Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Additional icingaweb2 user creation feature #230

Open
wants to merge 19 commits into
base: main
Choose a base branch
from
Open
Show file tree
Hide file tree
Changes from 18 commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 10 additions & 2 deletions CHANGELOG.rst
Original file line number Diff line number Diff line change
Expand Up @@ -5,13 +5,21 @@ Icinga.Icinga Release Notes
.. contents:: Topics


v0.3.1
v0.3.2
======

Release Summary
---------------

This is a bugfix release
Bugfix Release

Bugfixes
--------

- Role repos: Fix bug in variable search - thanks to @gianmarco-mameli #224

v0.3.1
======

Major Changes
-------------
Expand Down
9 changes: 9 additions & 0 deletions changelogs/changelog.yaml
Original file line number Diff line number Diff line change
Expand Up @@ -110,3 +110,12 @@ releases:
- trivial_naming_tasks.yml
- trivial_wrong_variable_name.yml
release_date: '2023-11-21'
0.3.2:
changes:
bugfixes:
- 'Role repos: Fix bug in variable search - thanks to @gianmarco-mameli #224'
release_summary: Bugfix Release
fragments:
- bugfix_variable_search.yml
- release.yml
release_date: '2023-11-30'
3 changes: 3 additions & 0 deletions changelogs/fragments/feature-add-icingaweb2-users.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
---
minor_changes:
- Added the ability to create additional Icinga Web 2 users
40 changes: 39 additions & 1 deletion doc/getting-started.md
Original file line number Diff line number Diff line change
@@ -1,11 +1,19 @@
### Getting Started

The collection includes two roles in the current version.
The collection includes six roles in the current version.

* icinga.repos: Role to manage repositories
* [Documentation: doc/role-repos](role-repos/role-repos.md)
* icinga.icinga2: Role to install and manage Icinga 2 instances.
* [Documentation: doc/role-icinga2](role-icinga2/role-icinga2.md)
* icinga.icingadb: Role to install and manage IcingaDB, Icinga2's new data backend.
* [Documentation: doc/role-icingadb](role-icingadb/role-icingadb.md)
* icinga.icingadb_redis: Role to install and manage Redis, IcingaDB's cache backend.
* [Documentation: doc/role-icingadb_redis](role-icingadb_redis/role-icingadb_redis.md)
* icinga.icingaweb2: Role to install and manage Icinga Web 2.
* [Documentation: doc/role-icingaweb2](role-icingaweb2/role-icingaweb2.md)
* icinga.monitoring_plugins: Role to install and manage Icinga2 compatible monitoring plugins.
* [Documentation: doc/role-monitoring_plugins](role-monitoring_plugins/role-monitoring_plugins.md)


---
Expand Down Expand Up @@ -39,6 +47,36 @@ ansible-galaxy collection build ansible-collection-icinga
ansible-galaxy collection install icinga-icinga-0.3.0.tar.gz
```

## Databases

Icinga2 relies on relational databases for many parts of its functionality. **None** of those databases get installed by the roles. You need to install and configure them yourself. For doing so, there are many ways available, e.g. the Ansible role [geerlingguy.mysql](https://galaxy.ansible.com/geerlingguy/mysql) for MySQL flavours (both MySQL and MariaDB) or [geerlingguy.postgresql](https://galaxy.ansible.com/geerlingguy/postgresql) for PostGresQL:

```yaml
- name: Configure databases for Icinga2
hosts: database
vars:
mysql_databases:
- name: icingadb
- name: icingaweb
- name: vspheredb
encoding: utf8mb4
collation: utf8mb4_unicode_ci
- name: director
mysql_users:
- name: icingadb-user
host: localhost
password: icingadb-password
priv: "icingadb.*:ALL"
[...]
roles:
- role: geerlingguy.mysql
```

> [!NOTE]
> Schema migrations needed for the respective Icinga components to work will be handled either by the respective roles or by the Icinga components themselves.



## Example Playbooks

This is an example on how to install an Icinga 2 server/master instance.
Expand Down
7 changes: 6 additions & 1 deletion doc/role-icingadb/role-icingadb.md
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,12 @@ This role installs and configures the IcingaDB daemon. In addition it can also i
It serves as the official, more performant successor to Icinga IDO. More information about its purpose and design can be found [in the official documentation](https://icinga.com/docs/icinga-db/latest/doc/01-About/).


> :information_source: In many scenarios you want to install the [icingadb_redis role](../role-icingadb_redis/) together with this role. It is part of this collection, too.
> [!TIP]
> In many scenarios you want to install the [icingadb_redis role](../role-icingadb_redis/) together with this role. It is part of this collection, too.

## Database

IcingaDB relies on a relational database to persist received data. This database **won't** be created by this role - you need to deploy and configure one in advance. For more information, see the [Databases](../getting-started.md#databases) section in the getting started guide.

## Variables

Expand Down
95 changes: 95 additions & 0 deletions doc/role-icingaweb2/module-x509.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,95 @@
## Module x509

### Variables and Configuration

The general module parameter like `enabled` and `source` can be applied here.

| Variable | Value |
|----------|------------|
| enabled | true/false |
| source | package |

#### Section configuration

The backend database for the module needs to be available and configured at the `icingaweb2_resources` variable.

```
icingaweb2_modules:
x509:
source: package
enabled: true
config:
backend:
resource: x509
```

#### Configure SNI Names.

To configure SNIs for a IP address, use the dictionary `sni`.

Example:

```
icingaweb2_modules:
x509:
source: package
enabled: true
config:
backend:
resource: x509
sni:
192.168.56.213:
hostnames:
- icinga.com
- test2.icinga.com
```

#### Import Certificates

To import certificates use the **list** `certificate_files` all files need to be
available locally beforehand.

```
icingaweb2_modules:
x509:
source: package
enabled: true
config:
backend:
resource: x509
certificate_files:
- /etc/ssl/certs/ca-certificates.crt
```

#### Database Schema Setup

To import the database schema use `database` dictionary with the following variables.

| Variable | Type | Description | Default |
|----------|------|-------------|---------|
| `import_schema` | `Boolean` | Defines wether the schema will be imported or not. | false |
| `host` | `String` | Defines database address to connect to. | `localhost` |
| `port` | `int` | Defines the database port to connect to. | `3306` or `5432` |
| `user` | `string` | Defines database user | `x509` |
| `name` | `String` | Defines the database to connect to. | `x509` |
| `password` | `String` | Defines the database password to connect with. | OMITTED |
| `ssl_mode` | `String` | Clients attempt to connect using encryption, falling back to an unencrypted connection if an encrypted connection cannot be established |**n/a** |
|`ssl_ca`| `String`| Defines the path to the ca certificate for client authentication. | **n/a** |
|`ssl_cert`|`String`| Defines the path to the certificate for client authentication. | **n/a** |
|`ssl_key`| `String` | Defines the path to the certificate key for client key authentication. | **n/a** |
|`ssl_cipher`|`String`| Ciphers for the client authentication. | **n/a** |
|`ssl_extra_options`|`String`| Extra options for the client authentication. | **n/a** |


```
icingaweb2_modules:
x509:
source: package
enabled: true
database:
import_schema: true
host: localhost
port: 3306
user: x509
password: secret
```
18 changes: 17 additions & 1 deletion doc/role-icingaweb2/role-icingaweb2.md
Original file line number Diff line number Diff line change
Expand Up @@ -7,6 +7,10 @@ The role icingaweb2 installs and configures Icinga Web 2 and its modules.
* [IcingaDB](./module-icingadb.md)
* [Monitoring](./module-monitoring.md)

## Databases

Icingaweb2 and some of its modules rely on a relational database to persist data. These databases **won't** be created by this role - you need to deploy and configure them in advance. For more information, see the [Databases](../getting-started.md#databases) section in the getting started guide.

## Variables

### Icinga Web 2 DB Configuration
Expand All @@ -25,8 +29,20 @@ icingaweb2_db:
* `icingaweb2_db_import_schema: boolean`
* Decides whether the schema should be imported in the database defined at `icingaweb2_db`. **Default: False**

* `icingaweb2_admin_<username|password>: string`
* `icingaweb2_admin_<username|password|recreate>: string`
* Set the username and password for the first admin user for Icinga Web 2.
* Recreate can be used to change password of admin. **Default:False**
losten-git marked this conversation as resolved.
Show resolved Hide resolved

In addition to the Icinga Web 2 Admin, other users can be configured by defining `icingaweb2_users`.
The `recreate` parameter can be used to change passwords or to enable the user if he has been disabled. **Default: False**
```
icingaweb2_users:
- username: 'foo'
password: 'bar'
recreate: true
- username: webadmin
[...]
```

#### Resources

Expand Down
2 changes: 1 addition & 1 deletion galaxy.yml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
namespace: icinga
name: icinga
version: 0.3.1
version: 0.3.2
readme: README.md
authors:
- Lennart Betz <[email protected]>
Expand Down
10 changes: 7 additions & 3 deletions molecule/default/converge.yml
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,11 @@
host: 127.0.0.1
user: icingaweb
password: icingaweb
icingaweb2_database_import_schema: false
icingaweb2_database_import_schema: true
icingaweb2_users:
- username: webadmin
password: webadmin
recreate: false
icingadb_database_import_schema: false
mysql_innodb_file_format: barracuda
mysql_innodb_large_prefix: 1
Expand Down Expand Up @@ -83,8 +87,8 @@
pre_tasks:
- ansible.builtin.include_role:
name: repos
# - ansible.builtin.include_role:
# name: geerlingguy.mysql
- ansible.builtin.include_role:
name: geerlingguy.mysql
- ansible.builtin.include_role:
name: icinga2
- ansible.builtin.include_role:
Expand Down
12 changes: 10 additions & 2 deletions roles/icingaweb2/tasks/main.yml
Original file line number Diff line number Diff line change
Expand Up @@ -25,8 +25,8 @@
ansible.builtin.include_tasks: "manage_icingaweb_config.yml"

- name: Manage Icinga Web 2 DB
ansible.builtin.include_tasks: "manage_icingaweb_{{ icingaweb2_db.type }}_db.yml"
when: icingaweb2_db is defined
ansible.builtin.include_tasks: "manage_db.yml"
when: icingaweb2_db is defined and (icingaweb2_db_import_schema | default(False) or icingaweb2_users is defined or icingaweb2_admin_username is defined)

- name: Configure modules
ansible.builtin.include_tasks: "modules/{{ item.key }}.yml"
Expand All @@ -43,3 +43,11 @@
force: yes
when: icingaweb2_modules is defined
loop: "{{ icingaweb2_modules | dict2items }}"

# Many daemons fail before e.g. the resource is set up or the schema hasn't been migrated. This is a workaround.
- name: Manage enabled module daemons
ansible.builtin.service:
name: "icinga-{{ item.key }}"
state: restarted
when: icingaweb2_modules is defined and item.value.enabled|bool == true and item.key in ['vspheredb', 'x509']
loop: "{{ icingaweb2_modules | dict2items }}"
29 changes: 29 additions & 0 deletions roles/icingaweb2/tasks/manage_db.yml
Original file line number Diff line number Diff line change
@@ -0,0 +1,29 @@
---

- name: Prepare database
ansible.builtin.include_tasks: "{{ icingaweb2_db.type }}/prepare_db.yml"
when: icingaweb2_db is defined

- name: Import database schema
ansible.builtin.include_tasks: "{{ icingaweb2_db.type }}/import_db.yml"
when: icingaweb2_db_import_schema | default(False)

- name: Add admin to users list when users is defined
ansible.builtin.set_fact:
icingaweb2_users: '{{ icingaweb2_users + [{"username": "{{ icingaweb2_admin_username }}", "password": "{{ icingaweb2_admin_password }}", "recreate": "{{ icingaweb2_admin_recreate is defined }}" }]}}'
when: icingaweb2_admin_username is defined and icingaweb2_admin_password is defined and icingaweb2_users is defined

- name: Add Icinga web 2 users
ansible.builtin.include_tasks: "{{ icingaweb2_db.type }}/users_db.yml"
loop: "{{ icingaweb2_users }}"
loop_control:
loop_var: _users
when: icingaweb2_users is defined

- name: Add Icingaweb2 admin
ansible.builtin.include_tasks: "{{ icingaweb2_db.type }}/users_db.yml"
loop:
- { username: '{{ icingaweb2_admin_username }}', password: '{{ icingaweb2_admin_password }}', recreate: '{{ icingaweb2_admin_recreate is defined }}' }
loop_control:
loop_var: _users
when: icingaweb2_admin_username is defined and icingaweb2_admin_password and icingaweb2_users is undefined
losten-git marked this conversation as resolved.
Show resolved Hide resolved
70 changes: 0 additions & 70 deletions roles/icingaweb2/tasks/manage_icingaweb_mysql_db.yml

This file was deleted.

Loading