Merge pull request #222 from Icinga/feature/ticket-salt

Adds possibility to delegate ticket creation to satellites
Icinga · Dec 7, 2023 · 1d45229 · 1d45229
2 parents 43c3880 + 0a1ef95
commit 1d45229
Show file tree

Hide file tree

Showing 3 changed files with 18 additions and 3 deletions.
diff --git a/changelogs/fragments/feature_add_satellite_delegation.yml b/changelogs/fragments/feature_add_satellite_delegation.yml
@@ -0,0 +1,3 @@
+---
+minor_changes:
+  - Added possibility to delegate ticket creation to satellites
diff --git a/doc/role-icinga2/features/feature-api.md b/doc/role-icinga2/features/feature-api.md
@@ -52,13 +52,24 @@ Create Signing Request to get a certificate managed by the parameter `ca_host` a
 set to the master/server hostname, FQDN or IP, the node setup tries to connect
 via API an retrieve the trusted certificate.
 
-> **_NOTE:_**  Ansible will delegate the ticket creation to the CA host. You can change this behaviour by setting 'icinga2_delegate_host' to match another Ansible alias.
+> [!INFO]
+> Ansible will delegate the ticket creation to the CA host. You can change this behaviour by setting 'icinga2_delegate_host' to match another Ansible alias.
 
-```
+```yaml
 ca_host: icinga-server.localdomain
 ca_host_port: 5665
 ```
 
+> [!INFO]
+> In case your agent can't connect to the CA host, you can use the variables `icinga2_delegate_host`
+> and `ticket_salt` to delegate ticket creation to one of your satellites instead.
+
+```yaml
+ca_host: icinga-server.localdomain
+icinga2_delegate_host: icinga-satellite.localdomain
+ticket_salt: "{{ icinga2_constants.ticket_salt }}"
+```
+
 By default the FQDN is used as certificate common name, to put a name
 yourself:
 

diff --git a/roles/icinga2/tasks/features/api.yml b/roles/icinga2/tasks/features/api.yml
@@ -12,6 +12,7 @@
     icinga2_ssl_cert: "{{ icinga2_dict_features.api.ssl_cert | default(omit) }}"
     icinga2_ssl_cacert: "{{ icinga2_dict_features.api.ssl_cacert | default(omit) }}"
     icinga2_ssl_key: "{{ icinga2_dict_features.api.ssl_key | default(omit) }}"
+    icinga2_ticket_salt: "{{ icinga2_dict_features.api.ticket_salt | default(omit) }}"
 
 - assert:
     that: ((icinga2_ssl_cacert is defined and icinga2_ssl_cert is defined and icinga2_ssl_key is defined) or (icinga2_ssl_cacert is undefined and icinga2_ssl_cert is undefined and icinga2_ssl_key is undefined and icinga2_ca_host is defined))
@@ -135,7 +136,7 @@
         {% if icinga2_ca_host != 'none' %} --cert "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.crt" {% else %} --csr "{{ icinga2_cert_path }}/{{ icinga2_cert_name }}.csr" {%- endif %}
 
     - name: delegate ticket request to master
-      shell: icinga2 pki ticket --cn "{{ icinga2_cert_name }}"
+      shell: icinga2 pki ticket --cn "{{ icinga2_cert_name }}{% if icinga2_ticket_salt is defined %} --salt {{ icinga2_ticket_salt }}{% endif %}}"
       delegate_to: "{{ icinga2_delegate_host | default(icinga2_ca_host) }}"
       register: icinga2_ticket
       when: icinga2_ca_host != 'none'