diff --git a/manifests/feature/gelf.pp b/manifests/feature/gelf.pp
index dddd7656..bd7fd2a3 100644
--- a/manifests/feature/gelf.pp
+++ b/manifests/feature/gelf.pp
@@ -13,6 +13,33 @@
 # @param [Optional[String]] source
 # Source name for this instance.
 #
+# @param [Boolean] enable_ssl
+# Either enable or disable SSL/TLS. Other SSL parameters are only affected if this is set to 'true'.
+#
+# @param [Optional[Stdlib::Absolutepath]] ssl_key_path
+# Location of the private key. Only valid if ssl is enabled.
+#
+# @param [Optional[Stdlib::Absolutepath]] ssl_cert_path
+# Location of the certificate. Only valid if ssl is enabled.
+#
+# @param [Optional[Stdlib::Absolutepath]] ssl_cacert_path
+# Location of the CA certificate. Only valid if ssl is enabled.
+#
+# @param [Optional[Stdlib::Base64]] ssl_key
+# The private key in a base64 encoded string to store in spicified ssl_key_path file.
+# Only valid if ssl is enabled.
+#
+# @param [Optional[Stdlib::Base64]] ssl_cert
+# The certificate in a base64 encoded string to store in spicified ssl_cert_path file.
+# Only valid if ssl is enabled.
+#
+# @param [Optional[Stdlib::Base64]] ssl_cacert
+# The CA root certificate in a base64 encoded string to store in spicified ssl_cacert_path file.
+# Only valid if ssl is enabled.
+#
+# @param [Optional[Boolean]] ssl_noverify
+# Disable TLS peer verification.
+#
 # @param [Optional[Boolean]] enable_send_perfdata
 # Enable performance data for 'CHECK RESULT' events.
 #
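Review bot: The descriptions of ssl_key, ssl_cert and ssl_cacert misspell "specified" as "spicified" (three occurrences in this hunk). The enable_ssl text says the other SSL parameters are "only affected" when it is true; the manifest ignores them otherwise, so `#   Other SSL parameters are only used if this is set to 'true'.` states it more precisely. The ssl_noverify description would help operators more if it named the effect, e.g. `#   Disable TLS peer verification (sets insecure_noverify on the GelfWriter). Leave unset so the server certificate is verified against the configured CA.`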
@@ -24,6 +51,14 @@
 Optional[Stdlib::Host] $host = undef,
 Optional[Stdlib::Port::Unprivileged] $port = undef,
 Optional[String] $source = undef,
+ Boolean $enable_ssl = false,
+ Optional[Stdlib::Absolutepath] $ssl_key_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cert_path = undef,
+ Optional[Stdlib::Absolutepath] $ssl_cacert_path = undef,
+ Optional[Stdlib::Base64] $ssl_key = undef,
+ Optional[Stdlib::Base64] $ssl_cert = undef,
+ Optional[Stdlib::Base64] $ssl_cacert = undef,
+ Optional[Boolean] $ssl_noverify = undef,
 Optional[Boolean] $enable_send_perfdata = undef,
 Optional[Boolean] $enable_ha = undef,
 ) {
@@ -32,12 +67,106 @@
 fail('You must include the icinga2 base class before using any icinga2 feature class!')
 }
+ $owner = $::icinga2::globals::user
+ $group = $::icinga2::globals::group
 $conf_dir = $::icinga2::globals::conf_dir
- $_notify = $ensure ? {
+ $ssl_dir = $::icinga2::globals::cert_dir
+
+ $_ssl_key_mode = $::facts['os']['family'] ? {
+ 'windows' => undef,
+ default => '0600',
+ }
+
+ $_notify = $ensure ? {
 'present' => Class['::icinga2::service'],
 default => undef,
 }
+ File {
+ owner => $owner,
+ group => $group,
+ }
+
+
+ if $enable_ssl {
+ # Set defaults for certificate stuff
+ if $ssl_key {
+ if $ssl_key_path {
+ $_ssl_key_path = $ssl_key_path }
+ else {
+ $_ssl_key_path = "${ssl_dir}/GelfWriter_gelf.key"
+ }
+
+ $_ssl_key = $::facts['os']['family'] ? {
+ 'windows' => regsubst($ssl_key, '\n', "\r\n", 'EMG'),
+ default => $ssl_key,
+ }
+
+ file { $_ssl_key_path:
+ ensure => file,
+ mode => $_ssl_key_mode,
+ content => $ssl_key,
+ tag => 'icinga2::config::file',
+ }
+ } else {
+ $_ssl_key_path = $ssl_key_path
+ }
+
+ if $ssl_cert {
+ if $ssl_cert_path {
+ $_ssl_cert_path = $ssl_cert_path }
+ else {
+ $_ssl_cert_path = "${ssl_dir}/GelfWriter_gelf.crt"
+ }
+
+ $_ssl_cert = $::facts['os']['family'] ? {
+ 'windows' => regsubst($ssl_cert, '\n', "\r\n", 'EMG'),
+ default => $ssl_cert,
+ }
+
+ file { $_ssl_cert_path:
+ ensure => file,
+ content => $ssl_cert,
+ tag => 'icinga2::config::file',
+ }
+ } else {
+ $_ssl_cert_path = $ssl_cert_path
+ }
+
+ if $ssl_cacert {
+ if $ssl_cacert_path {
+ $_ssl_cacert_path = $ssl_cacert_path }
+ else {
+ $_ssl_cacert_path = "${ssl_dir}/GelfWriter_gelf_ca.crt"
+ }
+
+ $_ssl_cacert = $::facts['os']['family'] ? {
+ 'windows' => regsubst($ssl_cacert, '\n', "\r\n", 'EMG'),
+ default => $ssl_cacert,
+ }
+
+ file { $_ssl_cacert_path:
+ ensure => file,
+ content => $ssl_cacert,
+ tag => 'icinga2::config::file',
+ }
+ } else {
+ $_ssl_cacert_path = $ssl_cacert_path
+ }
+
+ $attrs_ssl = {
+ enable_tls => $enable_ssl,
+ insecure_noverify => $ssl_noverify,
+ ca_path => $_ssl_cacert_path,
+ cert_path => $_ssl_cert_path,
+ key_path => $_ssl_key_path,
+ }
+ } # enable_ssl
+ else {
+ $attrs_ssl = { enable_tls => $enable_ssl }
+ }
+
 # compose attributes
 $attrs = {
 host => $host,
@@ -51,7 +180,7 @@
 icinga2::object { 'icinga2::object::GelfWriter::gelf':
 object_name => 'gelf',
 object_type => 'GelfWriter',
- attrs => delete_undef_values($attrs),
+ attrs => delete_undef_values(merge($attrs, $attrs_ssl)),
 attrs_list => keys($attrs),
 target => "${conf_dir}/features-available/gelf.conf",
 order => 10,
diff --git a/spec/classes/gelf_spec.rb b/spec/classes/gelf_spec.rb
index dbcd1c47..ae045fdf 100644
--- a/spec/classes/gelf_spec.rb
+++ b/spec/classes/gelf_spec.rb
@@ -16,10 +16,28 @@
 case facts[:kernel]
 when 'windows'
 let(:icinga2_conf_dir) { 'C:/ProgramData/icinga2/etc/icinga2' }
+ let(:icinga2_pki_dir) { 'C:/ProgramData/icinga2/var/lib/icinga2/certs' }
+ let(:icinga2_sslkey_mode) { nil }
+ let(:icinga2_user) { nil }
+ let(:icinga2_group) { nil }
 when 'FreeBSD'
 let(:icinga2_conf_dir) { '/usr/local/etc/icinga2' }
+ let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' }
+ let(:icinga2_sslkey_mode) { '0600' }
+ let(:icinga2_user) { 'icinga' }
+ let(:icinga2_group) { 'icinga' }
 else
 let(:icinga2_conf_dir) { '/etc/icinga2' }
+ let(:icinga2_pki_dir) { '/var/lib/icinga2/certs' }
+ let(:icinga2_sslkey_mode) { '0600' }
+ case facts[:os]['family']
+ when 'Debian'
+ let(:icinga2_user) { 'nagios' }
+ let(:icinga2_group) { 'nagios' }
+ else
+ let(:icinga2_user) { 'icinga' }
+ let(:icinga2_group) { 'icinga' }
+ end
 end
 context 'with defaults' do
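Review bot: The Windows line-ending conversion never reaches disk: `$_ssl_key`, `$_ssl_cert` and `$_ssl_cacert` are built with regsubst but the three file resources write `content => $ssl_key`, `content => $ssl_cert` and `content => $ssl_cacert`, so on Windows the raw value is written and the converted variables are unused. Each `content` line should use the underscored variable, e.g. `content => $_ssl_key,` in the key resource, and likewise for the cert and CA resources. The key resource should additionally carry `show_diff => false,` so the private key is not printed into agent logs and reports when its content changes. Note also that `File { owner => $owner, group => $group }` is a resource default, which Puppet applies with dynamic scope to File resources evaluated from this class, not only the three declared here; setting owner/group on the three resources directly avoids that.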
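Review bot: `attrs_list => keys($attrs)` on the context line right after the changed one is still computed from the unmerged hash, so the TLS keys (enable_tls, insecure_noverify, ca_path, cert_path, key_path) are absent from attrs_list while present in attrs. I cannot see icinga2::object here, but if attrs_list is meant to enumerate the attributes the object carries it should come from the same merged hash: assign `$_attrs = merge($attrs, $attrs_ssl)` above the resource and use `attrs => delete_undef_values($_attrs),` and `attrs_list => keys($_attrs),`. The icinga2::object declaration begins and ends outside the hunk.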
@@ -50,6 +68,75 @@
 it { is_expected.to contain_icinga2__feature('gelf').with({ 'ensure' => 'absent' }) }
 end
+
+ context "with enable_ssl => true, host => '127.0.0.1', ssl_key => 'foo', ssl_cert => 'bar', ssl_cacert => 'baz'" do
+ let(:params) do
+ {
+ enable_ssl: true,
+ ssl_key: 'foo',
+ ssl_cert: 'bar',
+ ssl_cacert: 'baz',
+ host: '127.0.0.1',
+ }
+ end
+
+ it {
+ is_expected.to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf.key").with(
+ {
+ 'mode' => icinga2_sslkey_mode,
+ 'owner' => icinga2_user,
+ 'group' => icinga2_group,
+ },
+ ).with_content(%r{^foo})
+ }
+
+ it {
+ is_expected.to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf.crt").with(
+ {
+ 'owner' => icinga2_user,
+ 'group' => icinga2_group,
+ },
+ ).with_content(%r{^bar$})
+ }
+
+ it {
+ is_expected.to contain_file("#{icinga2_pki_dir}/GelfWriter_gelf_ca.crt").with(
+ {
+ 'owner' => icinga2_user,
+ 'group' => icinga2_group,
+ },
+ ).with_content(%r{^baz$})
+ }
+ end
+
+ context 'with enable_ssl => true, ssl_key_path, ssl_cert_path and ssl_cacert_path set' do
+ let(:params) do
+ {
+ enable_ssl: true,
+ ssl_key_path: "#{icinga2_pki_dir}/GelfWriter_gelf.key",
+ ssl_cert_path: "#{icinga2_pki_dir}/GelfWriter_gelf.crt",
+ ssl_cacert_path: "#{icinga2_pki_dir}/GelfWriter_gelf_ca.crt",
+ }
+ end
+
+ it {
+ is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content(
+ %r{key_path = "#{icinga2_pki_dir}/GelfWriter_gelf.key"},
+ )
+ }
+
+ it {
+ is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content(
+ %r{cert_path = "#{icinga2_pki_dir}/GelfWriter_gelf.crt"},
+ )
+ }
+
+ it {
+ is_expected.to contain_concat__fragment('icinga2::object::GelfWriter::gelf').with_content(
+ %r{ca_path = "#{icinga2_pki_dir}/GelfWriter_gelf_ca.crt"},
+ )
+ }
+ end
 end
 end
 end
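Review bot: The key-file example asserts `with_content(%r{^foo})` without the `$` anchor that the cert and CA examples use; `with_content(%r{^foo$})` keeps the three checks equally strict. No example covers the ssl_noverify parameter, and none drives the windows branch of the manifest with a multi-line key to check the `\r\n` conversion; a case with `ssl_noverify: true` asserting `insecure_noverify = true` in the concat fragment, and a windows-facts case with a key value containing a newline, would close both gaps. The latter would currently fail because the manifest writes the unconverted `$ssl_key` rather than `$_ssl_key`, which is exactly what such a test is there to catch.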