The Self Service API is exclusive to the Icinga Director.
https://icinga.com/docs/icinga-director/latest/doc/74-Self-Service-API/#windows-agents
https://icinga.com/docs/icinga-director/latest/doc/70-REST-API/#self-service-api
Here is some of my code to get you started:
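# 2. install icinga and plugins
# Installs curl plus version-pinned icinga2 and linuxfabrik-monitoring-plugins
# packages, then holds both so unattended upgrades cannot move the agent to an
# incompatible version.
# NOTE: held packages also stop receiving security updates automatically;
# bump ICINGA_VERSION / MONITORING_PLUGINS_VERSION deliberately when fixes ship.

# refresh repos
apt-get update

# make packages installable (a previous run may have left them on hold)
apt-mark unhold icinga2 linuxfabrik-monitoring-plugins

# install packages; the version pins are quoted so an empty or odd value
# cannot split into extra apt-get arguments
apt-get install -y \
  curl \
  "icinga2=${ICINGA_VERSION}${VERSION_ID}" \
  "linuxfabrik-monitoring-plugins=${MONITORING_PLUGINS_VERSION}"

# prevent updates to incompatible versions
apt-mark hold icinga2 linuxfabrik-monitoring-plugins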
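# 3. get key from director
# Exchanges the host-template API key (DIRECTOR_KEY) for a per-host
# self-service API key, then exchanges that key for an Icinga 2 PKI ticket.
# If the Director answers with an error (or nothing at all), the values saved
# by an earlier run in HOST_KEY_FILE / TICKET_FILE are used instead.
#
# Security notes:
# - Both API keys are sent in the URL query string. ICINGA_URL should be an
#   https:// URL so they are not sent in cleartext, and query strings
#   typically end up in web-server access logs.
# - The keys are also passed on curl's command line, where other local users
#   may be able to read them while curl runs.
# - FQDN and the keys are not URL-encoded; this assumes they contain only
#   URL-safe characters - TODO confirm.

# Escape backslashes and double quotes so the values cannot break out of the
# JSON string they are embedded in.
display_name_json=${DISPLAY_NAME//\\/\\\\}
display_name_json=${display_name_json//\"/\\\"}
address_json=${IP//\\/\\\\}
address_json=${address_json//\"/\\\"}
printf -v register_payload '{\n"display_name": "%s",\n"address": "%s"\n}' \
  "$display_name_json" "$address_json"

# use HOST Template API Key to create host and get self-service Host API Key
HOST_KEY=$(curl --request POST \
  --url "${ICINGA_URL}/icingaweb2/director/self-service/register-host?name=${FQDN}&key=${DIRECTOR_KEY}" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --data "$register_payload"
)
# remove surrounding double quotes
HOST_KEY="${HOST_KEY%\"}"
HOST_KEY="${HOST_KEY#\"}"

# An empty reply (curl could not reach the Director) counts as a failure too;
# otherwise an empty key would be used and later written over a saved one.
# On failure, fall back to the host key saved in HOST_KEY_FILE.
if [[ -z $HOST_KEY || $HOST_KEY == *"error"* ]]; then
  if [ -f "${HOST_KEY_FILE}" ]; then
    HOST_KEY=$(<"${HOST_KEY_FILE}")
  else
    echo -e '\033[0;31mError: could not create or load host key for self service ticket API to get Cert signed by Icinga PKI!'
    echo -e 'Remove host from director or check self service token of director host-template.\033[0m'
    exit 1
  fi
fi

# use Host API Key to get Icinga2 PKI ticket
ICINGA_TICKET=$(curl --request GET \
  --url "${ICINGA_URL}/icingaweb2/director/self-service/ticket?key=${HOST_KEY}" \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json'
)
# remove surrounding double quotes
ICINGA_TICKET="${ICINGA_TICKET%\"}"
ICINGA_TICKET="${ICINGA_TICKET#\"}"

# Same failure handling as above: on an error or empty reply, fall back to
# the ticket saved in TICKET_FILE.
if [[ -z $ICINGA_TICKET || $ICINGA_TICKET == *"error"* ]]; then
  if [ -f "${TICKET_FILE}" ]; then
    ICINGA_TICKET=$(<"${TICKET_FILE}")
  else
    echo -e '\033[0;31mError: could not create or load ticket to get Cert signed by Icinga PKI!'
    echo -e 'Remove host from director or check self service token of director host-template.\033[0m'
    exit 1
  fi
fi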
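# 4. Setup Icinga2 Agent
# Stores the host key, fetches the master's certificate, verifies it against
# the expected FINGERPRINT, and only then runs `icinga2 node setup` with that
# certificate as the trust anchor.

# make sure the directory /var/lib/icinga2/certs exists and has the correct permissions
install --owner=nagios \
  --group=nagios \
  --mode=700 \
  --directory /var/lib/icinga2/certs

# save host key
# NOTE(review): the file is created with the current umask; if HOST_KEY_FILE
# lives outside the 0700 certs directory, restrict its mode explicitly.
printf '%s\n' "$HOST_KEY" > "$HOST_KEY_FILE"

# The fingerprint comparison below is the only thing that authenticates the
# master. An empty FINGERPRINT would turn the pattern into "**", which matches
# any output, so refuse to continue instead of silently trusting the peer.
if [[ -z ${FINGERPRINT:-} ]]; then
  echo -e "\033[0;31mError: FINGERPRINT is not set; refusing to trust the fetched master certificate.\033[0m"
  exit 1
fi

# save PKI cert from Icinga config master
# fd3 will preserve output to stdout while capturing stdout for later checking of fingerprint
{ PKI_OUTPUT=$(icinga2 pki save-cert \
  --host "$ICINGA_MASTER1" \
  --port 5665 \
  --key local.key \
  --cert local.crt \
  --trustedcert /var/lib/icinga2/certs/master.crt | tee /dev/fd/3 ); } 3>&1

# FINGERPRINT is quoted so it is compared literally, not as a glob pattern.
# This is a substring match: FINGERPRINT should be the complete fingerprint in
# exactly the format `icinga2 pki save-cert` prints it.
if [[ $PKI_OUTPUT == *"${FINGERPRINT}"* ]]; then
  echo "Icinga PKI: fingerprint matched"
else
  # do not leave an unverified certificate where a later run could pick it up
  rm -f -- /var/lib/icinga2/certs/master.crt
  echo -e "\033[0;31mError: Icinga PKI fingerprint didn't match! Man in the middle attack?\033[0m"
  exit 1
fi

# execute icinga2 node setup
# --accept-config / --accept-commands let the parent push configuration to
# this agent and run commands on it, which is why the certificate check above
# must pass before this point.
# NOTE(review): --zone is set to ICINGA_MASTER1 while --cn is the agent FQDN;
# confirm the local zone name is intended to be the master's name.
icinga2 node setup --zone "$ICINGA_MASTER1" \
  --endpoint "${ICINGA_MASTER1},${ICINGA_MASTER1},5665" \
  --endpoint "${ICINGA_MASTER2},${ICINGA_MASTER2},5665" \
  --parent_host "${ICINGA_MASTER1},5665" \
  --parent_zone master \
  --cn "$FQDN" \
  --accept-config \
  --accept-commands \
  --disable-confd \
  --trustedcert /var/lib/icinga2/certs/master.crt \
  --ticket "$ICINGA_TICKET"

# enable the icinga2 service
systemctl enable --now icinga2.service
# restart the icinga2 service to ensure new configuration is enabled
systemctl restart icinga2.service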
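# 5. Install sudoers file for monitoring-plugins
# The snippet is written to a temporary file and syntax-checked with visudo
# before it is installed: a sudoers file with a syntax error can make sudo
# refuse to run for every user on the host.
sudoers_tmp=$(mktemp) || exit 1
printf '%s\n' "$LINUXFABRIK_SUDOERS" > "$sudoers_tmp"
if visudo -c -f "$sudoers_tmp"; then
  # install sets the final mode at creation, so the file never exists at the
  # destination with looser permissions
  install --mode=0640 -- "$sudoers_tmp" "$LINUXFABRIK_SUDOERS_PATH"
  rm -f -- "$sudoers_tmp"
else
  rm -f -- "$sudoers_tmp"
  echo -e '\033[0;31mError: sudoers file for monitoring-plugins failed the visudo syntax check; not installed.\033[0m'
  exit 1
fi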