Using pki => "ca" can either cause incomplete deps or circular reference

[ikirker]

I'm trying to use this module, and trying to get Icinga2 to configure the certificates automatically:

  class { 'icinga2::feature::api':
    accept_commands  => true,
    accept_config    => true,
    pki              => "ca",
  }

This means that it uses the icinga2 command to try and create certs. Unfortunately, this doesn't seem to always ensure that the icinga2 command is available first, which makes it able to fail on first run:

Error: Could not find command 'icinga2'
Error: /Stage[main]/Icinga2::Pki::Ca/Exec[create-icinga2-ca]/returns: change from notrun to 0 failed: Could not find command 'icinga2'

I tried fixing the dependency chain using:

  class { 'icinga2::feature::api':
    accept_commands  => true,
    accept_config    => true,
    pki              => "ca",
    require          => Class['icinga2'],
  }

But then I get a circular reference error:

(Anchor[::icinga2::end] => Class[Icinga2] => Class[Icinga2::Feature::Api] => Exec[icinga2 pki sign certificate] => Class[Icinga2::Service] => Service[icinga2] => Class[Icinga2::Service] => Anchor[::icinga2::end])

Trying to whittle this down to requiring just the icinga2 Package resource didn't help, because that doesn't necessarily ensure the icinga2 command is present, and even requiring the icinga2::feature::command class didn't seem to, either. Requiring the icinga2-bin package seemed to work; I had to make that depend on the Icinga repo but that was doable.

So now I have this:

  package { 'icinga2-bin':
    require => Yumrepo['icinga2_repo'],
  }

  class { 'icinga2::feature::api':
    accept_commands  => true,
    accept_config    => true,
    pki              => "ca",
    require          => Package['icinga2-bin'],
  }

This involved a bit of trial and error, and seems fixable but I feel like my solution isn't a particularly good solution and could be improved upon by someone more familiar with Icinga2's packaging.

[ikirker]

(Oh, and, that Yumrepo resource is my own, rather than an automatic repo resource handled by the module: I've not been having this module manage it.)

[bobapple]

You need to include or declare the ::icinga2 class which handles the installation of Icinga 2

class { '::icinga2': }

class { '::icinga2::feature::api':
  accept_commands  => true,
  accept_config    => true,
  pki              => "ca",
}

[ikirker]

Ah, sorry, I should have been clearer but I didn't want to post a huge mass of Puppet.

As well as the above, I'm already including the main class and some other Icinga class resources:

  class { 'icinga2':
    features => ['checker', 'command', 'mainlog', 'notification', 'perfdata', 'livestatus'],
    # Features configured later: api, idomysql, graphite
  }

  icinga2::object::apiuser { 'a_user_name':
      target      => '/etc/icinga2/conf.d/apiuser.conf',
      permissions => [ "*" ],
      password    => 'somepassword',
  }

  icinga2::object::zone { 'global-templates':
      global => true,
  }

  class {'icinga2::feature::graphite':
    host                  => 'localhost',
    port                  => 2003,
    host_name_template    => 'icinga2.$host.name$.host.$host.check_command$',
    service_name_template => 'icinga2.$host.name$.services.$service.name$.$service.check_command$',
  }

  class { 'icinga2::feature::idomysql':
    host          => '127.0.0.1',
    port          => 3306,
    user          => 'icinga2_user',
    password      => 'mypass',
    database      => 'ido_db',
    import_schema => true,
  }

[bobapple]

I am not able to reproduce this, but it looks like an ordering issue.

Here's a potential fix: 734d82c
Can you test it and give me feedback?

[ikirker]

@bobapple Using that version, and deleting the icinga2-bin package resource and the explicit requirement for it in the use of icinga2::feature::api, does seem to work.

I don't think I understand why, at the moment, though. 😳