We run our Icinga cluster with 3 zones (master zone, satellite zone 1 and satellite zone 2) and many Windows and Linux agents. For the configuration we use the Icinga Director and furthermore the zone “director-global”, which by default contains all configured check commands, service templates, service sets, …
This way we can take advantage of the fact that the configuration is available on every single Icinga node and also on every Icinga agent.
But this could also be a problem. For example, if you store your password as an argument to one of your check commands/service templates, then the password would be made available on every node. Even on nodes that don’t need that command/service template.
I wanted to ask you how you handle such situations.
In my case, I wanted to set up a command/service for sat zone 1 and sat zone 2, but not for all agents as they should not receive the password.
So I created a service template for Sat Zone 1 and another service template for Sat Zone 2 and stored the password for the check command in them. Unfortunately, it is not possible to store a service template for multiple zones…
The next step was to create two rules for services (one for Sat Zone 1 and one for Sat Zone 2) and apply them to the correct hosts in each zone.
So the configs and passwords will be stored in /var/lib/icinga2/api/zones/sat-zone1/director … and our agents don’t receive it.
I find this configuration very cumbersome. How do you store your passwords for commands/services so that not every Icinga node gets them?
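
A way to verify on any node which synced zones actually carry literal secrets, as an added example that is not part of the original post. It assumes secrets are stored as custom variables with names containing `password`, `passwd`, `secret` or `token`; the file names and values in the sample tree are constructed.

```python
import re
import sys
from pathlib import Path

# Assumption: secrets live in custom variables whose names contain one of
# these words. Adjust the pattern to your own naming.
SECRET_VAR = re.compile(
    r'vars\.(\w*(?:password|passwd|secret|token)\w*)\s*=\s*"([^"]+)"',
    re.IGNORECASE,
)

def audit_zones(zones_root):
    """Map zone name -> [(file, line number, variable name)] for literal secrets."""
    root = Path(zones_root)
    findings = {}
    for zone_dir in sorted(p for p in root.iterdir() if p.is_dir()):
        hits = []
        for conf in sorted(zone_dir.rglob("*.conf")):
            lines = conf.read_text(errors="replace").splitlines()
            for number, line in enumerate(lines, 1):
                if line.lstrip().startswith(("//", "#")):
                    continue  # commented-out line
                match = SECRET_VAR.search(line)
                # "$...$" is a macro reference, not a literal secret value.
                if match and not match.group(2).startswith("$"):
                    hits.append((str(conf.relative_to(root)), number, match.group(1)))
        if hits:
            findings[zone_dir.name] = hits
    return findings

def write_sample_tree(root):
    """Constructed sample of a satellite's synced config (not real data)."""
    files = {
        "director-global/director/service_templates.conf":
            'template Service "generic" {\n    check_interval = 5m\n}\n',
        "sat-zone1/director/service_templates.conf":
            'template Service "db-sat1" {\n    vars.db_password = "constructed-example"\n}\n',
    }
    for rel, body in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)

if __name__ == "__main__":
    zones = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/icinga2/api/zones"
    result = audit_zones(zones)
    for zone, hits in result.items():
        for rel, number, name in hits:
            print(f"{zone}: {rel}:{number} sets {name}")  # value is never printed
    # A secret in director-global reaches every node, so treat it as a failure.
    sys.exit(1 if "director-global" in result else 0)
```

Run on an agent, the script should report nothing; on a satellite it should list only that satellite's own zone.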