I am a big fan of passive checks, e.g. a gitlab-runner docker container sending the result of stuff. So I am using the icinga2 REST API to submit check results.
The point now is that I'd like to further tighten login credential "distribution" in the infrastructure. So basically I'd like to have an api user per agent host being able to submit only results for THAT host's services, typically only on that host's icinga2 agent.
Does anyone have a nice automated solution for this? I guess I can't generate api-users with the icinga2 DSL using some "secret" to be combined with the hostname, sha1, base64 to generate a password.
Or am I just too paranoid or thinking in the wrong direction?
first things first:
limit the rights of the user with the permissions entry, if not already done
permissions = [ "actions/process-check-result" ]
One idea:
write a script that reads the icinga hosts with the icinga api and creates a passive-api-users.conf with the content; you can choose how to generate your password.
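The generator script suggested above, as an added example written for this thread rather than code from the original posters or the Icinga project: it derives one password per host from a deployment secret with HMAC-SHA256 (instead of the sha1-of-secret-plus-hostname idea from the question, which is extendable and reveals more about the secret), and restricts each ApiUser to actions/process-check-result with a filter on host.name so a compromised agent cannot submit results for any other host. The API URL, CA file, credentials and the demo host names are assumptions; the main block uses a constructed host list so it runs offline, and fetch_host_names is the piece you would call against a real instance.

```python
"""Generate per-host passive ApiUser objects for Icinga 2 (added example).

Derives one API password per host from a deployment secret with HMAC-SHA256
and limits each user to submitting check results for that host only.
"""
import base64
import hashlib
import hmac
import json
import re
import ssl
import urllib.request

# Host names are interpolated into the DSL, so accept only a conservative
# character set; this rules out quote/brace injection into the generated config.
_HOSTNAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")


def fetch_host_names(api_url, user, password, ca_file):
    """Query GET /v1/objects/hosts and return the list of host names.

    api_url, user, password and ca_file are deployment-specific assumptions.
    """
    req = urllib.request.Request(
        f"{api_url}/v1/objects/hosts?attrs=name",
        headers={"Accept": "application/json"},
    )
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req.add_header("Authorization", f"Basic {token}")
    ctx = ssl.create_default_context(cafile=ca_file)  # verify the Icinga CA
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        data = json.load(resp)
    return [entry["attrs"]["name"] for entry in data["results"]]


def derive_password(secret: bytes, host_name: str) -> str:
    """Deterministic per-host password: hex(HMAC-SHA256(secret, host_name)).

    One host's password reveals nothing about the secret or other hosts'
    passwords, and the same secret regenerates the file identically.
    """
    return hmac.new(secret, host_name.encode(), hashlib.sha256).hexdigest()


def render_api_user(secret: bytes, host_name: str) -> str:
    """Render one ApiUser limited to process-check-result for host_name."""
    if not _HOSTNAME_RE.match(host_name):
        raise ValueError(f"refusing to render unsafe host name: {host_name!r}")
    return (
        f'object ApiUser "passive-{host_name}" {{\n'
        f'  password = "{derive_password(secret, host_name)}"\n'
        f'  permissions = [\n'
        f'    {{\n'
        f'      permission = "actions/process-check-result"\n'
        f'      filter = {{{{ host.name == "{host_name}" }}}}\n'
        f'    }}\n'
        f'  ]\n'
        f'}}\n'
    )


def render_config(secret: bytes, host_names) -> str:
    """Render the whole passive-api-users.conf for a list of host names."""
    header = "// generated: per-host passive check-result users\n\n"
    users = (render_api_user(secret, h) for h in sorted(set(host_names)))
    return header + "\n".join(users)


if __name__ == "__main__":
    # Constructed sample input; for real use: host_names = fetch_host_names(...)
    demo_secret = b"replace-with-a-long-random-deployment-secret"
    demo_hosts = ["agent01.example.org", "agent02.example.org"]
    print(render_config(demo_secret, demo_hosts))
```

Run it on the master, drop the output into conf.d (or zones.d for the relevant zone) and reload; each agent then only needs its own derived password, and the same secret regenerates the file whenever hosts are added. The filter applies to both host and service results, since for a Service object the permission filter still exposes the owning host as host.
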
The certificate with CN=<hostname> is the agent certificate. However, the very task was to have a per-host API user (or, more precisely, per-agent certificate API user). What could we use instead of API (and API user) to push data to Icinga?