diff --git a/README.md b/README.md index afe5feb0..d063473f 100644 --- a/README.md +++ b/README.md 
@@ -27,16 +27,42 @@ This module can manage all configurations files of Icinga Web 2 and import an in manage all official [modules](https://www.icinga.com/products/icinga-web-2-modules/) as well as modules developed by the community. +### What's new in version 4.0.0 + +NOTICE: With this release come some breaking changes, please also read the CHANGELOG and test this new version with +your manifests beforehand. + +The puppet module `icinga` is required. Some functions, data types and defined resources of this module are now used. +Depends on [#380](https://github.com/Icinga/puppet-icingaweb2/pull/380). + +The additional services for the Director, reporting and x509 module are not optinal anymore. The service classes are +private now and cannot declared individually. However, in order to still manage the service new parameters `manage_service`, +`service_ensure` and `service_enable` are added. See [#281](https://github.com/Icinga/puppet-icingaweb2/issues/281) and +[#379](https://github.com/Icinga/puppet-icingaweb2/pull/379). + +Support of INI files as configuration backend for user preferences is dropped. The parameter `config_backend` also dropped +because the only supported backend by Icinga Web is `db` since v2.11.0. + +We switched the default logging to `syslog`. Done in [#376](https://github.com/Icinga/puppet-icingaweb2/pull/376). + +All parameters `db_type` must be set now ([#373](https://github.com/Icinga/puppet-icingaweb2/pull/376)), e.g. for `icingaweb2`, +`icingaweb2::module::monitoring` and all other modules that require a database. + +The default location of all private keys and certificates for authentication or validation has changed +to `/var/lib/icingaweb2//`. For more details [#380](https://github.com/Icinga/puppet-icingaweb2/pull/380). + +Support of earlier version of Icinga Web as v2.9.0 is dropped. So we also removed the module classes of ipl, reactbundle and +incubator. 
If you use Icinga Web modules installed from git that require the incubator, please use `icingaweb2::extra_packages` +to install the official package `icinga-php-incubator`. + +For more flexibility, we have added a parameter `db_resource_name` for an individual name for the automatically maintained Icinga Web resources, e.g. +the database resources for the Icinga Web backend, the Director database and so on. As a result, the default names have also changed. + ### What's new in version 3.9.1 The Icinga team removed package icingaweb2-module-monitoring (only on Debian/Ubuntu) for Icinga Web 2 >= 2.12.0. For now we add an parameter `manage_package` (set to `true` bye default) to do not managed the missing transition package. -### What's new in version 3.0.0 - -* The current version now uses the `icinga::repos` class from the new module `icinga` for the configuration of -repositories including EPEL on RedHat and Backports on Debian. (see https://github.com/icinga/puppet-icinga) - ## Setup ### What the Icinga 2 Puppet module supports 
@@ -51,23 +77,24 @@ repositories including EPEL on RedHat and Backports on Debian. (see https://gith This module depends on -* [icinga/icinga] >= 1.0.0 - * needed if `manage_repos` is set to `true` -* [puppetlabs/stdlib] >= 4.25.0 -* [puppetlabs/vcsrepo] >= 1.3.0 -* [puppetlabs/concat] >= 2.0.1 +* [icinga/icinga] >= 2.9.0 < 5.0.0 +* [puppetlabs/stdlib] >= 6.6.0 < 10.0.0 +* [puppetlabs/vcsrepo] >= 3.2.0 < 7.0.0 + * required if modules use `git` (default) as `install_method`. +* [puppetlabs/concat] >= 6.4.0 < 10.0.0 +* [puppet/systemd] >= 3.1.0 < 7.0.0 + ### Limitations This module has been tested on: -* Debian 10, 11 +* Debian 10, 11, 12 * CentOS/RHEL 7 * Requires [Software Collections Repository](https://wiki.centos.org/AdditionalResources/Repositories/SCL) * RHEL/AlmaLinux/Rocky 8, 9 * Requires an [Icinga Subscription](https://icinga.com/subscription) for all versions >= 2.9.5 of Icinga Web 2. * Ubuntu 20.04, 22.04 -* SLES 15 Other operating systems or versions may work but have not been tested. 
@@ -145,62 +172,41 @@ icingaweb2::config::groupbackend { 'ldap-groups': domain => 'icinga.com', } ``` -So that a group gets admin rights a role has to manage: +A role must be managed for a group to receive admin rights: ``` icingaweb2::config::role { 'default admin user': groups => 'icingaadmins', permissions => '*', + parent => 'default protection', } ``` -All available permissions for module monitoring are listed below: -| Description | Value | -|-------------|-------| -| Allow everything | `*` | -| Allow to share navigation items | `application/share/navigation` | -| Allow to adjust in the preferences whether to show stacktraces | `application/stacktraces` | -| Allow to view the application log | `application/log` | -| Grant admin permissions, e.g. manage announcements | `admin` | -| Allow config access | `config/*` | -| Allow access to module doc | `module/doc` | -| Allow access to module monitoring | `module/monitoring` | -| Allow all commands | `monitoring/command/*` | -| Allow scheduling host and service checks | `monitoring/command/schedule-check` | -| Allow acknowledging host and service problems | `monitoring/command/acknowledge-problem` | -| Allow removing problem acknowledgements | `monitoring/command/remove-acknowledgement` | -| Allow adding and deleting host and service comments | `monitoring/command/comment/*` | -| Allow commenting on hosts and services | `monitoring/command/comment/add` | -| Allow deleting host and service comments | `monitoring/command/comment/delete` | -| Allow scheduling and deleting host and service downtimes | `monitoring/command/downtime/*` | -| Allow scheduling host and service downtimes | `monitoring/command/downtime/schedule` | -| Allow deleting host and service downtimes | `monitoring/command/downtime/delete` | -| Allow processing host and service check results | `monitoring/command/process-check-result` | -| Allow processing commands for toggling features on an instance-wide basis | `monitoring/command/feature/instance` | 
-| Allow processing commands for toggling features on host and service objects | `monitoring/command/feature/object/*`) | -| Allow processing commands for toggling active checks on host and service objects | `monitoring/command/feature/object/active-checks` | -| Allow processing commands for toggling passive checks on host and service objects | `monitoring/command/feature/object/passive-checks` | -| Allow processing commands for toggling notifications on host and service objects | `monitoring/command/feature/object/notifications` | -| Allow processing commands for toggling event handlers on host and service objects | `monitoring/command/feature/object/event-handler` | -| Allow processing commands for toggling flap detection on host and service objects | `monitoring/command/feature/object/flap-detection` | -| Allow sending custom notifications for hosts and services | `monitoring/command/send-custom-notification` | -| Allow access to module setup | `module/setup` | -| Allow access to module test | `module/test` | -| Allow access to module translation | `module/translation` | - -Finally we configure the monitoring with the needed connection to the IDO to get information and an API user to send commands to Icinga 2: +But the values of some custom variables are not displayed via inheritance: ``` -class {'icingaweb2::module::monitoring': - ido_host => 'localhost', - ido_db_type => 'mysql', - ido_db_name => 'icinga2', - ido_db_username => 'icinga2', - ido_db_password => 'supersecret', +icingaweb2::config::role { 'default protection': + filters => { + 'icingadb/protect/variables' => '*pw*, *pass*, community', + } +} +``` +All available permissions for module `icingadb` are listed [here](https://icinga.com/docs/icinga-db-web/latest/doc/04-Security). 
+ +Finally we configure the icingadb with the needed connection to the database and the redis server and an API user to send commands to Icinga 2: +``` +class {'icingaweb2::module::icingadb': + db_type => 'mysql', + db_host => 'db.icinga.com', + db_port => 1800, + db_name => 'icinga2', + db_username => 'icinga2', + db_password => Sensitive('supersecret'), + redis_host => 'localhost', commandtransports => { icinga2 => { transport => 'api', username => 'icingaweb2', - password => 'supersecret', + password => Sensitive('supersecret'), } - } + }, } ``` diff --git a/REFERENCE.md b/REFERENCE.md index e56c76b1..1d6fa155 100644 --- a/REFERENCE.md +++ b/REFERENCE.md 
@@ -3845,41 +3845,6 @@ Default value: `undef` Roles define a set of permissions that may be applied to users or groups. -* **Note** Available permissions in module monitoring: - -| Description | Value | -|-------------|-------| -| Allow everything | `*` | -| Allow to share navigation items | `application/share/navigation` | -| Allow to adjust in the preferences whether to show stacktraces | `application/stacktraces` | -| Allow to view the application log | `application/log` | -| Grant admin permissions, e.g. manage announcements | `admin` | -| Allow config access | `config/*` | -| Allow access to module doc | `module/doc` | -| Allow access to module monitoring | `module/monitoring` | -| Allow all commands | `monitoring/command/*` | -| Allow scheduling host and service checks | `monitoring/command/schedule-check` | -| Allow acknowledging host and service problems | `monitoring/command/acknowledge-problem` | -| Allow removing problem acknowledgements | `monitoring/command/remove-acknowledgement` | -| Allow adding and deleting host and service comments | `monitoring/command/comment/*` | -| Allow commenting on hosts and services | `monitoring/command/comment/add` | -| Allow deleting host and service comments | `monitoring/command/comment/delete` | -| Allow scheduling and deleting host and service downtimes | `monitoring/command/downtime/*` | -| Allow scheduling host and service downtimes | `monitoring/command/downtime/schedule` | -| Allow deleting host and service downtimes | `monitoring/command/downtime/delete` | -| Allow processing host and service check results | `monitoring/command/process-check-result` | -| Allow processing commands for toggling features on an instance-wide basis | `monitoring/command/feature/instance` | -| Allow processing commands for toggling features on host and service objects | `monitoring/command/feature/object/*`) | -| Allow processing commands for toggling active checks on host and service objects | 
`monitoring/command/feature/object/active-checks` | -| Allow processing commands for toggling passive checks on host and service objects | `monitoring/command/feature/object/passive-checks` | -| Allow processing commands for toggling notifications on host and service objects | `monitoring/command/feature/object/notifications` | -| Allow processing commands for toggling event handlers on host and service objects | `monitoring/command/feature/object/event-handler` | -| Allow processing commands for toggling flap detection on host and service objects | `monitoring/command/feature/object/flap-detection` | -| Allow sending custom notifications for hosts and services | `monitoring/command/send-custom-notification` | -| Allow access to module setup | `module/setup` | -| Allow access to module test | `module/test` | -| Allow access to module translation | `module/translation` | - #### Examples ##### Create role that allows only hosts beginning with `linux-*`: @@ -3894,18 +3859,6 @@ icingaweb2::config::role{ 'linux-user': } ``` -##### Create role that allows a user to see only hosts beginning with `linux-*`: - -```puppet -icingaweb2::config::role{'linux-user': - users => 'bob, pete', - permissions => '*', - filters => { - 'monitoring/filter/objects' => 'host_name=linux-*', - } -} -``` - #### Parameters The following parameters are available in the `icingaweb2::config::role` defined type: @@ -3958,8 +3911,8 @@ Data type: `Optional[String]` Comma separated lsit of permissions. Each module may add it's own permissions. Examples are - Allow everything: '*' - Allow config access: 'config/*' -- Allow access do module monitoring: 'module/monitoring' -- Allow scheduling checks: 'monitoring/command/schedule-checks' +- Allow access do module icingadb: 'module/icingadb' +- Allow scheduling checks: 'icingadb/command/schedule-checks' - Grant admin permissions: 'admin' Default value: `undef` 
@@ -3987,10 +3940,9 @@ Data type: `Hash` Hash of filters. Modules may add new filter keys, some sample keys are: - application/share/users - application/share/groups -- monitoring/filter/objects -- monitoring/blacklist/properties +- icingadb/filter/objects A string value is expected for each used key. For example: -- monitoring/filter/objects = "host_name!=*win*" +- icingadb/filter/objects = "host_name!=*win*" Default value: `{}` diff --git a/manifests/config/role.pp b/manifests/config/role.pp index 97a0bc6d..46d7e3f9 100644 --- a/manifests/config/role.pp +++ b/manifests/config/role.pp @@ -17,8 +17,8 @@ # Comma separated lsit of permissions. Each module may add it's own permissions. Examples are # - Allow everything: '*' # - Allow config access: 'config/*' -# - Allow access do module monitoring: 'module/monitoring' -# - Allow scheduling checks: 'monitoring/command/schedule-checks' +# - Allow access do module icingadb: 'module/icingadb' +# - Allow scheduling checks: 'icingadb/command/schedule-checks' # - Grant admin permissions: 'admin' # # @param refusals @@ -31,10 +31,9 @@ # Hash of filters. Modules may add new filter keys, some sample keys are: # - application/share/users # - application/share/groups -# - monitoring/filter/objects -# - monitoring/blacklist/properties +# - icingadb/filter/objects # A string value is expected for each used key. For example: -# - monitoring/filter/objects = "host_name!=*win*" +# - icingadb/filter/objects = "host_name!=*win*" # # @example Create role that allows only hosts beginning with `linux-*`: # icingaweb2::config::role{ 'linux-user': 
@@ -45,57 +44,6 @@ # } # } # -# @note Available permissions in module monitoring: -# -# -# | Description | Value | -# |-------------|-------| -# | Allow everything | `*` | -# | Allow to share navigation items | `application/share/navigation` | -# | Allow to adjust in the preferences whether to show stacktraces | `application/stacktraces` | -# | Allow to view the application log | `application/log` | -# | Grant admin permissions, e.g. manage announcements | `admin` | -# | Allow config access | `config/*` | -# | Allow access to module doc | `module/doc` | -# | Allow access to module monitoring | `module/monitoring` | -# | Allow all commands | `monitoring/command/*` | -# | Allow scheduling host and service checks | `monitoring/command/schedule-check` | -# | Allow acknowledging host and service problems | `monitoring/command/acknowledge-problem` | -# | Allow removing problem acknowledgements | `monitoring/command/remove-acknowledgement` | -# | Allow adding and deleting host and service comments | `monitoring/command/comment/*` | -# | Allow commenting on hosts and services | `monitoring/command/comment/add` | -# | Allow deleting host and service comments | `monitoring/command/comment/delete` | -# | Allow scheduling and deleting host and service downtimes | `monitoring/command/downtime/*` | -# | Allow scheduling host and service downtimes | `monitoring/command/downtime/schedule` | -# | Allow deleting host and service downtimes | `monitoring/command/downtime/delete` | -# | Allow processing host and service check results | `monitoring/command/process-check-result` | -# | Allow processing commands for toggling features on an instance-wide basis | `monitoring/command/feature/instance` | -# | Allow processing commands for toggling features on host and service objects | `monitoring/command/feature/object/*`) | -# | Allow processing commands for toggling active checks on host and service objects | `monitoring/command/feature/object/active-checks` | -# | Allow processing 
commands for toggling passive checks on host and service objects | `monitoring/command/feature/object/passive-checks` | -# | Allow processing commands for toggling notifications on host and service objects | `monitoring/command/feature/object/notifications` | -# | Allow processing commands for toggling event handlers on host and service objects | `monitoring/command/feature/object/event-handler` | -# | Allow processing commands for toggling flap detection on host and service objects | `monitoring/command/feature/object/flap-detection` | -# | Allow sending custom notifications for hosts and services | `monitoring/command/send-custom-notification` | -# | Allow access to module setup | `module/setup` | -# | Allow access to module test | `module/test` | -# | Allow access to module translation | `module/translation` | -# -# @note With the monitoring module, possible filters are: -# * `application/share/users` -# * `application/share/groups` -# * `monitoring/filter/objects` -# * `monitoring/blacklist/properties` -# -# @example Create role that allows a user to see only hosts beginning with `linux-*`: -# icingaweb2::config::role{'linux-user': -# users => 'bob, pete', -# permissions => '*', -# filters => { -# 'monitoring/filter/objects' => 'host_name=linux-*', -# } -# } -# define icingaweb2::config::role ( String $role_name = $title, Optional[String] $users = undef,
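Review bot: In README.md, hunk `@@ -27,16 +27,42`, the `db_type` paragraph labels its link `#373` but the URL is `pull/376`, the same target as the syslog paragraph just above it. Point the link at the change that is actually meant. In the same hunk the new key location reads `/var/lib/icingaweb2//`, with an empty path component where a placeholder for the subdirectory appears to be missing. The services paragraph has "optinal" and "cannot declared" (optional, cannot be declared).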
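Review bot: In README.md, hunk `@@ -51,23 +77,24`, `SLES 15` is dropped from the tested platforms, but the "What's new in version 4.0.0" text added earlier in this patch does not mention it among the breaking changes. Add a line there, together with the raised minimum versions of `stdlib`, `vcsrepo` and `concat` and the new `puppet/systemd` dependency, so users see them before upgrading. Also check that a link definition for `[puppet/systemd]` exists, since none is added in the visible lines.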
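Review bot: In README.md, hunk `@@ -145,62 +172,41`, the sentence "But the values of some custom variables are not displayed via inheritance:" does not explain that the admin role, which has `permissions => '*'`, receives the `icingadb/protect/variables` filter only through `parent => 'default protection'`. Say so explicitly, so that a reader who copies the admin role without the parent knows the filter on `*pw*, *pass*, community` no longer applies to it. In the `icingaweb2::module::icingadb` example, `db_port => 1800` next to `db_type => 'mysql'` looks like a value readers will copy; drop it or comment that it is site-specific. `db_name` and `db_username` keep the `icinga2` values of the removed IDO example, so please confirm they are intended for the Icinga DB database.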
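Review bot: In REFERENCE.md, hunk `@@ -3958,8 +3911,8`, the new example permission is `icingadb/command/schedule-checks` (plural), while the permission table removed elsewhere in this patch listed the singular `monitoring/command/schedule-check`. The plural looks like a typo carried over from the old line; verify the name against the Icinga DB Web permission list linked from the README before publishing it as an example. The changed line "Allow access do module icingadb" should read "access to module", and the unchanged context line above it still has "lsit" and "it's own", which could be fixed in the same pass.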
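Review bot: In REFERENCE.md, hunk `@@ -3987,10 +3940,9`, `monitoring/blacklist/properties` is removed from the sample filter keys with no Icinga DB counterpart, so the list no longer shows any key for hiding sensitive data. The README part of this patch already uses `icingadb/protect/variables`; list it here as a sample key, with an example value such as the README's `'*pw*, *pass*, community'`.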
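Review bot: In manifests/config/role.pp, hunk `@@ -45,57 +44,6`, both `@note` blocks (the permission table and the list of possible filters) are deleted without a replacement, and the same removal in REFERENCE.md hunk `@@ -3845,41 +3845,6` leaves the reference with no pointer to the valid permission and filter names. Add a short `@note` with the Icinga DB Web security documentation URL that the README hunk links to. The comment lines changed in hunks `@@ -17,8 +17,8` and `@@ -31,10 +31,9` are word for word the same as the REFERENCE.md text, so any wording fixes (`schedule-checks`, "access do module") should be made in both files to keep them consistent.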