fix #679 Add TLS support to feature gelf
lbetz committed Sep 13, 2021
1 parent 807df10 commit dcde3ce
Showing 2 changed files with 218 additions and 2 deletions.
133 changes: 131 additions & 2 deletions manifests/feature/gelf.pp
Expand Up @@ -13,6 +13,33 @@
# @param [Optional[String]] source
# Source name for this instance.
#
# @param [Boolean] enable_ssl
# Either enable or disable SSL/TLS. Other SSL parameters are only affected if this is set to 'true'.
#
# @param [Optional[Stdlib::Absolutepath]] ssl_key_path
# Location of the private key. Only valid if ssl is enabled.
#
# @param [Optional[Stdlib::Absolutepath]] ssl_cert_path
# Location of the certificate. Only valid if ssl is enabled.
#
# @param [Optional[Stdlib::Absolutepath]] ssl_cacert_path
# Location of the CA certificate. Only valid if ssl is enabled.
#
# @param [Optional[Stdlib::Base64]] ssl_key
# The private key in a base64 encoded string to store in spicified ssl_key_path file.
# Only valid if ssl is enabled.
#
# @param [Optional[Stdlib::Base64]] ssl_cert
# The certificate in a base64 encoded string to store in spicified ssl_cert_path file.
# Only valid if ssl is enabled.
#
# @param [Optional[Stdlib::Base64]] ssl_cacert
# The CA root certificate in a base64 encoded string to store in spicified ssl_cacert_path file.
# Only valid if ssl is enabled.
#
# @param [Optional[Boolean]] ssl_noverify
# Disable TLS peer verification.
#
# @param [Optional[Boolean]] enable_send_perfdata
# Enable performance data for 'CHECK RESULT' events.
#
Expand All @@ -24,6 +51,14 @@
Optional[Stdlib::Host] $host = undef,
Optional[Stdlib::Port::Unprivileged] $port = undef,
Optional[String] $source = undef,
Boolean $enable_ssl = false,
Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
Optional[Stdlib::Base64] $ssl_key = undef,
Optional[Stdlib::Base64] $ssl_cert = undef,
Optional[Stdlib::Base64] $ssl_cacert = undef,
Optional[Boolean] $ssl_noverify = undef,
Optional[Boolean] $enable_send_perfdata = undef,
Optional[Boolean] $enable_ha = undef,
) {
Expand All @@ -32,12 +67,106 @@
fail('You must include the icinga2 base class before using any icinga2 feature class!')
}

$owner = $::icinga2::globals::user
$group = $::icinga2::globals::group
$conf_dir = $::icinga2::globals::conf_dir
$_notify = $ensure ? {
$ssl_dir = $::icinga2::globals::cert_dir

$_ssl_key_mode = $::facts['os']['family'] ? {
'windows' => undef,
default => '0600',
}

$_notify = $ensure ? {
'present' => Class['::icinga2::service'],
default => undef,
}

File {
owner => $owner,
group => $group,
}


if $enable_ssl {
# Set defaults for certificate stuff
if $ssl_key {
if $ssl_key_path {
$_ssl_key_path = $ssl_key_path }
else {
$_ssl_key_path = "${ssl_dir}/GelfWriter_gelf.key"
}

$_ssl_key = $::facts['os']['family'] ? {
'windows' => regsubst($ssl_key, '\n', "\r\n", 'EMG'),
default => $ssl_key,
}

file { $_ssl_key_path:
ensure => file,
mode => $_ssl_key_mode,
content => $ssl_key,
tag => 'icinga2::config::file',
}
} else {
$_ssl_key_path = $ssl_key_path
}

if $ssl_cert {
if $ssl_cert_path {
$_ssl_cert_path = $ssl_cert_path }
else {
$_ssl_cert_path = "${ssl_dir}/GelfWriter_gelf.crt"
}

$_ssl_cert = $::facts['os']['family'] ? {
'windows' => regsubst($ssl_cert, '\n', "\r\n", 'EMG'),
default => $ssl_cert,
}

file { $_ssl_cert_path:
ensure => file,
content => $ssl_cert,
tag => 'icinga2::config::file',
}
} else {
$_ssl_cert_path = $ssl_cert_path
}

if $ssl_cacert {
if $ssl_cacert_path {
$_ssl_cacert_path = $ssl_cacert_path }
else {
$_ssl_cacert_path = "${ssl_dir}/GelfWriter_gelf_ca.crt"
}

$_ssl_cacert = $::facts['os']['family'] ? {
'windows' => regsubst($ssl_cacert, '\n', "\r\n", 'EMG'),
default => $ssl_cacert,
}

file { $_ssl_cacert_path:
ensure => file,
content => $ssl_cacert,
tag => 'icinga2::config::file',
}
} else {
$_ssl_cacert_path = $ssl_cacert_path
}

$attrs_ssl = {
enable_tls => $enable_ssl,
insecure_noverify => $ssl_noverify,
ca_path => $_ssl_cacert_path,
cert_path => $_ssl_cert_path,
key_path => $_ssl_key_path,
}
} # enable_ssl
else {
$attrs_ssl = { enable_tls => $enable_ssl }
}


# compose attributes
$attrs = {
host => $host,
Expand All @@ -51,7 +180,7 @@
icinga2::object { 'icinga2::object::GelfWriter::gelf':
object_name => 'gelf',
object_type => 'GelfWriter',
attrs => delete_undef_values($attrs),
attrs => delete_undef_values(merge($attrs, $attrs_ssl)),
attrs_list => keys($attrs),
target => "${conf_dir}/features-available/gelf.conf",
order => 10,
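Review bot: The CRLF-converted `$_ssl_key`, `$_ssl_cert` and `$_ssl_cacert` built by the three `$::facts['os']['family']` selectors are never used — each `file` resource writes the raw parameter (`content => $ssl_key,`, `content => $ssl_cert,`, `content => $ssl_cacert,`), so the Windows line-ending handling is dead code and those three lines should read `content => $_ssl_key,` / `content => $_ssl_cert,` / `content => $_ssl_cacert,`. The private-key resource for `GelfWriter_gelf.key` also has no `show_diff => false`, so when the key changes its contents can be printed in agent output and stored in reports; add `show_diff => false,` next to `mode => $_ssl_key_mode`. The `ssl_noverify` docstring should say what the knob really does, since it maps straight onto `insecure_noverify`: `# Disable TLS peer verification (insecure: the GELF server's certificate is not validated; do not use outside test setups).` The enclosing class `icinga2::feature::gelf` begins and ends outside this section.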
87 changes: 87 additions & 0 deletions spec/classes/gelf_spec.rb
Expand Up @@ -16,10 +16,28 @@
case facts[:kernel]
when 'windows'
let(:icinga2_conf_dir) { 'C:/ProgramData/icinga2/etc/icinga2' }
let(:icinga2_pki_dir) { 'C:/ProgramData/icinga2/var/lib/icinga2/certs' }
let(:icinga2_sslkey_mode) { nil }
let(:icinga2_user) { nil }
let(:icinga2_group) { nil }
when 'FreeBSD'
let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' }
let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' }
let(:icinga2_sslkey_mode) { '0600' }
let(:icinga2_user) { 'icinga' }
let(:icinga2_group) { 'icinga' }
else
let(:icinga2_conf_dir) { '/etc/icinga2' }
let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' }
let(:icinga2_sslkey_mode) { '0600' }
case facts[:os]['family']
when 'Debian'
let(:icinga2_user) { 'nagios' }
let(:icinga2_group) { 'nagios' }
else
let(:icinga2_user) { 'icinga' }
let(:icinga2_group) { 'icinga' }
end
end

context 'with defaults' do
Expand Down Expand Up @@ -50,6 +68,75 @@

it { is_expected.to contain_icinga2__feature('gelf').with({ 'ensure' => 'absent' }) }
end

context "with enable_ssl => true, host => '127.0.0.1', ssl_key => 'foo', ssl_cert => 'bar', ssl_cacert => 'baz'" do
let(:params) do
{
enable_ssl: true,
ssl_key: 'foo',
ssl_cert: 'bar',
ssl_cacert: 'baz',
host: '127.0.0.1',
}
end

it {
is_expected.to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf.key").with(
{
'mode' => icinga2_sslkey_mode,
'owner' => icinga2_user,
'group' => icinga2_group,
},
).with_content(%r{^foo})
}

it {
is_expected.to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf.crt").with(
{
'owner' => icinga2_user,
'group' => icinga2_group,
},
).with_content(%r{^bar$})
}

it {
is_expected.to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf_ca.crt").with(
{
'owner' => icinga2_user,
'group' => icinga2_group,
},
).with_content(%r{^baz$})
}
end

context 'with enable_ssl => true, ssl_key_path, ssl_cert_path and ssl_cacert_path set' do
let(:params) do
{
enable_ssl: true,
ssl_key_path: "#{icinga2_pki_dir}/GelfWriter_gelf.key",
ssl_cert_path: "#{icinga2_pki_dir}/GelfWriter_gelf.crt",
ssl_cacert_path: "#{icinga2_pki_dir}/GelfWriter_gelf_ca.crt",
}
end

it {
is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content(
%r{key_path = "#{icinga2_pki_dir}/GelfWriter_gelf.key"},
)
}

it {
is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content(
%r{cert_path = "#{icinga2_pki_dir}/GelfWriter_gelf.crt"},
)
}

it {
is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content(
%r{ca_path = "#{icinga2_pki_dir}/GelfWriter_gelf_ca.crt"},
)
}
end
end
end
end
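Review bot: Neither new context asserts that the TLS settings reach the rendered GelfWriter object: the first context checks only the three managed files and the second only the three `*_path` attributes, so a regression that drops `enable_tls` or `insecure_noverify` from `$attrs_ssl` would still pass. Add to the first context `it { is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content(%r{enable_tls = true}) }`, plus a context with `ssl_noverify: true` asserting `%r{insecure_noverify = true}`. A context with `enable_ssl: false` and `ssl_key` set should assert `is_expected.not_to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf.key")`, since the key is only supposed to be written when TLS is enabled. Minor: the key assertion uses `%r{^foo}` while its siblings use `^bar$`/`^baz$`; `%r{^foo$}` keeps them consistent. The enclosing `describe` block begins outside this section.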
