Puppet Class: icinga2::pki::ca

Defined in:
manifests/pki/ca.pp

Overview

== Class: icinga2::pki::ca

This class provides multiple ways to create the CA used by Icinga 2. By default it creates a CA using the icinga2 CLI. If you want to use your own CA, you either have to transfer it with a file resource or you can pass the content of your certificate and key to this class.

The certificate of the icinga2 instance itself will be created, signed by the new CA, and given a CN based on the constant NodeName.

=== Parameters

[*ca_cert*] Content of the CA certificate. If this is unset, a certificate will be generated with the Icinga 2 CLI.

[*ca_key*] Content of the CA key. If this is unset, a key will be generated with the Icinga 2 CLI.

=== Examples

Let Icinga 2 generate a CA for you:

include icinga2
class { 'icinga2::pki::ca': }

Set the content of CA certificate and key:

include icinga2
class { 'icinga2::pki::ca':
  ca_cert => '-----BEGIN CERTIFICATE----- ...',
  ca_key  => '-----BEGIN RSA PRIVATE KEY----- ...',
}

Parameters:

  • ca_cert (Optional[String]) (defaults to: undef)
  • ca_key (Optional[String]) (defaults to: undef)


# File 'manifests/pki/ca.pp', line 35

# Manages the Icinga 2 CA plus this node's own key/certificate, in three
# steps: (1) obtain a CA in $ca_dir -- generated with the icinga2 CLI unless
# BOTH $ca_cert and $ca_key are given; (2) copy ca.crt into $cert_dir;
# (3) create a key and CSR for this node's NodeName, sign it with that CA,
# and remove the CSR afterwards.
#
# @param ca_cert PEM content of the CA certificate; undef lets the CLI
#   generate a CA.
# @param ca_key  PEM content of the CA private key; undef lets the CLI
#   generate a CA.
class icinga2::pki::ca(
  Optional[String]               $ca_cert         = undef,
  Optional[String]               $ca_key          = undef,
) {

  # Ordering: ::icinga2::config is applied before anything in this class.
  require ::icinga2::config

  # Paths, ownership and node identity all come from the module's globals
  # and the already-evaluated constants; nothing here is hard-coded.
  $icinga2_bin = $::icinga2::globals::icinga2_bin
  $ca_dir      = $::icinga2::globals::ca_dir
  $cert_dir    = $::icinga2::globals::cert_dir
  $user        = $::icinga2::globals::user
  $group       = $::icinga2::globals::group
  $node_name   = $::icinga2::_constants['NodeName']

  # Per-node PKI files live in cert_dir and are named after NodeName.
  $_ssl_key_path    = "${::icinga2::globals::cert_dir}/${node_name}.key"
  $_ssl_csr_path    = "${::icinga2::globals::cert_dir}/${node_name}.csr"
  $_ssl_cert_path   = "${::icinga2::globals::cert_dir}/${node_name}.crt"
  $_ssl_cacert_path = "${::icinga2::globals::cert_dir}/ca.crt"

  # Resource default: every file declared in this class is owned by the
  # Icinga user/group. No default mode is set, so files below that do not
  # name a mode explicitly have their permissions left unmanaged here.
  File {
    owner => $user,
    group => $group,
  }

  # Private keys are owner-only on POSIX; on Windows the mode attribute is
  # left undef, i.e. no permissions are managed for key files there.
  if $::osfamily != 'windows' {
    $_ca_key_mode = '0600'
  } else {
    $_ca_key_mode = undef
  }


  # NOTE(review): because this is an `or`, supplying only ONE of ca_cert /
  # ca_key silently falls back to a CLI-generated CA and the supplied value
  # is ignored -- the node then trusts a different CA than the caller
  # intended, with no warning. Consider failing when exactly one is set.
  if !$ca_cert or !$ca_key {
    # `creates` makes this idempotent: the CA is generated only while
    # ca.crt is missing from ca_dir. A newly generated CA refreshes the
    # service class so the new trust anchor is picked up.
    exec { 'create-icinga2-ca':
      command => "\"${icinga2_bin}\" pki new-ca",
      creates => "${ca_dir}/ca.crt",
      before  => File[$_ssl_cacert_path],
      notify  => Class['::icinga2::service'],
    }
  } else {
    # Windows: rewrite LF line endings as CRLF before writing the PEM blobs.
    if $::osfamily == 'windows' {
      $_ca_cert     = regsubst($ca_cert, '\n', "\r\n", 'EMG')
      $_ca_key      = regsubst($ca_key, '\n', "\r\n", 'EMG')
    } else {
      $_ca_cert     = $ca_cert
      $_ca_key      = $ca_key
    }

    # Caller-supplied CA certificate; no explicit mode (see File default).
    file { "${ca_dir}/ca.crt":
      ensure  => file,
      content => $_ca_cert,
      tag     => 'icinga2::config::file',
      before  => File[$_ssl_cacert_path],
    }

    # Caller-supplied CA private key; $_ca_key_mode keeps it owner-only on
    # POSIX. NOTE(review): the key is passed as `content`, so it travels in
    # the compiled catalog -- confirm that is acceptable, or consider
    # `show_diff => false` / a `source` so it is not exposed in diffs.
    file { "${ca_dir}/ca.key":
      ensure  => file,
      mode    => $_ca_key_mode,
      content => $_ca_key,
      tag     => 'icinga2::config::file',
    }
  }

  # Copy of the CA certificate into cert_dir. On Windows the source is
  # given as a file:/// URI, elsewhere as a plain path.
  file { $_ssl_cacert_path:
    ensure => file,
    source => $::kernel ? {
      'windows' => "file:///${ca_dir}/ca.crt",
      default   => "${ca_dir}/ca.crt",
    },
  }

  # Key + CSR for this node. `creates` on the key path means this runs once;
  # an existing key is never regenerated, so a changed NodeName would not
  # by itself produce a new CSR -- presumably intended; verify.
  # NOTE(review): ${node_name} is interpolated into the command line
  # unquoted; assumes NodeName contains no whitespace or shell
  # metacharacters -- confirm it is validated where the constant is set.
  exec { 'icinga2 pki create certificate signing request':
    command => "\"${icinga2_bin}\" pki new-cert --cn ${node_name} --key ${_ssl_key_path} --csr ${_ssl_csr_path}",
    creates => $_ssl_key_path,
    require => File[$_ssl_cacert_path],
  }

  # Apply the same owner-only mode to the freshly generated node key.
  -> file { $_ssl_key_path:
    ensure => file,
    mode   => $_ca_key_mode,
  }

  # Sign the CSR with the local CA. refreshonly + subscribe: this runs only
  # in a run where the CSR exec actually executed, and then refreshes the
  # service class.
  exec { 'icinga2 pki sign certificate':
    command     => "\"${icinga2_bin}\" pki sign-csr --csr ${_ssl_csr_path} --cert ${_ssl_cert_path}",
    subscribe   => Exec['icinga2 pki create certificate signing request'],
    refreshonly => true,
    notify      => Class['::icinga2::service'],
  }

  # Ensure the signed certificate is present and drop the CSR, which is not
  # needed once signed. NOTE(review): `ensure => file` would create an empty
  # .crt if signing did not produce one -- presumably never the case here.
  -> file {
    $_ssl_cert_path:
      ensure => file;
    $_ssl_csr_path:
      ensure => absent;
  }
}