I'm trying to write an Ansible playbook to set up Icinga2 nodes, but each host needs a unique ticket from the Icinga2 master to authenticate. Right now I'm thinking of ssh'ing out from the node to the master to grab the ticket, but that doesn't seem like a good idea. I also tried using Ansible's prompts, but I'm running the playbook from Ansible Tower, which apparently doesn't support that (it just hangs waiting for stdin).
- If you are still looking for a real and complete example, take a look at the post from this person: https://monitoring-portal.org/index.php?thread/35989-using-ansible-to-generate-the-icinga-client-certificates/ – Tom V. May 15 '17 at 13:16
3 Answers
Ansible allows you to get facts from other hosts with the delegate_to parameter.

To grab the ticket from the icinga2 server you will need something like this:

    - name: Get ticket.
      command: icinga2 pki ticket --cn 'your cn'
      register: ticket
      delegate_to: icinga2_server

This task will store the output of the icinga2 pki ticket command in the ticket variable. You might need to filter a bit to get only the ticket id. Take a look at the Ansible examples repository for more information. You will also need to have the icinga2_server in your inventory for the delegation.

In addition to knowhy's answer, you can also generate the ticket on the Ansible system, with a crypto/hashing algorithm called PBKDF2.
I did something similar in the Puppet module; you would only need to know the "TicketSalt" value to calculate the ticket for the FQDN. (The password is the FQDN in that case.)
There seems to be a module for Python as well: https://pypi.python.org/pypi/pbkdf2

- Could you add detail to this answer instead of linking? The link is now a 404 and I'm interested in how this is achieved. Thanks! – tommy_o Mar 15 '17 at 12:38
- The link is now here: https://github.com/Icinga/puppet-icinga2/blob/master/lib/puppet/parser/functions/icinga2_ticket_id.rb I will edit the answer. – byoungb Feb 06 '18 at 18:25
Okay, since I ended up writing this filter I thought I should share it. https://gist.github.com/byoungb/35c8bbed924bb34f557023992b9b67d3

    from ansible.errors import AnsibleError


    def icinga_ticket(value, salt):
        """Derive the Icinga 2 ticket for a common name from the TicketSalt."""
        try:
            # Imported lazily so a missing dependency gives a clear Ansible error.
            from pbkdf2 import PBKDF2
        except ImportError:
            raise AnsibleError('pbkdf2 library is required for `icinga_ticket` filter "pip install pbkdf2"')
        # The value (CN) is the password; 50000 iterations, 20 bytes read as hex.
        return PBKDF2(str(value), str(salt), iterations=50000).hexread(20)


    class FilterModule(object):
        def filters(self):
            return dict(
                icinga_ticket=icinga_ticket,
            )

Store this in your Ansible's plugin filters location, plugins/filter/icinga.py, and use it like this:

    - name: setup icinga node
      command: icinga2 node setup --ticket {{ 'web1.domain'|icinga_ticket('salt') }} --cn web1.domain --endpoint master.domain --zone web1.domain --master_host master.domain --trustedcert /var/lib/icinga2/certs/master.domain.crt --accept-commands --accept-config
      notify: restart icinga

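The derivation described in the last two answers, written against the Python standard library only. This is an added example and not code from any of the answers or from the Icinga project. It assumes HMAC-SHA1 as the PRF (the default of the pbkdf2 package used above); the names ticket_for_cn and ticket_matches and the sample values are hypothetical.

```python
"""Added example: Icinga 2 ticket derivation with the standard library only."""
import hashlib
import hmac

ITERATIONS = 50000   # iteration count used by the filter on this page
TICKET_BYTES = 20    # hexread(20) on this page: 20 bytes, 40 hex characters


def ticket_for_cn(cn, salt, iterations=ITERATIONS):
    """Return the hex ticket for a common name, given the master's TicketSalt.

    The CN is the PBKDF2 password and the TicketSalt is the salt.
    HMAC-SHA1 is assumed because it is the pbkdf2 package's default PRF.
    """
    cn, salt = str(cn), str(salt)
    if not cn or not salt:
        # An empty salt would still yield a well-formed but useless ticket.
        raise ValueError("cn and salt must both be non-empty")
    derived = hashlib.pbkdf2_hmac(
        "sha1", cn.encode("utf-8"), salt.encode("utf-8"), iterations, TICKET_BYTES
    )
    return derived.hex()


def ticket_matches(candidate, cn, salt):
    """Compare a presented ticket with the expected one in constant time."""
    expected = ticket_for_cn(cn, salt).encode("ascii")
    presented = str(candidate).strip().lower().encode("utf-8")
    return hmac.compare_digest(presented, expected)


class FilterModule(object):
    """Ansible filter plugin entry point, same filter name as the answer above."""

    def filters(self):
        return {"icinga_ticket": ticket_for_cn}


if __name__ == "__main__":
    # Constructed sample values; a real TicketSalt is a secret.
    print(ticket_for_cn("web1.domain", "constructed-salt"))
```

Because a ticket depends only on the CN and the TicketSalt, anyone who can read the salt can compute a valid ticket for any host name. Keep the salt in Ansible Vault rather than as a literal in the playbook, and set no_log on tasks that expand it.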