Hi all
When installing an Icinga2 Agent for the first time, it needs the CA certificate from the Icinga2 Master. Usually the Agent can establish a session on port 5665. And this task in roles/icinga2/tasks/features/api.yml saves that certificate:
```yaml
- name: save trusted-master.crt
  shell: >-
    icinga2 pki save-cert
    --host "{{ icinga2_ca_host }}"
    --port "{{ icinga2_ca_host_port | default('5665') }}"
    --trustedcert "{{ icinga2_cert_path }}/trusted-master.crt"
  when: icinga2_ca_host != 'none'
  register: _trusted_master_cert
```
However, in our setup, communication on port 5665 to the Icinga2 Master is blocked. So the Icinga2 Master has to establish a connection to the Agent. But how can I get the CA cert to the Agent? The task above doesn't work because the Agent can't establish the connection.
I was able to make it work with the following workaround, but I'm not sure if there's a better way...
```yaml
# NOTE Doesn't work because we have no connection from agent to master
# - name: save trusted-master.crt
#   shell: >-
#     icinga2 pki save-cert
#     --host "{{ icinga2_ca_host }}"
#     --port "{{ icinga2_ca_host_port | default('5665') }}"
#     --trustedcert "{{ icinga2_cert_path }}/trusted-master.crt"
#   when: icinga2_ca_host != 'none'
#   register: _trusted_master_cert

# Workaround
# Connect to Master, slurp the CA certificate and save it
- name: Fetch CA certificate content from the delegated host
  # Runs on the master (or an explicit delegate host) over the Ansible
  # connection; only ca.crt is read, never ca.key from the same directory.
  slurp:
    src: /var/lib/icinga2/ca/ca.crt
  delegate_to: "{{ icinga2_delegate_host | default(icinga2_ca_host) }}"
  register: ca_cert_content_slurped
  when: icinga2_ca_host != 'none'

- name: Decode and save the CA certificate content as a fact
  # slurp returns the file base64-encoded, so decode it before writing it out
  set_fact:
    ca_cert_content: "{{ ca_cert_content_slurped['content'] | b64decode }}"
  when: icinga2_ca_host != 'none' and ca_cert_content_slurped is defined

- name: Save the CA certificate content to /var/lib/icinga2/certs/ca.crt on the original host
  copy:
    dest: /var/lib/icinga2/certs/ca.crt
    content: "{{ ca_cert_content }}"
    owner: nagios
    group: nagios
    mode: '0644'
  when: icinga2_ca_host != 'none' and ca_cert_content is defined
```
Is there a better way to achieve that? Or could this be integrated into the collection?
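Added example, not the issue author's code and not part of the collection: a variant of the workaround above that drops the intermediate set_fact, writes to the role's own `icinga2_cert_path`, and pins the CA fingerprint on the agent. The pin matters because `icinga2 pki save-cert` only prints the fetched certificate for the operator to verify, and a delegated `slurp` replaces that step entirely, so whichever host the inventory calls `icinga2_ca_host` would otherwise silently become the trust anchor. `icinga2_ca_fingerprint_sha256` is an assumed, hypothetical variable holding the value of `openssl x509 -in /var/lib/icinga2/ca/ca.crt -noout -fingerprint -sha256` taken once on the master; `icinga2_ca_host` and `icinga2_cert_path` are the role variables already used in the issue. The `openssl` binary is assumed to be present on the agent.

```yaml
# Added example (not the issue author's code, not part of the collection):
# push the master's CA to an agent that cannot open port 5665 itself, then
# refuse to proceed unless the installed CA matches a pinned fingerprint.
#
# Assumed/hypothetical: icinga2_ca_fingerprint_sha256, e.g. "AB:CD:...:EF",
# the output of
#   openssl x509 -in /var/lib/icinga2/ca/ca.crt -noout -fingerprint -sha256
# recorded once on the master and kept in group_vars.
- name: Read the CA certificate from the master over the Ansible connection
  # Only ca.crt is read; ca.key lives in the same directory and must stay there.
  ansible.builtin.slurp:
    src: /var/lib/icinga2/ca/ca.crt
  delegate_to: "{{ icinga2_ca_host }}"
  register: _icinga2_ca
  when: icinga2_ca_host != 'none'

- name: Install the CA certificate on the agent
  ansible.builtin.copy:
    content: "{{ _icinga2_ca.content | b64decode }}"  # slurp returns base64
    dest: "{{ icinga2_cert_path }}/ca.crt"
    owner: nagios
    group: nagios
    mode: '0644'
  when: icinga2_ca_host != 'none'

- name: Compute the SHA-256 fingerprint of the installed CA certificate
  ansible.builtin.command:
    argv:
      - openssl
      - x509
      - -in
      - "{{ icinga2_cert_path }}/ca.crt"
      - -noout
      - -fingerprint
      - -sha256
  register: _icinga2_ca_fp
  changed_when: false
  when: icinga2_ca_host != 'none'

- name: Refuse to continue if the installed CA is not the pinned one
  # openssl prints "sha256 Fingerprint=AB:CD:..."; compare only the value,
  # case-insensitively, against the pinned variable.
  ansible.builtin.assert:
    that:
      - (_icinga2_ca_fp.stdout.split('=') | last | upper) == (icinga2_ca_fingerprint_sha256 | upper)
    fail_msg: "CA fingerprint on the agent does not match icinga2_ca_fingerprint_sha256"
  when: icinga2_ca_host != 'none'
```

If the pinned value is wrong or the delegate host serves a different CA, the play stops before the agent is configured to trust it; rotating the master's CA then requires updating the pinned variable deliberately rather than having the new CA accepted on the next run.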