Commit 60d2a504 authored by Markus Frosch's avatar Markus Frosch 📣

feature/api: Add TLS detail settings

ssl_protocolmin and ssl_cipher_list
parent f60d7720
[![Build Status](https://travis-ci.org/Icinga/puppet-icinga2-rewrite.svg?branch=master)](https://travis-ci.org/Icinga/puppet-icinga2-rewrite)
# Icinga2 Puppet Module
![Icinga Logo](https://www.icinga.com/wp-content/uploads/2014/06/icinga_logo.png)
......@@ -555,6 +557,15 @@ This module offers following options to create these certificates:
}
```
* Fine tune TLS / SSL settings
``` puppet
class { 'icinga2::feature::api':
ssl_protocolmin => 'TLSv1.2',
ssl_cipher_list => 'HIGH:MEDIUM:!aNULL:!MD5:!RC4',
}
```
### Custom configuration
Sometimes it's necessary to cover very special configurations that you cannot handle with this module. In this case you
can use the `icinga2::config::file` tag on your file ressource. This module collects all file ressource types with this
......
......@@ -68,6 +68,12 @@
# Hash to configure zone objects. Defaults to { 'ZoneName' => {'endpoints' => ['NodeName']} }.
# ZoneName and NodeName are icinga2 constants.
#
# [*ssl_protocolmin*]
# Minimal TLS version to require. Default undef (e.g. "TLSv1.2")
#
# [*ssl_cipher_list*]
# List of allowed TLS ciphers, to finetune encryption. Default undef (e.g. "HIGH:MEDIUM:!aNULL:!MD5:!RC4")
#
# === Variables
#
# [*node_name*]
......@@ -138,6 +144,8 @@ class icinga2::feature::api(
$ssl_key = undef,
$ssl_cert = undef,
$ssl_cacert = undef,
$ssl_protocolmin = undef,
$ssl_cipher_list = undef,
) {
$conf_dir = $::icinga2::params::conf_dir
......@@ -184,6 +192,13 @@ class icinga2::feature::api(
else {
$_ssl_cacert_path = "${pki_dir}/ca.crt" }
if $ssl_protocolmin {
validate_string($ssl_protocolmin)
}
if $ssl_cipher_list {
validate_string($ssl_cipher_list)
}
# handle the certificate's stuff
case $pki {
'puppet': {
......@@ -291,6 +306,8 @@ class icinga2::feature::api(
accept_commands => $accept_commands,
accept_config => $accept_config,
ticket_salt => $ticket_salt,
tls_protocolmin => $ssl_protocolmin,
cipher_list => $ssl_cipher_list,
}
# create endpoints and zones
......@@ -314,5 +331,4 @@ class icinga2::feature::api(
icinga2::feature { 'api':
ensure => $ensure,
}
}
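Review bot: `if $ssl_protocolmin { validate_string($ssl_protocolmin) }` (and the matching block for `$ssl_cipher_list`) only checks the type, so an empty string — which is truthy in Puppet 4 — passes and would be rendered into api.conf as an empty `tls_protocolmin = ""`, and a misspelled version name is only rejected once Icinga 2 starts. A pattern check would fail at catalog compile time instead, e.g. `validate_re($ssl_protocolmin, '^TLSv1(\.[12])?$')` for the values Icinga 2 documented for tls_protocolmin at the time (TLSv1, TLSv1.1, TLSv1.2 — confirm against the targeted Icinga release, and widen if it has to accept TLSv1.3); `$ssl_cipher_list` cannot be validated the same way, but the parameter docs could say it is passed through verbatim to OpenSSL. The header comment for `[*ssl_protocolmin*]` could list those accepted values rather than a single example. The class body continues outside these hunks.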
......@@ -260,6 +260,17 @@ describe('icinga2::feature::api', :type => :class) do
it { is_expected.to raise_error(Puppet::Error, /"foo" is not a Hash/) }
end
context "#{os} with TLS detail settings" do
let(:params) { { ssl_protocolmin: 'TLSv1.2', ssl_cipher_list: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4' } }
it 'should set TLS detail setting' do
is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
.with({ 'target' => '/etc/icinga2/features-available/api.conf' })
.with_content(/tls_protocolmin = "TLSv1.2"/)
.with_content(/cipher_list = "HIGH:MEDIUM:!aNULL:!MD5:!RC4"/)
end
end
end
end
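Review bot: The regex `/tls_protocolmin = "TLSv1.2"/` leaves the dot unescaped, so it also matches any single character there; write `.with_content(/tls_protocolmin = "TLSv1\.2"/)`. The new context only covers the case where both parameters are set; an example in the default context asserting that the rendered fragment contains neither `tls_protocolmin` nor `cipher_list` would pin that undef parameters omit the settings rather than emitting an empty value. The enclosing describe block starts before this hunk.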
......