'present'] $ensure, + Enum['git', 'none', 'package'] $install_method, + Stdlib::HTTPUrl $git_repository, + String $package_name, + Boolean $manage_service, + Stdlib::Ensure::Service $service_ensure, + Boolean $service_enable, + String $service_user, Enum['mysql'] $db_type, - Enum['absent', 'present'] $ensure = 'present', - Optional[Stdlib::Absolutepath] $module_dir = undef, - String $git_repository = 'https://github.com/Icinga/icingaweb2-module-vspheredb.git', - Optional[String] $git_revision = undef, - Enum['git', 'none', 'package'] $install_method = 'git', - String $package_name = 'icingaweb2-module-vspheredb', - Stdlib::Host $db_host = 'localhost', - Optional[Stdlib::Port] $db_port = undef, - String $db_name = 'vspheredb', - String $db_username = 'vspheredb', + Stdlib::Host $db_host, + String $db_name, + String $db_username, Optional[Icingaweb2::Secret] $db_password = undef, - String $db_charset = 'utf8mb4', + Optional[Stdlib::Port] $db_port = undef, + Optional[String] $db_charset = undef, Variant[Boolean, Enum['mariadb', 'mysql']] $import_schema = false, - Boolean $manage_service = true, + Stdlib::Absolutepath $module_dir = "${icingaweb2::globals::default_module_path}/vspheredb", + Optional[String] $git_revision = undef, Optional[Boolean] $use_tls = undef, Optional[Stdlib::Absolutepath] $tls_key_file = undef, Optional[Stdlib::Absolutepath] $tls_cert_file = undef, 
@@ -118,110 +130,32 @@ ) { icingaweb2::assert_module() - $conf_dir = $icingaweb2::globals::conf_dir - $mysql_vspheredb_schema = $icingaweb2::globals::mysql_vspheredb_schema - $pgsql_vspheredb_schema = $icingaweb2::globals::pgsql_vspheredb_schema - $module_conf_dir = "${conf_dir}/modules/vspheredb" - $_db_port = pick($db_port, $icingaweb2::globals::port[$db_type]) - - $tls = delete($icingaweb2::config::tls, ['key', 'cert', 'cacert']) + delete_undef_values(icingaweb2::cert::files( - 'client', - $module_conf_dir, - $tls_key_file, - $tls_cert_file, - $tls_cacert_file, - $tls_key, - $tls_cert, - $tls_cacert, - ) + { - capath => $tls_capath, - noverify => $tls_noverify, - cipher => $tls_cipher, - }) + $cert_dir = "${icingaweb2::globals::state_dir}/vspheredb/certs" - Exec { - user => 'root', - path => $facts['path'], - provider => 'shell', - require => [Icingaweb2::Tls::Client['icingaweb2::module::vspheredb tls client config'], Icingaweb2::Module['vspheredb']], + $db = { + type => $db_type, + database => $db_name, + host => $db_host, + port => $db_port, + username => $db_username, + password => $db_password, } - icingaweb2::tls::client { 'icingaweb2::module::vspheredb tls client config': - args => $tls, - } - - icingaweb2::resource::database { 'icingaweb2-module-vspheredb': - type => $db_type, - host => $db_host, - port => $_db_port, - database => $db_name, - username => $db_username, - password => $db_password, - charset => $db_charset, - use_tls => $use_tls, - tls_noverify => $tls['noverify'], - tls_key => $tls['key_file'], - tls_cert => $tls['cert_file'], - tls_cacert => $tls['cacert_file'], - tls_capath => $tls['capath'], - tls_cipher => $tls['cipher'], - } - - icingaweb2::module { 'vspheredb': - ensure => $ensure, - git_repository => $git_repository, - git_revision => $git_revision, - install_method => $install_method, - module_dir => $module_dir, - package_name => $package_name, - settings => { - 'icingaweb2-module-vspheredb' => { - 'section_name' => 'db', - 
'target' => "${module_conf_dir}/config.ini", - 'settings' => { - 'resource' => 'icingaweb2-module-vspheredb', - }, - }, - }, - } - - if $import_schema { - $real_db_type = if $import_schema =~ Boolean { - if $db_type == 'pgsql' { 'pgsql' } else { 'mariadb' } - } else { - $import_schema - } - $db_cli_options = icingaweb2::db::connect({ - type => $real_db_type, - name => $db_name, - host => $db_host, - port => $_db_port, - user => $db_username, - pass => $db_password, - }, $tls, $use_tls) + $tls = icinga::cert::files( + $db_username, + $cert_dir, + $tls_key_file, + $tls_cert_file, + $tls_cacert_file, + $tls_key, + $tls_cert, + $tls_cacert, + ) - case $db_type { - 'mysql': { - exec { 'import icingaweb2::module::vspheredb schema': - command => "mysql ${db_cli_options} < '${mysql_vspheredb_schema}'", - unless => "mysql ${db_cli_options} -Ns -e 'SELECT schema_version FROM vspheredb_schema_migration'", - } - } - 'pgsql': { - $_db_password = icingaweb2::unwrap($db_password) - exec { 'import icingaweb2::module::vspheredb schema': - environment => ["PGPASSWORD=${_db_password}"], - command => "psql '${db_cli_options}' -w -f ${pgsql_vspheredb_schema}", - unless => "psql '${db_cli_options}' -w -c 'SELECT schema_version FROM vspheredb_schema_migration'", - } - } # pgsql (not supported) - default: { - fail('The database type you provided is not supported.') - } - } - } # schema import - - if $manage_service { - include icingaweb2::module::vspheredb::service - } + class { 'icingaweb2::module::vspheredb::install': } + -> class { 'icingaweb2::module::vspheredb::config': } + ~> class { 'icingaweb2::module::vspheredb::service': } + contain icingaweb2::module::vspheredb::install + contain icingaweb2::module::vspheredb::config + contain icingaweb2::module::vspheredb::service } diff --git a/manifests/module/vspheredb/config.pp b/manifests/module/vspheredb/config.pp new file mode 100644 index 00000000..eddd623f --- /dev/null +++ b/manifests/module/vspheredb/config.pp 
@@ -0,0 +1,90 @@
+# @summary
+# Configure the VSphereDB module
+#
+# @api private
+#
+class icingaweb2::module::vspheredb::config {
+ assert_private()
+
+ $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/vspheredb"
+ $conf_group = $icingaweb2::conf_group
+ $mysql_vspheredb_schema = "${icingaweb2::module::vspheredb::module_dir}${icingaweb2::globals::mysql_vspheredb_schema}"
+ $pgsql_vspheredb_schema = "${icingaweb2::module::vspheredb::module_dir}${icingaweb2::globals::pgsql_vspheredb_schema}"
+ $db = $icingaweb2::module::vspheredb::db
+ $import_schema = $icingaweb2::module::vspheredb::import_schema
+ $use_tls = $icingaweb2::module::vspheredb::use_tls
+ $tls = $icingaweb2::module::vspheredb::tls + {
+ cacert_file => icingaweb2::pick($icingaweb2::module::vspheredb::tls['cacert_file'], $icingaweb2::config::tls['cacert_file']),
+ capath => icingaweb2::pick($icingaweb2::module::vspheredb::tls_capath, $icingaweb2::config::tls['capath']),
+ noverify => icingaweb2::pick($icingaweb2::module::vspheredb::tls_noverify, $icingaweb2::config::tls['noverify']),
+ cipher => icingaweb2::pick($icingaweb2::module::vspheredb::tls_cipher, $icingaweb2::config::tls['cipher']),
+ }
+ $icingacli_bin = $icingaweb2::globals::icingacli_bin
+ $service_user = $icingaweb2::module::vspheredb::service_user
+ $install_method = $icingaweb2::module::vspheredb::install_method
+
+ Exec {
+ user => 'root',
+ path => $facts['path'],
+ provider => 'shell',
+ }
+
+ if $install_method == 'git' {
+ systemd::tmpfile { 'icinga-vspheredb.conf':
+ content => "d /run/icinga-vspheredb 0755 ${service_user} ${conf_group} -",
+ }
+ systemd::unit_file { 'icinga-vspheredb.service':
+ ensure => 'present',
+ content => epp('icingaweb2/icinga-vspheredb.service.epp', {
+ 'conf_user' => $service_user,
+ 'icingacli_bin' => $icingacli_bin,
+ }),
+ }
+ }
+
+ icingaweb2::resource::database { 'icingaweb2-module-vspheredb':
+ type => $db['type'],
+ host => $db['host'],
+ port => $db['port'],
+ database => $db['database'],
+ username => $db['username'],
+ password => $db['password'],
+ charset => pick($icingaweb2::module::vspheredb::db_charset, $icingaweb2::globals::db_charset[$db['type']]['vspheredb']),
+ use_tls => $use_tls,
+ tls_noverify => $tls['noverify'],
+ tls_key => $tls['key_file'],
+ tls_cert => $tls['cert_file'],
+ tls_cacert => $tls['cacert_file'],
+ tls_capath => $tls['capath'],
+ tls_cipher => $tls['cipher'],
+ }
+
+ if $import_schema {
+ $real_db_type = if $import_schema =~ Boolean {
+ if $db['type'] == 'pgsql' { 'pgsql' } else { 'mariadb' }
+ } else {
+ $import_schema
+ }
+ $db_cli_options = icinga::db::connect($db + { type => $real_db_type }, $tls, $use_tls)
+
+ case $db['type'] {
+ 'mysql': {
+ exec { 'import icingaweb2::module::vspheredb schema':
+ command => "mysql ${db_cli_options} < '${mysql_vspheredb_schema}'",
+ unless => "mysql ${db_cli_options} -Ns -e 'SELECT schema_version FROM vspheredb_schema_migration'",
+ }
+ }
+ 'pgsql': {
+ $_db_password = icingaweb2::unwrap($db['password'])
+ exec { 'import icingaweb2::module::vspheredb schema':
+ environment => ["PGPASSWORD=${_db_password}"],
+ command => "psql '${db_cli_options}' -w -f ${pgsql_vspheredb_schema}",
+ unless => "psql '${db_cli_options}' -w -c 'SELECT schema_version FROM vspheredb_schema_migration'",
+ }
+ } # pgsql (not supported)
+ default: {
+ fail('The database type you provided is not supported.')
+ }
+ }
+ } # schema import
+}
diff --git a/manifests/module/vspheredb/install.pp b/manifests/module/vspheredb/install.pp
new file mode 100644
index 00000000..8dc7b5af
--- /dev/null
+++ b/manifests/module/vspheredb/install.pp
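Review bot: In manifests/module/vspheredb/config.pp the `noverify` entry of the merged `$tls` hash falls back to `$icingaweb2::config::tls['noverify']`, so a module that sets only `use_tls => true` inherits disabled certificate verification from the main class without that appearing in its own parameters. Whether a module-level `tls_noverify => false` can override a global `true` depends on how `icingaweb2::pick` treats `false`, which is not visible in this patch. That case deserves a spec. A comment above the hash such as `# cacert_file, capath, noverify and cipher fall back to the icingaweb2 class settings when unset here` would make the inheritance explicit.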
@@ -0,0 +1,63 @@
+# @summary
+# Installs the VSphereDB module
+#
+# @api private
+#
+class icingaweb2::module::vspheredb::install {
+ assert_private()
+
+ $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/vspheredb"
+ $conf_user = $icingaweb2::conf_user
+ $conf_group = $icingaweb2::conf_group
+ $ensure = $icingaweb2::module::vspheredb::ensure
+ $git_repository = $icingaweb2::module::vspheredb::git_repository
+ $git_revision = $icingaweb2::module::vspheredb::git_revision
+ $install_method = $icingaweb2::module::vspheredb::install_method
+ $module_dir = $icingaweb2::module::vspheredb::module_dir
+ $package_name = $icingaweb2::module::vspheredb::package_name
+ $use_tls = $icingaweb2::module::vspheredb::use_tls
+ $tls = $icingaweb2::module::vspheredb::tls
+ $cert_dir = $icingaweb2::module::vspheredb::cert_dir
+ $service_user = $icingaweb2::module::vspheredb::service_user
+
+ icingaweb2::module { 'vspheredb':
+ ensure => $ensure,
+ git_repository => $git_repository,
+ git_revision => $git_revision,
+ install_method => $install_method,
+ module_dir => $module_dir,
+ package_name => $package_name,
+ settings => {
+ 'icingaweb2-module-vspheredb' => {
+ 'section_name' => 'db',
+ 'target' => "${module_conf_dir}/config.ini",
+ 'settings' => {
+ 'resource' => 'icingaweb2-module-vspheredb',
+ },
+ },
+ },
+ }
+
+ if $use_tls {
+ file { $cert_dir:
+ ensure => directory,
+ owner => 'root',
+ group => $conf_group,
+ mode => '2770',
+ }
+
+ icinga::cert { 'icingaweb2::module::vspheredb tls client config':
+ owner => $conf_user,
+ group => $conf_group,
+ args => $tls,
+ }
+ }
+
+ if $install_method == 'git' {
+ user { $service_user:
+ ensure => 'present',
+ gid => $conf_group,
+ shell => '/bin/false',
+ }
+ }
+}
diff --git a/manifests/module/vspheredb/service.pp b/manifests/module/vspheredb/service.pp
index 787e646c..96eefd9c 100644
--- a/manifests/module/vspheredb/service.pp
+++ b/manifests/module/vspheredb/service.pp
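Review bot: In manifests/module/vspheredb/install.pp the certificate directory is created with `mode => '2770'` and `group => $conf_group`, which lets every member of the config group create, replace or delete the key, certificate and CA files inside it. Assuming the agent writes these files as root, group members need only read and traverse access, and `mode => '2750',` would cover that. The same class now declares `user { $service_user: ... }` for every git install, since the `manage_user` switch is removed from service.pp in this patch. Naming an existing account there changes its primary group and shell, and the `service_user` parameter documentation should say so.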
@@ -1,66 +1,18 @@ -# @summary Installs and configures the vspheredb service. +# @summary +# Manage the vspheredb service. # -# @note Only systemd is supported by the Icinga Team and this module. +# @api private # -# @param [Stdlib::Ensure::Service] ensure -# Whether the vspheredb service should be running. -# -# @param [Boolean] enable -# Enable or disable the service. -# -# @param [String] user -# Specifies the user to run the vsphere service daemon as. -# Only available if install_method package is not used. -# -# @param [String] group -# Specifies the primary group to run the vspheredb service daemon as. -# Only available if install_method package is not used. -# -# @param [Boolean] manage_user -# Whether to manage the server user resource. Only available if -# install_method package is not used. -# -# @example -# include icingaweb2::module::vspheredb::service -# -class icingaweb2::module::vspheredb::service ( - Stdlib::Ensure::Service $ensure = 'running', - Boolean $enable = true, - String $user = 'icingavspheredb', - String $group = 'icingaweb2', - Boolean $manage_user = true, -) { - require icingaweb2::module::vspheredb +class icingaweb2::module::vspheredb::service { + assert_private() - $install_method = $icingaweb2::module::vspheredb::install_method + if $icingaweb2::module::vspheredb::manage_service { + $ensure = $icingaweb2::module::vspheredb::service_ensure + $enable = $icingaweb2::module::vspheredb::service_enable - if $install_method != 'package' { - if $manage_user { - user { $user: - ensure => 'present', - gid => $group, - shell => '/bin/false', - before => [Systemd::Unit_file['icinga-vspheredb.service'], Systemd::Tmpfile['icinga-vspheredb.conf']], - } + service { 'icinga-vspheredb': + ensure => $ensure, + enable => $enable, } - - systemd::tmpfile { 'icinga-vspheredb.conf': - content => "d /run/icinga-vspheredb 0755 ${user} ${group} -", - before => Systemd::Unit_file['icinga-vspheredb.service'], - } - - systemd::unit_file { 
'icinga-vspheredb.service': - ensure => 'present', - content => epp('icingaweb2/icinga-vspheredb.service.epp', { - 'conf_user' => $user, - 'icingacli_bin' => $icingaweb2::globals::icingacli_bin, - }), - notify => Service['icinga-vspheredb'], - } - } - - service { 'icinga-vspheredb': - ensure => $ensure, - enable => $enable, } } diff --git a/manifests/resource/database.pp b/manifests/resource/database.pp index 95c14bc3..86009da9 100644 --- a/manifests/resource/database.pp +++ b/manifests/resource/database.pp @@ -64,7 +64,7 @@ 'oci', 'oracle', 'ibm', 'sqlite'] $type, Stdlib::Host $host, String $database, - Stdlib::Port $port, + Optional[Stdlib::Port] $port = undef, String $resource_name = $title, Optional[String] $username = undef, Optional[Icingaweb2::Secret] $password = undef, diff --git a/spec/classes/modules/vspheredb_spec.rb b/spec/classes/modules/vspheredb_spec.rb new file mode 100644 index 00000000..3bd82cfb --- /dev/null +++ b/spec/classes/modules/vspheredb_spec.rb 
@@ -0,0 +1,184 @@
+require 'spec_helper'
+
+describe('icingaweb2::module::vspheredb', type: :class) do
+ let(:pre_condition) do
+ [
+ "class { 'icingaweb2': db_type => 'mysql', conf_user => 'foo', conf_group => 'bar' }",
+ ]
+ end
+
+ on_supported_os.each do |os, facts|
+ context "on #{os}" do
+ let :facts do
+ facts
+ end
+
+ context "#{os} with git_revision 'v1.7.1', service_user 'foobaz'" do
+ let(:params) do
+ {
+ git_revision: 'v1.7.1',
+ db_type: 'mysql',
+ db_password: 'vspheredb',
+ service_user: 'foobaz',
+ }
+ end
+
+ it {
+ is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-vspheredb')
+ .with_type('mysql')
+ .with_host('localhost')
+ .with_database('vspheredb')
+ .with_username('vspheredb')
+ .with_password('vspheredb')
+ .with_charset('utf8mb4')
+ }
+
+ it {
+ is_expected.to contain_icingaweb2__module('vspheredb')
+ .with_install_method('git')
+ .with_git_revision('v1.7.1')
+ .with_package_name('icingaweb2-module-vspheredb')
+ .with_settings('icingaweb2-module-vspheredb' => {
+ 'section_name' => 'db',
+ 'target' => '/etc/icingaweb2/modules/vspheredb/config.ini',
+ 'settings' => {
+ 'resource' => 'icingaweb2-module-vspheredb',
+ },
+ })
+ }
+
+ it {
+ is_expected.to contain_user('foobaz')
+ .with_ensure('present')
+ .with_gid('bar')
+ .with_shell('/bin/false')
+ }
+
+ it {
+ is_expected.to contain_systemd__tmpfile('icinga-vspheredb.conf')
+ .with_content(%r{/run/icinga-vspheredb 0755 foobaz bar -})
+ }
+
+ it {
+ is_expected.to contain_systemd__unit_file('icinga-vspheredb.service')
+ .with_content(%r{User=foobaz})
+ .with_content(%r{ExecStart=/usr/bin/icingacli})
+ }
+
+ it {
+ is_expected.to contain_service('icinga-vspheredb')
+ .with_ensure('running')
+ .with_enable(true)
+ }
+
+ it { is_expected.not_to contain_exec('import icingaweb2::module::vspheredb schema') }
+ end
+
+ context "#{os} with db_type 'mysql', db_port '4711', install_method 'package', manage_service 'false', import_schema 'true'" do
+ let(:params) do
+ {
+ install_method: 'package',
+ manage_service: false,
+ db_type: 'mysql',
+ db_port: 4711,
+ import_schema: true,
+ }
+ end
+
+ it {
+ is_expected.to contain_package('icingaweb2-module-vspheredb')
+ .with_ensure('installed')
+ }
+
+ it {
+ is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-vspheredb')
+ .with_type('mysql')
+ .with_host('localhost')
+ .with_port(4711)
+ .with_database('vspheredb')
+ .with_username('vspheredb')
+ .with_charset('utf8mb4')
+ }
+
+ it {
+ is_expected.to contain_exec('import icingaweb2::module::vspheredb schema')
+ .with_command(%r{^mysql.*\< '/usr/share/icingaweb2/modules/vspheredb/schema/mysql.sql'$})
+ .with_unless(%r{^mysql.*-Ns -e 'SELECT schema_version FROM vspheredb_schema_migration'$})
+ }
+
+ it { is_expected.not_to contain_user('icingavspheredb') }
+ it { is_expected.not_to contain_systemd__tmpfile('icinga-vspheredb.conf') }
+ it { is_expected.not_to contain_systemd__unit_file('icinga-vspheredb.service') }
+ it { is_expected.not_to contain_service('icinga-vspheredb') }
+ end
+
+ context "#{os} with use_tls 'true', tls_cacert 'cacert', tls_capath '/foo/bar', tls_noverify 'true', tls_cipher 'cipher'" do
+ let(:params) do
+ {
+ db_type: 'mysql',
+ use_tls: true,
+ tls_cacert_file: '/foo/bar',
+ tls_capath: '/foo/bar',
+ tls_noverify: true,
+ tls_cipher: 'cipher',
+ }
+ end
+
+ it {
+ is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-vspheredb').with(
+ {
+ 'type' => 'mysql',
+ 'host' => 'localhost',
+ 'database' => 'vspheredb',
+ 'username' => 'vspheredb',
+ 'use_tls' => true,
+ 'tls_cacert' => '/foo/bar',
+ 'tls_capath' => '/foo/bar',
+ 'tls_noverify' => true,
+ 'tls_cipher' => 'cipher',
+ },
+ )
+ }
+ end
+
+ context "#{os} with use_tls 'true', service_ensure 'stopped', service_enabe 'false'" do
+ let(:pre_condition) do
+ [
+ "class { 'icingaweb2': db_type => 'mysql', tls_cacert_file => '/foo/bar', tls_capath => '/foo/bar', tls_noverify => true, tls_cipher => 'cipher' }",
+ ]
+ end
+
+ let(:params) do
+ {
+ db_type: 'mysql',
+ use_tls: true,
+ service_ensure: 'stopped',
+ service_enable: false,
+ }
+ end
+
+ it {
+ is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-vspheredb').with(
+ {
+ 'type' => 'mysql',
+ 'host' => 'localhost',
+ 'database' => 'vspheredb',
+ 'username' => 'vspheredb',
+ 'use_tls' => true,
+ 'tls_cacert' => '/foo/bar',
+ 'tls_capath' => '/foo/bar',
+ 'tls_noverify' => true,
+ 'tls_cipher' => 'cipher',
+ },
+ )
+ }
+
+ it {
+ is_expected.to contain_service('icinga-vspheredb')
+ .with_ensure('stopped')
+ .with_enable(false)
+ }
+ end
+ end
+ end
+end
diff --git a/spec/classes/vspheredb_service_spec.rb b/spec/classes/vspheredb_service_spec.rb
deleted file mode 100644
index 3f7af32f..00000000
--- a/spec/classes/vspheredb_service_spec.rb
+++ /dev/null
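Review bot: The two `use_tls` contexts in spec/classes/modules/vspheredb_spec.rb assert only the `icingaweb2::resource::database` parameters; nothing checks the certificate directory or the `icinga::cert` resource that install.pp declares under `if $use_tls`, so their ownership and mode are untested. In the third context, where the top-level pre_condition sets `conf_user => 'foo'` and `conf_group => 'bar'`, an assertion such as `it { is_expected.to contain_icinga__cert('icingaweb2::module::vspheredb tls client config').with_owner('foo').with_group('bar') }` would pin that. Both contexts also cover only verification being disabled (`tls_noverify => true`); a case where the module sets it to `false` while the main class sets `true` is missing.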
@@ -1,46 +0,0 @@
-require 'spec_helper'
-
-describe('icingaweb2::module::vspheredb::service', type: :class) do
- let(:pre_condition) do
- [
- "class { 'icingaweb2': db_type => 'mysql' }",
- "class { 'icingaweb2::module::vspheredb': db_type => 'mysql', manage_service => false }",
- ]
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- context "#{os} with defaults" do
- it do
- is_expected.to contain_user('icingavspheredb')
- .with(
- 'ensure' => 'present',
- 'gid' => 'icingaweb2',
- 'shell' => '/bin/false',
- ).that_comes_before(['Systemd::Unit_file[icinga-vspheredb.service]', 'Systemd::Tmpfile[icinga-vspheredb.conf]'])
- end
- it do
- is_expected.to contain_systemd__tmpfile('icinga-vspheredb.conf').with(
- content: %r{/run/icinga-vspheredb},
- ).that_comes_before('Systemd::Unit_file[icinga-vspheredb.service]')
- end
- it do
- is_expected.to contain_systemd__unit_file('icinga-vspheredb.service').with(
- content: %r{[Unit]},
- ).that_notifies('Service[icinga-vspheredb]')
- end
- it do
- is_expected.to contain_service('icinga-vspheredb')
- .with(
- 'ensure' => 'running',
- 'enable' => true,
- )
- end
- end
- end
- end
-end
diff --git a/spec/classes/vspheredb_spec.rb b/spec/classes/vspheredb_spec.rb
deleted file mode 100644
index 0916618b..00000000
--- a/spec/classes/vspheredb_spec.rb
+++ /dev/null
@@ -1,80 +0,0 @@
-require 'spec_helper'
-
-describe('icingaweb2::module::vspheredb', type: :class) do
- let(:pre_condition) do
- [
- "class { 'icingaweb2': db_type => 'mysql' }",
- ]
- end
-
- on_supported_os.each do |os, facts|
- context "on #{os}" do
- let :facts do
- facts
- end
-
- context "#{os} with git_revision 'v1.7.1'" do
- let(:params) do
- { git_revision: 'v1.7.1',
- db_type: 'mysql',
- db_host: 'localhost',
- db_name: 'vspheredb',
- db_username: 'vspheredb',
- db_password: 'vspheredb' }
- end
-
- it {
- is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-vspheredb')
- .with_type('mysql')
- .with_host('localhost')
- .with_port('3306')
- .with_database('vspheredb')
- .with_username('vspheredb')
- .with_password('vspheredb')
- .with_charset('utf8mb4')
- }
-
- it {
- is_expected.to contain_icingaweb2__module('vspheredb')
- .with_install_method('git')
- .with_git_revision('v1.7.1')
- .with_package_name('icingaweb2-module-vspheredb')
- .with_settings('icingaweb2-module-vspheredb' => {
- 'section_name' => 'db',
- 'target' => '/etc/icingaweb2/modules/vspheredb/config.ini',
- 'settings' => {
- 'resource' => 'icingaweb2-module-vspheredb',
- },
- })
- }
-
- it {
- is_expected.to contain_class('icingaweb2::module::vspheredb::service')
- .with_ensure('running')
- .with_enable(true)
- }
- end
-
- context "#{os} with install_method 'package', manage_service 'false'" do
- let(:params) do
- { install_method: 'package',
- manage_service: false,
- db_type: 'mysql',
- db_host: 'localhost',
- db_name: 'vspheredb',
- db_username: 'vspheredb',
- db_password: 'vspheredb' }
- end
-
- it {
- is_expected.to contain_package('icingaweb2-module-vspheredb')
- .with_ensure('installed')
- }
-
- it {
- is_expected.not_to contain_class('icingaweb2::module::vspheredb::service')
- }
- end
- end
- end
-end
From 3defff0e79d981fb74fdf8a73d64409a02d0fba3 Mon Sep 17 00:00:00 2001
From: Lennart Betz Date: Sun, 5 Nov 2023 14:18:48 +0100 Subject: [PATCH 06/14] rework reporting, include service private class, own certs directory --- REFERENCE.md | 84 ++--------- data/Linux-kernel.yaml | 3 +- data/common.yaml | 17 ++- manifests/globals.pp | 5 + manifests/module/reporting.pp | 169 ++++++--------------- manifests/module/reporting/config.pp | 87 +++++++++++ manifests/module/reporting/install.pp | 71 +++++++++ manifests/module/reporting/service.pp | 65 ++------- manifests/module/vspheredb/config.pp | 26 ++-- manifests/module/vspheredb/install.pp | 2 +- spec/classes/modules/reporting_spec.rb | 195 +++++++++++++++++++++++++ spec/classes/reporting_service_spec.rb | 41 ------ spec/classes/reporting_spec.rb | 120 --------------- 13 files changed, 456 insertions(+), 429 deletions(-) create mode 100644 manifests/module/reporting/config.pp create mode 100644 manifests/module/reporting/install.pp create mode 100644 spec/classes/modules/reporting_spec.rb delete mode 100644 spec/classes/reporting_service_spec.rb delete mode 100644 spec/classes/reporting_spec.rb diff --git a/REFERENCE.md b/REFERENCE.md index bb4c9a3a..42c7e35e 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -29,7 +29,6 @@ * [`icingaweb2::module::puppetdb`](#icingaweb2--module--puppetdb): Installs and configures the puppetdb module. * [`icingaweb2::module::reactbundle`](#icingaweb2--module--reactbundle): Installs and enables the reactbundle module. * [`icingaweb2::module::reporting`](#icingaweb2--module--reporting): Installs the reporting module -* [`icingaweb2::module::reporting::service`](#icingaweb2--module--reporting--service): Installs and configures the reporting scheduler. * [`icingaweb2::module::translation`](#icingaweb2--module--translation): Installs and configures the translation module. * [`icingaweb2::module::vspheredb`](#icingaweb2--module--vspheredb): Installs the vsphereDB plugin * [`icingaweb2::module::x509`](#icingaweb2--module--x509): Installs the x509 module 
@@ -39,8 +38,11 @@ * `icingaweb2::config`: Configures Icinga Web 2. * `icingaweb2::install`: Installs Icinga Web 2 and extra packages. +* `icingaweb2::module::reporting::config`: Configure the reporting module. +* `icingaweb2::module::reporting::install`: Install the reporting module. +* `icingaweb2::module::reporting::service`: Manage the reporting service. * `icingaweb2::module::vspheredb::config`: Configure the VSphereDB module -* `icingaweb2::module::vspheredb::install`: Installs the VSphereDB module +* `icingaweb2::module::vspheredb::install`: Install the VSphereDB module * `icingaweb2::module::vspheredb::service`: Manage the vspheredb service. ### Defined types @@ -3004,6 +3006,9 @@ The following parameters are available in the `icingaweb2::module::reporting` cl * [`import_schema`](#-icingaweb2--module--reporting--import_schema) * [`mail`](#-icingaweb2--module--reporting--mail) * [`manage_service`](#-icingaweb2--module--reporting--manage_service) +* [`service_ensure`](#-icingaweb2--module--reporting--service_ensure) +* [`service_enable`](#-icingaweb2--module--reporting--service_enable) +* [`service_user`](#-icingaweb2--module--reporting--service_user) ##### `ensure` @@ -3013,11 +3018,11 @@ Ensures the state of the reporting module. ##### `module_dir` -Data type: `Optional[Stdlib::Absolutepath]` +Data type: `Stdlib::Absolutepath` Target directory of the module. -Default value: `undef` +Default value: `"${icingaweb2::globals::default_module_path}/reporting"` ##### `git_repository` @@ -3057,8 +3062,6 @@ Data type: `Stdlib::Host` The host where the reporting database will be running -Default value: `'localhost'` - ##### `db_port` Data type: `Optional[Stdlib::Port]` @@ -3073,16 +3076,12 @@ Data type: `String` The name of the database this module should use. -Default value: `'reporting'` - ##### `db_username` Data type: `String` The username needed to access the database. -Default value: `'reporting'` - ##### `db_password` Data type: `Optional[Icingaweb2::Secret]` 
@@ -3203,76 +3202,25 @@ Default value: `undef` Data type: `Boolean` -Also manage the service (daemon), running and enabled. Otherwise do your config via hiera. - -Default value: `true` - -### `icingaweb2::module::reporting::service` - -Installs and configures the reporting scheduler. - -* **Note** Only systemd is supported by the Icinga Team and this module. - -#### Examples - -##### - -```puppet -include icingaweb2::module::reporting::service -``` - -#### Parameters - -The following parameters are available in the `icingaweb2::module::reporting::service` class: - -* [`ensure`](#-icingaweb2--module--reporting--service--ensure) -* [`enable`](#-icingaweb2--module--reporting--service--enable) -* [`user`](#-icingaweb2--module--reporting--service--user) -* [`group`](#-icingaweb2--module--reporting--service--group) -* [`manage_user`](#-icingaweb2--module--reporting--service--manage_user) +If set to true the service (daemon) is managed. -##### `ensure` +##### `service_ensure` Data type: `Stdlib::Ensure::Service` -Whether the reporting service should be running. - -Default value: `'running'` +Wether the service is `running` or `stopped`. -##### `enable` +##### `service_enable` Data type: `Boolean` -Enable or disable the service. - -Default value: `true` - -##### `user` - -Data type: `String` - -Specifies the user to run the reporting service daemon as. -Only available if install_method package is not used. - -Default value: `'icingareporting'` +Whether the service should be started at boot time. -##### `group` +##### `service_user` Data type: `String` -Specifies the primary group to run the reporting service daemon as. -Only available if install_method package is not used. - -Default value: `'icingaweb2'` - -##### `manage_user` - -Data type: `Boolean` - -Whether to manage the server user resource. Only available if -install_method package is not used. - -Default value: `true` +The user as which the service is running. Only valid if `install_method` is set to `git`. 
### `icingaweb2::module::translation` diff --git a/data/Linux-kernel.yaml b/data/Linux-kernel.yaml index bbb367e6..e22127d0 100644 --- a/data/Linux-kernel.yaml +++ b/data/Linux-kernel.yaml @@ -6,8 +6,6 @@ icingaweb2::globals::data_dir: /usr/share/icingaweb2 icingaweb2::globals::comp_db_schema_dir: /usr/share/doc/icingaweb2 icingaweb2::globals::mysql_db_schema: /usr/share/doc/icingaweb2/schema/mysql.schema.sql icingaweb2::globals::pgsql_db_schema: /usr/share/doc/icingaweb2/schema/pgsql.schema.sql -icingaweb2::globals::mysql_reporting_schema: /usr/share/icingaweb2/modules/reporting/schema/mysql.sql -icingaweb2::globals::pgsql_reporting_schema: /usr/share/icingaweb2/modules/reporting/schema/postgresql.sql icingaweb2::globals::mysql_idoreports_slaperiods: /usr/share/icingaweb2/modules/idoreports/schema/mysql/slaperiods.sql icingaweb2::globals::mysql_idoreports_sla_percent: /usr/share/icingaweb2/modules/idoreports/schema/mysql/get_sla_ok_percent.sql icingaweb2::globals::pgsql_idoreports_slaperiods: /usr/share/icingaweb2/modules/idoreports/schema/postgresql/slaperiods.sql @@ -21,4 +19,5 @@ icingaweb2::conf_group: icingaweb2 icingaweb2::logging_file: /var/log/icingaweb2/icingaweb2.log icingaweb2::module::icingadb::package_name: icingadb-web +icingaweb2::module::reporting::package_name: icingaweb2-module-reporting icingaweb2::module::vspheredb::package_name: icingaweb2-module-vspheredb diff --git a/data/common.yaml b/data/common.yaml index 393f7fe1..a1d8c4a8 100644 --- a/data/common.yaml +++ b/data/common.yaml 
@@ -15,10 +15,6 @@ icingaweb2::module::graphite::git_repository: https://github.com/Icinga/icingawe icingaweb2::module::incubator::git_repository: https://github.com/Icinga/icingaweb2-module-incubator.git icingaweb2::module::incubator::git_revision: v0.19.0 icingaweb2::module::puppetdb::git_repository: https://github.com/Icinga/icingaweb2-module-puppetdb.git -icingaweb2::module::reporting::ensure: present -icingaweb2::module::reporting::install_method: git -icingaweb2::module::reporting::git_repository: https://github.com/Icinga/icingaweb2-module-reporting.git -icingaweb2::module::reporting::package_name: icingaweb2-module-reporting icingaweb2::module::idoreports::ensure: present icingaweb2::module::idoreports::install_method: git icingaweb2::module::idoreports::git_repository: https://github.com/Icinga/icingaweb2-module-idoreports.git @@ -28,6 +24,19 @@ icingaweb2::module::x509::install_method: git icingaweb2::module::x509::git_repository: https://github.com/Icinga/icingaweb2-module-x509.git icingaweb2::module::x509::package_name: icingaweb2-module-x509 +icingaweb2::globals::mysql_reporting_schema: /schema/mysql.sql +icingaweb2::globals::pgsql_reporting_schema: /schema/postgresql.sql +icingaweb2::module::reporting::ensure: present +icingaweb2::module::reporting::install_method: git +icingaweb2::module::reporting::git_repository: https://github.com/Icinga/icingaweb2-module-reporting.git +icingaweb2::module::reporting::manage_service: true +icingaweb2::module::reporting::service_ensure: running +icingaweb2::module::reporting::service_enable: true +icingaweb2::module::reporting::service_user: icingareporting +icingaweb2::module::reporting::db_host: localhost +icingaweb2::module::reporting::db_name: reporting +icingaweb2::module::reporting::db_username: reporting + icingaweb2::globals::mysql_vspheredb_schema: /schema/mysql.sql icingaweb2::globals::pgsql_vspheredb_schema: /schema/pgsql.sql icingaweb2::module::vspheredb::ensure: present 
diff --git a/manifests/globals.pp b/manifests/globals.pp index 2685ff97..5014818f 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -94,6 +94,11 @@ $db_charset = { 'mysql' => { 'vspheredb' => 'utf8mb4', + 'reporting' => 'utf8mb4', + }, + 'pgsql' => { + 'vspheredb' => 'UTF8', + 'reporting' => 'UTF8', }, } diff --git a/manifests/module/reporting.pp b/manifests/module/reporting.pp index 3a9953d0..46c157dd 100644 --- a/manifests/module/reporting.pp +++ b/manifests/module/reporting.pp @@ -80,7 +80,16 @@ # Mails are sent with this sender address. # # @param manage_service -# Also manage the service (daemon), running and enabled. Otherwise do your config via hiera. +# If set to true the service (daemon) is managed. +# +# @param service_ensure +# Wether the service is `running` or `stopped`. +# +# @param service_enable +# Whether the service should be started at boot time. +# +# @param service_user +# The user as which the service is running. Only valid if `install_method` is set to `git`. # # @example # class { 'icingaweb2::module::reporting': 
@@ -97,17 +106,20 @@ Enum['git', 'none', 'package'] $install_method, String $git_repository, String $package_name, + Boolean $manage_service, + Stdlib::Ensure::Service $service_ensure, + Boolean $service_enable, + String $service_user, Enum['mysql', 'pgsql'] $db_type, - Optional[Stdlib::Absolutepath] $module_dir = undef, - Optional[String] $git_revision = undef, - Stdlib::Host $db_host = 'localhost', + Stdlib::Host $db_host, + String $db_name, + String $db_username, Optional[Stdlib::Port] $db_port = undef, - String $db_name = 'reporting', - String $db_username = 'reporting', Optional[Icingaweb2::Secret] $db_password = undef, Optional[String] $db_charset = undef, Variant[Boolean, Enum['mariadb', 'mysql']] $import_schema = false, - Boolean $manage_service = true, + Stdlib::Absolutepath $module_dir = "${icingaweb2::globals::default_module_path}/reporting", + Optional[String] $git_revision = undef, Optional[Boolean] $use_tls = undef, Optional[Stdlib::Absolutepath] $tls_key_file = undef, Optional[Stdlib::Absolutepath] $tls_cert_file = undef, 
@@ -122,127 +134,32 @@ ) { icingaweb2::assert_module() - $conf_dir = $icingaweb2::globals::conf_dir - $mysql_reporting_schema = $icingaweb2::globals::mysql_reporting_schema - $pgsql_reporting_schema = $icingaweb2::globals::pgsql_reporting_schema - $module_conf_dir = "${conf_dir}/modules/reporting" - $_db_port = pick($db_port, $icingaweb2::globals::port[$db_type]) - - $_db_charset = if $db_charset { - $db_charset - } else { - if $db_type == 'mysql' { - 'utf8mb4' - } else { - 'UTF8' - } - } - - $tls = delete($icingaweb2::config::tls, ['key', 'cert', 'cacert']) + delete_undef_values(icingaweb2::cert::files( - 'client', - $module_conf_dir, - $tls_key_file, - $tls_cert_file, - $tls_cacert_file, - $tls_key, - $tls_cert, - $tls_cacert, - ) + { - capath => $tls_capath, - noverify => $tls_noverify, - cipher => $tls_cipher, - }) + $cert_dir = "${icingaweb2::globals::state_dir}/reporting/certs" - Exec { - user => 'root', - path => $facts['path'], - provider => 'shell', - require => [Icingaweb2::Module['reporting'], Icingaweb2::Tls::Client['icingaweb2::module::reporting tls client config']], + $db = { + type => $db_type, + database => $db_name, + host => $db_host, + port => $db_port, + username => $db_username, + password => $db_password, } - icingaweb2::tls::client { 'icingaweb2::module::reporting tls client config': - args => $tls, - } - - icingaweb2::resource::database { 'reporting': - type => $db_type, - host => $db_host, - port => $_db_port, - database => $db_name, - username => $db_username, - password => $db_password, - charset => $_db_charset, - use_tls => $use_tls, - tls_noverify => $tls['noverify'], - tls_key => $tls['key_file'], - tls_cert => $tls['cert_file'], - tls_cacert => $tls['cacert_file'], - tls_capath => $tls['capath'], - tls_cipher => $tls['cipher'], - } - - icingaweb2::module { 'reporting': - ensure => $ensure, - git_repository => $git_repository, - git_revision => $git_revision, - install_method => $install_method, - module_dir => $module_dir, - 
package_name => $package_name, - settings => { - 'icingaweb2-module-reporting-backend' => { - 'section_name' => 'backend', - 'target' => "${module_conf_dir}/config.ini", - 'settings' => { - 'resource' => 'reporting', - }, - }, - 'icingaweb2-module-reporting-mail' => { - 'section_name' => 'mail', - 'target' => "${module_conf_dir}/config.ini", - 'settings' => delete_undef_values({ - 'from' => $mail, - }), - }, - }, - } - - if $import_schema { - $real_db_type = if $import_schema =~ Boolean { - if $db_type == 'pgsql' { 'pgsql' } else { 'mariadb' } - } else { - $import_schema - } - $db_cli_options = icingaweb2::db::connect({ - type => $real_db_type, - name => $db_name, - host => $db_host, - port => $_db_port, - user => $db_username, - pass => $db_password, - }, $tls, $use_tls) + $tls = icinga::cert::files( + $db_username, + $cert_dir, + $tls_key_file, + $tls_cert_file, + $tls_cacert_file, + $tls_key, + $tls_cert, + $tls_cacert, + ) - case $db_type { - 'mysql': { - exec { 'import icingaweb2::module::reporting schema': - command => "mysql ${db_cli_options} < '${mysql_reporting_schema}'", - unless => "mysql ${db_cli_options} -Ns -e 'SELECT * FROM report'", - } - } - 'pgsql': { - $_db_password = icingaweb2::unwrap($db_password) - exec { 'import icingaweb2::module::reporting schema': - environment => ["PGPASSWORD=${_db_password}"], - command => "psql '${db_cli_options}' -w -f ${pgsql_reporting_schema}", - unless => "psql '${db_cli_options}' -w -c 'SELECT * FROM report'", - } - } # pgsql (not supported) - default: { - fail('The database type you provided is not supported.') - } - } - } # schema import - - if $manage_service { - include icingaweb2::module::reporting::service - } + class { 'icingaweb2::module::reporting::install': } + -> class { 'icingaweb2::module::reporting::config': } + ~> class { 'icingaweb2::module::reporting::service': } + contain icingaweb2::module::reporting::install + contain icingaweb2::module::reporting::config + contain 
icingaweb2::module::reporting::service } diff --git a/manifests/module/reporting/config.pp b/manifests/module/reporting/config.pp new file mode 100644 index 00000000..53cf189e --- /dev/null +++ b/manifests/module/reporting/config.pp 
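Review bot: The new `$db` hash passes `port => $db_port` straight through, so the fallback from the removed line `$_db_port = pick($db_port, $icingaweb2::globals::port[$db_type])` is gone and the port is undef unless the caller sets it. Whether `icingaweb2::resource::database` and `icinga::db::connect` accept an undef port is not visible in this patch; if they do not, keep the fallback with `port => pick($db_port, $icingaweb2::globals::port[$db_type]),`. The new spec asserts a port only in the context that sets `db_port: 4711`, so the default case is untested either way.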
@@ -0,0 +1,87 @@ +# @summary +# Configure the reporting module. +# +# @api private +# +class icingaweb2::module::reporting::config { + assert_private() + + $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/reporting" + $conf_group = $icingaweb2::conf_group + $mysql_schema = "${icingaweb2::module::reporting::module_dir}${icingaweb2::globals::mysql_reporting_schema}" + $pgsql_schema = "${icingaweb2::module::reporting::module_dir}${icingaweb2::globals::pgsql_reporting_schema}" + $db = $icingaweb2::module::reporting::db + $import_schema = $icingaweb2::module::reporting::import_schema + $use_tls = $icingaweb2::module::reporting::use_tls + $tls = $icingaweb2::module::reporting::tls + { + cacert_file => icingaweb2::pick($icingaweb2::module::reporting::tls['cacert_file'], $icingaweb2::config::tls['cacert_file']), + capath => icingaweb2::pick($icingaweb2::module::reporting::tls_capath, $icingaweb2::config::tls['capath']), + noverify => icingaweb2::pick($icingaweb2::module::reporting::tls_noverify, $icingaweb2::config::tls['noverify']), + cipher => icingaweb2::pick($icingaweb2::module::reporting::tls_cipher, $icingaweb2::config::tls['cipher']), + } + $icingacli_bin = $icingaweb2::globals::icingacli_bin + $service_user = $icingaweb2::module::reporting::service_user + $install_method = $icingaweb2::module::reporting::install_method + + Exec { + user => 'root', + path => $facts['path'], + provider => 'shell', + } + + if $install_method == 'git' { + systemd::unit_file { 'icinga-reporting.service': + ensure => 'present', + content => epp('icingaweb2/icinga-reporting.service.epp', { + 'conf_user' => $service_user, + 'icingacli_bin' => $icingaweb2::globals::icingacli_bin, + }), + } + } + + icingaweb2::resource::database { 'reporting': + type => $db['type'], + host => $db['host'], + port => $db['port'], + database => $db['database'], + username => $db['username'], + password => $db['password'], + charset => pick($icingaweb2::module::reporting::db_charset, 
$icingaweb2::globals::db_charset[$db['type']]['reporting']), + use_tls => $use_tls, + tls_noverify => $tls['noverify'], + tls_key => $tls['key_file'], + tls_cert => $tls['cert_file'], + tls_cacert => $tls['cacert_file'], + tls_capath => $tls['capath'], + tls_cipher => $tls['cipher'], + } + + if $import_schema { + $real_db_type = if $import_schema =~ Boolean { + if $db['type'] == 'pgsql' { 'pgsql' } else { 'mariadb' } + } else { + $import_schema + } + $db_cli_options = icinga::db::connect($db + { type => $real_db_type }, $tls, $use_tls) + + case $db['type'] { + 'mysql': { + exec { 'import icingaweb2::module::reporting schema': + command => "mysql ${db_cli_options} < '${mysql_schema}'", + unless => "mysql ${db_cli_options} -Ns -e 'SELECT * FROM report'", + } + } + 'pgsql': { + $_db_password = icingaweb2::unwrap($db['password']) + exec { 'import icingaweb2::module::reporting schema': + environment => ["PGPASSWORD=${_db_password}"], + command => "psql '${db_cli_options}' -w -f ${pgsql_schema}", + unless => "psql '${db_cli_options}' -w -c 'SELECT * FROM report'", + } + } # pgsql (not supported) + default: { + fail('The database type you provided is not supported.') + } + } + } # schema import +} diff --git a/manifests/module/reporting/install.pp b/manifests/module/reporting/install.pp new file mode 100644 index 00000000..d8427af0 --- /dev/null +++ b/manifests/module/reporting/install.pp 
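Review bot: In the `pgsql` branch the schema path is interpolated unquoted as `-f ${pgsql_schema}`, while the `mysql` branch quotes it as `'${mysql_schema}'`. Both execs run as root through `provider => 'shell'`, so a `module_dir` containing a space or shell metacharacter changes the command that is executed. Quote it the same way: `command => "psql '${db_cli_options}' -w -f '${pgsql_schema}'",`. The vspheredb/config.pp hunk `@@ -78,7 +78,7 @@` in this patch has the same unquoted `-f ${pgsql_schema}`. Separately, `icingaweb2::unwrap($db['password'])` placed in `environment` presumably puts the clear-text password into the compiled catalog; a comment on that exec should say so, so that catalogs and reports for this resource are handled as secrets.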
@@ -0,0 +1,71 @@
+# @summary
+# Install the reporting module.
+#
+# @api private
+#
+class icingaweb2::module::reporting::install {
+ assert_private()
+
+ $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/reporting"
+ $conf_user = $icingaweb2::conf_user
+ $conf_group = $icingaweb2::conf_group
+ $ensure = $icingaweb2::module::reporting::ensure
+ $git_repository = $icingaweb2::module::reporting::git_repository
+ $git_revision = $icingaweb2::module::reporting::git_revision
+ $install_method = $icingaweb2::module::reporting::install_method
+ $module_dir = $icingaweb2::module::reporting::module_dir
+ $package_name = $icingaweb2::module::reporting::package_name
+ $use_tls = $icingaweb2::module::reporting::use_tls
+ $tls = $icingaweb2::module::reporting::tls
+ $cert_dir = $icingaweb2::module::reporting::cert_dir
+ $service_user = $icingaweb2::module::reporting::service_user
+ $mail = $icingaweb2::module::reporting::mail
+
+ icingaweb2::module { 'reporting':
+ ensure => $ensure,
+ git_repository => $git_repository,
+ git_revision => $git_revision,
+ install_method => $install_method,
+ module_dir => $module_dir,
+ package_name => $package_name,
+ settings => {
+ 'icingaweb2-module-reporting-backend' => {
+ 'section_name' => 'backend',
+ 'target' => "${module_conf_dir}/config.ini",
+ 'settings' => {
+ 'resource' => 'reporting',
+ },
+ },
+ 'icingaweb2-module-reporting-mail' => {
+ 'section_name' => 'mail',
+ 'target' => "${module_conf_dir}/config.ini",
+ 'settings' => delete_undef_values({
+ 'from' => $mail,
+ }),
+ },
+ },
+ }
+
+ if $use_tls {
+ file { $cert_dir:
+ ensure => directory,
+ owner => 'root',
+ group => $conf_group,
+ mode => '2770',
+ }
+
+ icinga::cert { 'icingaweb2::module::reporting tls client config':
+ owner => $conf_user,
+ group => $conf_group,
+ args => $tls,
+ }
+ }
+
+ if $install_method == 'git' {
+ user { $service_user:
+ ensure => 'present',
+ gid => $conf_group,
+ shell => '/bin/false',
+ }
+ }
+}
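Review bot: The certificate directory is created with `mode => '2770'` and `group => $conf_group`, so every member of the web configuration group can create, replace or delete the key and CA files in it. The `user { $service_user: gid => $conf_group }` resource further down puts the reporting daemon account into that same group. If the group only has to read the files, `mode => '2750',` is sufficient and keeps writes with root. The directory is managed only when `$use_tls` is true, and its parent (`.../reporting`, from `$cert_dir` in reporting.pp) is not created in this class; it is worth confirming that the parent exists before this resource is applied.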
diff --git a/manifests/module/reporting/service.pp b/manifests/module/reporting/service.pp
index 74001ff5..15b27721 100644
--- a/manifests/module/reporting/service.pp
+++ b/manifests/module/reporting/service.pp
@@ -1,61 +1,18 @@ -# @summary Installs and configures the reporting scheduler. +# @summary +# Manage the reporting service. # -# @note Only systemd is supported by the Icinga Team and this module. +# @api private # -# @param [Stdlib::Ensure::Service] ensure -# Whether the reporting service should be running. -# -# @param [Boolean] enable -# Enable or disable the service. -# -# @param [String] user -# Specifies the user to run the reporting service daemon as. -# Only available if install_method package is not used. -# -# @param [String] group -# Specifies the primary group to run the reporting service daemon as. -# Only available if install_method package is not used. -# -# @param [Boolean] manage_user -# Whether to manage the server user resource. Only available if -# install_method package is not used. -# -# @example -# include icingaweb2::module::reporting::service -# -class icingaweb2::module::reporting::service ( - Stdlib::Ensure::Service $ensure = 'running', - Boolean $enable = true, - String $user = 'icingareporting', - String $group = 'icingaweb2', - Boolean $manage_user = true, -) { - require icingaweb2::module::reporting - - $install_method = $icingaweb2::module::reporting::install_method +class icingaweb2::module::reporting::service { + assert_private() - if $install_method != 'package' { - if $manage_user { - user { $user: - ensure => 'present', - gid => $group, - shell => '/bin/false', - before => Systemd::Unit_file['icinga-reporting.service'], - } - } + if $icingaweb2::module::reporting::manage_service { + $ensure = $icingaweb2::module::reporting::service_ensure + $enable = $icingaweb2::module::reporting::service_enable - systemd::unit_file { 'icinga-reporting.service': - ensure => 'present', - content => epp('icingaweb2/icinga-reporting.service.epp', { - 'conf_user' => $user, - 'icingacli_bin' => $icingaweb2::globals::icingacli_bin, - }), - notify => Service['icinga-reporting'], + service { 'icinga-reporting': + ensure => $ensure, + enable => $enable, 
} } - - service { 'icinga-reporting': - ensure => $ensure, - enable => $enable, - } } diff --git a/manifests/module/vspheredb/config.pp b/manifests/module/vspheredb/config.pp index eddd623f..201cacc0 100644 --- a/manifests/module/vspheredb/config.pp +++ b/manifests/module/vspheredb/config.pp 
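Review bot: With `install_method => 'none'` and `manage_service => true` this class still declares `service { 'icinga-reporting': }`, but the unit file and the service user are now created only for `install_method == 'git'` (config.pp and install.pp in this patch). The removed code created them for every method except `package`, so the `none` case loses its unit. If `none` is meant to leave the unit to the operator, say so in the `manage_service` documentation; otherwise restore the old condition `if $install_method != 'package' {` in config.pp and install.pp.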
@@ -6,22 +6,22 @@ class icingaweb2::module::vspheredb::config { assert_private() - $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/vspheredb" - $conf_group = $icingaweb2::conf_group - $mysql_vspheredb_schema = "${icingaweb2::module::vspheredb::module_dir}${icingaweb2::globals::mysql_vspheredb_schema}" - $pgsql_vspheredb_schema = "${icingaweb2::module::vspheredb::module_dir}${icingaweb2::globals::pgsql_vspheredb_schema}" - $db = $icingaweb2::module::vspheredb::db - $import_schema = $icingaweb2::module::vspheredb::import_schema - $use_tls = $icingaweb2::module::vspheredb::use_tls - $tls = $icingaweb2::module::vspheredb::tls + { + $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/vspheredb" + $conf_group = $icingaweb2::conf_group + $mysql_schema = "${icingaweb2::module::vspheredb::module_dir}${icingaweb2::globals::mysql_vspheredb_schema}" + $pgsql_schema = "${icingaweb2::module::vspheredb::module_dir}${icingaweb2::globals::pgsql_vspheredb_schema}" + $db = $icingaweb2::module::vspheredb::db + $import_schema = $icingaweb2::module::vspheredb::import_schema + $use_tls = $icingaweb2::module::vspheredb::use_tls + $tls = $icingaweb2::module::vspheredb::tls + { cacert_file => icingaweb2::pick($icingaweb2::module::vspheredb::tls['cacert_file'], $icingaweb2::config::tls['cacert_file']), capath => icingaweb2::pick($icingaweb2::module::vspheredb::tls_capath, $icingaweb2::config::tls['capath']), noverify => icingaweb2::pick($icingaweb2::module::vspheredb::tls_noverify, $icingaweb2::config::tls['noverify']), cipher => icingaweb2::pick($icingaweb2::module::vspheredb::tls_cipher, $icingaweb2::config::tls['cipher']), } - $icingacli_bin = $icingaweb2::globals::icingacli_bin - $service_user = $icingaweb2::module::vspheredb::service_user - $install_method = $icingaweb2::module::vspheredb::install_method + $icingacli_bin = $icingaweb2::globals::icingacli_bin + $service_user = $icingaweb2::module::vspheredb::service_user + $install_method = 
$icingaweb2::module::vspheredb::install_method Exec { user => 'root', @@ -70,7 +70,7 @@ case $db['type'] { 'mysql': { exec { 'import icingaweb2::module::vspheredb schema': - command => "mysql ${db_cli_options} < '${mysql_vspheredb_schema}'", + command => "mysql ${db_cli_options} < '${mysql_schema}'", unless => "mysql ${db_cli_options} -Ns -e 'SELECT schema_version FROM vspheredb_schema_migration'", } } @@ -78,7 +78,7 @@ $_db_password = icingaweb2::unwrap($db['password']) exec { 'import icingaweb2::module::vspheredb schema': environment => ["PGPASSWORD=${_db_password}"], - command => "psql '${db_cli_options}' -w -f ${pgsql_vspheredb_schema}", + command => "psql '${db_cli_options}' -w -f ${pgsql_schema}", unless => "psql '${db_cli_options}' -w -c 'SELECT schema_version FROM vspheredb_schema_migration'", } } # pgsql (not supported) diff --git a/manifests/module/vspheredb/install.pp b/manifests/module/vspheredb/install.pp index 8dc7b5af..24c47b27 100644 --- a/manifests/module/vspheredb/install.pp +++ b/manifests/module/vspheredb/install.pp @@ -1,5 +1,5 @@ # @summary -# Installs the VSphereDB module +# Install the VSphereDB module # # @api private # diff --git a/spec/classes/modules/reporting_spec.rb b/spec/classes/modules/reporting_spec.rb new file mode 100644 index 00000000..725fe9e6 --- /dev/null +++ b/spec/classes/modules/reporting_spec.rb 
@@ -0,0 +1,195 @@ +require 'spec_helper' + +describe('icingaweb2::module::reporting', type: :class) do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'mysql', conf_user => 'foo', conf_group => 'bar' }", + ] + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let :facts do + facts + end + + context "#{os} with git_revision 'v1.0.0', service_user 'foobaz', mail 'foo@icinga.com'" do + let(:params) do + { + git_revision: 'v1.0.0', + db_type: 'mysql', + db_password: 'reporting', + service_user: 'foobaz', + mail: 'foo@icinga.com', + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('reporting') + .with_type('mysql') + .with_host('localhost') + .with_database('reporting') + .with_username('reporting') + .with_password('reporting') + .with_charset('utf8mb4') + } + + it { + is_expected.to contain_icingaweb2__module('reporting') + .with_install_method('git') + .with_git_revision('v1.0.0') + .with_package_name('icingaweb2-module-reporting') + .with_settings('icingaweb2-module-reporting-backend' => { + 'section_name' => 'backend', + 'target' => '/etc/icingaweb2/modules/reporting/config.ini', + 'settings' => { + 'resource' => 'reporting', + }, + }, + 'icingaweb2-module-reporting-mail' => { + 'section_name' => 'mail', + 'target' => '/etc/icingaweb2/modules/reporting/config.ini', + 'settings' => { 'from' => 'foo@icinga.com' }, + }) + } + + it { + is_expected.to contain_user('foobaz') + .with_ensure('present') + .with_gid('bar') + .with_shell('/bin/false') + } + + it { + is_expected.to contain_systemd__unit_file('icinga-reporting.service') + .with_content(%r{User=foobaz}) + .with_content(%r{ExecStart=/usr/bin/icingacli}) + } + + it { + is_expected.to contain_service('icinga-reporting') + .with_ensure('running') + .with_enable(true) + } + + it { is_expected.not_to contain_exec('import icingaweb2::module::reporting schema') } + end + + context "#{os} with db_type 'mysql', db_port '4711', install_method 'package', 
manage_service 'false', import_schema 'true'" do + let(:params) do + { + install_method: 'package', + manage_service: false, + db_type: 'mysql', + db_port: 4711, + import_schema: true, + } + end + + it { + is_expected.to contain_package('icingaweb2-module-reporting') + .with_ensure('installed') + } + + it { + is_expected.to contain_icingaweb2__resource__database('reporting') + .with_type('mysql') + .with_host('localhost') + .with_port(4711) + .with_database('reporting') + .with_username('reporting') + .with_charset('utf8mb4') + } + + it { + is_expected.to contain_exec('import icingaweb2::module::reporting schema') + .with_command(%r{^mysql.*\< '/usr/share/icingaweb2/modules/reporting/schema/mysql.sql'$}) + .with_unless(%r{^mysql.* -Ns -e 'SELECT \* FROM report'$}) + } + + it { is_expected.not_to contain_user('icingareporting') } + it { is_expected.not_to contain_systemd__unit_file('icinga-reporting.service') } + it { is_expected.not_to contain_service('icinga-reporting') } + end + + context "#{os} with use_tls 'true', tls_cacert 'cacert', tls_capath '/foo/bar', tls_noverify 'true', tls_cipher 'cipher'" do + let(:params) do + { + db_type: 'mysql', + use_tls: true, + tls_cacert_file: '/foo/bar', + tls_capath: '/foo/bar', + tls_noverify: true, + tls_cipher: 'cipher', + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('reporting').with( + { + 'type' => 'mysql', + 'host' => 'localhost', + 'database' => 'reporting', + 'username' => 'reporting', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + }, + ) + } + end + + context "#{os} with db_type 'pgsql', use_tls 'true', import_schema 'true', service_ensure 'stopped', service_enabe 'false'" do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'pgsql', tls_cacert_file => '/foo/bar', tls_capath => '/foo/bar', tls_noverify => true, tls_cipher => 'cipher' }", + ] + end + + let(:params) do + { + db_type: 
'pgsql', + db_password: 'foo', + import_schema: true, + use_tls: true, + service_ensure: 'stopped', + service_enable: false, + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('reporting').with( + { + 'type' => 'pgsql', + 'host' => 'localhost', + 'database' => 'reporting', + 'username' => 'reporting', + 'password' => 'foo', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + 'charset' => 'UTF8', + }, + ) + } + + it { + is_expected.to contain_exec('import icingaweb2::module::reporting schema') + .with_environment(['PGPASSWORD=foo']) + .with_command(%r{^psql.*-w -f /usr/share/icingaweb2/modules/reporting/schema/postgresql.sql$}) + .with_unless(%r{^psql.*-w -c 'SELECT \* FROM report'$}) + } + + it { + is_expected.to contain_service('icinga-reporting') + .with_ensure('stopped') + .with_enable(false) + } + end + end + end +end diff --git a/spec/classes/reporting_service_spec.rb b/spec/classes/reporting_service_spec.rb deleted file mode 100644 index aafdc81b..00000000 --- a/spec/classes/reporting_service_spec.rb +++ /dev/null 
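Review bot: The two `use_tls` contexts check only the `icingaweb2::resource::database` parameters; nothing asserts the resources install.pp adds under `if $use_tls`, so the certificate directory's owner, group and mode and the `icinga::cert` declaration can change without a failing test. Add something like `it { is_expected.to contain_icinga__cert('icingaweb2::module::reporting tls client config').with_owner('foo').with_group('bar') }` to the mysql TLS context, which runs with the `conf_user => 'foo', conf_group => 'bar'` pre-condition, plus a `contain_file` check on the directory mode. The deleted reporting_service_spec.rb also verified that the unit file notifies `Service[icinga-reporting]`; that relationship is no longer covered. The last context title misspells `service_enable` as `service_enabe`.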
@@ -1,41 +0,0 @@ -require 'spec_helper' - -describe('icingaweb2::module::reporting::service', type: :class) do - let(:pre_condition) do - [ - "class { 'icingaweb2': db_type => 'mysql' }", - "class { 'icingaweb2::module::reporting': db_type => 'mysql', manage_service => false }", - ] - end - - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - context "#{os} with defaults" do - it do - is_expected.to contain_user('icingareporting') - .with( - 'ensure' => 'present', - 'gid' => 'icingaweb2', - 'shell' => '/bin/false', - ).that_comes_before('Systemd::Unit_file[icinga-reporting.service]') - end - it do - is_expected.to contain_systemd__unit_file('icinga-reporting.service').with( - content: %r{[Unit]}, - ).that_notifies('Service[icinga-reporting]') - end - it do - is_expected.to contain_service('icinga-reporting') - .with( - 'ensure' => 'running', - 'enable' => true, - ) - end - end - end - end -end diff --git a/spec/classes/reporting_spec.rb b/spec/classes/reporting_spec.rb deleted file mode 100644 index dc6601de..00000000 --- a/spec/classes/reporting_spec.rb +++ /dev/null 
@@ -1,120 +0,0 @@ -require 'spec_helper' - -describe('icingaweb2::module::reporting', type: :class) do - let(:pre_condition) do - [ - "class { 'icingaweb2': db_type => 'mysql' }", - ] - end - - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - context "#{os} with db_type 'mysql'" do - let(:params) do - { git_revision: 'foobar', - db_type: 'mysql' } - end - - it { - is_expected.to contain_icingaweb2__resource__database('reporting') - .with_type('mysql') - .with_host('localhost') - .with_database('reporting') - .with_username('reporting') - .with_charset('utf8mb4') - } - - it { - is_expected.to contain_icingaweb2__module('reporting') - .with_install_method('git') - .with_git_revision('foobar') - .with_module_dir('/usr/share/icingaweb2/modules/reporting') - .with_settings('icingaweb2-module-reporting-backend' => { - 'section_name' => 'backend', - 'target' => '/etc/icingaweb2/modules/reporting/config.ini', - 'settings' => { - 'resource' => 'reporting', - }, - }, - 'icingaweb2-module-reporting-mail' => { - 'section_name' => 'mail', - 'target' => '/etc/icingaweb2/modules/reporting/config.ini', - 'settings' => {}, - }) - } - - it { is_expected.not_to contain_exec('import icingaweb2::module::reporting schema') } - - it { - is_expected.to contain_class('icingaweb2::module::reporting::service') - .with_ensure('running') - .with_enable(true) - } - end - - context "#{os} with db_type 'mysql', import_schema 'true'" do - let(:params) do - { db_type: 'mysql', - import_schema: true } - end - - it { is_expected.to contain_exec('import icingaweb2::module::reporting schema') } - end - - context "#{os} with db_type 'pgsql', mail 'foobar@examle.com', manage_service 'false', install_method 'package'" do - let(:params) do - { install_method: 'package', - db_type: 'pgsql', - manage_service: false, - mail: 'foobar@example.com' } - end - - it { - is_expected.to contain_icingaweb2__resource__database('reporting') - .with_type('pgsql') - 
.with_host('localhost') - .with_database('reporting') - .with_username('reporting') - .with_charset('UTF8') - } - - it { - is_expected.to contain_icingaweb2__module('reporting') - .with_install_method('package') - .with_package_name('icingaweb2-module-reporting') - .with_module_dir('/usr/share/icingaweb2/modules/reporting') - .with_settings('icingaweb2-module-reporting-backend' => { - 'section_name' => 'backend', - 'target' => '/etc/icingaweb2/modules/reporting/config.ini', - 'settings' => { - 'resource' => 'reporting', - }, - }, - 'icingaweb2-module-reporting-mail' => { - 'section_name' => 'mail', - 'target' => '/etc/icingaweb2/modules/reporting/config.ini', - 'settings' => { - 'from' => 'foobar@example.com', - }, - }) - } - - it { is_expected.not_to contain_exec('import icingaweb2::module::reporting schema') } - it { is_expected.not_to contain_class('icingaweb2::module::reporting::service') } - end - - context "#{os} with db_type 'pgsql', import_schema 'true'" do - let(:params) do - { db_type: 'pgsql', - import_schema: true } - end - - it { is_expected.to contain_exec('import icingaweb2::module::reporting schema') } - end - end - end -end From a975e8a832fbf3d24daeb57d1e3744bdf02f1762 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Mon, 6 Nov 2023 09:07:09 +0100 Subject: [PATCH 07/14] rework module icingadb --- REFERENCE.md | 12 +-- data/common.yaml | 6 ++ manifests/module/icingadb.pp | 106 +++++++------------- manifests/module/icingadb/config.pp | 47 +++++++++ manifests/module/icingadb/install.pp | 47 +++++++++ spec/classes/modules/icingadb_spec.rb | 137 +++++++++++++------------- 6 files changed, 202 insertions(+), 153 deletions(-) create mode 100644 manifests/module/icingadb/config.pp create mode 100644 manifests/module/icingadb/install.pp diff --git a/REFERENCE.md b/REFERENCE.md index 42c7e35e..4b7d4867 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -38,6 +38,8 @@ * `icingaweb2::config`: Configures Icinga Web 2. * `icingaweb2::install`: Installs Icinga Web 2 and extra packages. +* `icingaweb2::module::icingadb::config`: Configure the icingadb module. +* `icingaweb2::module::icingadb::install`: Install the icingadb module. * `icingaweb2::module::reporting::config`: Configure the reporting module. * `icingaweb2::module::reporting::install`: Install the reporting module. * `icingaweb2::module::reporting::service`: Manage the reporting service. @@ -1893,8 +1895,6 @@ Data type: `Enum['absent', 'present']` Enable or disable module. -Default value: `'present'` - ##### `package_name` Data type: `String` @@ -1913,8 +1913,6 @@ Data type: `Stdlib::Host` Hostname of the IcingaDB database. -Default value: `'localhost'` - ##### `db_port` Data type: `Optional[Stdlib::Port]` @@ -1929,16 +1927,12 @@ Data type: `String` Name of the IcingaDB database. -Default value: `'icingadb'` - ##### `db_username` Data type: `String` Username for IcingaDB database connection. -Default value: `'icingadb'` - ##### `db_password` Data type: `Optional[Icingaweb2::Secret]` @@ -2043,8 +2037,6 @@ Data type: `Stdlib::Host` Redis host to connect. -Default value: `'localhost'` - ##### `redis_port` Data type: `Optional[Stdlib::Port]` diff --git a/data/common.yaml b/data/common.yaml index a1d8c4a8..1644a548 100644 --- a/data/common.yaml +++ b/data/common.yaml 
@@ -24,6 +24,12 @@ icingaweb2::module::x509::install_method: git icingaweb2::module::x509::git_repository: https://github.com/Icinga/icingaweb2-module-x509.git icingaweb2::module::x509::package_name: icingaweb2-module-x509 +icingaweb2::module::icingadb::ensure: present +icingaweb2::module::icingadb::redis_host: localhost +icingaweb2::module::icingadb::db_host: localhost +icingaweb2::module::icingadb::db_name: icingadb +icingaweb2::module::icingadb::db_username: icingadb + icingaweb2::globals::mysql_reporting_schema: /schema/mysql.sql icingaweb2::globals::pgsql_reporting_schema: /schema/postgresql.sql icingaweb2::module::reporting::ensure: present diff --git a/manifests/module/icingadb.pp b/manifests/module/icingadb.pp index 8baa9b8e..b691e45f 100644 --- a/manifests/module/icingadb.pp +++ b/manifests/module/icingadb.pp @@ -116,13 +116,14 @@ # A hash of command transports. # class icingaweb2::module::icingadb ( + Enum['absent', 'present'] $ensure, String $package_name, + Stdlib::Host $redis_host, + Stdlib::Host $db_host, Enum['mysql', 'pgsql'] $db_type, - Enum['absent', 'present'] $ensure = 'present', - Stdlib::Host $db_host = 'localhost', + String $db_name, + String $db_username, Optional[Stdlib::Port] $db_port = undef, - String $db_name = 'icingadb', - String $db_username = 'icingadb', Optional[Icingaweb2::Secret] $db_password = undef, Optional[String] $db_charset = undef, Optional[Boolean] $db_use_tls = undef, @@ -135,7 +136,6 @@ Optional[Stdlib::Absolutepath] $db_tls_capath = undef, Optional[Boolean] $db_tls_noverify = undef, Optional[String] $db_tls_cipher = undef, - Stdlib::Host $redis_host = 'localhost', Optional[Stdlib::Port] $redis_port = undef, Optional[Icingaweb2::Secret] $redis_password = undef, Stdlib::Host $redis_primary_host = $redis_host, 
@@ -157,29 +157,36 @@ $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/icingadb" $cert_dir = "${icingaweb2::globals::state_dir}/icingadb/certs" - $conf_user = $icingaweb2::conf_user - $conf_group = $icingaweb2::conf_group + + $redis_tls = icinga::cert::files( + 'redis', + $cert_dir, + $redis_tls_key_file, + $redis_tls_cert_file, + $redis_tls_cacert_file, + $redis_tls_key, + $redis_tls_cert, + $redis_tls_cacert, + ) + + $db_tls = icinga::cert::files( + $db_username, + $cert_dir, + $db_tls_key_file, + $db_tls_cert_file, + $db_tls_cacert_file, + $db_tls_key, + $db_tls_cert, + $db_tls_cacert, + ) if $redis_use_tls { - $redis_tls_files = icinga::cert::files( - 'redis', - $cert_dir, - $redis_tls_key_file, - $redis_tls_cert_file, - $redis_tls_cacert_file, - $redis_tls_key, - $redis_tls_cert, - $redis_tls_cacert, - ) $redis_settings = delete_undef_values({ tls => true, - cert => $redis_tls_files['cert_file'], - key => $redis_tls_files['key_file'], - ca => $redis_tls_files['cacert_file'], + cert => $redis_tls['cert_file'], + key => $redis_tls['key_file'], + ca => icingaweb2::pick($redis_tls['cacert_file'], $icingaweb2::config::tls['cacert_file']), }) - icinga::cert { 'icingaweb2::module::icingadb redis client tls config': - args => $redis_tls_files, - } } else { $redis_settings = {} } 
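Review bot: `ca => icingaweb2::pick($redis_tls['cacert_file'], $icingaweb2::config::tls['cacert_file'])` makes the Redis connection fall back to the CA file configured for the Icinga Web 2 database when no Redis CA is given; before this change `ca` was dropped by `delete_undef_values` in that case. A Redis server whose certificate comes from a different CA would then fail verification, or be validated against a trust anchor the operator never chose for it. Document the fallback on the `redis_tls_cacert_file` and `redis_tls_cacert` parameters, for example `# If unset, the CA file of the Icinga Web 2 database connection is used.`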
@@ -217,53 +224,8 @@ }, } - $db_tls = delete_undef_values(icinga::cert::files( - $db_username, - $cert_dir, - $db_tls_key_file, - $db_tls_cert_file, - $db_tls_cacert_file, - $db_tls_key, - $db_tls_cert, - $db_tls_cacert, - )) - - file { $cert_dir: - ensure => directory, - owner => 'root', - group => $conf_group, - mode => '2770', - } - - icinga::cert { 'icingaweb2::module::icingadb tls client config': - owner => $conf_user, - group => $conf_group, - args => $db_tls, - } - - icingaweb2::resource::database { 'icingaweb2-module-icingadb': - type => $db_type, - host => $db_host, - port => pick($db_port, $icingaweb2::globals::port[$db_type]), - database => $db_name, - username => $db_username, - password => $db_password, - charset => $db_charset, - use_tls => $db_use_tls, - tls_noverify => unless $db_tls_noverify { $icingaweb2::config::tls['noverify'] } else { $db_tls_noverify }, - tls_key => $db_tls['key_file'], - tls_cert => $db_tls['cert_file'], - tls_cacert => unless $db_tls_cacert_file { $icingaweb2::config::tls['cacert_file'] } else { $db_tls_cacert_file }, - tls_capath => unless $db_tls_capath { $icingaweb2::config::tls['capath'] } else { $db_tls_capath }, - tls_cipher => unless $db_tls_cipher { $icingaweb2::config::tls['cipher'] } else { $db_tls_cipher }, - } - - create_resources('icingaweb2::module::icingadb::commandtransport', $commandtransports) - - icingaweb2::module { 'icingadb': - ensure => $ensure, - install_method => 'package', - package_name => $package_name, - settings => $settings, - } + class { 'icingaweb2::module::icingadb::install': } + -> class { 'icingaweb2::module::icingadb::config': } + contain icingaweb2::module::icingadb::install + contain icingaweb2::module::icingadb::config } diff --git a/manifests/module/icingadb/config.pp b/manifests/module/icingadb/config.pp new file mode 100644 index 00000000..6b5e4820 --- /dev/null +++ b/manifests/module/icingadb/config.pp 
@@ -0,0 +1,47 @@ +# @summary +# Configure the icingadb module. +# +# @api private +# +class icingaweb2::module::icingadb::config { + assert_private() + + $ensure = $icingaweb2::module::icingadb::ensure + $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/icingadb" + $db_type = $icingaweb2::module::icingadb::db_type + $db_host = $icingaweb2::module::icingadb::db_host + $db_port = $icingaweb2::module::icingadb::db_port + $db_name = $icingaweb2::module::icingadb::db_name + $db_username = $icingaweb2::module::icingadb::db_username + $db_password = $icingaweb2::module::icingadb::db_password + $db_charset = $icingaweb2::module::icingadb::db_charset + $db_use_tls = $icingaweb2::module::icingadb::db_use_tls + $db_tls = $icingaweb2::module::icingadb::db_tls + { + cacert_file => icingaweb2::pick($icingaweb2::module::icingadb::db_tls['cacert_file'], $icingaweb2::config::tls['cacert_file']), + capath => icingaweb2::pick($icingaweb2::module::icingadb::db_tls_capath, $icingaweb2::config::tls['capath']), + noverify => icingaweb2::pick($icingaweb2::module::icingadb::db_tls_noverify, $icingaweb2::config::tls['noverify']), + cipher => icingaweb2::pick($icingaweb2::module::icingadb::db_tls_cipher, $icingaweb2::config::tls['cipher']), + } + $settings = $icingaweb2::module::icingadb::settings + $commandtransports = $icingaweb2::module::icingadb::commandtransports + + icingaweb2::resource::database { 'icingaweb2-module-icingadb': + type => $db_type, + host => $db_host, + port => $db_port, + database => $db_name, + username => $db_username, + password => $db_password, + charset => $db_charset, + use_tls => $db_use_tls, + tls_noverify => icingaweb2::pick($db_tls['noverify'], $icingaweb2::config::tls['noverify']), + tls_key => $db_tls['key_file'], + tls_cert => $db_tls['cert_file'], + tls_cacert => icingaweb2::pick($db_tls['cacert_file'], $icingaweb2::config::tls['cacert_file']), + tls_capath => icingaweb2::pick($db_tls['capath'], $icingaweb2::config::tls['capath']), + tls_cipher 
=> icingaweb2::pick($db_tls['cipher'], $icingaweb2::config::tls['cipher']), + } + + create_resources('icingaweb2::inisection', $settings) + create_resources('icingaweb2::module::icingadb::commandtransport', $commandtransports) +} diff --git a/manifests/module/icingadb/install.pp b/manifests/module/icingadb/install.pp new file mode 100644 index 00000000..c42a2edc --- /dev/null +++ b/manifests/module/icingadb/install.pp @@ -0,0 +1,47 @@ +# @summary +# Install the icingadb module. +# +# @api private +# +class icingaweb2::module::icingadb::install { + assert_private() + + $conf_user = $icingaweb2::conf_user + $conf_group = $icingaweb2::conf_group + $ensure = $icingaweb2::module::icingadb::ensure + $package_name = $icingaweb2::module::icingadb::package_name + $cert_dir = $icingaweb2::module::icingadb::cert_dir + $redis_use_tls = $icingaweb2::module::icingadb::redis_use_tls + $redis_tls = $icingaweb2::module::icingadb::redis_tls + $db_use_tls = $icingaweb2::module::icingadb::db_use_tls + $db_tls = $icingaweb2::module::icingadb::db_tls + + icingaweb2::module { 'icingadb': + ensure => $ensure, + install_method => 'package', + package_name => $package_name, + } + + file { $cert_dir: + ensure => directory, + owner => 'root', + group => $conf_group, + mode => '2770', + } + + if $redis_use_tls { + icinga::cert { 'icingaweb2::module::icingadb redis client tls config': + owner => $conf_user, + group => $conf_group, + args => $redis_tls, + } + } + + if $db_use_tls { + icinga::cert { 'icingaweb2::module::icingadb database tls client config': + owner => $conf_user, + group => $conf_group, + args => $db_tls, + } + } +} diff --git a/spec/classes/modules/icingadb_spec.rb b/spec/classes/modules/icingadb_spec.rb index 06877b7a..6ddff919 100644 --- a/spec/classes/modules/icingadb_spec.rb +++ b/spec/classes/modules/icingadb_spec.rb 
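Review bot: The `noverify` fallback goes through `icingaweb2::pick` twice, and nothing here pins what happens when the module sets `db_tls_noverify => false` while the global `tls_noverify` is true. `icingaweb2::pick` is not defined in this part of the patch; if it skips `false` the way the removed `unless $db_tls_noverify { ... }` expression did, certificate verification cannot be switched back on for this one resource. A spec case with those two values expecting `'tls_noverify' => false` would settle it. Separately, the second round of picks in the resource body is redundant after the merge into `$db_tls`: `tls_noverify => $db_tls['noverify'],` (likewise `tls_cacert`, `tls_capath`, `tls_cipher`) is enough. That is how `manifests/module/monitoring/config.pp` later in this series does it, and it shares the same fallback question.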
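Review bot: `file { $cert_dir: ... mode => '2770' }` leaves the directory that holds the client keys and CA file writable by `$conf_group`, which is presumably the group the web server runs under. The files are placed by Puppet, so unless something running as that group has to create files there (not visible in this patch), read and traverse are enough: `mode => '2750',`. The mode is carried over from the block removed from the parent class, and `manifests/module/monitoring/install.pp` in the next patch repeats it. This class also manages the directory unconditionally, while the monitoring variant only does so under `if $use_tls`; choosing one behaviour for both would be easier to reason about.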
@@ -17,42 +17,43 @@ let(:params) do { db_type: 'mysql', + db_password: 'secret', } end it { - is_expected.to contain_icingaweb2__module('icingadb').with( - { - 'ensure' => 'present', - 'install_method' => 'package', - 'settings' => { - 'icingaweb2-module-icingadb-config' => { - 'section_name' => 'icingadb', - 'target' => '/etc/icingaweb2/modules/icingadb/config.ini', - 'settings' => { - 'resource' => 'icingaweb2-module-icingadb', - }, - }, - 'icingaweb2-module-icingadb-redis' => { - 'section_name' => 'redis', - 'target' => '/etc/icingaweb2/modules/icingadb/config.ini', - 'settings' => {}, - }, - 'icingaweb2-module-icingadb-redis1' => { - 'section_name' => 'redis1', - 'target' => '/etc/icingaweb2/modules/icingadb/redis.ini', - 'settings' => { - 'host' => 'localhost', - }, - }, - 'icingaweb2-module-icingadb-redis2' => { - 'section_name' => 'redis2', - 'target' => '/etc/icingaweb2/modules/icingadb/redis.ini', - 'settings' => {}, - }, - }, - }, - ) + is_expected.to contain_icingaweb2__module('icingadb') + .with_ensure('present') + .with_install_method('package') + .with_settings({}) + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-icingadb-config') + .with_section_name('icingadb') + .with_target('/etc/icingaweb2/modules/icingadb/config.ini') + .with_settings({ 'resource' => 'icingaweb2-module-icingadb' }) + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-icingadb-redis') + .with_section_name('redis') + .with_target('/etc/icingaweb2/modules/icingadb/config.ini') + .with_settings({}) + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-icingadb-redis1') + .with_section_name('redis1') + .with_target('/etc/icingaweb2/modules/icingadb/redis.ini') + .with_settings({ 'host' => 'localhost' }) + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-icingadb-redis2') + .with_section_name('redis2') + .with_target('/etc/icingaweb2/modules/icingadb/redis.ini') + 
.with_settings({}) } it { @@ -60,9 +61,9 @@ { 'type' => 'mysql', 'host' => 'localhost', - 'port' => 3306, 'database' => 'icingadb', 'username' => 'icingadb', + 'password' => 'secret', 'charset' => nil, 'use_tls' => nil, }, 
@@ -70,52 +71,45 @@ } end - context "#{os} with local PostgreSQL and Redis" do + context "#{os} with local PostgreSQL and two Redis with TLS, different ports and own passwords" do let(:pre_condition) do [ - "class { 'icingaweb2': db_type => 'mysql' }", + "class { 'icingaweb2': db_type => 'pgsql', tls_cacert_file => '/foo/bar' }", ] end let(:params) do { db_type: 'pgsql', + redis_use_tls: true, + redis_primary_host: 'redis1.icinga.com', + redis_primary_port: 4711, + redis_primary_password: 'secret1', + redis_secondary_host: 'redis2.icinga.com', + redis_secondary_port: 4712, + redis_secondary_password: 'secret2', } end it { - is_expected.to contain_icingaweb2__module('icingadb').with( - { - 'ensure' => 'present', - 'install_method' => 'package', - 'settings' => { - 'icingaweb2-module-icingadb-config' => { - 'section_name' => 'icingadb', - 'target' => '/etc/icingaweb2/modules/icingadb/config.ini', - 'settings' => { - 'resource' => 'icingaweb2-module-icingadb', - }, - }, - 'icingaweb2-module-icingadb-redis' => { - 'section_name' => 'redis', - 'target' => '/etc/icingaweb2/modules/icingadb/config.ini', - 'settings' => {}, - }, - 'icingaweb2-module-icingadb-redis1' => { - 'section_name' => 'redis1', - 'target' => '/etc/icingaweb2/modules/icingadb/redis.ini', - 'settings' => { - 'host' => 'localhost', - }, - }, - 'icingaweb2-module-icingadb-redis2' => { - 'section_name' => 'redis2', - 'target' => '/etc/icingaweb2/modules/icingadb/redis.ini', - 'settings' => {}, - }, - }, - }, - ) + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-icingadb-redis') + .with_section_name('redis') + .with_target('/etc/icingaweb2/modules/icingadb/config.ini') + .with_settings({ 'tls' => true, 'ca' => '/foo/bar' }) + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-icingadb-redis1') + .with_section_name('redis1') + .with_target('/etc/icingaweb2/modules/icingadb/redis.ini') + .with_settings({ 'host' => 'redis1.icinga.com', 'port' => 4711, 'password' => 
'secret1' }) + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-icingadb-redis2') + .with_section_name('redis2') + .with_target('/etc/icingaweb2/modules/icingadb/redis.ini') + .with_settings({ 'host' => 'redis2.icinga.com', 'port' => 4712, 'password' => 'secret2' }) } it { @@ -123,7 +117,6 @@ { 'type' => 'pgsql', 'host' => 'localhost', - 'port' => 5432, 'database' => 'icingadb', 'username' => 'icingadb', 'charset' => nil, @@ -133,7 +126,7 @@ } end - context "#{os} with db_use_tls 'true'" do + context "#{os} with db_use_tls 'true', db_port '4711', db_charset 'foo'" do let(:pre_condition) do [ "class { 'icingaweb2': db_type => 'mysql', tls_cacert_file => '/foo/bar', tls_capath => '/foo/bar', tls_noverify => true, tls_cipher => 'cipher' }", @@ -143,6 +136,8 @@ let(:params) do { db_type: 'mysql', + db_port: 4711, + db_charset: 'foo', db_use_tls: true, } end @@ -152,9 +147,10 @@ { 'type' => 'mysql', 'host' => 'localhost', - 'port' => 3306, + 'port' => 4711, 'database' => 'icingadb', 'username' => 'icingadb', + 'charset' => 'foo', 'use_tls' => true, 'tls_cacert' => '/foo/bar', 'tls_capath' => '/foo/bar', @@ -188,7 +184,6 @@ { 'type' => 'pgsql', 'host' => 'localhost', - 'port' => 5432, 'database' => 'icingadb', 'username' => 'icingadb', 'use_tls' => true, From 87c8ce7c65a83231db2fca0a450702e2624a9b63 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Mon, 6 Nov 2023 11:14:55 +0100 Subject: [PATCH 08/14] rework module monitoring --- REFERENCE.md | 16 +--- data/common.yaml | 9 +++ manifests/module/monitoring.pp | 82 +++++++------------- manifests/module/monitoring/config.pp | 40 ++++++++++ manifests/module/monitoring/install.pp | 35 +++++++++ spec/classes/modules/monitoring_spec.rb | 99 +++++++++---------------- 6 files changed, 152 insertions(+), 129 deletions(-) create mode 100644 manifests/module/monitoring/config.pp create mode 100644 manifests/module/monitoring/install.pp 
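Review bot: The TLS context added here checks the three ini sections but none of the resources the new install class creates for `redis_use_tls: true`. At least in the hunks shown, nothing asserts that the `icinga::cert` resource for the Redis client files is in the catalog, so a regression in the `if $redis_use_tls` branch would go unnoticed. `it { is_expected.to contain_icinga__cert('icingaweb2::module::icingadb redis client tls config') }` would cover it, ideally with the expected owner and group. The same holds for the database certificate in the `db_use_tls` context further down.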
diff --git a/REFERENCE.md b/REFERENCE.md index 4b7d4867..2383a5fe 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -24,7 +24,7 @@ * [`icingaweb2::module::idoreports`](#icingaweb2--module--idoreports): Installs, configures and enables the idoreports module. * [`icingaweb2::module::incubator`](#icingaweb2--module--incubator): Installs and enables the incubator module. * [`icingaweb2::module::ipl`](#icingaweb2--module--ipl): Installs and enables the ipl module. -* [`icingaweb2::module::monitoring`](#icingaweb2--module--monitoring): Manages the monitoring module. This module is mandatory for probably every setup. +* [`icingaweb2::module::monitoring`](#icingaweb2--module--monitoring): Manages the monitoring module. This module is deprecated. * [`icingaweb2::module::pdfexport`](#icingaweb2--module--pdfexport): Installs, configures and enables the pdfexport module. * [`icingaweb2::module::puppetdb`](#icingaweb2--module--puppetdb): Installs and configures the puppetdb module. * [`icingaweb2::module::reactbundle`](#icingaweb2--module--reactbundle): Installs and enables the reactbundle module. @@ -40,6 +40,8 @@ * `icingaweb2::install`: Installs Icinga Web 2 and extra packages. * `icingaweb2::module::icingadb::config`: Configure the icingadb module. * `icingaweb2::module::icingadb::install`: Install the icingadb module. +* `icingaweb2::module::monitoring::config`: Configure the monitoring module. +* `icingaweb2::module::monitoring::install`: Installs the monitoring module. * `icingaweb2::module::reporting::config`: Configure the reporting module. * `icingaweb2::module::reporting::install`: Install the reporting module. * `icingaweb2::module::reporting::service`: Manage the reporting service. @@ -2512,8 +2514,6 @@ Data type: `Enum['absent', 'present']` Enable or disable module. -Default value: `'present'` - ##### `protected_customvars` Data type: `Variant[String, Array[String]]` 
@@ -2521,24 +2521,18 @@ Data type: `Variant[String, Array[String]]` Custom variables in Icinga 2 may contain sensible information. Set patterns for custom variables that should be hidden in the web interface. -Default value: `['*pw*', '*pass*', 'community']` - ##### `ido_type` Data type: `Enum['mysql', 'pgsql']` Type of your IDO database. Either `mysql` or `pgsql`. -Default value: `'mysql'` - ##### `ido_host` Data type: `Stdlib::Host` Hostname of the IDO database. -Default value: `'localhost'` - ##### `ido_port` Data type: `Optional[Stdlib::Port]` @@ -2553,16 +2547,12 @@ Data type: `String` Name of the IDO database. -Default value: `'icinga2'` - ##### `ido_db_username` Data type: `String` Username for IDO DB connection. -Default value: `'icinga2'` - ##### `ido_db_password` Data type: `Optional[Icingaweb2::Secret]` diff --git a/data/common.yaml b/data/common.yaml index 1644a548..269da002 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -24,6 +24,15 @@ icingaweb2::module::x509::install_method: git icingaweb2::module::x509::git_repository: https://github.com/Icinga/icingaweb2-module-x509.git icingaweb2::module::x509::package_name: icingaweb2-module-x509 +icingaweb2::module::monitoring::ensure: present +icingaweb2::module::monitoring::protected_customvars: + - '*pw*' + - '*pass*' + - 'community' +icingaweb2::module::monitoring::ido_host: localhost +icingaweb2::module::monitoring::ido_db_name: icinga2 +icingaweb2::module::monitoring::ido_db_username: icinga2 + icingaweb2::module::icingadb::ensure: present icingaweb2::module::icingadb::redis_host: localhost icingaweb2::module::icingadb::db_host: localhost diff --git a/manifests/module/monitoring.pp b/manifests/module/monitoring.pp index d39f03cc..e090fb9a 100644 --- a/manifests/module/monitoring.pp +++ b/manifests/module/monitoring.pp 
@@ -1,5 +1,5 @@ # @summary -# Manages the monitoring module. This module is mandatory for probably every setup. +# Manages the monitoring module. This module is deprecated. # # @note At first have a look at the [Monitoring module documentation](https://www.icinga.com/docs/icingaweb2/latest/modules/monitoring/doc/01-About/). # @@ -88,13 +88,13 @@ # } # class icingaweb2::module::monitoring ( - Enum['absent', 'present'] $ensure = 'present', - Variant[String, Array[String]] $protected_customvars = ['*pw*', '*pass*', 'community'], - Enum['mysql', 'pgsql'] $ido_type = 'mysql', - Stdlib::Host $ido_host = 'localhost', + Enum['absent', 'present'] $ensure, + Variant[String, Array[String]] $protected_customvars, + Enum['mysql', 'pgsql'] $ido_type, + Stdlib::Host $ido_host, + String $ido_db_name, + String $ido_db_username, Optional[Stdlib::Port] $ido_port = undef, - String $ido_db_name = 'icinga2', - String $ido_db_username = 'icinga2', Optional[Icingaweb2::Secret] $ido_db_password = undef, Optional[String] $ido_db_charset = undef, Optional[Boolean] $use_tls = undef, 
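Review bot: `$ido_type` loses its `'mysql'` default in this signature, but the `data/common.yaml` hunk of the same patch adds no `icingaweb2::module::monitoring::ido_type` key, unlike `ensure`, `ido_host`, `ido_db_name` and `ido_db_username`. Unless another data layer provides it (none is visible here), every existing declaration that relied on the default will now fail to compile. If that is intended, as the updated REFERENCE.md suggests, it deserves a line in the commit message or changelog; otherwise add `icingaweb2::module::monitoring::ido_type: mysql` to `data/common.yaml`. The parameter list continues outside the hunk.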
@@ -113,49 +113,26 @@ $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/monitoring" $cert_dir = "${icingaweb2::globals::state_dir}/monitoring/certs" - $conf_user = $icingaweb2::conf_user - $conf_group = $icingaweb2::conf_group - $tls = delete_undef_values(icinga::cert::files( - $ido_db_username, - $cert_dir, - $tls_key_file, - $tls_cert_file, - $tls_cacert_file, - $tls_key, - $tls_cert, - $tls_cacert, - )) - - file { $cert_dir: - ensure => directory, - owner => 'root', - group => $conf_group, - mode => '2770', - } - - icinga::cert { 'icingaweb2::module::monitoring tls client config': - owner => $conf_user, - group => $conf_group, - args => $tls, + $db = { + type => $ido_type, + database => $ido_db_name, + host => $ido_host, + port => $ido_port, + username => $ido_db_username, + password => $ido_db_password, } - icingaweb2::resource::database { 'icingaweb2-module-monitoring': - type => $ido_type, - host => $ido_host, - port => pick($ido_port, $icingaweb2::globals::port[$ido_type]), - database => $ido_db_name, - username => $ido_db_username, - password => $ido_db_password, - charset => $ido_db_charset, - use_tls => $use_tls, - tls_noverify => unless $tls_noverify { $icingaweb2::config::tls['noverify'] } else { $tls_noverify }, - tls_key => $tls['key_file'], - tls_cert => $tls['cert_file'], - tls_cacert => unless $tls_cacert_file { $icingaweb2::config::tls['cacert_file'] } else { $tls_cacert_file }, - tls_capath => unless $tls_capath { $icingaweb2::config::tls['capath'] } else { $tls_capath }, - tls_cipher => unless $tls_cipher { $icingaweb2::config::tls['cipher'] } else { $tls_cipher }, - } + $tls = icinga::cert::files( + $ido_db_username, + $cert_dir, + $tls_key_file, + $tls_cert_file, + $tls_cacert_file, + $tls_key, + $tls_cert, + $tls_cacert, + ) $backend_settings = { 'type' => 'ido', 
@@ -182,11 +159,8 @@ }, } - create_resources('icingaweb2::module::monitoring::commandtransport', $commandtransports) - - icingaweb2::module { 'monitoring': - ensure => $ensure, - install_method => 'none', - settings => $settings, - } + class { 'icingaweb2::module::monitoring::install': } + -> class { 'icingaweb2::module::monitoring::config': } + contain icingaweb2::module::monitoring::install + contain icingaweb2::module::monitoring::config } diff --git a/manifests/module/monitoring/config.pp b/manifests/module/monitoring/config.pp new file mode 100644 index 00000000..80a10360 --- /dev/null +++ b/manifests/module/monitoring/config.pp 
@@ -0,0 +1,40 @@ +# @summary +# Configure the monitoring module. +# +# @api private +# +class icingaweb2::module::monitoring::config { + assert_private() + + $settings = $icingaweb2::module::monitoring::settings + $db = $icingaweb2::module::monitoring::db + $db_charset = $icingaweb2::module::monitoring::ido_db_charset + $commandtransports = $icingaweb2::module::monitoring::commandtransports + $use_tls = $icingaweb2::module::monitoring::use_tls + $tls = $icingaweb2::module::monitoring::tls + { + cacert_file => icingaweb2::pick($icingaweb2::module::monitoring::tls['cacert_file'], $icingaweb2::config::tls['cacert_file']), + capath => icingaweb2::pick($icingaweb2::module::monitoring::tls_capath, $icingaweb2::config::tls['capath']), + noverify => icingaweb2::pick($icingaweb2::module::monitoring::tls_noverify, $icingaweb2::config::tls['noverify']), + cipher => icingaweb2::pick($icingaweb2::module::monitoring::tls_cipher, $icingaweb2::config::tls['cipher']), + } + + icingaweb2::resource::database { 'icingaweb2-module-monitoring': + type => $db['type'], + host => $db['host'], + port => $db['port'], + database => $db['database'], + username => $db['username'], + password => $db['password'], + charset => $db_charset, + use_tls => $use_tls, + tls_noverify => $tls['noverify'], + tls_key => $tls['key_file'], + tls_cert => $tls['cert_file'], + tls_cacert => $tls['cacert_file'], + tls_capath => $tls['capath'], + tls_cipher => $tls['cipher'], + } + + create_resources('icingaweb2::inisection', $settings) + create_resources('icingaweb2::module::monitoring::commandtransport', $commandtransports) +} diff --git a/manifests/module/monitoring/install.pp b/manifests/module/monitoring/install.pp new file mode 100644 index 00000000..bb6923bf --- /dev/null +++ b/manifests/module/monitoring/install.pp 
@@ -0,0 +1,35 @@ +# @summary +# Installs the monitoring module. +# +# @api private +# +class icingaweb2::module::monitoring::install { + assert_private() + + $conf_user = $icingaweb2::conf_user + $conf_group = $icingaweb2::conf_group + $cert_dir = $icingaweb2::module::monitoring::cert_dir + $ensure = $icingaweb2::module::monitoring::ensure + $use_tls = $icingaweb2::module::monitoring::use_tls + $tls = $icingaweb2::module::monitoring::tls + + icingaweb2::module { 'monitoring': + ensure => $ensure, + install_method => 'none', + } + + if $use_tls { + file { $cert_dir: + ensure => directory, + owner => 'root', + group => $conf_group, + mode => '2770', + } + + icinga::cert { 'icingaweb2::module::monitoring tls client config': + owner => $conf_user, + group => $conf_group, + args => $tls, + } + } +} diff --git a/spec/classes/modules/monitoring_spec.rb b/spec/classes/modules/monitoring_spec.rb index 6cb004c7..a1df884b 100644 --- a/spec/classes/modules/monitoring_spec.rb +++ b/spec/classes/modules/monitoring_spec.rb @@ -16,9 +16,7 @@ context "#{os} with ido_type 'mysql' and commandtransport 'api'" do let(:params) do { ido_type: 'mysql', - ido_host: 'localhost', - ido_db_name: 'icinga2', - ido_db_username: 'icinga2', + ido_port: 4711, ido_db_password: 'icinga2', commandtransports: { 'foo' => { 
@@ -30,30 +28,31 @@ it { is_expected.to contain_icingaweb2__module('monitoring') + .with_ensure('present') .with_install_method('none') .with_module_dir('/usr/share/icingaweb2/modules/monitoring') - .with_settings('module-monitoring-backends' => { - 'section_name' => 'backends', - 'target' => '/etc/icingaweb2/modules/monitoring/backends.ini', - 'settings' => { - 'type' => 'ido', - 'resource' => 'icingaweb2-module-monitoring', - }, - }, - 'module-monitoring-security' => { - 'section_name' => 'security', - 'target' => '/etc/icingaweb2/modules/monitoring/config.ini', - 'settings' => { - 'protected_customvars' => '*pw*,*pass*,community', - }, - }) + .with_settings({}) + } + + it { + is_expected.to contain_icingaweb2__inisection('module-monitoring-backends') + .with_section_name('backends') + .with_target('/etc/icingaweb2/modules/monitoring/backends.ini') + .with_settings({ 'type' => 'ido', 'resource' => 'icingaweb2-module-monitoring' }) + } + + it { + is_expected.to contain_icingaweb2__inisection('module-monitoring-security') + .with_section_name('security') + .with_target('/etc/icingaweb2/modules/monitoring/config.ini') + .with_settings({ 'protected_customvars' => '*pw*,*pass*,community', }) } it { is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-monitoring') .with_type('mysql') .with_host('localhost') - .with_port('3306') + .with_port(4711) .with_database('icinga2') .with_username('icinga2') .with_password('icinga2') @@ -70,7 +69,6 @@ let(:params) do { ido_type: 'pgsql', ido_host: 'localhost', - ido_port: 5432, ido_db_name: 'icinga2', ido_db_username: 'icinga2', ido_db_password: 'icinga2', 
@@ -81,32 +79,10 @@ } } end - it do - is_expected.to contain_icingaweb2__module('monitoring') - .with_install_method('none') - .with_module_dir('/usr/share/icingaweb2/modules/monitoring') - .with_settings('module-monitoring-backends' => { - 'section_name' => 'backends', - 'target' => '/etc/icingaweb2/modules/monitoring/backends.ini', - 'settings' => { - 'type' => 'ido', - 'resource' => 'icingaweb2-module-monitoring', - }, - }, - 'module-monitoring-security' => { - 'section_name' => 'security', - 'target' => '/etc/icingaweb2/modules/monitoring/config.ini', - 'settings' => { - 'protected_customvars' => '*pw*,*pass*,community', - }, - }) - end - it { is_expected.to contain_icingaweb2__resource__database('icingaweb2-module-monitoring') .with_type('pgsql') .with_host('localhost') - .with_port(5432) .with_database('icinga2') .with_username('icinga2') .with_password('icinga2') @@ -118,7 +94,7 @@ } end - context "#{os} with array protected_customvars" do + context "#{os} with array protected_customvars and API commandtransport" do let(:params) do { ido_type: 'mysql', ido_host: 'localhost', 
@@ -127,29 +103,30 @@ ido_db_password: 'icinga2', commandtransports: { 'foo' => { - 'transport' => 'local', + 'transport' => 'api', + 'host' => 'api.icinga.com', + 'port' => 4711, + 'username' => 'icingaweb2', + 'password' => 'secret', }, }, protected_customvars: ['foo', 'bar', '*baz*'] } end it { - is_expected.to contain_icingaweb2__module('monitoring') - .with_settings('module-monitoring-backends' => { - 'section_name' => 'backends', - 'target' => '/etc/icingaweb2/modules/monitoring/backends.ini', - 'settings' => { - 'type' => 'ido', - 'resource' => 'icingaweb2-module-monitoring', - }, - }, - 'module-monitoring-security' => { - 'section_name' => 'security', - 'target' => '/etc/icingaweb2/modules/monitoring/config.ini', - 'settings' => { - 'protected_customvars' => 'foo,bar,*baz*', - }, - }) + is_expected.to contain_icingaweb2__module__monitoring__commandtransport('foo') + .with_transport('api') + .with_host('api.icinga.com') + .with_port(4711) + .with_username('icingaweb2') + .with_password('secret') + } + + it { + is_expected.to contain_icingaweb2__inisection('module-monitoring-security') + .with_section_name('security') + .with_target('/etc/icingaweb2/modules/monitoring/config.ini') + .with_settings({ 'protected_customvars' => 'foo,bar,*baz*' }) } end @@ -170,7 +147,6 @@ { 'type' => 'pgsql', 'host' => 'localhost', - 'port' => 5432, 'database' => 'icinga2', 'username' => 'icinga2', 'use_tls' => true, @@ -202,7 +178,6 @@ { 'type' => 'mysql', 'host' => 'localhost', - 'port' => 3306, 'database' => 'icinga2', 'username' => 'icinga2', 'use_tls' => true, From 8af8ff2af5f08c2f9cbc3533fba857b77d274167 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Mon, 6 Nov 2023 14:38:56 +0100 Subject: [PATCH 09/14] rework idoreports to always use db credentials from monitoring module --- REFERENCE.md | 127 ++------------------------------- manifests/module/idoreports.pp | 105 +++------------------------ 2 files changed, 15 insertions(+), 217 deletions(-) 
diff --git a/REFERENCE.md b/REFERENCE.md index 2383a5fe..3694c014 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -21,7 +21,7 @@ * [`icingaweb2::module::generictts`](#icingaweb2--module--generictts): Installs and enables the generictts module. * [`icingaweb2::module::graphite`](#icingaweb2--module--graphite): The Graphite module draws graphs out of time series data stored in Graphite. * [`icingaweb2::module::icingadb`](#icingaweb2--module--icingadb): Manages the icingadb module. This module is still optional at the moment. -* [`icingaweb2::module::idoreports`](#icingaweb2--module--idoreports): Installs, configures and enables the idoreports module. +* [`icingaweb2::module::idoreports`](#icingaweb2--module--idoreports): Installs, configures and enables the idoreports module. The module is deprecated. * [`icingaweb2::module::incubator`](#icingaweb2--module--incubator): Installs and enables the incubator module. * [`icingaweb2::module::ipl`](#icingaweb2--module--ipl): Installs and enables the ipl module. * [`icingaweb2::module::monitoring`](#icingaweb2--module--monitoring): Manages the monitoring module. This module is deprecated. @@ -2171,7 +2171,7 @@ Default value: `{}` ### `icingaweb2::module::idoreports` -Installs, configures and enables the idoreports module. +Installs, configures and enables the idoreports module. The module is deprecated. * **Note** If you want to use `git` as `install_method`, the CLI `git` command has to be installed. You can manage it yourself as package resource or declare the package name in icingaweb2 class parameter `extra_packages`. 
@@ -2196,18 +2196,6 @@ The following parameters are available in the `icingaweb2::module::idoreports` c * [`install_method`](#-icingaweb2--module--idoreports--install_method) * [`package_name`](#-icingaweb2--module--idoreports--package_name) * [`import_schema`](#-icingaweb2--module--idoreports--import_schema) -* [`ido_db_username`](#-icingaweb2--module--idoreports--ido_db_username) -* [`ido_db_password`](#-icingaweb2--module--idoreports--ido_db_password) -* [`use_tls`](#-icingaweb2--module--idoreports--use_tls) -* [`tls_key_file`](#-icingaweb2--module--idoreports--tls_key_file) -* [`tls_cert_file`](#-icingaweb2--module--idoreports--tls_cert_file) -* [`tls_cacert_file`](#-icingaweb2--module--idoreports--tls_cacert_file) -* [`tls_key`](#-icingaweb2--module--idoreports--tls_key) -* [`tls_cert`](#-icingaweb2--module--idoreports--tls_cert) -* [`tls_cacert`](#-icingaweb2--module--idoreports--tls_cacert) -* [`tls_capath`](#-icingaweb2--module--idoreports--tls_capath) -* [`tls_noverify`](#-icingaweb2--module--idoreports--tls_noverify) -* [`tls_cipher`](#-icingaweb2--module--idoreports--tls_cipher) ##### `ensure` @@ -2217,11 +2205,11 @@ Enable or disable module. ##### `module_dir` -Data type: `Optional[Stdlib::Absolutepath]` +Data type: `Stdlib::Absolutepath` Target directory of the module. -Default value: `undef` +Default value: `"${icingaweb2::globals::default_module_path}/idoreports"` ##### `git_repository` 
@@ -2259,113 +2247,6 @@ whereas with mysql its different options. Default value: `false` -##### `ido_db_username` - -Data type: `Optional[String]` - -An alternative username to login into the database. By default, the user from -the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::ido_db_username` - -##### `ido_db_password` - -Data type: `Optional[Icingaweb2::Secret]` - -The password for the alternative user. By default, the password from -the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::ido_db_password` - -##### `use_tls` - -Data type: `Optional[Boolean]` - -Either enable or disable TLS encryption to the database. Other TLS parameters -are only affected if this is set to 'true'. By default, same value from -the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::use_tls` - -##### `tls_key_file` - -Data type: `Optional[Stdlib::Absolutepath]` - -Location of the private key for client authentication. Only valid if tls is enabled. -By default, same value from the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::tls_key_file` - -##### `tls_cert_file` - -Data type: `Optional[Stdlib::Absolutepath]` - -Location of the certificate for client authentication. Only valid if tls is enabled. -By default, same value from the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::tls_cert_file` - -##### `tls_cacert_file` - -Data type: `Optional[Stdlib::Absolutepath]` - -Location of the ca certificate. Only valid if tls is enabled. -By default, same value from the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::tls_cacert_file` - -##### `tls_key` - -Data type: `Optional[Icingaweb2::Secret]` - -The private key to store in spicified `tls_key_file` file. Only valid if tls is enabled. -By default, same value from the `monitoring` module is used. 
- -Default value: `$icingaweb2::module::monitoring::tls_key` - -##### `tls_cert` - -Data type: `Optional[String]` - -The certificate to store in spicified `tls_cert_file` file. Only valid if tls is enabled. -By default, same value from the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::tls_cert` - -##### `tls_cacert` - -Data type: `Optional[String]` - -The ca certificate to store in spicified `tls_cacert_file` file. Only valid if tls is enabled. -By default, same value from the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::tls_cacert` - -##### `tls_capath` - -Data type: `Optional[Stdlib::Absolutepath]` - -The file path to the directory that contains the trusted SSL CA certificates, which are stored in PEM format. -Only available for the mysql database. By default, same value from the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::tls_capath` - -##### `tls_noverify` - -Data type: `Optional[Boolean]` - -Disable validation of the server certificate. By default, same value from the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::tls_noverify` - -##### `tls_cipher` - -Data type: `Optional[String]` - -Cipher to use for the encrypted database connection. By default, same value from the `monitoring` module is used. - -Default value: `$icingaweb2::module::monitoring::tls_cipher` - ### `icingaweb2::module::incubator` Installs and enables the incubator module. diff --git a/manifests/module/idoreports.pp b/manifests/module/idoreports.pp index cccb7b8a..78c9d3f4 100644 --- a/manifests/module/idoreports.pp +++ b/manifests/module/idoreports.pp 
@@ -1,5 +1,5 @@ # @summary -# Installs, configures and enables the idoreports module. +# Installs, configures and enables the idoreports module. The module is deprecated. # # @note If you want to use `git` as `install_method`, the CLI `git` command has to be installed. You can manage it yourself as package resource or declare the package name in icingaweb2 class parameter `extra_packages`. # 
@@ -26,53 +26,6 @@ # Options `mariadb` and `mysql`, both means true. With mariadb its cli options are used for the import, # whereas with mysql its different options. # -# @param ido_db_username -# An alternative username to login into the database. By default, the user from -# the `monitoring` module is used. -# -# @param ido_db_password -# The password for the alternative user. By default, the password from -# the `monitoring` module is used. -# -# @param use_tls -# Either enable or disable TLS encryption to the database. Other TLS parameters -# are only affected if this is set to 'true'. By default, same value from -# the `monitoring` module is used. -# -# @param tls_key_file -# Location of the private key for client authentication. Only valid if tls is enabled. -# By default, same value from the `monitoring` module is used. -# -# @param tls_cert_file -# Location of the certificate for client authentication. Only valid if tls is enabled. -# By default, same value from the `monitoring` module is used. -# -# @param tls_cacert_file -# Location of the ca certificate. Only valid if tls is enabled. -# By default, same value from the `monitoring` module is used. -# -# @param tls_key -# The private key to store in spicified `tls_key_file` file. Only valid if tls is enabled. -# By default, same value from the `monitoring` module is used. -# -# @param tls_cert -# The certificate to store in spicified `tls_cert_file` file. Only valid if tls is enabled. -# By default, same value from the `monitoring` module is used. -# -# @param tls_cacert -# The ca certificate to store in spicified `tls_cacert_file` file. Only valid if tls is enabled. -# By default, same value from the `monitoring` module is used. -# -# @param tls_capath -# The file path to the directory that contains the trusted SSL CA certificates, which are stored in PEM format. -# Only available for the mysql database. By default, same value from the `monitoring` module is used. 
-# -# @param tls_noverify -# Disable validation of the server certificate. By default, same value from the `monitoring` module is used. -# -# @param tls_cipher -# Cipher to use for the encrypted database connection. By default, same value from the `monitoring` module is used. -# # @example # class { 'icingaweb2::module::idoreports': # git_revision => 'v0.10.0', 
@@ -83,34 +36,22 @@ Enum['git', 'none', 'package'] $install_method, String $git_repository, String $package_name, - Optional[Stdlib::Absolutepath] $module_dir = undef, - Optional[String] $git_revision = undef, - Variant[Boolean, Enum['mariadb', 'mysql']] $import_schema = false, - Optional[String] $ido_db_username = $icingaweb2::module::monitoring::ido_db_username, - Optional[Icingaweb2::Secret] $ido_db_password = $icingaweb2::module::monitoring::ido_db_password, - Optional[Boolean] $use_tls = $icingaweb2::module::monitoring::use_tls, - Optional[Stdlib::Absolutepath] $tls_key_file = $icingaweb2::module::monitoring::tls_key_file, - Optional[Stdlib::Absolutepath] $tls_cert_file = $icingaweb2::module::monitoring::tls_cert_file, - Optional[Stdlib::Absolutepath] $tls_cacert_file = $icingaweb2::module::monitoring::tls_cacert_file, - Optional[Stdlib::Absolutepath] $tls_capath = $icingaweb2::module::monitoring::tls_capath, - Optional[Icingaweb2::Secret] $tls_key = $icingaweb2::module::monitoring::tls_key, - Optional[String] $tls_cert = $icingaweb2::module::monitoring::tls_cert, - Optional[String] $tls_cacert = $icingaweb2::module::monitoring::tls_cacert, - Optional[Boolean] $tls_noverify = $icingaweb2::module::monitoring::tls_noverify, - Optional[String] $tls_cipher = $icingaweb2::module::monitoring::tls_cipher, + Stdlib::Absolutepath $module_dir = "${icingaweb2::globals::default_module_path}/idoreports", + Optional[String] $git_revision = undef, + Variant[Boolean, Enum['mariadb', 'mysql']] $import_schema = false, ) { unless defined(Class['icingaweb2::module::monitoring']) { fail('You must declare the icingaweb2::module::monitoring class before using icingaweb2::module::idoreports!') } - $conf_dir = $icingaweb2::globals::conf_dir - $module_conf_dir = "${conf_dir}/modules/idoreports" + $conf_dir = $icingaweb2::globals::conf_dir + $module_conf_dir = "${conf_dir}/modules/idoreports" Exec { path => $facts['path'], provider => shell, user => 'root', - require => 
Icingaweb2::Module['idoreports'], + require => Class['icingaweb2::module::monitoring'], } icingaweb2::module { 'idoreports': @@ -128,33 +69,9 @@ } if $import_schema { - $db = { - type => $icingaweb2::module::monitoring::ido_type, - host => $icingaweb2::module::monitoring::ido_host, - port => pick($icingaweb2::module::monitoring::ido_port, $icingaweb2::globals::port[$icingaweb2::module::monitoring::ido_type]), - name => $icingaweb2::module::monitoring::ido_db_name, - user => $ido_db_username, - pass => $ido_db_password, - } - - $tls = delete($icingaweb2::config::tls, ['key', 'cert', 'cacert']) + delete_undef_values(icingaweb2::cert::files( - 'client', - $module_conf_dir, - $tls_key_file, - $tls_cert_file, - $tls_cacert_file, - $tls_key, - $tls_cert, - $tls_cacert, - ) + { - capath => $tls_capath, - noverify => $tls_noverify, - cipher => $tls_cipher, - }) - - icingaweb2::tls::client { 'icingaweb2::module::idoreports tls client config': - args => $tls, - } + $db = $icingaweb2::module::monitoring::db + $use_tls = $icingaweb2::module::monitoring::use_tls + $tls = $icingaweb2::module::monitoring::config::tls # determine the real dbms, because there are some differnces between # the mysql and mariadb client @@ -163,7 +80,7 @@ } else { $import_schema } - $db_cli_options = icingaweb2::db::connect($db + { type => $real_db_type }, $tls, $use_tls) + $db_cli_options = icinga::db::connect($db + { type => $real_db_type }, $tls, $use_tls) case $db['type'] { 'mysql': { From 72a45672c30b21537fa954a1428a20bb206ee657 Mon Sep 17 00:00:00 2001 
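Review bot: The `Exec` resource default now requires only `Class['icingaweb2::module::monitoring']`, so nothing visible in this hunk orders the schema-import exec after `Icingaweb2::Module['idoreports']`, which presumably puts the schema files on disk. If the import exec further down (outside this hunk) does not declare that dependency itself, a first run with `install_method => 'git'` could attempt the import before the module is installed. I would state the dependency on the import exec itself rather than in the default: `require => [Class['icingaweb2::module::monitoring'], Icingaweb2::Module['idoreports']],`. The class body continues past this hunk.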
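Review bot: With `$db = $icingaweb2::module::monitoring::db` the schema import always logs in with the monitoring module's IDO account, and the `ido_db_username`/`ido_db_password` parameters that allowed a separate import account are removed in the parameter hunk above. The import presumably creates schema objects, so the account the web UI uses to read IDO data now needs schema-changing rights wherever `import_schema` is set. That deserves a line in the class documentation or an upgrade note. `$tls` is also read from the sub class `icingaweb2::module::monitoring::config`, while the `defined()` guard above only checks the parent class, so this block relies on the sub class having been evaluated first. The `if $import_schema` block continues outside the hunk.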
From: Lennart Betz Date: Mon, 6 Nov 2023 15:49:25 +0100 Subject: [PATCH 10/14] reporting, vspheredb modules: move config setting to config sub class --- manifests/module/reporting.pp | 20 +++++++++++++++++++- manifests/module/reporting/config.pp | 3 +++ manifests/module/reporting/install.pp | 18 ------------------ manifests/module/vspheredb.pp | 13 ++++++++++++- manifests/module/vspheredb/config.pp | 3 +++ manifests/module/vspheredb/install.pp | 10 ---------- spec/classes/modules/reporting_spec.rb | 26 ++++++++++++++------------ spec/classes/modules/vspheredb_spec.rb | 14 +++++++------- 8 files changed, 58 insertions(+), 49 deletions(-) diff --git a/manifests/module/reporting.pp b/manifests/module/reporting.pp index 46c157dd..b02d332e 100644 --- a/manifests/module/reporting.pp +++ b/manifests/module/reporting.pp @@ -134,7 +134,8 @@ ) { icingaweb2::assert_module() - $cert_dir = "${icingaweb2::globals::state_dir}/reporting/certs" + $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/reporting" + $cert_dir = "${icingaweb2::globals::state_dir}/reporting/certs" $db = { type => $db_type, @@ -156,6 +157,23 @@ $tls_cacert, ) + $settings = { + 'icingaweb2-module-reporting-backend' => { + 'section_name' => 'backend', + 'target' => "${module_conf_dir}/config.ini", + 'settings' => { + 'resource' => 'reporting', + }, + }, + 'icingaweb2-module-reporting-mail' => { + 'section_name' => 'mail', + 'target' => "${module_conf_dir}/config.ini", + 'settings' => delete_undef_values({ + 'from' => $mail, + }), + }, + } + class { 'icingaweb2::module::reporting::install': } -> class { 'icingaweb2::module::reporting::config': } ~> class { 'icingaweb2::module::reporting::service': } diff --git a/manifests/module/reporting/config.pp b/manifests/module/reporting/config.pp index 53cf189e..7be86175 100644 --- a/manifests/module/reporting/config.pp +++ b/manifests/module/reporting/config.pp 
@@ -22,6 +22,7 @@ $icingacli_bin = $icingaweb2::globals::icingacli_bin $service_user = $icingaweb2::module::reporting::service_user $install_method = $icingaweb2::module::reporting::install_method + $settings = $icingaweb2::module::reporting::settings Exec { user => 'root', @@ -56,6 +57,8 @@ tls_cipher => $tls['cipher'], } + create_resources('icingaweb2::inisection', $settings) + if $import_schema { $real_db_type = if $import_schema =~ Boolean { if $db['type'] == 'pgsql' { 'pgsql' } else { 'mariadb' } diff --git a/manifests/module/reporting/install.pp b/manifests/module/reporting/install.pp index d8427af0..22d62fbd 100644 --- a/manifests/module/reporting/install.pp +++ b/manifests/module/reporting/install.pp @@ -6,7 +6,6 @@ class icingaweb2::module::reporting::install { assert_private() - $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/reporting" $conf_user = $icingaweb2::conf_user $conf_group = $icingaweb2::conf_group $ensure = $icingaweb2::module::reporting::ensure @@ -19,7 +18,6 @@ $tls = $icingaweb2::module::reporting::tls $cert_dir = $icingaweb2::module::reporting::cert_dir $service_user = $icingaweb2::module::reporting::service_user - $mail = $icingaweb2::module::reporting::mail icingaweb2::module { 'reporting': ensure => $ensure, @@ -28,22 +26,6 @@ install_method => $install_method, module_dir => $module_dir, package_name => $package_name, - settings => { - 'icingaweb2-module-reporting-backend' => { - 'section_name' => 'backend', - 'target' => "${module_conf_dir}/config.ini", - 'settings' => { - 'resource' => 'reporting', - }, - }, - 'icingaweb2-module-reporting-mail' => { - 'section_name' => 'mail', - 'target' => "${module_conf_dir}/config.ini", - 'settings' => delete_undef_values({ - 'from' => $mail, - }), - }, - }, } if $use_tls { diff --git a/manifests/module/vspheredb.pp b/manifests/module/vspheredb.pp index a252fa54..13f22aa4 100644 --- a/manifests/module/vspheredb.pp +++ b/manifests/module/vspheredb.pp 
@@ -130,7 +130,8 @@ ) { icingaweb2::assert_module() - $cert_dir = "${icingaweb2::globals::state_dir}/vspheredb/certs" + $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/vspheredb" + $cert_dir = "${icingaweb2::globals::state_dir}/vspheredb/certs" $db = { type => $db_type, @@ -152,6 +153,16 @@ $tls_cacert, ) + $settings = { + 'icingaweb2-module-vspheredb' => { + 'section_name' => 'db', + 'target' => "${module_conf_dir}/config.ini", + 'settings' => { + 'resource' => 'icingaweb2-module-vspheredb', + }, + }, + } + class { 'icingaweb2::module::vspheredb::install': } -> class { 'icingaweb2::module::vspheredb::config': } ~> class { 'icingaweb2::module::vspheredb::service': } diff --git a/manifests/module/vspheredb/config.pp b/manifests/module/vspheredb/config.pp index 201cacc0..9dea0155 100644 --- a/manifests/module/vspheredb/config.pp +++ b/manifests/module/vspheredb/config.pp @@ -22,6 +22,7 @@ $icingacli_bin = $icingaweb2::globals::icingacli_bin $service_user = $icingaweb2::module::vspheredb::service_user $install_method = $icingaweb2::module::vspheredb::install_method + $settings = $icingaweb2::module::vspheredb::settings Exec { user => 'root', @@ -59,6 +60,8 @@ tls_cipher => $tls['cipher'], } + create_resources('icingaweb2::inisection', $settings) + if $import_schema { $real_db_type = if $import_schema =~ Boolean { if $db['type'] == 'pgsql' { 'pgsql' } else { 'mariadb' } diff --git a/manifests/module/vspheredb/install.pp b/manifests/module/vspheredb/install.pp index 24c47b27..5bec3f5d 100644 --- a/manifests/module/vspheredb/install.pp +++ b/manifests/module/vspheredb/install.pp @@ -6,7 +6,6 @@ class icingaweb2::module::vspheredb::install { assert_private() - $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/vspheredb" $conf_user = $icingaweb2::conf_user $conf_group = $icingaweb2::conf_group $ensure = $icingaweb2::module::vspheredb::ensure 
@@ -27,15 +26,6 @@ install_method => $install_method, module_dir => $module_dir, package_name => $package_name, - settings => { - 'icingaweb2-module-vspheredb' => { - 'section_name' => 'db', - 'target' => "${module_conf_dir}/config.ini", - 'settings' => { - 'resource' => 'icingaweb2-module-vspheredb', - }, - }, - }, } if $use_tls { diff --git a/spec/classes/modules/reporting_spec.rb b/spec/classes/modules/reporting_spec.rb index 725fe9e6..d58c1962 100644 --- a/spec/classes/modules/reporting_spec.rb +++ b/spec/classes/modules/reporting_spec.rb @@ -39,18 +39,20 @@ .with_install_method('git') .with_git_revision('v1.0.0') .with_package_name('icingaweb2-module-reporting') - .with_settings('icingaweb2-module-reporting-backend' => { - 'section_name' => 'backend', - 'target' => '/etc/icingaweb2/modules/reporting/config.ini', - 'settings' => { - 'resource' => 'reporting', - }, - }, - 'icingaweb2-module-reporting-mail' => { - 'section_name' => 'mail', - 'target' => '/etc/icingaweb2/modules/reporting/config.ini', - 'settings' => { 'from' => 'foo@icinga.com' }, - }) + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-reporting-backend') + .with_section_name('backend') + .with_target('/etc/icingaweb2/modules/reporting/config.ini') + .with_settings({ 'resource' => 'reporting' }) + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-reporting-mail') + .with_section_name('mail') + .with_target('/etc/icingaweb2/modules/reporting/config.ini') + .with_settings({ 'from' => 'foo@icinga.com' }) } it { diff --git a/spec/classes/modules/vspheredb_spec.rb b/spec/classes/modules/vspheredb_spec.rb index 3bd82cfb..5a79b046 100644 --- a/spec/classes/modules/vspheredb_spec.rb +++ b/spec/classes/modules/vspheredb_spec.rb 
@@ -38,13 +38,13 @@ .with_install_method('git') .with_git_revision('v1.7.1') .with_package_name('icingaweb2-module-vspheredb') - .with_settings('icingaweb2-module-vspheredb' => { - 'section_name' => 'db', - 'target' => '/etc/icingaweb2/modules/vspheredb/config.ini', - 'settings' => { - 'resource' => 'icingaweb2-module-vspheredb', - }, - }) + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-vspheredb') + .with_section_name('db') + .with_target('/etc/icingaweb2/modules/vspheredb/config.ini') + .with_settings({ 'resource' => 'icingaweb2-module-vspheredb' }) } it { From bdc8fbd85793d5fb155617a49d1f91580c613bc3 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Tue, 7 Nov 2023 10:28:45 +0100 Subject: [PATCH 11/14] rework module director --- 3 | 74 ++++++++ REFERENCE.md | 96 ++-------- data/Linux-kernel.yaml | 2 + data/common.yaml | 22 ++- manifests/globals.pp | 2 + manifests/module/director.pp | 176 +++++++----------- manifests/module/director/config.pp | 73 ++++++++ manifests/module/director/install.pp | 63 +++++++ manifests/module/director/service.pp | 58 +----- spec/classes/modules/director_service_spec.rb | 41 ---- spec/classes/modules/director_spec.rb | 50 ++--- ...ervice.erb => icinga-director.service.epp} | 8 +- 12 files changed, 351 insertions(+), 314 deletions(-) create mode 100644 3 create mode 100644 manifests/module/director/config.pp create mode 100644 manifests/module/director/install.pp delete mode 100644 spec/classes/modules/director_service_spec.rb rename templates/{icinga-director.service.erb => icinga-director.service.epp} (76%) diff --git a/3 b/3 new file mode 100644 index 00000000..ac2694bc --- /dev/null +++ b/3 
@@ -0,0 +1,74 @@ +# @summary +# Configure the director module. +# +# @api private +# +class icingaweb2::module::director::config { + assert_private() + + $stdlib_version = $icingaweb2::globals::stdlib_version + $icingacli_bin = $icingaweb2::globals::icingacli_bin + $install_method = $icingaweb2::module::director::install_method + $db = $icingaweb2::module::director::db + $import_schema = $icingaweb2::module::director::import_schema + $use_tls = $icingaweb2::module::director::use_tls + $tls = $icingaweb2::module::director::tls + { + cacert_file => icingaweb2::pick($icingaweb2::module::director::tls['cacert_file'], $icingaweb2::config::tls['cacert_file']), + capath => icingaweb2::pick($icingaweb2::module::director::tls_capath, $icingaweb2::config::tls['capath']), + noverify => icingaweb2::pick($icingaweb2::module::director::tls_noverify, $icingaweb2::config::tls['noverify']), + cipher => icingaweb2::pick($icingaweb2::module::director::tls_cipher, $icingaweb2::config::tls['cipher']), + } + $settings = $icingaweb2::module::director::db_settings + $icingaweb2::module::director::kickstart_settings + $service_user = $icingaweb2::module::director::service_user + $import_schema = $icingaweb2::module::director::import_schema + $kickstart = $icingaweb2::module::director::kickstart + + Exec { + user => 'root', + path => $facts['path'], + provider => 'shell', + } + + icingaweb2::resource::database { 'icingaweb2-module-director': + type => $db['type'], + host => $db['host'], + port => $db['port'], + database => $db['database'], + username => $db['username'], + password => $db['password'], + charset => pick($icingaweb2::module::director::db_charset, $icingaweb2::globals::db_charset[$db['type']]['director']), + use_tls => $use_tls, + tls_noverify => $tls['noverify'], + tls_key => $tls['key_file'], + tls_cert => $tls['cert_file'], + tls_cacert => $tls['cacert_file'], + tls_capath => $tls['capath'], + tls_cipher => $tls['cipher'], + } + + create_resources('icingaweb2::inisection', 
$settings) + + if $install_method == 'git' { + systemd::unit_file { 'icinga-director.service': + content => epp('icingaweb2/icinga-director.service.epp', { + 'conf_user' => $service_user, + 'icingacli_bin' => $icingacli_bin, + }), + } + } + + if $import_schema { + exec { 'director-migration': + command => "${icingacli_bin} director migration run", + onlyif => "${icingacli_bin} director migration pending", + } + + if $kickstart { + exec { 'director-kickstart': + command => "${icingacli_bin} director kickstart run", + onlyif => "${icingacli_bin} director kickstart required", + require => Exec['director-migration'], + } + } + } +} diff --git a/REFERENCE.md b/REFERENCE.md index 3694c014..dbf52896 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -13,8 +13,7 @@ * [`icingaweb2::module::audit`](#icingaweb2--module--audit): Installs and enables the audit module. * [`icingaweb2::module::businessprocess`](#icingaweb2--module--businessprocess): Installs and enables the businessprocess module. * [`icingaweb2::module::cube`](#icingaweb2--module--cube): Installs and enables the cube module. -* [`icingaweb2::module::director`](#icingaweb2--module--director): Installs and configures the director module. -* [`icingaweb2::module::director::service`](#icingaweb2--module--director--service): Installs and configures the director service. +* [`icingaweb2::module::director`](#icingaweb2--module--director): Install and configure the director module. * [`icingaweb2::module::doc`](#icingaweb2--module--doc): The doc module provides an interface to the Icinga 2 and Icinga Web 2 documentation. * [`icingaweb2::module::elasticsearch`](#icingaweb2--module--elasticsearch): The Elasticsearch module displays events from data stored in Elasticsearch. * [`icingaweb2::module::fileshipper`](#icingaweb2--module--fileshipper): The fileshipper module extends the Director. It offers import sources to deal with CSV, JSON, YAML and XML files. 
@@ -38,6 +37,9 @@ * `icingaweb2::config`: Configures Icinga Web 2. * `icingaweb2::install`: Installs Icinga Web 2 and extra packages. +* `icingaweb2::module::director::config`: Configure the director module. +* `icingaweb2::module::director::install`: Install the director module. +* `icingaweb2::module::director::service`: Manage the director service. * `icingaweb2::module::icingadb::config`: Configure the icingadb module. * `icingaweb2::module::icingadb::install`: Install the icingadb module. * `icingaweb2::module::monitoring::config`: Configure the monitoring module. @@ -989,7 +991,7 @@ Default value: `'icingaweb2-module-cube'` ### `icingaweb2::module::director` -Installs and configures the director module. +Install and configure the director module. * **Note** If you want to use `git` as `install_method`, the CLI `git` command has to be installed. You can manage it yourself as package resource or declare the package name in icingaweb2 class parameter `extra_packages`. @@ -1048,6 +1050,9 @@ The following parameters are available in the `icingaweb2::module::director` cla * [`api_username`](#-icingaweb2--module--director--api_username) * [`api_password`](#-icingaweb2--module--director--api_password) * [`manage_service`](#-icingaweb2--module--director--manage_service) +* [`service_ensure`](#-icingaweb2--module--director--service_ensure) +* [`service_enable`](#-icingaweb2--module--director--service_enable) +* [`service_user`](#-icingaweb2--module--director--service_user) ##### `ensure` 
@@ -1055,24 +1060,20 @@ Data type: `Enum['absent', 'present']` Enable or disable module. -Default value: `'present'` - ##### `module_dir` -Data type: `Optional[Stdlib::Absolutepath]` +Data type: `Stdlib::Absolutepath` Target directory of the module. -Default value: `undef` +Default value: `"${icingaweb2::globals::default_module_path}/director"` ##### `git_repository` -Data type: `String` +Data type: `Stdlib::HTTPUrl` Set a git repository URL. -Default value: `'https://github.com/Icinga/icingaweb2-module-director.git'` - ##### `git_revision` Data type: `Optional[String]` @@ -1087,16 +1088,12 @@ Data type: `Enum['git', 'package', 'none']` Install methods are `git`, `package` and `none` is supported as installation method. -Default value: `'git'` - ##### `package_name` Data type: `String` Package name of the module. This setting is only valid in combination with the installation method `package`. -Default value: `'icingaweb2-module-director'` - ##### `db_type` Data type: `Enum['mysql', 'pgsql']` @@ -1109,8 +1106,6 @@ Data type: `Stdlib::Host` Hostname of the database. -Default value: `'localhost'` - ##### `db_port` Data type: `Optional[Stdlib::Port]` @@ -1125,16 +1120,12 @@ Data type: `String` Name of the database. -Default value: `'director'` - ##### `db_username` Data type: `String` Username for DB connection. -Default value: `'director'` - ##### `db_password` Data type: `Optional[Icingaweb2::Secret]` @@ -1145,11 +1136,11 @@ Default value: `undef` ##### `db_charset` -Data type: `String` +Data type: `Optional[String]` Character set to use for the database. -Default value: `'utf8'` +Default value: `undef` ##### `use_tls` @@ -1263,16 +1254,12 @@ Data type: `Stdlib::Host` Icinga 2 API hostname. This setting is only valid if `kickstart` is `true`. -Default value: `'localhost'` - ##### `api_port` Data type: `Stdlib::Port` Icinga 2 API port. This setting is only valid if `kickstart` is `true`. -Default value: `5665` - ##### `api_username` Data type: `Optional[String]` 
@@ -1293,68 +1280,25 @@ Default value: `undef` Data type: `Boolean` -Also manage the service (daemon), running and enabled. Otherwise do your config via hiera. - -Default value: `true` - -### `icingaweb2::module::director::service` - -Installs and configures the director service. - -* **Note** Only systemd is supported by the Icinga Team and this module. - -#### Parameters - -The following parameters are available in the `icingaweb2::module::director::service` class: - -* [`ensure`](#-icingaweb2--module--director--service--ensure) -* [`enable`](#-icingaweb2--module--director--service--enable) -* [`user`](#-icingaweb2--module--director--service--user) -* [`group`](#-icingaweb2--module--director--service--group) -* [`manage_user`](#-icingaweb2--module--director--service--manage_user) +If set to true the service (daemon) is managed. -##### `ensure` +##### `service_ensure` Data type: `Stdlib::Ensure::Service` -Whether the director service should be running. - -Default value: `'running'` +Wether the service is `running` or `stopped`. -##### `enable` +##### `service_enable` Data type: `Boolean` -Enable or disable the service. - -Default value: `true` - -##### `user` - -Data type: `String` - -Specifies user to run director service daemon. Only available if -install_method package is not used. - -Default value: `'icingadirector'` +Whether the service should be started at boot time. -##### `group` +##### `service_user` Data type: `String` -Specifies primary group for user to run director service daemon. - Only available if install_method package is not used. - -Default value: `'icingaweb2'` - -##### `manage_user` - -Data type: `Boolean` - -Whether to manage the server user resource. Only available if -install_method package is not used. - -Default value: `true` +The user as which the service is running. Only valid if `install_method` is set to `git`. ### `icingaweb2::module::doc` diff --git a/data/Linux-kernel.yaml b/data/Linux-kernel.yaml index e22127d0..1e621f2c 100644 
--- a/data/Linux-kernel.yaml +++ b/data/Linux-kernel.yaml @@ -19,5 +19,7 @@ icingaweb2::conf_group: icingaweb2 icingaweb2::logging_file: /var/log/icingaweb2/icingaweb2.log icingaweb2::module::icingadb::package_name: icingadb-web +icingaweb2::module::director::package_name: icingaweb2-module-director icingaweb2::module::reporting::package_name: icingaweb2-module-reporting +icingaweb2::module::idoreports::package_name: icingaweb2-module-idoreports icingaweb2::module::vspheredb::package_name: icingaweb2-module-vspheredb diff --git a/data/common.yaml b/data/common.yaml index 269da002..ffc7b4f4 100644 --- a/data/common.yaml +++ b/data/common.yaml @@ -7,7 +7,6 @@ icingaweb2::default_admin_password: icinga icingaweb2::globals::role_replace: true icingaweb2::module::businessprocess::git_repository: https://github.com/Icinga/icingaweb2-module-businessprocess.git icingaweb2::module::cube::git_repository: https://github.com/Icinga/icingaweb2-module-cube.git -icingaweb2::module::director::git_repository: https://github.com/Icinga/icingaweb2-module-director.git icingaweb2::module::elasticsearch::git_repository: https://github.com/Icinga/icingaweb2-module-elasticsearch.git icingaweb2::module::fileshipper::git_repository: https://github.com/Icinga/icingaweb2-module-fileshipper.git icingaweb2::module::generictts::git_repository: https://github.com/Icinga/icingaweb2-module-generictts.git 
@@ -15,10 +14,6 @@ icingaweb2::module::graphite::git_repository: https://github.com/Icinga/icingawe icingaweb2::module::incubator::git_repository: https://github.com/Icinga/icingaweb2-module-incubator.git icingaweb2::module::incubator::git_revision: v0.19.0 icingaweb2::module::puppetdb::git_repository: https://github.com/Icinga/icingaweb2-module-puppetdb.git -icingaweb2::module::idoreports::ensure: present -icingaweb2::module::idoreports::install_method: git -icingaweb2::module::idoreports::git_repository: https://github.com/Icinga/icingaweb2-module-idoreports.git -icingaweb2::module::idoreports::package_name: icingaweb2-module-idoreports icingaweb2::module::x509::ensure: present icingaweb2::module::x509::install_method: git icingaweb2::module::x509::git_repository: https://github.com/Icinga/icingaweb2-module-x509.git @@ -39,6 +34,19 @@ icingaweb2::module::icingadb::db_host: localhost icingaweb2::module::icingadb::db_name: icingadb icingaweb2::module::icingadb::db_username: icingadb +icingaweb2::module::director::ensure: present +icingaweb2::module::director::install_method: git +icingaweb2::module::director::git_repository: https://github.com/Icinga/icingaweb2-module-director.git +icingaweb2::module::director::api_host: localhost +icingaweb2::module::director::api_port: 5665 +icingaweb2::module::director::manage_service: true +icingaweb2::module::director::service_ensure: running +icingaweb2::module::director::service_enable: true +icingaweb2::module::director::service_user: icingadirector +icingaweb2::module::director::db_host: localhost +icingaweb2::module::director::db_name: director +icingaweb2::module::director::db_username: director + icingaweb2::globals::mysql_reporting_schema: /schema/mysql.sql icingaweb2::globals::pgsql_reporting_schema: /schema/postgresql.sql icingaweb2::module::reporting::ensure: present 
@@ -52,6 +60,10 @@ icingaweb2::module::reporting::db_host: localhost icingaweb2::module::reporting::db_name: reporting icingaweb2::module::reporting::db_username: reporting +icingaweb2::module::idoreports::ensure: present +icingaweb2::module::idoreports::install_method: git +icingaweb2::module::idoreports::git_repository: https://github.com/Icinga/icingaweb2-module-idoreports.git + icingaweb2::globals::mysql_vspheredb_schema: /schema/mysql.sql icingaweb2::globals::pgsql_vspheredb_schema: /schema/pgsql.sql icingaweb2::module::vspheredb::ensure: present diff --git a/manifests/globals.pp b/manifests/globals.pp index 5014818f..2fb9a206 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp @@ -93,10 +93,12 @@ $db_charset = { 'mysql' => { + 'director' => 'utf8', 'vspheredb' => 'utf8mb4', 'reporting' => 'utf8mb4', }, 'pgsql' => { + 'director' => 'UTF8', 'vspheredb' => 'UTF8', 'reporting' => 'UTF8', }, diff --git a/manifests/module/director.pp b/manifests/module/director.pp index c50e0465..8ef7b94a 100644 --- a/manifests/module/director.pp +++ b/manifests/module/director.pp @@ -1,5 +1,5 @@ # @summary -# Installs and configures the director module. +# Install and configure the director module. # # @note If you want to use `git` as `install_method`, the CLI `git` command has to be installed. You can manage it yourself as package resource or declare the package name in icingaweb2 class parameter `extra_packages`. # 
@@ -96,7 +96,16 @@
 # Icinga 2 API password. This setting is only valid if `kickstart` is `true`.
 #
 # @param manage_service
-# Also manage the service (daemon), running and enabled. Otherwise do your config via hiera.
+# If set to true the service (daemon) is managed.
+#
+# @param service_ensure
+# Wether the service is `running` or `stopped`.
+#
+# @param service_enable
+# Whether the service should be started at boot time.
+#
+# @param service_user
+# The user as which the service is running. Only valid if `install_method` is set to `git`.
 #
 # @note Please checkout the [Director module documentation](https://www.icinga.com/docs/director/latest/) for requirements.
 #
@@ -116,20 +125,27 @@ # } # class icingaweb2::module::director ( + Enum['absent', 'present'] $ensure, + Enum['git', 'package', 'none'] $install_method, + Stdlib::HTTPUrl $git_repository, + String $package_name, + Boolean $manage_service, + Stdlib::Ensure::Service $service_ensure, + Boolean $service_enable, + String $service_user, + Stdlib::Host $api_host, + Stdlib::Port $api_port, Enum['mysql', 'pgsql'] $db_type, - Enum['absent', 'present'] $ensure = 'present', - Optional[Stdlib::Absolutepath] $module_dir = undef, - String $git_repository = 'https://github.com/Icinga/icingaweb2-module-director.git', - Optional[String] $git_revision = undef, - Enum['git', 'package', 'none'] $install_method = 'git', - String $package_name = 'icingaweb2-module-director', - Stdlib::Host $db_host = 'localhost', + Stdlib::Host $db_host, + String $db_name, + String $db_username, Optional[Stdlib::Port] $db_port = undef, - String $db_name = 'director', - String $db_username = 'director', Optional[Icingaweb2::Secret] $db_password = undef, - String $db_charset = 'utf8', - Boolean $manage_service = true, + Optional[String] $db_charset = undef, + Boolean $import_schema = false, + Boolean $kickstart = false, + Stdlib::Absolutepath $module_dir = "${icingaweb2::globals::default_module_path}/director", + Optional[String] $git_revision = undef, Optional[Boolean] $use_tls = undef, Optional[Stdlib::Absolutepath] $tls_key_file = undef, Optional[Stdlib::Absolutepath] $tls_cert_file = undef, @@ -140,11 +156,7 @@ Optional[String] $tls_cacert = undef, Optional[Boolean] $tls_noverify = undef, Optional[String] $tls_cipher = undef, - Boolean $import_schema = false, - Boolean $kickstart = false, Optional[String] $endpoint = undef, - Stdlib::Host $api_host = 'localhost', - Stdlib::Port $api_port = 5665, Optional[String] $api_username = undef, Optional[Icingaweb2::Secret] $api_password = undef, ) { 
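Review bot: `Stdlib::HTTPUrl $git_repository` narrows the former `String` to http/https URLs, which rejects ssh-style remotes that existing users may have configured, yet still admits plain `http://`. Since the cloned code ends up being served by the web application, I would either keep `String` for compatibility or move to `Stdlib::HTTPSUrl` deliberately and mention it in the changelog. `git_revision` still defaults to `undef`, so with the `install_method: git` default in `data/common.yaml` the module presumably follows whatever the remote's default branch currently holds. A pinned tag in the hiera data, as is done for incubator with `v0.19.0`, would make runs reproducible. The parameter list continues in the next hunk.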
@@ -152,57 +164,26 @@ $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/director" $cert_dir = "${icingaweb2::globals::state_dir}/director/certs" - $conf_user = $icingaweb2::conf_user - $conf_group = $icingaweb2::conf_group - $icingacli_bin = $icingaweb2::globals::icingacli_bin - $stdlib_version = $icingaweb2::globals::stdlib_version - - $tls = delete_undef_values(icinga::cert::files( - $db_username, - $cert_dir, - $tls_key_file, - $tls_cert_file, - $tls_cacert_file, - $tls_key, - $tls_cert, - $tls_cacert, - )) - - Exec { - user => 'root', - path => $facts['path'], - provider => 'shell', - } - file { $cert_dir: - ensure => directory, - owner => 'root', - group => $conf_group, - mode => '2770', + $db = { + type => $db_type, + database => $db_name, + host => $db_host, + port => $db_port, + username => $db_username, + password => $db_password, } - icinga::cert { 'icingaweb2::module::director tls client config': - owner => $conf_user, - group => $conf_group, - args => $tls, - } - - icingaweb2::resource::database { 'icingaweb2-module-director': - type => $db_type, - host => $db_host, - port => pick($db_port, $icingaweb2::globals::port[$db_type]), - database => $db_name, - username => $db_username, - password => $db_password, - charset => $db_charset, - use_tls => $use_tls, - tls_noverify => unless $tls_noverify { $icingaweb2::config::tls['noverify'] } else { $tls_noverify }, - tls_key => $tls['key_file'], - tls_cert => $tls['cert_file'], - tls_cacert => unless $tls_cacert_file { $icingaweb2::config::tls['cacert_file'] } else { $tls_cacert_file }, - tls_capath => unless $tls_capath { $icingaweb2::config::tls['capath'] } else { $tls_capath }, - tls_cipher => unless $tls_cipher { $icingaweb2::config::tls['cipher'] } else { $tls_cipher }, - } + $tls = icinga::cert::files( + $db_username, + $cert_dir, + $tls_key_file, + $tls_cert_file, + $tls_cacert_file, + $tls_key, + $tls_cert, + $tls_cacert, + ) $db_settings = { 'module-director-db' => { 
@@ -214,57 +195,28 @@ }, } - if $import_schema { - if versioncmp($stdlib_version, '9.0.0') < 0 { - ensure_packages(['icingacli'], { 'ensure' => 'present' }) - } else { - stdlib::ensure_packages(['icingacli'], { 'ensure' => 'present' }) - } - - exec { 'director-migration': - command => "${icingacli_bin} director migration run", - onlyif => "${icingacli_bin} director migration pending", - require => [Icinga::Cert['icingaweb2::module::director tls client config'], Icingaweb2::Module['director'], Package['icingacli']], - } - - if $kickstart { - $kickstart_settings = { - 'module-director-config' => { - 'section_name' => 'config', - 'target' => "${module_conf_dir}/kickstart.ini", - 'settings' => { - 'endpoint' => $endpoint, - 'host' => $api_host, - 'port' => $api_port, - 'username' => $api_username, - 'password' => icingaweb2::unwrap($api_password), - }, + if $kickstart { + $kickstart_settings = { + 'module-director-config' => { + 'section_name' => 'config', + 'target' => "${module_conf_dir}/kickstart.ini", + 'settings' => { + 'endpoint' => $endpoint, + 'host' => $api_host, + 'port' => $api_port, + 'username' => $api_username, + 'password' => icingaweb2::unwrap($api_password), }, - } - - exec { 'director-kickstart': - command => "${icingacli_bin} director kickstart run", - onlyif => "${icingacli_bin} director kickstart required", - require => Exec['director-migration'], - } - } else { - $kickstart_settings = {} + }, } } else { $kickstart_settings = {} } - icingaweb2::module { 'director': - ensure => $ensure, - git_repository => $git_repository, - git_revision => $git_revision, - install_method => $install_method, - module_dir => $module_dir, - package_name => $package_name, - settings => $db_settings + $kickstart_settings, - } - - if $manage_service { - include icingaweb2::module::director::service - } + class { 'icingaweb2::module::director::install': } + -> class { 'icingaweb2::module::director::config': } + ~> class { 'icingaweb2::module::director::service': } + 
contain icingaweb2::module::director::install + contain icingaweb2::module::director::config + contain icingaweb2::module::director::service } diff --git a/manifests/module/director/config.pp b/manifests/module/director/config.pp new file mode 100644 index 00000000..4af5ea08 --- /dev/null +++ b/manifests/module/director/config.pp 
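Review bot: The `if $kickstart { … }` block now builds `$kickstart_settings` outside the former `if $import_schema`, so `kickstart.ini` is written with the unwrapped `api_password` even when `import_schema` is false. The `director-kickstart` exec in the new `director/config.pp` still sits inside `if $import_schema`, so in that case the API credential is stored on disk for a kickstart that never runs. Either keep the old coupling with `if $import_schema and $kickstart {`, or document that `kickstart` without `import_schema` only stages the file.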
@@ -0,0 +1,73 @@ +# @summary +# Configure the director module. +# +# @api private +# +class icingaweb2::module::director::config { + assert_private() + + $stdlib_version = $icingaweb2::globals::stdlib_version + $icingacli_bin = $icingaweb2::globals::icingacli_bin + $install_method = $icingaweb2::module::director::install_method + $db = $icingaweb2::module::director::db + $import_schema = $icingaweb2::module::director::import_schema + $kickstart = $icingaweb2::module::director::kickstart + $use_tls = $icingaweb2::module::director::use_tls + $tls = $icingaweb2::module::director::tls + { + cacert_file => icingaweb2::pick($icingaweb2::module::director::tls['cacert_file'], $icingaweb2::config::tls['cacert_file']), + capath => icingaweb2::pick($icingaweb2::module::director::tls_capath, $icingaweb2::config::tls['capath']), + noverify => icingaweb2::pick($icingaweb2::module::director::tls_noverify, $icingaweb2::config::tls['noverify']), + cipher => icingaweb2::pick($icingaweb2::module::director::tls_cipher, $icingaweb2::config::tls['cipher']), + } + $settings = $icingaweb2::module::director::db_settings + $icingaweb2::module::director::kickstart_settings + $service_user = $icingaweb2::module::director::service_user + + Exec { + user => 'root', + path => $facts['path'], + provider => 'shell', + } + + icingaweb2::resource::database { 'icingaweb2-module-director': + type => $db['type'], + host => $db['host'], + port => $db['port'], + database => $db['database'], + username => $db['username'], + password => $db['password'], + charset => pick($icingaweb2::module::director::db_charset, $icingaweb2::globals::db_charset[$db['type']]['director']), + use_tls => $use_tls, + tls_noverify => $tls['noverify'], + tls_key => $tls['key_file'], + tls_cert => $tls['cert_file'], + tls_cacert => $tls['cacert_file'], + tls_capath => $tls['capath'], + tls_cipher => $tls['cipher'], + } + + create_resources('icingaweb2::inisection', $settings) + + if $install_method == 'git' { + systemd::unit_file 
{ 'icinga-director.service': + content => epp('icingaweb2/icinga-director.service.epp', { + 'conf_user' => $service_user, + 'icingacli_bin' => $icingacli_bin, + }), + } + } + + if $import_schema { + exec { 'director-migration': + command => "${icingacli_bin} director migration run", + onlyif => "${icingacli_bin} director migration pending", + } + + if $kickstart { + exec { 'director-kickstart': + command => "${icingacli_bin} director kickstart run", + onlyif => "${icingacli_bin} director kickstart required", + require => Exec['director-migration'], + } + } + } +} diff --git a/manifests/module/director/install.pp b/manifests/module/director/install.pp new file mode 100644 index 00000000..462af7a9 --- /dev/null +++ b/manifests/module/director/install.pp 
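Review bot: An explicit `tls_noverify => false` on the module may still be overridden by a global `true` in the `$tls` merge, because it is not visible here whether `icingaweb2::pick` keeps a `false` first argument. The removed `unless $tls_noverify { … } else { $tls_noverify }` expression in `director.pp` did fall through to the global value in that case. A spec case with the global `tls_noverify => true` and the module's `tls_noverify => false`, expecting `tls_noverify` to be `false` on `Icingaweb2::Resource::Database[icingaweb2-module-director]`, would pin the precedence for certificate verification. The same merge is repeated in `x509/config.pp` in the later patch.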
@@ -0,0 +1,63 @@ +# @summary +# Install the director module. +# +# @api private +# +class icingaweb2::module::director::install { + assert_private() + + $stdlib_version = $icingaweb2::globals::stdlib_version + $conf_user = $icingaweb2::conf_user + $conf_group = $icingaweb2::conf_group + $ensure = $icingaweb2::module::director::ensure + $cert_dir = $icingaweb2::module::director::cert_dir + $git_repository = $icingaweb2::module::director::git_repository + $git_revision = $icingaweb2::module::director::git_revision + $install_method = $icingaweb2::module::director::install_method + $import_schema = $icingaweb2::module::director::import_schema + $module_dir = $icingaweb2::module::director::module_dir + $package_name = $icingaweb2::module::director::package_name + $use_tls = $icingaweb2::module::director::use_tls + $tls = $icingaweb2::module::director::tls + $service_user = $icingaweb2::module::director::service_user + + icingaweb2::module { 'director': + ensure => $ensure, + git_repository => $git_repository, + git_revision => $git_revision, + install_method => $install_method, + module_dir => $module_dir, + package_name => $package_name, + } + + if $install_method == 'git' { + user { $service_user: + ensure => present, + gid => $conf_group, + shell => '/bin/false', + } + } + + if $use_tls { + file { $cert_dir: + ensure => directory, + owner => 'root', + group => $conf_group, + mode => '2770', + } + + icinga::cert { 'icingaweb2::module::director tls client config': + owner => $conf_user, + group => $conf_group, + args => $tls, + } + } + + if $import_schema { + if versioncmp($stdlib_version, '9.0.0') < 0 { + ensure_packages(['icingacli'], { 'ensure' => 'present' }) + } else { + stdlib::ensure_packages(['icingacli'], { 'ensure' => 'present' }) + } + } +} diff --git a/manifests/module/director/service.pp b/manifests/module/director/service.pp index deb711ea..ec66f9e2 100644 --- a/manifests/module/director/service.pp +++ b/manifests/module/director/service.pp 
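Review bot: The `user { $service_user: }` resource creates the daemon account as a regular user; adding `system => true,` would give it a UID from the system range, which fits an account with `shell => '/bin/false'`. The account's primary group is `$conf_group`, and `$cert_dir` is mode `2770`, so every member of that group can create and remove entries next to the key material. If the group only needs to read what `icinga::cert` writes (not visible here), `mode => '2750',` would be enough. The x509 `install.pp` in the later patch declares the same two resources.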
@@ -1,56 +1,18 @@ # @summary -# Installs and configures the director service. +# Manage the director service. # -# @note Only systemd is supported by the Icinga Team and this module. +# @api private # -# @param ensure -# Whether the director service should be running. -# -# @param enable -# Enable or disable the service. -# -# @param user -# Specifies user to run director service daemon. Only available if -# install_method package is not used. -# -# @param group -# Specifies primary group for user to run director service daemon. -# Only available if install_method package is not used. -# -# @param manage_user -# Whether to manage the server user resource. Only available if -# install_method package is not used. -# -class icingaweb2::module::director::service ( - Stdlib::Ensure::Service $ensure = 'running', - Boolean $enable = true, - String $user = 'icingadirector', - String $group = 'icingaweb2', - Boolean $manage_user = true, -) { - require icingaweb2::module::director +class icingaweb2::module::director::service { + assert_private() - $icingacli_bin = $icingaweb2::globals::icingacli_bin - $install_method = $icingaweb2::module::director::install_method + if $icingaweb2::module::director::manage_service { + $ensure = $icingaweb2::module::director::service_ensure + $enable = $icingaweb2::module::director::service_enable - if $install_method != 'package' { - if $manage_user { - user { $user: - ensure => present, - gid => $group, - shell => '/bin/false', - before => Systemd::Unit_file['icinga-director.service'], - } + service { 'icinga-director': + ensure => $ensure, + enable => $enable, } - - systemd::unit_file { 'icinga-director.service': - content => template('icingaweb2/icinga-director.service.erb'), - notify => Service['icinga-director'], - } - } - - service { 'icinga-director': - ensure => $ensure, - enable => $enable, } } 
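Review bot: With `install_method => 'none'` this class still declares `service { 'icinga-director': }` whenever `manage_service` is true, but the unit file and the service account are now created only for `install_method == 'git'`, where the removed code used `!= 'package'`. Unless `'none'` is meant to require an externally provided unit, the service resource will likely fail on a missing unit. Either restore `!= 'package'` in the `install.pp` and `config.pp` conditions, or state in the `install_method` docs that `'none'` needs `manage_service => false`. The x509 `service.pp` in the later patch has the same shape.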
diff --git a/spec/classes/modules/director_service_spec.rb b/spec/classes/modules/director_service_spec.rb deleted file mode 100644 index 8b22f8a1..00000000 --- a/spec/classes/modules/director_service_spec.rb +++ /dev/null @@ -1,41 +0,0 @@ -require 'spec_helper' - -describe('icingaweb2::module::director::service', type: :class) do - let(:pre_condition) do - [ - "class { 'icingaweb2': db_type => 'mysql' }", - "class { 'icingaweb2::module::director': db_type => 'mysql', manage_service => false }", - ] - end - - on_supported_os.each do |os, facts| - context "on #{os}" do - let :facts do - facts - end - - context "#{os} with defaults" do - it do - is_expected.to contain_user('icingadirector') - .with( - 'ensure' => 'present', - 'gid' => 'icingaweb2', - 'shell' => '/bin/false', - ).that_comes_before('Systemd::Unit_file[icinga-director.service]') - end - it do - is_expected.to contain_systemd__unit_file('icinga-director.service').with( - content: %r{[Unit]}, - ).that_notifies('Service[icinga-director]') - end - it do - is_expected.to contain_service('icinga-director') - .with( - 'ensure' => 'running', - 'enable' => true, - ) - end - end - end - end -end diff --git a/spec/classes/modules/director_spec.rb b/spec/classes/modules/director_spec.rb index 469de2f3..4d77e4c9 100644 --- a/spec/classes/modules/director_spec.rb +++ b/spec/classes/modules/director_spec.rb 
@@ -43,28 +43,24 @@ .with_install_method('git') .with_git_revision('foobar') .with_module_dir('/usr/share/icingaweb2/modules/director') - .with_settings('module-director-db' => { - 'section_name' => 'db', - 'target' => '/etc/icingaweb2/modules/director/config.ini', - 'settings' => { - 'resource' => 'icingaweb2-module-director', - }, - }, - 'module-director-config' => { - 'section_name' => 'config', - 'target' => '/etc/icingaweb2/modules/director/kickstart.ini', - 'settings' => { - 'endpoint' => 'foobar', - 'host' => 'localhost', - 'port' => '5665', - 'username' => 'root', - 'password' => 'secret', - }, - }) } it { - is_expected.to contain_class('icingaweb2::module::director::service') + is_expected.to contain_icingaweb2__inisection('module-director-db') + .with_section_name('db') + .with_target('/etc/icingaweb2/modules/director/config.ini') + .with_settings({ 'resource' => 'icingaweb2-module-director' }) + } + + it { + is_expected.to contain_icingaweb2__inisection('module-director-config') + .with_section_name('config') + .with_target('/etc/icingaweb2/modules/director/kickstart.ini') + .with_settings({ 'endpoint' => 'foobar', 'host' => 'localhost', 'port' => '5665', 'username' => 'root', 'password' => 'secret' }) + } + + it { + is_expected.to contain_service('icinga-director') .with_ensure('running') .with_enable(true) } @@ -100,17 +96,10 @@ .with_install_method('git') .with_git_revision('foobar') .with_module_dir('/usr/share/icingaweb2/modules/director') - .with_settings('module-director-db' => { - 'section_name' => 'db', - 'target' => '/etc/icingaweb2/modules/director/config.ini', - 'settings' => { - 'resource' => 'icingaweb2-module-director', - }, - }) } it { - is_expected.not_to contain_class('icingaweb2::module::director::service') + is_expected.not_to contain_service('icinga-director') } it { is_expected.not_to contain_exec('director-migration') } 
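Review bot: The expectations added in these hunks cover only `contain_service('icinga-director')`, while the deleted `director_service_spec.rb` also asserted the daemon's `user` resource and `Systemd::Unit_file[icinga-director.service]`. If the part of this spec outside the hunks does not already do so, add `contain_user` and `contain_systemd__unit_file('icinga-director.service')` checks with a `with_content(%r{User=…})` match, as the new `x509_spec.rb` does. That keeps the account the daemon runs as under test.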
@@ -134,9 +123,9 @@ { 'type' => 'pgsql', 'host' => 'localhost', - 'port' => 5432, 'database' => 'director', 'username' => 'director', + 'charset' => 'UTF8', 'use_tls' => true, 'tls_cacert' => '/foo/bar', 'tls_capath' => '/foo/bar', @@ -147,7 +136,7 @@ } end - context "#{os} with use_tls 'true'" do + context "#{os} with use_tls 'true', db_port '4711'" do let(:pre_condition) do [ "class { 'icingaweb2': db_type => 'mysql', tls_cacert_file => '/foo/bar', tls_capath => '/foo/bar', tls_noverify => true, tls_cipher => 'cipher' }", @@ -157,6 +146,7 @@ let(:params) do { db_type: 'mysql', + db_port: 4711, use_tls: true, } end @@ -166,7 +156,7 @@ { 'type' => 'mysql', 'host' => 'localhost', - 'port' => 3306, + 'port' => 4711, 'database' => 'director', 'username' => 'director', 'use_tls' => true, diff --git a/templates/icinga-director.service.erb b/templates/icinga-director.service.epp similarity index 76% rename from templates/icinga-director.service.erb rename to templates/icinga-director.service.epp index 915b472c..73eaee0e 100644 --- a/templates/icinga-director.service.erb +++ b/templates/icinga-director.service.epp @@ -1,3 +1,7 @@ +<%- | + String $conf_user, + String $icingacli_bin, +| -%> [Unit] Description=Icinga Director - Monitoring Configuration Documentation=https://icinga.com/docs/director/latest/ @@ -6,9 +10,9 @@ Wants=network.target [Service] EnvironmentFile=-/etc/default/icinga-director EnvironmentFile=-/etc/sysconfig/icinga-director -ExecStart=<%= @icingacli_bin %> director daemon run +ExecStart=<%= $icingacli_bin %> director daemon run ExecReload=/bin/kill -HUP ${MAINPID} -User=<%= @user %> +User=<%= $conf_user %> SyslogIdentifier=icingadirector Type=notify From b43e433391fc4693c4881b41e57ecdaf88641060 Mon Sep 17 00:00:00 2001 
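Review bot: The template parameter `String $conf_user` is filled with `$service_user` by the `epp()` call in `director/config.pp`, while `conf_user` elsewhere in this series names the owner of the Icinga Web 2 configuration. The name makes `User=<%= $conf_user %>` read as if the daemon ran as the web user. Renaming it to `String $service_user,` with `User=<%= $service_user %>`, and passing `'service_user' => $service_user` from the caller, removes the ambiguity.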
From: Lennart Betz Date: Wed, 8 Nov 2023 17:07:24 +0100 Subject: [PATCH 12/14] rework x509 to always use db credentials from monitoring module --- REFERENCE.md | 59 ++++------ data/Linux-kernel.yaml | 3 +- data/common.yaml | 18 ++- manifests/globals.pp | 2 + manifests/module/x509.pp | 167 +++++++++----------------- manifests/module/x509/config.pp | 88 ++++++++++++++ manifests/module/x509/install.pp | 51 ++++++++ manifests/module/x509/service.pp | 43 ++----- spec/classes/modules/x509_spec.rb | 189 ++++++++++++++++++++++++++++++ templates/icinga-x509.service.epp | 16 +++ 10 files changed, 451 insertions(+), 185 deletions(-) create mode 100644 manifests/module/x509/config.pp create mode 100644 manifests/module/x509/install.pp create mode 100644 spec/classes/modules/x509_spec.rb create mode 100644 templates/icinga-x509.service.epp diff --git a/REFERENCE.md b/REFERENCE.md index dbf52896..1bf46902 100644 --- a/REFERENCE.md +++ b/REFERENCE.md @@ -31,7 +31,7 @@ * [`icingaweb2::module::translation`](#icingaweb2--module--translation): Installs and configures the translation module. * [`icingaweb2::module::vspheredb`](#icingaweb2--module--vspheredb): Installs the vsphereDB plugin * [`icingaweb2::module::x509`](#icingaweb2--module--x509): Installs the x509 module -* [`icingaweb2::module::x509::service`](#icingaweb2--module--x509--service): Installs and configures the x509 job scheduler. +* [`icingaweb2::module::x509::install`](#icingaweb2--module--x509--install): Install the x509 module #### Private Classes @@ -50,6 +50,8 @@ * `icingaweb2::module::vspheredb::config`: Configure the VSphereDB module * `icingaweb2::module::vspheredb::install`: Install the VSphereDB module * `icingaweb2::module::vspheredb::service`: Manage the vspheredb service. +* `icingaweb2::module::x509::config`: Configure the x509 module +* `icingaweb2::module::x509::service`: Manage the x509 job scheduler. ### Defined types 
@@ -3350,6 +3352,10 @@ The following parameters are available in the `icingaweb2::module::x509` class: * [`tls_noverify`](#-icingaweb2--module--x509--tls_noverify) * [`tls_cipher`](#-icingaweb2--module--x509--tls_cipher) * [`import_schema`](#-icingaweb2--module--x509--import_schema) +* [`manage_service`](#-icingaweb2--module--x509--manage_service) +* [`service_ensure`](#-icingaweb2--module--x509--service_ensure) +* [`service_enable`](#-icingaweb2--module--x509--service_enable) +* [`service_user`](#-icingaweb2--module--x509--service_user) ##### `ensure` @@ -3359,15 +3365,15 @@ Ensures the state of the x509 module. ##### `module_dir` -Data type: `Optional[Stdlib::Absolutepath]` +Data type: `Stdlib::Absolutepath` Target directory of the module. -Default value: `undef` +Default value: `"${icingaweb2::globals::default_module_path}/x509"` ##### `git_repository` -Data type: `String` +Data type: `Stdlib::HTTPUrl` The upstream module repository. @@ -3397,16 +3403,12 @@ Data type: `Enum['mysql', 'pgsql']` The database type. Either mysql or pgsql. -Default value: `'mysql'` - ##### `db_host` Data type: `Stdlib::Host` The host where the database will be running -Default value: `'localhost'` - ##### `db_port` Data type: `Optional[Stdlib::Port]` @@ -3421,16 +3423,12 @@ Data type: `String` The name of the database this module should use. -Default value: `'x509'` - ##### `db_username` Data type: `String` The username needed to access the database. -Default value: `'x509'` - ##### `db_password` Data type: `Optional[Icingaweb2::Secret]` 
@@ -3539,42 +3537,33 @@ whereas with mysql its different options. Default value: `false` -### `icingaweb2::module::x509::service` - -Installs and configures the x509 job scheduler. - -* **Note** Only systemd is supported by the Icinga Team and this module. +##### `manage_service` -#### Examples - -##### +Data type: `Boolean` -```puppet -include icingaweb2::module::x509::service -``` +If set to true the service (daemon) is managed. -#### Parameters +##### `service_ensure` -The following parameters are available in the `icingaweb2::module::x509::service` class: +Data type: `Stdlib::Ensure::Service` -* [`ensure`](#-icingaweb2--module--x509--service--ensure) -* [`enable`](#-icingaweb2--module--x509--service--enable) +Wether the service is `running` or `stopped`. -##### `ensure` +##### `service_enable` -Data type: `Stdlib::Ensure::Service` +Data type: `Boolean` -Whether the x509 service should be running. +Whether the service should be started at boot time. -Default value: `'running'` +##### `service_user` -##### `enable` +Data type: `String` -Data type: `Boolean` +The user as which the service is running. Only valid if `install_method` is set to `git`. -Enable or disable the service. +### `icingaweb2::module::x509::install` -Default value: `true` +Install the x509 module ## Defined types diff --git a/data/Linux-kernel.yaml b/data/Linux-kernel.yaml index 1e621f2c..f5d1df39 100644 --- a/data/Linux-kernel.yaml +++ b/data/Linux-kernel.yaml 
@@ -10,8 +10,6 @@ icingaweb2::globals::mysql_idoreports_slaperiods: /usr/share/icingaweb2/modules/ icingaweb2::globals::mysql_idoreports_sla_percent: /usr/share/icingaweb2/modules/idoreports/schema/mysql/get_sla_ok_percent.sql icingaweb2::globals::pgsql_idoreports_slaperiods: /usr/share/icingaweb2/modules/idoreports/schema/postgresql/slaperiods.sql icingaweb2::globals::pgsql_idoreports_sla_percent: /usr/share/icingaweb2/modules/idoreports/schema/postgresql/get_sla_ok_percent.sql -icingaweb2::globals::mysql_x509_schema: /usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql -icingaweb2::globals::pgsql_x509_schema: /usr/share/icingaweb2/modules/x509/schema/pgsql.schema.sql icingaweb2::globals::gettext_package_name: gettext icingaweb2::globals::icingacli_bin: /usr/bin/icingacli icingaweb2::globals::default_module_path: /usr/share/icingaweb2/modules @@ -23,3 +21,4 @@ icingaweb2::module::director::package_name: icingaweb2-module-director icingaweb2::module::reporting::package_name: icingaweb2-module-reporting icingaweb2::module::idoreports::package_name: icingaweb2-module-idoreports icingaweb2::module::vspheredb::package_name: icingaweb2-module-vspheredb +icingaweb2::module::x509::package_name: icingaweb2-module-x509 diff --git a/data/common.yaml b/data/common.yaml index ffc7b4f4..d4672793 100644 --- a/data/common.yaml +++ b/data/common.yaml 
@@ -14,10 +14,6 @@ icingaweb2::module::graphite::git_repository: https://github.com/Icinga/icingawe icingaweb2::module::incubator::git_repository: https://github.com/Icinga/icingaweb2-module-incubator.git icingaweb2::module::incubator::git_revision: v0.19.0 icingaweb2::module::puppetdb::git_repository: https://github.com/Icinga/icingaweb2-module-puppetdb.git -icingaweb2::module::x509::ensure: present -icingaweb2::module::x509::install_method: git -icingaweb2::module::x509::git_repository: https://github.com/Icinga/icingaweb2-module-x509.git -icingaweb2::module::x509::package_name: icingaweb2-module-x509 icingaweb2::module::monitoring::ensure: present icingaweb2::module::monitoring::protected_customvars: @@ -64,6 +60,20 @@ icingaweb2::module::idoreports::ensure: present icingaweb2::module::idoreports::install_method: git icingaweb2::module::idoreports::git_repository: https://github.com/Icinga/icingaweb2-module-idoreports.git +icingaweb2::globals::mysql_x509_schema: /schema/mysql.schema.sql +icingaweb2::globals::pgsql_x509_schema: /schema/pgsql.schema.sql +icingaweb2::module::x509::ensure: present +icingaweb2::module::x509::install_method: git +icingaweb2::module::x509::git_repository: https://github.com/Icinga/icingaweb2-module-x509.git +icingaweb2::module::x509::package_name: icingaweb2-module-x509 +icingaweb2::module::x509::manage_service: true +icingaweb2::module::x509::service_ensure: running +icingaweb2::module::x509::service_enable: true +icingaweb2::module::x509::service_user: icingax509 +icingaweb2::module::x509::db_host: localhost +icingaweb2::module::x509::db_name: x509 +icingaweb2::module::x509::db_username: x509 + icingaweb2::globals::mysql_vspheredb_schema: /schema/mysql.sql icingaweb2::globals::pgsql_vspheredb_schema: /schema/pgsql.sql icingaweb2::module::vspheredb::ensure: present diff --git a/manifests/globals.pp b/manifests/globals.pp index 2fb9a206..97304f69 100644 --- a/manifests/globals.pp +++ b/manifests/globals.pp 
@@ -96,11 +96,13 @@ 'director' => 'utf8', 'vspheredb' => 'utf8mb4', 'reporting' => 'utf8mb4', + 'x509' => 'utf8', }, 'pgsql' => { 'director' => 'UTF8', 'vspheredb' => 'UTF8', 'reporting' => 'UTF8', + 'x509' => 'UTF8', }, } diff --git a/manifests/module/x509.pp b/manifests/module/x509.pp index 42219af5..ef0b6945 100644 --- a/manifests/module/x509.pp +++ b/manifests/module/x509.pp @@ -76,6 +76,18 @@ # both means true. With mariadb its cli options are used for the import, # whereas with mysql its different options. # +# @param manage_service +# If set to true the service (daemon) is managed. +# +# @param service_ensure +# Wether the service is `running` or `stopped`. +# +# @param service_enable +# Whether the service should be started at boot time. +# +# @param service_user +# The user as which the service is running. Only valid if `install_method` is set to `git`. +# # @example # class { 'icingaweb2::module::x509': # ensure => present, 
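Review bot: The new `@param service_ensure` description in `x509.pp` starts with "Wether", and the typo is carried into the generated `REFERENCE.md`; it should start with `Whether`. The `service_user` text says the parameter is only valid for `install_method` `git` but not what happens otherwise. A half sentence such as `Ignored for other install methods.` would make that explicit, if that is the intended behaviour.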
@@ -89,18 +101,22 @@ class icingaweb2::module::x509 ( Enum['absent', 'present'] $ensure, Enum['git', 'none', 'package'] $install_method, - String $git_repository, + Stdlib::HTTPUrl $git_repository, String $package_name, - Optional[Stdlib::Absolutepath] $module_dir = undef, - Optional[String] $git_revision = undef, - Enum['mysql', 'pgsql'] $db_type = 'mysql', - Stdlib::Host $db_host = 'localhost', - Optional[Stdlib::Port] $db_port = undef, - String $db_name = 'x509', - String $db_username = 'x509', + Boolean $manage_service, + Stdlib::Ensure::Service $service_ensure, + Boolean $service_enable, + String $service_user, + Enum['mysql', 'pgsql'] $db_type, + Stdlib::Host $db_host, + String $db_name, + String $db_username, Optional[Icingaweb2::Secret] $db_password = undef, + Optional[Stdlib::Port] $db_port = undef, Optional[String] $db_charset = undef, Variant[Boolean, Enum['mariadb', 'mysql']] $import_schema = false, + Stdlib::Absolutepath $module_dir = "${icingaweb2::globals::default_module_path}/x509", + Optional[String] $git_revision = undef, Optional[Boolean] $use_tls = undef, Optional[Stdlib::Absolutepath] $tls_key_file = undef, Optional[Stdlib::Absolutepath] $tls_cert_file = undef, 
@@ -114,116 +130,43 @@ ) { icingaweb2::assert_module() - $conf_dir = $icingaweb2::globals::conf_dir - $mysql_x509_schema = $icingaweb2::globals::mysql_x509_schema - $pgsql_x509_schema = $icingaweb2::globals::pgsql_x509_schema - $module_conf_dir = "${conf_dir}/modules/x509" - $_db_port = pick($db_port, $icingaweb2::globals::port[$db_type]) + $module_conf_dir = "${icingaweb2::globals::conf_dir}/modules/x509" + $cert_dir = "${icingaweb2::globals::state_dir}/x509/certs" - $_db_charset = if $db_charset { - $db_charset - } else { - if $db_type == 'mysql' { - 'utf8mb4' - } else { - 'UTF8' - } + $db = { + type => $db_type, + database => $db_name, + host => $db_host, + port => $db_port, + username => $db_username, + password => $db_password, } - $tls = delete($icingaweb2::config::tls, ['key', 'cert', 'cacert']) + delete_undef_values(icingaweb2::cert::files( - 'client', - $module_conf_dir, - $tls_key_file, - $tls_cert_file, - $tls_cacert_file, - $tls_key, - $tls_cert, - $tls_cacert, - ), { - capath => $tls_capath, - noverify => $tls_noverify, - cipher => $tls_cipher, - }) + $tls = icinga::cert::files( + $db_username, + $cert_dir, + $tls_key_file, + $tls_cert_file, + $tls_cacert_file, + $tls_key, + $tls_cert, + $tls_cacert, + ) - Exec { - user => 'root', - path => $facts['path'], - provider => 'shell', - require => [Icingaweb2::Module['x509'], Icingaweb2::Tls::Client['icingaweb2::module::x509 tls client config']], - } - - icingaweb2::tls::client { 'icingaweb2::module::x509 tls client config': - args => $tls, - } - - icingaweb2::resource::database { 'x509': - type => $db_type, - host => $db_host, - port => $_db_port, - database => $db_name, - username => $db_username, - password => $db_password, - charset => $_db_charset, - use_tls => $use_tls, - tls_noverify => $tls['noverify'], - tls_key => $tls['key_file'], - tls_cert => $tls['cert_file'], - tls_cacert => $tls['cacert_file'], - tls_capath => $tls['capath'], - tls_cipher => $tls['cipher'], - } - - icingaweb2::module { 
'x509': - ensure => $ensure, - git_repository => $git_repository, - git_revision => $git_revision, - install_method => $install_method, - module_dir => $module_dir, - package_name => $package_name, - settings => { - 'icingaweb2-module-x509-backend' => { - 'section_name' => 'backend', - 'target' => "${module_conf_dir}/config.ini", - 'settings' => { - 'resource' => 'x509', - }, + $settings = { + 'icingaweb2-module-x509-backend' => { + 'section_name' => 'backend', + 'target' => "${module_conf_dir}/config.ini", + 'settings' => { + 'resource' => 'x509', }, }, } - if $import_schema { - $real_db_type = if $import_schema =~ Boolean { - if $db_type == 'pgsql' { 'pgsql' } else { 'mariadb' } - } else { - $import_schema - } - $db_cli_options = icingaweb2::db::connect({ - type => $real_db_type, - name => $db_name, - host => $db_host, - port => $_db_port, - user => $db_username, - pass => $db_password, - }, $tls, $use_tls) - - case $db_type { - 'mysql': { - exec { 'import icingaweb2::module::x509 schema': - command => "mysql ${db_cli_options} < '${mysql_x509_schema}'", - unless => "mysql ${db_cli_options} -Ns -e 'SELECT * FROM report'", - } - } - 'pgsql': { - $_db_password = icingaweb2::unwrap($db_password) - exec { 'import icingaweb2::module::x509 schema': - environment => ["PGPASSWORD=${_db_password}"], - command => "psql '${db_cli_options}' -w -f ${pgsql_x509_schema}", - unless => "psql '${db_cli_options}' -w -c 'SELECT * FROM report'", - } - } # pgsql (not supported) - default: { - fail('The database type you provided is not supported.') - } - } - } # schema import + class { 'icingaweb2::module::x509::install': } + -> class { 'icingaweb2::module::x509::config': } + ~> class { 'icingaweb2::module::x509::service': } + contain icingaweb2::module::x509::install + contain icingaweb2::module::x509::config + contain icingaweb2::module::x509::service } diff --git a/manifests/module/x509/config.pp b/manifests/module/x509/config.pp new file mode 100644 index 00000000..430ae616 
--- /dev/null +++ b/manifests/module/x509/config.pp 
@@ -0,0 +1,88 @@ +# @summary +# Configure the x509 module +# +# @api private +# +class icingaweb2::module::x509::config { + assert_private() + + $icingacli_bin = $icingaweb2::globals::icingacli_bin + $install_method = $icingaweb2::module::x509::install_method + $db = $icingaweb2::module::x509::db + $import_schema = $icingaweb2::module::x509::import_schema + $use_tls = $icingaweb2::module::x509::use_tls + $tls = $icingaweb2::module::x509::tls + { + cacert_file => icingaweb2::pick($icingaweb2::module::x509::tls['cacert_file'], $icingaweb2::config::tls['cacert_file']), + capath => icingaweb2::pick($icingaweb2::module::x509::tls_capath, $icingaweb2::config::tls['capath']), + noverify => icingaweb2::pick($icingaweb2::module::x509::tls_noverify, $icingaweb2::config::tls['noverify']), + cipher => icingaweb2::pick($icingaweb2::module::x509::tls_cipher, $icingaweb2::config::tls['cipher']), + } + $mysql_schema = "${icingaweb2::module::x509::module_dir}${icingaweb2::globals::mysql_x509_schema}" + $pgsql_schema = "${icingaweb2::module::x509::module_dir}${icingaweb2::globals::pgsql_x509_schema}" + $service_user = $icingaweb2::module::x509::service_user + $settings = $icingaweb2::module::x509::settings + + Exec { + user => 'root', + path => $facts['path'], + provider => 'shell', + } + + if $install_method == 'git' { + systemd::unit_file { 'icinga-x509.service': + ensure => 'present', + content => epp('icingaweb2/icinga-x509.service.epp', { + 'conf_user' => $service_user, + 'icingacli_bin' => $icingacli_bin, + }), + } + } + + icingaweb2::resource::database { 'x509': + type => $db['type'], + host => $db['host'], + port => $db['port'], + database => $db['database'], + username => $db['username'], + password => $db['password'], + charset => pick($icingaweb2::module::x509::db_charset, $icingaweb2::globals::db_charset[$db['type']]['x509']), + use_tls => $use_tls, + tls_noverify => $tls['noverify'], + tls_key => $tls['key_file'], + tls_cert => $tls['cert_file'], + tls_cacert => 
$tls['cacert_file'], + tls_capath => $tls['capath'], + tls_cipher => $tls['cipher'], + } + + create_resources('icingaweb2::inisection', $settings) + + if $import_schema { + $real_db_type = if $import_schema =~ Boolean { + if $db['type'] == 'pgsql' { 'pgsql' } else { 'mariadb' } + } else { + $import_schema + } + $db_cli_options = icinga::db::connect($db + { type => $real_db_type }, $tls, $use_tls) + + case $db['type'] { + 'mysql': { + exec { 'import icingaweb2::module::x509 schema': + command => "mysql ${db_cli_options} < '${mysql_schema}'", + unless => "mysql ${db_cli_options} -Ns -e 'SELECT * FROM x509_certificate'", + } + } + 'pgsql': { + $_db_password = icingaweb2::unwrap($db['password']) + exec { 'import icingaweb2::module::x509 schema': + environment => ["PGPASSWORD=${_db_password}"], + command => "psql '${db_cli_options}' -w -f ${pgsql_schema}", + unless => "psql '${db_cli_options}' -w -c 'SELECT * FROM x509_certificate'", + } + } # pgsql (not supported) + default: { + fail('The database type you provided is not supported.') + } + } + } # schema import +} diff --git a/manifests/module/x509/install.pp b/manifests/module/x509/install.pp new file mode 100644 index 00000000..cded7c40 --- /dev/null +++ b/manifests/module/x509/install.pp 
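Review bot: In the `pgsql` branch the schema path is interpolated unquoted into a root shell command (`-f ${pgsql_schema}`), while the `mysql` branch quotes it. `module_dir` is a class parameter, and an absolute-path type check does not rule out spaces or shell metacharacters, so quote it the same way: `command => "psql '${db_cli_options}' -w -f '${pgsql_schema}'",`. Separately, the unwrapped password goes into `environment` for psql, and it is not visible here whether `icinga::db::connect` places it in `${db_cli_options}` for mysql. If it does, the password would appear in the process list and in Puppet's output when the exec fails, so that is worth checking.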
@@ -0,0 +1,51 @@ +# @summary +# Install the x509 module +# +class icingaweb2::module::x509::install { + assert_private() + + $conf_user = $icingaweb2::conf_user + $conf_group = $icingaweb2::conf_group + $module_dir = $icingaweb2::module::x509::module_dir + $cert_dir = $icingaweb2::module::x509::cert_dir + $ensure = $icingaweb2::module::x509::ensure + $git_repository = $icingaweb2::module::x509::git_repository + $git_revision = $icingaweb2::module::x509::git_revision + $install_method = $icingaweb2::module::x509::install_method + $package_name = $icingaweb2::module::x509::package_name + $use_tls = $icingaweb2::module::x509::use_tls + $tls = $icingaweb2::module::x509::tls + $service_user = $icingaweb2::module::x509::service_user + + icingaweb2::module { 'x509': + ensure => $ensure, + git_repository => $git_repository, + git_revision => $git_revision, + install_method => $install_method, + module_dir => $module_dir, + package_name => $package_name, + } + + if $install_method == 'git' { + user { $service_user: + ensure => present, + gid => $conf_group, + shell => '/bin/false', + } + } + + if $use_tls { + file { $cert_dir: + ensure => directory, + owner => 'root', + group => $conf_group, + mode => '2770', + } + + icinga::cert { 'icingaweb2::module::x509 tls client config': + owner => $conf_user, + group => $conf_group, + args => $tls, + } + } +} diff --git a/manifests/module/x509/service.pp b/manifests/module/x509/service.pp index 1d482256..1b301d86 100644 --- a/manifests/module/x509/service.pp +++ b/manifests/module/x509/service.pp 
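Review bot: The header comment of `icingaweb2::module::x509::install` lacks the `# @api private` tag that the `config` and `service` classes of this patch carry, although the body calls `assert_private()`. As a result the `REFERENCE.md` hunk lists the class under the public classes and gives it its own section. Adding `#` and `# @api private` after the summary line brings the generated reference in line with what the class enforces.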
@@ -1,39 +1,18 @@ -# @summary Installs and configures the x509 job scheduler. +# @summary +# Manage the x509 job scheduler. # -# @note Only systemd is supported by the Icinga Team and this module. +# @api private # -# @param [Stdlib::Ensure::Service] ensure -# Whether the x509 service should be running. -# -# @param [Boolean] enable -# Enable or disable the service. -# -# @example -# include icingaweb2::module::x509::service -# -class icingaweb2::module::x509::service ( - Stdlib::Ensure::Service $ensure = 'running', - Boolean $enable = true, -) { - require icingaweb2::module::x509 +class icingaweb2::module::x509::service { + assert_private() - $install_method = $icingaweb2::module::x509::install_method + if $icingaweb2::module::x509::manage_service { + $ensure = $icingaweb2::module::x509::service_ensure + $enable = $icingaweb2::module::x509::service_enable - if $install_method != 'package' { - $_unit_file = if $icingaweb2::module::x509::module_dir { - "${icingaweb2::module::x509::module_dir}/config/systemd/icinga-x509.service" - } else { - "${icingaweb2::globals::default_module_path}/x509/config/systemd/icinga-x509.service" + service { 'icinga-x509': + ensure => $ensure, + enable => $enable, } - systemd::unit_file { 'icinga-x509.service': - ensure => 'present', - source => $_unit_file, - notify => Service['icinga-x509'], - } - } - - service { 'icinga-x509': - ensure => $ensure, - enable => $enable, } } diff --git a/spec/classes/modules/x509_spec.rb b/spec/classes/modules/x509_spec.rb new file mode 100644 index 00000000..e2ded6cb --- /dev/null +++ b/spec/classes/modules/x509_spec.rb 
@@ -0,0 +1,189 @@ +require 'spec_helper' + +describe('icingaweb2::module::x509', type: :class) do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'mysql', conf_user => 'foo', conf_group => 'bar' }", + ] + end + + on_supported_os.each do |os, facts| + context "on #{os}" do + let :facts do + facts + end + + context "#{os} with git_revision 'v1.3.1', service_user 'foobaz'" do + let(:params) do + { + git_revision: 'v1.3.1', + db_type: 'mysql', + db_password: 'x509', + service_user: 'foobaz', + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('x509') + .with_type('mysql') + .with_host('localhost') + .with_database('x509') + .with_username('x509') + .with_password('x509') + .with_charset('utf8') + } + + it { + is_expected.to contain_icingaweb2__module('x509') + .with_install_method('git') + .with_git_revision('v1.3.1') + .with_package_name('icingaweb2-module-x509') + } + + it { + is_expected.to contain_icingaweb2__inisection('icingaweb2-module-x509-backend') + .with_section_name('backend') + .with_target('/etc/icingaweb2/modules/x509/config.ini') + .with_settings({ 'resource' => 'x509' }) + } + + it { + is_expected.to contain_user('foobaz') + .with_ensure('present') + .with_gid('bar') + .with_shell('/bin/false') + } + + it { + is_expected.to contain_systemd__unit_file('icinga-x509.service') + .with_content(%r{User=foobaz}) + .with_content(%r{ExecStart=/usr/bin/icingacli}) + } + + it { + is_expected.to contain_service('icinga-x509') + .with_ensure('running') + .with_enable(true) + } + + it { is_expected.not_to contain_exec('import icingaweb2::module::x509 schema') } + end + + context "#{os} with db_type 'mysql', db_port '4711', install_method 'package', manage_service 'false', import_schema 'true'" do + let(:params) do + { + install_method: 'package', + manage_service: false, + db_type: 'mysql', + db_port: 4711, + import_schema: true, + } + end + + it { + is_expected.to contain_package('icingaweb2-module-x509') + 
.with_ensure('installed') + } + + it { + is_expected.to contain_icingaweb2__resource__database('x509') + .with_type('mysql') + .with_host('localhost') + .with_port(4711) + .with_database('x509') + .with_username('x509') + .with_charset('utf8') + } + + it { + is_expected.to contain_exec('import icingaweb2::module::x509 schema') + .with_command(%r{^mysql.*\< '/usr/share/icingaweb2/modules/x509/schema/mysql.schema.sql'$}) + .with_unless(%r{^mysql.* -Ns -e 'SELECT \* FROM x509_certificate'$}) + } + + it { is_expected.not_to contain_user('icingax509') } + it { is_expected.not_to contain_systemd__unit_file('icinga-x509.service') } + it { is_expected.not_to contain_service('icinga-x509') } + end + + context "#{os} with use_tls 'true', tls_cacert 'cacert', tls_capath '/foo/bar', tls_noverify 'true', tls_cipher 'cipher'" do + let(:params) do + { + db_type: 'mysql', + use_tls: true, + tls_cacert_file: '/foo/bar', + tls_capath: '/foo/bar', + tls_noverify: true, + tls_cipher: 'cipher', + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('x509').with( + { + 'type' => 'mysql', + 'host' => 'localhost', + 'database' => 'x509', + 'username' => 'x509', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + }, + ) + } + end + + context "#{os} with db_type 'pgsql', use_tls 'true', import_schema 'true', service_ensure 'stopped', service_enabe 'false'" do + let(:pre_condition) do + [ + "class { 'icingaweb2': db_type => 'pgsql', tls_cacert_file => '/foo/bar', tls_capath => '/foo/bar', tls_noverify => true, tls_cipher => 'cipher' }", + ] + end + + let(:params) do + { + db_type: 'pgsql', + db_password: 'foo', + import_schema: true, + use_tls: true, + service_ensure: 'stopped', + service_enable: false, + } + end + + it { + is_expected.to contain_icingaweb2__resource__database('x509').with( + { + 'type' => 'pgsql', + 'host' => 'localhost', + 'database' => 'x509', + 'username' => 'x509', + 
'password' => 'foo', + 'use_tls' => true, + 'tls_cacert' => '/foo/bar', + 'tls_capath' => '/foo/bar', + 'tls_noverify' => true, + 'tls_cipher' => 'cipher', + 'charset' => 'UTF8', + }, + ) + } + + it { + is_expected.to contain_exec('import icingaweb2::module::x509 schema') + .with_environment(['PGPASSWORD=foo']) + .with_command(%r{^psql.*-w -f /usr/share/icingaweb2/modules/x509/schema/pgsql.schema.sql$}) + .with_unless(%r{^psql.* -w -c 'SELECT \* FROM x509_certificate'$}) + } + + it { + is_expected.to contain_service('icinga-x509') + .with_ensure('stopped') + .with_enable(false) + } + end + end + end +end diff --git a/templates/icinga-x509.service.epp b/templates/icinga-x509.service.epp new file mode 100644 index 00000000..bff79aa9 --- /dev/null +++ b/templates/icinga-x509.service.epp @@ -0,0 +1,16 @@ +<%- | + String $conf_user, + String $icingacli_bin, +| -%> +[Unit] +Description=Icinga Certificate Monitoring Module Jobs Runner + +[Service] +Type=simple +ExecStart=<%= $icingacli_bin %> x509 jobs run +User=<%= $conf_user %> +SyslogIdentifier=icingax509 +Restart=on-success + +[Install] +WantedBy=multi-user.target From c026d75d3d3fb3df952dace8b3c7d9ee60548583 Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Sun, 12 Nov 2023 17:45:34 +0100 Subject: [PATCH 13/14] set all users for daemons to system users --- manifests/module/director/install.pp | 1 + manifests/module/reporting/install.pp | 1 + manifests/module/vspheredb/install.pp | 1 + manifests/module/x509/install.pp | 1 + 4 files changed, 4 insertions(+) diff --git a/manifests/module/director/install.pp b/manifests/module/director/install.pp index 462af7a9..d364b718 100644 --- a/manifests/module/director/install.pp +++ b/manifests/module/director/install.pp @@ -35,6 +35,7 @@ ensure => present, gid => $conf_group, shell => '/bin/false', + system => true, } } diff --git a/manifests/module/reporting/install.pp b/manifests/module/reporting/install.pp index 22d62fbd..1b385e8f 100644 
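Review bot: No context passes `db_password` as a `Sensitive` value, so the path the manifest handles with `icingaweb2::unwrap($db['password'])` is never exercised; a context with `db_password: sensitive('foo')` would cover it. The mysql `with_command` and `with_unless` regexes accept anything between `mysql` and the rest of the command. They would still pass if the option string from `icinga::db::connect` put the password on the command line, where it would show up in the process list; that function is not shown here, so this may already be handled. The pgsql context pins `.with_environment(['PGPASSWORD=foo'])`, which deserves a short spec comment saying the environment hand-off is intentional. The last context title also has a typo, `service_enabe`.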
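Review bot: The `[Service]` section sets `User=` but no sandboxing, although the unit starts a long-running jobs runner (`x509 jobs run`) under a dedicated account. Adding `NoNewPrivileges=true`, `PrivateTmp=true` and `ProtectSystem=full` would limit what a misbehaving or compromised job can reach. Which paths the runner must write is not visible from the template, so `ProtectSystem` should be checked against a real run first. Separately, the template parameter is named `$conf_user` while the spec expects the service user in `User=`; renaming it to `$service_user` would avoid confusion with `$icingaweb2::conf_user`.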
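Review bot: `system => true` only takes effect when Puppet creates the account, so a `$service_user` already created as a regular user by an earlier run keeps its UID and the change is silently a no-op there. A comment next to the attribute, or a line in the upgrade notes, would stop operators assuming the account was converted: `# applies on creation only; existing accounts keep their UID`. The same holds for the identical one-line hunks in the reporting, vspheredb and x509 install.pp files. The `user` resource starts and ends outside the hunk.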
--- a/manifests/module/reporting/install.pp +++ b/manifests/module/reporting/install.pp @@ -48,6 +48,7 @@ ensure => 'present', gid => $conf_group, shell => '/bin/false', + system => true, } } } diff --git a/manifests/module/vspheredb/install.pp b/manifests/module/vspheredb/install.pp index 5bec3f5d..3650f390 100644 --- a/manifests/module/vspheredb/install.pp +++ b/manifests/module/vspheredb/install.pp @@ -48,6 +48,7 @@ ensure => 'present', gid => $conf_group, shell => '/bin/false', + system => true, } } } diff --git a/manifests/module/x509/install.pp b/manifests/module/x509/install.pp index cded7c40..94762cab 100644 --- a/manifests/module/x509/install.pp +++ b/manifests/module/x509/install.pp @@ -31,6 +31,7 @@ ensure => present, gid => $conf_group, shell => '/bin/false', + system => true, } } From f8088083bc962fc3d214d4fff03533fa5a93fb2d Mon Sep 17 00:00:00 2001 From: Lennart Betz Date: Sun, 12 Nov 2023 19:18:33 +0100 Subject: [PATCH 14/14] rework service user also managed for packages --- manifests/module/director/config.pp | 7 +++++ manifests/module/director/install.pp | 2 +- manifests/module/reporting/config.pp | 7 +++++ manifests/module/reporting/install.pp | 2 +- manifests/module/vspheredb/config.pp | 7 +++++ manifests/module/vspheredb/install.pp | 2 +- manifests/module/x509/config.pp | 7 +++++ manifests/module/x509/install.pp | 2 +- spec/classes/modules/director_spec.rb | 37 ++++++++++++++++++++++---- spec/classes/modules/reporting_spec.rb | 16 ++++++++++- spec/classes/modules/vspheredb_spec.rb | 16 ++++++++++- spec/classes/modules/x509_spec.rb | 16 ++++++++++- 12 files changed, 109 insertions(+), 12 deletions(-) diff --git a/manifests/module/director/config.pp b/manifests/module/director/config.pp index 4af5ea08..d7abd1ab 100644 --- a/manifests/module/director/config.pp +++ b/manifests/module/director/config.pp 
@@ -56,6 +56,13 @@ } } + if $install_method == 'package' { + systemd::dropin_file { 'icinga-director.conf': + unit => 'icinga-director.service', + content => "[Service]\nUser=${service_user}", + } + } + if $import_schema { exec { 'director-migration': command => "${icingacli_bin} director migration run", diff --git a/manifests/module/director/install.pp b/manifests/module/director/install.pp index d364b718..ff299875 100644 --- a/manifests/module/director/install.pp +++ b/manifests/module/director/install.pp @@ -30,7 +30,7 @@ package_name => $package_name, } - if $install_method == 'git' { + if $install_method != 'none' { user { $service_user: ensure => present, gid => $conf_group, diff --git a/manifests/module/reporting/config.pp b/manifests/module/reporting/config.pp index 7be86175..4aabdc17 100644 --- a/manifests/module/reporting/config.pp +++ b/manifests/module/reporting/config.pp @@ -40,6 +40,13 @@ } } + if $install_method == 'package' { + systemd::dropin_file { 'icinga-reporting.conf': + unit => 'icinga-reporting.service', + content => "[Service]\nUser=${service_user}", + } + } + icingaweb2::resource::database { 'reporting': type => $db['type'], host => $db['host'], diff --git a/manifests/module/reporting/install.pp b/manifests/module/reporting/install.pp index 1b385e8f..8f9c2285 100644 --- a/manifests/module/reporting/install.pp +++ b/manifests/module/reporting/install.pp @@ -43,7 +43,7 @@ } } - if $install_method == 'git' { + if $install_method != 'none' { user { $service_user: ensure => 'present', gid => $conf_group, diff --git a/manifests/module/vspheredb/config.pp b/manifests/module/vspheredb/config.pp index 9dea0155..544c705e 100644 --- a/manifests/module/vspheredb/config.pp +++ b/manifests/module/vspheredb/config.pp 
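Review bot: The drop-in `content` is `"[Service]\nUser=${service_user}"` with no trailing newline, and the resource carries no `notify`. Whether a changed `User=` reaches an already running daemon therefore depends on `systemd::dropin_file` defaults that are not visible here. I would write `content => "[Service]\nUser=${service_user}\n",` and, if the installed puppet-systemd version supports it, add `notify_service => true,`. The drop-in is also declared when `manage_service` is false (the director spec expects exactly that), which seems intended but deserves a one-line comment. The same resource appears in the reporting, vspheredb and x509 config.pp hunks, and the enclosing class body continues outside this hunk.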
@@ -43,6 +43,13 @@ } } + if $install_method == 'package' { + systemd::dropin_file { 'icinga-vspheredb.conf': + unit => 'icinga-vspheredb.service', + content => "[Service]\nUser=${service_user}", + } + } + icingaweb2::resource::database { 'icingaweb2-module-vspheredb': type => $db['type'], host => $db['host'], diff --git a/manifests/module/vspheredb/install.pp b/manifests/module/vspheredb/install.pp index 3650f390..4f6fc296 100644 --- a/manifests/module/vspheredb/install.pp +++ b/manifests/module/vspheredb/install.pp @@ -43,7 +43,7 @@ } } - if $install_method == 'git' { + if $install_method != 'none' { user { $service_user: ensure => 'present', gid => $conf_group, diff --git a/manifests/module/x509/config.pp b/manifests/module/x509/config.pp index 430ae616..aa52e6cd 100644 --- a/manifests/module/x509/config.pp +++ b/manifests/module/x509/config.pp @@ -38,6 +38,13 @@ } } + if $install_method == 'package' { + systemd::dropin_file { 'icinga-x509.conf': + unit => 'icinga-x509.service', + content => "[Service]\nUser=${service_user}", + } + } + icingaweb2::resource::database { 'x509': type => $db['type'], host => $db['host'], diff --git a/manifests/module/x509/install.pp b/manifests/module/x509/install.pp index 94762cab..73a295e4 100644 --- a/manifests/module/x509/install.pp +++ b/manifests/module/x509/install.pp @@ -26,7 +26,7 @@ package_name => $package_name, } - if $install_method == 'git' { + if $install_method != 'none' { user { $service_user: ensure => present, gid => $conf_group, diff --git a/spec/classes/modules/director_spec.rb b/spec/classes/modules/director_spec.rb index 4d77e4c9..b1f6be16 100644 --- a/spec/classes/modules/director_spec.rb +++ b/spec/classes/modules/director_spec.rb @@ -3,7 +3,7 @@ describe('icingaweb2::module::director', type: :class) do let(:pre_condition) do [ - "class { 'icingaweb2': db_type => 'mysql' }", + "class { 'icingaweb2': db_type => 'mysql', conf_user => 'foo', conf_group => 'bar' }", ] end 
@@ -22,6 +22,7 @@ db_username: 'director', db_password: 'director', import_schema: true, + service_user: 'foobaz', kickstart: true, endpoint: 'foobar', api_username: 'root', @@ -59,6 +60,20 @@ .with_settings({ 'endpoint' => 'foobar', 'host' => 'localhost', 'port' => '5665', 'username' => 'root', 'password' => 'secret' }) } + it { + is_expected.to contain_user('foobaz') + .with_ensure('present') + .with_gid('bar') + .with_shell('/bin/false') + .with_system(true) + } + + it { + is_expected.to contain_systemd__unit_file('icinga-director.service') + .with_content(%r{User=foobaz}) + .with_content(%r{ExecStart=/usr/bin/icingacli}) + } + it { is_expected.to contain_service('icinga-director') .with_ensure('running') @@ -69,7 +84,7 @@ it { is_expected.to contain_exec('director-kickstart') } end - context "#{os} with import_schema 'false', manage_service 'false'" do + context "#{os} with import_schema 'false', install_method 'package', manage_service 'false'" do let(:params) do { git_revision: 'foobar', db_type: 'mysql', @@ -77,6 +92,7 @@ db_name: 'director', db_username: 'director', db_password: 'director', + install_method: 'package', manage_service: false, import_schema: false } end 
@@ -93,15 +109,26 @@ it { is_expected.to contain_icingaweb2__module('director') - .with_install_method('git') - .with_git_revision('foobar') + .with_install_method('package') .with_module_dir('/usr/share/icingaweb2/modules/director') } it { - is_expected.not_to contain_service('icinga-director') + is_expected.to contain_user('icingadirector') + .with_ensure('present') + .with_gid('bar') + .with_shell('/bin/false') + .with_system(true) + } + + it { + is_expected.to contain_systemd__dropin_file('icinga-director.conf') + .with_unit('icinga-director.service') + .with_content(%r{User=icingadirector}) } + it { is_expected.not_to contain_systemd__unit_file('icinga-director.service') } + it { is_expected.not_to contain_service('icinga-director') } it { is_expected.not_to contain_exec('director-migration') } it { is_expected.not_to contain_exec('director-kickstart') } end diff --git a/spec/classes/modules/reporting_spec.rb b/spec/classes/modules/reporting_spec.rb index d58c1962..967698db 100644 --- a/spec/classes/modules/reporting_spec.rb +++ b/spec/classes/modules/reporting_spec.rb @@ -60,6 +60,7 @@ .with_ensure('present') .with_gid('bar') .with_shell('/bin/false') + .with_system(true) } it { @@ -109,7 +110,20 @@ .with_unless(%r{^mysql.* -Ns -e 'SELECT \* FROM report'$}) } - it { is_expected.not_to contain_user('icingareporting') } + it { + is_expected.to contain_user('icingareporting') + .with_ensure('present') + .with_gid('bar') + .with_shell('/bin/false') + .with_system(true) + } + + it { + is_expected.to contain_systemd__dropin_file('icinga-reporting.conf') + .with_unit('icinga-reporting.service') + .with_content(%r{User=icingareporting}) + } + it { is_expected.not_to contain_systemd__unit_file('icinga-reporting.service') } it { is_expected.not_to contain_service('icinga-reporting') } end diff --git a/spec/classes/modules/vspheredb_spec.rb b/spec/classes/modules/vspheredb_spec.rb index 5a79b046..71731118 100644 --- a/spec/classes/modules/vspheredb_spec.rb 
+++ b/spec/classes/modules/vspheredb_spec.rb @@ -52,6 +52,7 @@ .with_ensure('present') .with_gid('bar') .with_shell('/bin/false') + .with_system(true) } it { @@ -106,7 +107,20 @@ .with_unless(%r{^mysql.*-Ns -e 'SELECT schema_version FROM vspheredb_schema_migration'$}) } - it { is_expected.not_to contain_user('icingavspheredb') } + it { + is_expected.to contain_user('icingavspheredb') + .with_ensure('present') + .with_gid('bar') + .with_shell('/bin/false') + .with_system(true) + } + + it { + is_expected.to contain_systemd__dropin_file('icinga-vspheredb.conf') + .with_unit('icinga-vspheredb.service') + .with_content(%r{User=icingavspheredb}) + } + it { is_expected.not_to contain_systemd__tmpfile('icinga-vspheredb.conf') } it { is_expected.not_to contain_systemd__unit_file('icinga-vspheredb.service') } it { is_expected.not_to contain_service('icinga-vspheredb') } diff --git a/spec/classes/modules/x509_spec.rb b/spec/classes/modules/x509_spec.rb index e2ded6cb..25bc5fb9 100644 --- a/spec/classes/modules/x509_spec.rb +++ b/spec/classes/modules/x509_spec.rb @@ -52,6 +52,7 @@ .with_ensure('present') .with_gid('bar') .with_shell('/bin/false') + .with_system(true) } it { @@ -101,7 +102,20 @@ .with_unless(%r{^mysql.* -Ns -e 'SELECT \* FROM x509_certificate'$}) } - it { is_expected.not_to contain_user('icingax509') } + it { + is_expected.to contain_user('icingax509') + .with_ensure('present') + .with_gid('bar') + .with_shell('/bin/false') + .with_system(true) + } + + it { + is_expected.to contain_systemd__dropin_file('icinga-x509.conf') + .with_unit('icinga-x509.service') + .with_content(%r{User=icingax509}) + } + it { is_expected.not_to contain_systemd__unit_file('icinga-x509.service') } it { is_expected.not_to contain_service('icinga-x509') } end