diff --git a/charts/icinga-stack/charts/icinga2/templates/_core_config.tpl b/charts/icinga-stack/charts/icinga2/templates/_core_config.tpl index fa5aea9..0b2e305 100644 --- a/charts/icinga-stack/charts/icinga2/templates/_core_config.tpl +++ b/charts/icinga-stack/charts/icinga2/templates/_core_config.tpl @@ -3,7 +3,7 @@ const PluginDir = "/usr/lib/nagios/plugins" const ManubulonPluginDir = "/usr/lib/nagios/plugins" const PluginContribDir = "/usr/lib/nagios/plugins" -const NodeName = {{ .Values.config.node_name | quote }} +const NodeName = getenv("ICINGA_CN") const ZoneName = {{ .Values.config.zone_name | quote }} const TicketSalt = getenv("ICINGA_TICKET_SALT") 
@@ -17,17 +17,58 @@ include include "features-enabled/*.conf" {{- if .Values.features.api.enabled }} include "api-users.conf" -{{- end}} +{{- end }} -// zones.conf -object Endpoint NodeName { - host = {{ include "icinga2.fullname" . | quote }} - port = 5665 +{{ $all_endpoints := list -}} +{{- if .Values.config.create_endpoints -}} +// Define endpoints in our own zone (autogenerated) +{{- range $i := until (.Values.replicas | int) }} +{{- $node_name := printf "%s-%d" (include "icinga2.fullname" $) $i }} +{{- $all_endpoints = append $all_endpoints $node_name -}} +{{- $service_name := printf "%s-%d" (include "icinga2.fullname" $) $i }} +object Endpoint {{ $node_name | quote }} { + host = {{ $service_name | quote }} + port = {{ $.Values.service.port }} } - +{{- end }} object Zone ZoneName { - endpoints = [ NodeName ] + endpoints = {{ toJson $all_endpoints }} +} +{{- end }} + +// Define all custom endpoints +{{- range $endpoint := .Values.config.endpoints | default list }} +{{- if not (has $endpoint.name $all_endpoints) }} +object Endpoint {{ $endpoint.name | quote }} { + {{- if $endpoint.host }} + host = {{ $endpoint.host | quote }} + {{- end }} + {{- if $endpoint.port }} + port = {{ $endpoint.port }} + {{- end }} + {{- if $endpoint.log_duration }} + log_duration = {{ $endpoint.log_duration | quote }} + {{- end }} +} +{{- end }} +{{- end }} + +// Define all custom endpoints +{{- range $zone := .Values.config.zones | default list }} +object Zone {{ $zone.name | quote }} { + {{- if $zone.endpoints }} + endpoints = {{ toJson $zone.endpoints }} + {{- end }} + {{- if $zone.parent }} + parent = {{ $zone.parent | quote }} + {{- end }} + {{ if $zone.global | default false -}} + global = true + {{- else -}} + global = false + {{- end }} } +{{- end }} object Zone "global-templates" { global = true diff --git a/charts/icinga-stack/charts/icinga2/templates/_env_secrets.tpl b/charts/icinga-stack/charts/icinga2/templates/_env_secrets.tpl index cd1d20a..1d20550 100644 
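Review bot: The heading above the zones loop, `// Define all custom endpoints`, is copied from the endpoints loop and should read `// Define all custom zones`. `$service_name` is built with exactly the same `printf` as `$node_name` a line earlier, so one variable is enough unless the Service name is meant to diverge later, in which case a named helper would make that intent visible. A custom endpoint whose `name` collides with an autogenerated one is dropped silently by the `has` check; a `{{ fail }}` or an emitted `// skipped` comment would surface the collision instead of producing a zone that quietly lacks that endpoint. The autogenerated names `fullname-N` only line up with the `ICINGA_CN` each pod reads from its `statefulset.kubernetes.io/pod-name` label if the StatefulSet's metadata.name is the same `icinga2.fullname`, which this hunk cannot confirm.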
--- a/charts/icinga-stack/charts/icinga2/templates/_env_secrets.tpl +++ b/charts/icinga-stack/charts/icinga2/templates/_env_secrets.tpl @@ -11,7 +11,7 @@ {{ fail "Icinga TicketSalt not set. Either set .Values.config.ticket_salt.value or .Values.config.ticket_salt.credSecret and .Values.config.ticket_salt.secretKey" }} {{- end }} {{- range $user, $settings := .Values.global.api.users }} -{{- if ne $user "credSecret" }} # skip credSecret key +{{- if and (ne $user "credSecret") $settings.enabled }} # skip credSecret key and disabled users - name: {{ print "ICINGA_" $user "_API_PASSWORD" | upper }} {{- if and $settings.password $settings.password.value }} value: {{ $settings.password.value | quote }} diff --git a/charts/icinga-stack/charts/icinga2/templates/configmaps.yaml b/charts/icinga-stack/charts/icinga2/templates/configmaps.yaml index 144fcd1..988e79e 100644 --- a/charts/icinga-stack/charts/icinga2/templates/configmaps.yaml +++ b/charts/icinga-stack/charts/icinga2/templates/configmaps.yaml @@ -11,7 +11,7 @@ data: {{- if .Values.features.api.enabled }} api-users.conf: | {{- range $user, $settings := .Values.global.api.users }} - {{- if ne $user "credSecret" }} # skip key credSecret + {{- if and (ne $user "credSecret") $settings.enabled }} # skip credSecret key and disabled users {{- $permissions := $settings.permissions | default (list "*") }} object ApiUser {{ $user | quote }} { password = getenv("{{ print "ICINGA_" $user "_API_PASSWORD" | upper }}") diff --git a/charts/icinga-stack/charts/icinga2/templates/service.yaml b/charts/icinga-stack/charts/icinga2/templates/service.yaml index 7ffcfba..d933149 100644 --- a/charts/icinga-stack/charts/icinga2/templates/service.yaml +++ b/charts/icinga-stack/charts/icinga2/templates/service.yaml @@ -1,3 +1,4 @@ +--- apiVersion: v1 kind: Service metadata: 
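Review bot: The added `$settings.enabled` test also skips any user whose entry has no `enabled` key, because a missing key evaluates to nil and therefore false, so existing values files that only set a password lose their API users with no error; the configmaps.yaml hunk below applies the same check to `api-users.conf`. Sprig's `default` cannot express "absent means enabled" here, since `false | default true` is true (false counts as empty), so the backward-compatible form is `{{- if and (ne $user "credSecret") (or (not (hasKey $settings "enabled")) $settings.enabled) }}` in both templates, or alternatively a values.yaml note that `enabled: true` is now required. Note that the `and` only stays safe for the `credSecret` entry, whose `$settings` is a string rather than a map, because Go templates short-circuit `and` since Go 1.18; a Helm built against an older Go would fail on `$settings.enabled` there.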
@@ -12,4 +13,23 @@ spec: protocol: TCP name: api selector: - {{- include "icinga2.selectorLabels" . | nindent 4 }} \ No newline at end of file + {{- include "icinga2.selectorLabels" . | nindent 4 }} +{{- range $i := until (.Values.replicas | int) }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "icinga2.fullname" $ }}-{{ $i }} + labels: + {{- include "icinga2.labels" $ | nindent 4 }} +spec: + type: {{ $.Values.service.type }} + ports: + - port: {{ $.Values.service.port }} + targetPort: api + protocol: TCP + name: api + selector: + {{- include "icinga2.selectorLabels" $ | nindent 4 }} + apps.kubernetes.io/pod-index: "{{ $i }}" +{{- end }} \ No newline at end of file diff --git a/charts/icinga-stack/charts/icinga2/templates/statefulset.yaml b/charts/icinga-stack/charts/icinga2/templates/statefulset.yaml index b34db6f..b31c82d 100644 --- a/charts/icinga-stack/charts/icinga2/templates/statefulset.yaml +++ b/charts/icinga-stack/charts/icinga2/templates/statefulset.yaml @@ -6,7 +6,7 @@ metadata: {{- include "icinga2.labels" . | nindent 4 }} spec: serviceName: {{ include "icinga2.fullname" . }} - replicas: 1 + replicas: {{ .Values.replicas }} selector: matchLabels: {{- include "icinga2.selectorLabels" . | nindent 6 }} 
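Review bot: The per-replica Service selects on `apps.kubernetes.io/pod-index`, a label the StatefulSet controller only sets on clusters with the PodIndexLabel feature (Kubernetes 1.28 and later), so on older clusters every `fullname-N` Service has an empty endpoint list and the zone endpoints that point at these names never connect; the statefulset hunks read the same label into `POD_INDEX`. Selecting on `statefulset.kubernetes.io/pod-name: {{ include "icinga2.fullname" $ }}-{{ $i }}` works on every supported Kubernetes version and is the same label the pods already use for `ICINGA_CN`. The per-pod Services also inherit `$.Values.service.type`; if that is NodePort or LoadBalancer each replica gets its own external exposure, although these Services only need to be reachable by the other endpoints, so a fixed `type: ClusterIP` (or a separate value) is the safer default. The file still ends without a newline on both sides of the hunk.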
@@ -31,6 +31,26 @@ spec: image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} env: + - name: ICINGA_CN + valueFrom: + fieldRef: + fieldPath: metadata.labels['statefulset.kubernetes.io/pod-name'] + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.labels['apps.kubernetes.io/pod-index'] + - name: ICINGA_ZONE + value: {{ .Values.config.zone_name }} + # {{- if and (hasKey .Values.config "node_setup") .Values.config.node_setup.endpoint }} + # - name: ICINGA_ENDPOINT + # value: {{ .Values.config.node_setup.endpoint }} + # {{- if .Values.config.node_setup.host -}} + # ,{{ .Values.config.node_setup.host }} + # {{- end }} + # {{- if .Values.config.node_setup.port -}} + # ,{{ .Values.config.node_setup.port }} + # {{- end }} + # {{- end }} - name: ICINGA_DISABLE_CONFD value: {{ .Values.config.disable_confd | int | quote }} {{- include "icinga2.envSecrets" . | nindent 12 }} 
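Review bot: The block commented out with `#` is not inert: `#` is YAML comment syntax, but the `{{ }}` actions inside it are still executed by the template engine before YAML parsing, so `hasKey .Values.config "node_setup"`, `.Values.config.node_setup.host` and the `-}}` trims run on every render, can fail it, and write their output into the rendered comment. Remove the block or wrap it in `{{/* ... */}}` so it is genuinely disabled. `value: {{ .Values.config.zone_name }}` should be `value: {{ .Values.config.zone_name | quote }}`, since env values must be strings and a zone name such as `1` or `on` would otherwise be typed by the YAML parser. The `ICINGA_CN` and `POD_INDEX` fieldRefs are repeated verbatim in the bootstrapper container further down; a small named template would keep them in one place.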
@@ -61,15 +81,76 @@ spec: - name: {{ .Chart.Name }}-bootstrapper image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}" imagePullPolicy: {{ .Values.image.pullPolicy }} + {{- if and (hasKey .Values.config "node_setup") (not .Values.config.is_master) }} + command: + - bash + - -c args: - - icinga2 - - daemon - - -C + - | + set -eu + mkdir -p /data/var/lib/icinga2/certs /data/var/cache/icinga2 + CA_PATH="/var/lib/icinga2/certs/ca.crt" + CRT_PATH="/var/lib/icinga2/certs/${ICINGA_CN}.crt" + KEY_PATH="/var/lib/icinga2/certs/${ICINGA_CN}.key" + CSR_PATH="/var/lib/icinga2/certs/${ICINGA_CN}.key" + icinga2 pki save-cert --host o-mgmt-master-0 --trustedcert /tmp/trusted.crt + if ! [ -r /var/lib/icinga2/certs/ca.crt ] || ! icinga2 pki verify --cert /tmp/trusted.crt --ca "${CA_PATH}"; then + openssl s_client -connect "o-mgmt-master-0:5665" -showcerts /dev/null | awk ' + /-----BEGIN CERTIFICATE-----/ {in_cert=1; cert=""} + in_cert {cert = cert $0 "\n"} + /-----END CERTIFICATE-----/ {in_cert=0; certs[++i]=cert} + END {print certs[i] > "/var/lib/icinga2/certs/ca.crt"}' + fi + if ! [ -r "${CRT_PATH}" ] \ + || ! icinga2 pki verify --cert "${CRT_PATH}" --ca "${CA_PATH}" \ + || ! 
icinga2 pki verify --cert "${CRT_PATH}" --cn "${ICINGA_CN}"; then + TICKET="$(icinga2 pki ticket --cn ${ICINGA_CN} --salt "${ICINGA_TICKET_SALT}")" + icinga2 pki new-cert --cn "${ICINGA_CN}" --key "${KEY_PATH}" --cert "${CRT_PATH}" + icinga2 pki request --key "${KEY_PATH}" --cert "${CRT_PATH}" --ca "${CA_PATH}" --trustedcert /tmp/trusted.crt --host "${ICINGA_PARENT_HOST}" --ticket "${TICKET}" + fi + export ICINGA_TRUSTEDCERT="$(cat /tmp/trusted.crt)" + export ICINGA_CACERT="$(cat "${CA_PATH}")" + exec /entrypoint icinga2 daemon -C + {{- end }} env: - name: ICINGA_CN - value: {{ .Values.config.node_name | quote }} + valueFrom: + fieldRef: + fieldPath: metadata.labels['statefulset.kubernetes.io/pod-name'] + - name: POD_INDEX + valueFrom: + fieldRef: + fieldPath: metadata.labels['apps.kubernetes.io/pod-index'] + {{- if .Values.config.is_master }} - name: ICINGA_MASTER value: "1" + {{- end }} + - name: ICINGA_ZONE + value: {{ .Values.config.zone_name }} + {{- if hasKey .Values.config "node_setup" }} + {{- if .Values.config.node_setup.endpoint }} + - name: ICINGA_ENDPOINT + {{- if typeIs "string" .Values.config.node_setup.endpoint -}} + value: {{ .Values.config.node_setup.endpoint }} + {{- else }} + value: {{ .Values.config.node_setup.endpoint.name }} + {{- if .Values.config.node_setup.endpoint.host -}} + ,{{ .Values.config.node_setup.endpoint.host }} + {{- end }} + {{- if .Values.config.node_setup.endpoint.port -}} + ,{{ .Values.config.node_setup.endpoint.port }} + {{- end }} + {{- end }} + {{- end }} + {{- if .Values.config.node_setup.parent_host }} + - name: ICINGA_PARENT_HOST + value: {{ .Values.config.node_setup.parent_host }} + {{- end }} + {{- if .Values.config.node_setup.parent_host }} + - name: ICINGA_PARENT_ZONE + value: {{ .Values.config.node_setup.parent_zone }} + {{- end }} + {{- end }} - name: ICINGA_DISABLE_CONFD value: {{ .Values.config.disable_confd | int | quote }} {{- include "icinga2.envSecrets" . | nindent 12 }} 
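Review bot: When `ca.crt` is not yet present the bootstrapper takes its trust anchor from whatever answers at the hard-coded `o-mgmt-master-0:5665` (`pki save-cert` and the `openssl s_client` extraction both accept the peer unverified), so a node's CA is fixed by whoever holds that name at first boot; the CA should be mounted from a Secret, or at least checked against a configured fingerprint, and the host should be `${ICINGA_PARENT_HOST}`, which the `pki request` call already uses. `ICINGA_TICKET_SALT` reaches every satellite pod through the `icinga2.envSecrets` include at the end of the hunk, and the salt is the master's CSR-signing secret, so a compromised satellite could obtain a certificate for any CN; issuing the ticket on the master and handing the pod only the ticket keeps the salt where it belongs. Smaller defects: `CSR_PATH` duplicates `KEY_PATH` and is unused, `--cn ${ICINGA_CN}` in the `pki ticket` call is the only unquoted expansion, the `-showcerts /dev/null` argument reads as if a `<` redirection was lost, and the `mkdir -p /data/var/...` prefix does not match the `/var/lib/icinga2/certs` paths used afterwards (presumably a mount, but worth confirming). In the env block, `ICINGA_PARENT_ZONE` is gated on `.Values.config.node_setup.parent_host` rather than `parent_zone`, so a parent_host-only setup renders an empty `value:`, and the `-}}` on the `typeIs "string"` line trims the newline before `value:`, which should render the string form as `- name: ICINGA_ENDPOINTvalue: ...`; the fix for both is `{{- if .Values.config.node_setup.parent_zone }}` and dropping that trailing `-`. The rewritten head of the script is sketched below; the container definition starts before this hunk.
```yaml
          args:
            - |
              set -eu
              : "${ICINGA_PARENT_HOST:?must name the parent endpoint}"
              mkdir -p /data/var/lib/icinga2/certs /data/var/cache/icinga2
              CA_PATH="/var/lib/icinga2/certs/ca.crt"
              CRT_PATH="/var/lib/icinga2/certs/${ICINGA_CN}.crt"
              KEY_PATH="/var/lib/icinga2/certs/${ICINGA_CN}.key"
              # The CA is provisioned out of band (e.g. mounted from a Secret at CA_PATH);
              # it is never derived from the peer we are about to trust.
              [ -r "${CA_PATH}" ] || { echo "CA certificate missing at ${CA_PATH}" >&2; exit 1; }
              icinga2 pki save-cert --host "${ICINGA_PARENT_HOST}" --trustedcert /tmp/trusted.crt
              icinga2 pki verify --cert /tmp/trusted.crt --ca "${CA_PATH}"
              # … unchanged: per-node key/cert request, exports, exec /entrypoint …
```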
diff --git a/charts/icinga-stack/charts/icinga2/values.yaml b/charts/icinga-stack/charts/icinga2/values.yaml index efcb22c..bdb0a6b 100644 --- a/charts/icinga-stack/charts/icinga2/values.yaml +++ b/charts/icinga-stack/charts/icinga2/values.yaml @@ -27,19 +27,23 @@ ingress: # hosts: # - chart-example.local +replicas: 1 + config: - node_name: icinga2-master zone_name: master + create_endpoints: true ticket_salt: value: # Add random (long!) string here credSecret: # Or use existing secret secretKey: disable_confd: true + endpoints: [] + zones: [] features: - # The features are configured as described in the official documentation + # The features are configured as described in the official documentation # at https://icinga.com/docs/icinga-2/latest/doc/09-object-types/#features - # Only some features are enabled by default; Some are missing, for more information + # Only some features are enabled by default; Some are missing, for more information # see this project's README.md # `Optional` settings for each features are commented out, all other settings are required when enabling # a feature. @@ -58,7 +62,7 @@ features: # acl_allow_origin: # - example.com # - agent1.example.com - # environment: "" + # environment: "" # For configuration information see https://icinga.com/docs/icinga-2/latest/doc/09-object-types/#checkercomponent checker: @@ -128,7 +132,7 @@ features: enabled: true # credSecret: # used for credentials # tlsSecret: # used for certificates - # password: + # password: # value: password # Specify password # secretKey: password # Or use existing secret # enable_tls: false @@ -223,7 +227,7 @@ features: service = "$service.name$" } } - + # For configuration information see https://icinga.com/docs/icinga-2/latest/doc/09-object-types/#filelogger mainlog: enabled: false @@ -282,7 +286,7 @@ resources: {} # requests: # cpu: 100m # memory: 128Mi - + nodeSelector: {} tolerations: [] 
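Review bot: The new `endpoints: []` and `zones: []` keys carry no description of the entries the templates read from them (`name`, `host`, `port`, `log_duration` for endpoints; `name`, `endpoints`, `parent`, `global` for zones), and `config.is_master` and `config.node_setup` (with `endpoint`, `parent_host`, `parent_zone`), which the statefulset template now branches on, do not appear in values.yaml at all. Add commented examples for both lists and a commented `node_setup:` block next to `create_endpoints: true`, and state that with `create_endpoints: false` the local zone must be declared under `zones:` by hand. The remaining hunks in this file only strip trailing whitespace.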
diff --git a/charts/icinga-stack/templates/redis.yaml b/charts/icinga-stack/templates/redis.yaml index 16c6999..83ffa48 100644 --- a/charts/icinga-stack/templates/redis.yaml +++ b/charts/icinga-stack/templates/redis.yaml @@ -1,4 +1,4 @@ -{{- if .Values.global.redis.enabled }} +{{- if .Values.global.databases.redis.enabled }} --- apiVersion: apps/v1 kind: StatefulSet diff --git a/charts/icinga-stack/values.yaml b/charts/icinga-stack/values.yaml index 316c7a6..9169b89 100644 --- a/charts/icinga-stack/values.yaml +++ b/charts/icinga-stack/values.yaml @@ -28,14 +28,18 @@ icinga2: # hosts: # - chart-example.local + replicas: 1 + config: - node_name: icinga2-master zone_name: master + create_endpoints: true ticket_salt: value: # Add random (long!) string here credSecret: # Or use existing secret secretKey: disable_confd: true + endpoints: [] + zones: [] features: # The features are configured as described in the official documentation @@ -520,6 +524,7 @@ global: users: credSecret: # Existing secret for director and icingaweb password director: + enabled: true password: value: # Add a password here secretKey: # Or specify secret key @@ -527,6 +532,7 @@ global: - "*" icingaweb: + enabled: true password: value: # Add a password here secretKey: # Or specify secret key
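Review bot: The guard now reads `.Values.global.databases.redis.enabled`, but no hunk in this diff moves `redis` under `global.databases` in the umbrella values.yaml, so unless that key already exists the render stops with a nil-pointer error on `databases`, and any user values still setting `global.redis.enabled` are ignored without warning. If the rename is intentional, add `global.databases.redis.enabled` to values.yaml in the same change and call out the renamed key in the chart's README or changelog so existing installs do not lose their Redis StatefulSet on upgrade.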