Adding multi-master to Icinga2 Formula

Adding baseline for multi-master to Icinga2 formula

icinga2/master.sls

@@ -1,5 +1,7 @@
 include:
+{% if icinga2.salt_master_ca is False %}
   - icinga2.pki.master
+{% endif %}
   - icinga2.config
   - icinga2.features
 
@@ -7,5 +9,7 @@ extend:
   icinga2_api_enable:
     file:
       - require:
+        {% if icinga2.salt_master_ca is False %}
         - x509: icinga2_node_ca_cert
+        {% endif %}
         - x509: icinga2_node_cert

icinga2/os_family.yaml

@@ -5,5 +5,16 @@ Debian:
   repo_file: /etc/apt/sources.list.d/icinga2.list
   config_dir: /etc/icinga2
   ca_dir: /var/lib/icinga2/ca
-  pki_dir: /etc/icinga2/pki
+  ca_trusted_root_cert: {{ pillar.salt.ca.trusted_cert_root_debian }}/ca_{{ pillar.salt.domain }}.crt
+  salt_master_ca: True
+  pki_dir: /var/lib/icinga2/certs
+  pki_pkg: python-m2crypto
+CentOS:
+  user: icinga2
+  group: icinga2
+  config_dir: /etc/icinga2
+  ca_dir: /var/lib/icinga2/ca
+  ca_trusted_root_cert: pillar.salt.ca.trusted_cert_root_centos }}/ca_{{ pillar.salt.domain }}.crt
+  salt_master_ca: True
+  pki_dir: /var/lib/icinga2/certs
   pki_pkg: python-m2crypto

icinga2/pki/node.sls

@@ -1,6 +1,9 @@
 {% from 'icinga2/map.jinja' import icinga2 with context %}
 
 include:
+{% if icinga2.salt_master_ca is True %}
+  - icinga2.salt_master_ca_cert
+{% else %}
   - icinga2.pki.cert
 
 # Get master certificate from mine
@@ -18,3 +21,5 @@ icinga2_node_master_cert_perms:
     - group: {{icinga2.group}}
     - watch:
       - x509: icinga2_node_master_cert
+
+{% endif %}

icinga2/pki/salt_master_ca_cert.sls

@@ -0,0 +1,50 @@
+{% from 'icinga2/map.jinja' import icinga2 with context %}
+{% set fqdn = salt.grains.get('fqdn') %}
+
+# TODO: Import salt_settings same as other modules at Lexicon
+#       for things like salt_settings.ca.host and
+#       salt_settings.ca.policy
+
+include:
+  - icinga2.pki
+
+# Get ca certificate from mine
+icinga2_node_ca_cert:
+  file.symlink:
+    - name: {{ icinga2.pki_dir }}/ca.crt
+    - target: {{ icinga2.ca_trusted_root_cert }}
+    - require:
+      - file: icinga2_pki_dir
+
+icinga2_node_cert:
+  x509.certificate_managed:
+    - name: {{ icinga2.pki_dir }}/{{ fqdn }}.crt
+    - ca_server: {{ salt_settings.ca.host }}
+    - signing_policy: {{ salt_settings.ca.policy }}
+    - public_key: {{ icinga2.pki_dir }}/{{ fqdn }}.key
+    - CN: {{ fqdn }}
+    - days_remaining: 30
+    - backup: True
+    - managed_private_key:
+        name: {{ icinga2.pki_dir }}/{{ fqdn }}.key
+        bits: 4096
+        backup: True
+    - require:
+      - file: icinga2_pki_dir
+
+icinga2_node_key_perms:
+  file.managed:
+    - name: {{ icinga2.pki_dir }}/{{ fqdn }}.key
+    - user: {{ icinga2.user }}
+    - group: {{ icinga2.group }}
+    - mode: 600
+    - watch:
+      - x509: icinga2_node_cert
+
+icinga2_node_cert_perms:
+  file.managed:
+    - name: {{ icinga2.pki_dir }}/{{ fqdn }}.crt
+    - user: {{ icinga2.user }}
+    - group: {{ icinga2.group }}
+    - watch:
+      - x509: icinga2_node_cert

icinga2/templates/api.conf.jinja

@@ -2,11 +2,10 @@
 {% set fqdn = salt.grains.get('fqdn') -%}
 
 object ApiListener "api" {
-  cert_path = SysconfDir + "/icinga2/pki/" + NodeName + ".crt"
-  key_path = SysconfDir + "/icinga2/pki/" + NodeName + ".key"
-  ca_path = SysconfDir + "/icinga2/pki/ca.crt"
-  {% if fqdn != icinga2.master_fqdn -%}
+  cert_path = "{{ icinga2.pki_dir }}/{{ fqdn }}.crt"
+  key_path = "{{ icinga2.pki_dir }}/{{ fqdn }}.key"
+  ca_path = "{{ icinga2.pki_dir }}/ca.crt"
+
   accept_config = true
   accept_commands = true
-  {% endif -%}
 }

icinga2/templates/zones.conf.jinja

@@ -1,23 +1,36 @@
 {%- from 'icinga2/map.jinja' import icinga2 with context %}
 {%- set fqdn = salt.grains.get('fqdn') -%}
 
-{% if fqdn != icinga2.master_fqdn -%}
-object Endpoint "{{icinga2.master_fqdn}}" {
-  host = "{{icinga2.master_fqdn}}"
-  port = "5665"
+{% if icinga2.get("parent_zone") is not None -%}
+object Zone "{{ icinga2.get("parent_zone") }}" {
+    endpoints = [
+        {{ icinga2.parent_endpoints }}
+    ]
 }
+{% endif -%}
 
-object Zone "master" {
-  endpoints = [ "{{icinga2.master_fqdn}}" ]
+object Zone "{{ icinga2.get("zone", fqdn) }}" {
+    {% if icinga2.get("parent_zone") is not None %}parent = "{{ icinga2.get("parent_zone") }}"{% endif -%}
+    endpoints = [
+        "{{ fqdn }}"
+    ]
 }
-{%- endif %}
 
-object Endpoint NodeName {
+object Endpoint "{{ fqdn }}" {
 }
 
-object Zone ZoneName {
-  endpoints = [ NodeName ]
-  {% if fqdn != icinga2.master_fqdn -%}
-  parent = "master"
-  {%- endif %}
+{% if icinga2.get("parent_endpoints") is not None -%}
+{% for parent_endpoint in icinga2.get("parent_endpoints") -%}
+object Endpoint "{{ parent_endpoint }}" {
+}
+{% endfor -%}
+{% endif -%}
+
+/* sync global commands */
+object Zone "global-templates" {
+  global = true
+}
+
+object Zone "director-global" {
+  global = true
 }