Icinga2 client install without pki ticket

Hi,

Is there a way that we can have an auto-install package that will install on Windows (and why not Linux) that will have a minimum client config, but without having to manually go back on the server to do an icinga pki ticket command and give back the result to the installer…

It will save us a lot of time if we can have some ready-to-use package that we just install on any client and then just have to do some config on our main server!

EDIT: we can’t use Ansible or anything like that, 'cause most of the time the “clients” are not connected directly, so we have a “satellite” running at each site!

You could install a reverse proxy on each satellite, so the clients only need to reach their parent node (the satellite) and not the master - at least not directly.

Right now we modify the zone on each client, so that each satellite talks to each client instead of the opposite!

But when we install a new “client” we need to install Icinga on it, run the wizard and then modify the zone file, BUT we also need to connect to the master for the pki ticket command, and I would like to avoid that. This way, we can generate an installer that will do everything and skip the pki ticket…

You can skip the ticket and sign the request later on the master by using on-demand CSR signing.

I also typically use `icinga2 node setup` with parameters instead of the interactive `icinga2 node wizard`. Afterwards I only have to remove the default global zones, which make no sense on the agents; that is easily done with sed on Linux, and there should be something similar on Windows.

thanks @dgoetz !

Can you paste an example of your command with parameters?

```sh
# fetch and store the parent's certificate (PARENTIP = satellite/master address)
icinga2 pki save-cert --trustedcert /tmp/trusted.crt --host PARENTIP
# non-interactive node setup, no --ticket: the CSR is signed on the master later
icinga2 node setup --zone HOSTFQDN \
    --endpoint PARENTFQDN,PARENTIP,5665 \
    --parent_host PARENTIP,5665 \
    --parent_zone PARENTZONE \
    --listen 127.0.0.1,5665 \
    --trustedcert /tmp/trusted.crt \
    --cn HOSTFQDN \
    --accept-config \
    --accept-commands \
    --global_zones linux-agents \
    --disable-confd
# drop the default global zones from zones.conf (GNU sed; the flags are split
# because "-ie" would have been read as "-i" with the backup suffix "e")
sed -i -e "/global-templates/,+3d;/director-global/,+3d" /etc/icinga2/zones.conf
```

Please verify the result, as I copied and merged the commands from different documentations, and do not forget the certificate signing on the master using `icinga2 ca sign`.

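The ticket-less setup above, wrapped into the kind of installer-style bootstrap script the question asks for. This is an added example, not code from the thread or the Icinga project: the parent FQDN, IP and zone names are placeholders overridden via environment variables, GNU sed is assumed, and `strip_global_zones` replaces the fixed `+3` line count with deleting each whole `object Zone "..." { ... }` block.

```shell
#!/bin/sh
# Added example (not from the thread). Bootstraps an agent without a PKI ticket;
# the request is left for on-demand signing on the master (icinga2 ca sign).
# Assumes GNU sed; all names/IPs below are placeholders, override them via env.
set -eu

PARENT_FQDN="${PARENT_FQDN:-satellite1.example.com}"   # placeholder
PARENT_IP="${PARENT_IP:-192.0.2.10}"                   # placeholder (TEST-NET-1)
PARENT_ZONE="${PARENT_ZONE:-satellite1}"               # placeholder
HOST_FQDN="${HOST_FQDN:-agent1.example.com}"           # placeholder
TRUSTED_CERT="${TRUSTED_CERT:-/tmp/trusted.crt}"
ZONES_CONF="${ZONES_CONF:-/etc/icinga2/zones.conf}"

# Drop the global zones that node setup writes but an agent does not need.
# Instead of a fixed "+3" line count, delete each whole
# 'object Zone "<name>" { ... }' block, so differently formatted files still work.
strip_global_zones() {
    f="$1"; shift
    for z in "$@"; do
        sed -i "/^object Zone \"$z\"/,/^}/d" "$f"
    done
}

bootstrap() {
    # Fetch the parent's certificate; compare its fingerprint with the one
    # shown on the satellite before trusting it.
    icinga2 pki save-cert --trustedcert "$TRUSTED_CERT" --host "$PARENT_IP"
    icinga2 node setup --zone "$HOST_FQDN" \
        --endpoint "$PARENT_FQDN,$PARENT_IP,5665" \
        --parent_host "$PARENT_IP,5665" \
        --parent_zone "$PARENT_ZONE" \
        --listen 127.0.0.1,5665 \
        --trustedcert "$TRUSTED_CERT" \
        --cn "$HOST_FQDN" \
        --accept-config --accept-commands \
        --global_zones linux-agents \
        --disable-confd
    strip_global_zones "$ZONES_CONF" global-templates director-global
    icinga2 daemon -C            # validate the config before restarting
    systemctl restart icinga2
}

# Run the bootstrap only when invoked with "run", so the functions can be
# sourced (e.g. to test strip_global_zones) without a reachable parent.
if [ "${1:-}" = "run" ]; then
    bootstrap
fi
```

After the agent restarts, the pending request shows up on the master in `icinga2 ca list` and is approved with `icinga2 ca sign`, as the previous post says.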

Can you elaborate on that one?
Right now, all our satellites have a VPN tunnel too, to reach the master!