Icinga agent Puppet question

MikeKall · September 15, 2021, 9:04am

Hi,

I am having some problems trying to configure Icinga agent with puppet. I have this in my manifest:


class hg_winmonit::agent{
	
  exec{'PowerTools Epel':
      command     => "/bin/dnf install -y 'dnf-command(config-manager)' & /bin/dnf config-manager --set-enabled PowerTools",
  }


    $icinga_source =  $facts['os']['distro']['release']['major']  ? {
      '8' => 'https://packages.icinga.com/epel/icinga-rpm-release-8-latest.noarch.rpm',
      '7' => 'https://packages.icinga.com/epel/icinga-rpm-release-7-latest.noarch.rpm'
    }

    package {'icinga-rpm-release':
      name     => 'icinga-rpm-release',
      ensure   => 'installed',
      provider => 'rpm',
      source   => $icinga_source,
    }

    package {'epel-release':}
# Fix ownership that otherwise prevents icinga2 service to start

  $conf_dir = '/etc/icinga2'
  File <| title == "${conf_dir}/constants.conf" |> {
      owner => 'icinga',
      group => 'icinga',
    }
  File <| title == "${conf_dir}/icinga2.conf" |> {
      owner => 'icinga',
      group => 'icinga',
  }
  File <| title == "${conf_dir}/features-enabled" |> {
      owner => 'icinga',
      group => 'icinga',
    }
  

  class { '::icinga2':
          manage_repo    => true,
          manage_package => true,
          manage_selinux => true,
          confd     => false,
          features  => ['checker','mainlog','notification','statusdata','compatlog','command'],
          constants => {
            'NodeName' => $facts['fqdn'],
            'ZoneName'   => 'master',
            'TicketSalt' => 'Managed in api.conf',
          },
  }

  $api_conf='/etc/icinga2/features-available/api.conf'

  File <| title == $api_conf |> {
    path => "${teigi_temp}/api.conf" ,
  }

  teigi::secret::sub_file { $api_conf:
    content    => template('hg_winmonit/api.conf.erb'),
    teigi_keys => ["icinga2_ticketsalt_prod"],
    owner      => 'icinga',
    group      => 'icinga',
  }

  $master_cert = '<master1>'
  $second_master = '<master2>'
  $master1_ip = '<ip1>'
  $master2_ip = '<ip2>'

  class { '::icinga2::feature::api':
    pki             => 'none',
    ca_host         => $master_ip,
    #ticket_salt     => 'Managed in api.conf',
    ensure          => 'present',
    accept_config   => true,
    accept_commands => true,
    endpoints       => {
      "${facts['fqdn']}"  => {},
      "${master_cert}" => {
          'host' => $master1_ip,
      },
      "${second_master}" => {
        'host'  => $master2_ip,
      }
    },
    zones           => {
      'master' => {
        'endpoints' => [ $master_cert, $second_master ],
      },
    },  
  }

  icinga2::object::zone { 'global-templates':
    global => true,
  }

  icinga2::object::zone { 'director-global':
    global => true,
  }

  icinga2::object::zone { "${facts['fqdn']}":
    parent => 'master',
    endpoints = ["${facts['fqdn']}",],
  }
}

I get an error for the certificate:

Error: Systemd start for icinga2 failed!
journalctl log for icinga2:
-- Logs begin at Wed 2021-09-15 09:36:03 CEST, end at Wed 2021-09-15 10:58:16 CEST. --
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: Starting Icinga host/service/network monitoring system...
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] information/cli: Icinga application loader (version: 2.13.1-1)
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] information/cli: Loading configuration file(s).
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] information/ConfigItem: Committing config item(s).
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/SSL: Error on bio X509 AUX reading pem file '/var/lib/icinga2/certs//c8-agent3.cern.ch.crt': 33558530, "error:02001002:system library:fopen:No such file or directory"
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/config: Error: Cannot get certificate from cert path: '/var/lib/icinga2/certs//c8-agent3.cern.ch.crt'.
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: Location: in /etc/icinga2/features-enabled/api.conf: 3:1-3:24
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(1): # This file is managed by Puppet. DO NOT EDIT.
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(2):
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(3): object ApiListener "api" {
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]:                                            ^^^^^^^^^^^^^^^^^^^^^^^^
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(4):   accept_commands = true
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(5):   accept_config = true
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/config: 1 error
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/cli: Config validation failed. Re-run with 'icinga2 daemon -C' after fixing the config.
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: icinga2.service: Main process exited, code=exited, status=1/FAILURE
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: icinga2.service: Failed with result 'exit-code'.
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: Failed to start Icinga host/service/network monitoring system.

Error: /Stage[main]/Icinga2::Service/Service[icinga2]/ensure: change from 'stopped' to 'running' failed: Systemd start for icinga2 failed!
journalctl log for icinga2:
-- Logs begin at Wed 2021-09-15 09:36:03 CEST, end at Wed 2021-09-15 10:58:16 CEST. --
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: Starting Icinga host/service/network monitoring system...
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] information/cli: Icinga application loader (version: 2.13.1-1)
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] information/cli: Loading configuration file(s).
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] information/ConfigItem: Committing config item(s).
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/SSL: Error on bio X509 AUX reading pem file '/var/lib/icinga2/certs//c8-agent3.cern.ch.crt': 33558530, "error:02001002:system library:fopen:No such file or directory"
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/config: Error: Cannot get certificate from cert path: '/var/lib/icinga2/certs//c8-agent3.cern.ch.crt'.
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: Location: in /etc/icinga2/features-enabled/api.conf: 3:1-3:24
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(1): # This file is managed by Puppet. DO NOT EDIT.
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(2):
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(3): object ApiListener "api" {
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]:                                            ^^^^^^^^^^^^^^^^^^^^^^^^
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(4):   accept_commands = true
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: /etc/icinga2/features-enabled/api.conf(5):   accept_config = true
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/config: 1 error
Sep 15 10:58:16 c8-agent3.cern.ch icinga2[11645]: [2021-09-15 10:58:16 +0200] critical/cli: Config validation failed. Re-run with 'icinga2 daemon -C' after fixing the config.
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: icinga2.service: Main process exited, code=exited, status=1/FAILURE
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: icinga2.service: Failed with result 'exit-code'.
Sep 15 10:58:16 c8-agent3.cern.ch systemd[1]: Failed to start Icinga host/service/network monitoring system.

I checked these links:
https://github.com/Icinga/puppet-icinga2

https://forge.puppet.com/modules/icinga/icinga2

But I can’t make it work. What is missing from the manifest?

Cheers,
Mike

dgoetz · September 15, 2021, 9:28am

You are using pki => 'none' indicating you want to use your own certificates, but I do not see any code to provide them. It is more likely that you want “icinga2” or “puppet” as a value here.

github.com

Icinga/puppet-icinga2/blob/master/manifests/feature/api.pp#L54-L66

    
      
          # @param [Enum['ca', 'icinga2', 'none', 'puppet']] pki
          #   Provides multiple sources for the certificate, key and ca.
          #   - puppet: Copies the key, cert and CAcert from the Puppet ssl directory to the cert directory
          #             /var/lib/icinga2/certs on Linux and C:/ProgramData/icinga2/var/lib/icinga2/certs on Windows.
          #             Please note that Puppet 7 uses an intermediate CA by default and Icinga cannot handle
          #             its CA certificate, see [Icinga Issue](https://github.com/Icinga/icinga2/pull/8859).
          #   - icinga2: Uses the icinga2 CLI to generate a Certificate Request and Key to obtain a signed
          #              Certificate from 'ca_host' using the icinga2 ticket mechanism.
          #              In case the 'ticket_salt' has been configured the ticket_id will be generated
          #              by the module in a custom function that imitates the icinga ticket generation.
          #              The 'ticket_id' parameter can be used to directly set an ticket_id.
          #   - none: Does nothing and you either have to manage the files yourself as file resources
          #           or use the ssl_key, ssl_cert, ssl_cacert parameters.

MikeKall · September 15, 2021, 9:54am

Oh I missed that completely.
Thank you very much!