Commit 60d2a504 authored by Markus Frosch's avatar Markus Frosch 📣

feature/api: Add TLS detail settings

ssl_protocolmin and ssl_cipher_list
parent f60d7720
[![Build Status](https://travis-ci.org/Icinga/puppet-icinga2-rewrite.svg?branch=master)](https://travis-ci.org/Icinga/puppet-icinga2-rewrite)
# Icinga2 Puppet Module # Icinga2 Puppet Module
![Icinga Logo](https://www.icinga.com/wp-content/uploads/2014/06/icinga_logo.png) ![Icinga Logo](https://www.icinga.com/wp-content/uploads/2014/06/icinga_logo.png)
...@@ -555,6 +557,15 @@ This module offers following options to create these certificates: ...@@ -555,6 +557,15 @@ This module offers following options to create these certificates:
} }
``` ```
* Fine tune TLS / SSL settings
``` puppet
class { 'icinga2::feature::api':
ssl_protocolmin => 'TLSv1.2',
ssl_cipher_list => 'HIGH:MEDIUM:!aNULL:!MD5:!RC4',
}
```
### Custom configuration ### Custom configuration
Sometimes it's necessary to cover very special configurations that you cannot handle with this module. In this case you Sometimes it's necessary to cover very special configurations that you cannot handle with this module. In this case you
can use the `icinga2::config::file` tag on your file ressource. This module collects all file ressource types with this can use the `icinga2::config::file` tag on your file ressource. This module collects all file ressource types with this
...@@ -68,6 +68,12 @@ ...@@ -68,6 +68,12 @@
# Hash to configure zone objects. Defaults to { 'ZoneName' => {'endpoints' => ['NodeName']} }. # Hash to configure zone objects. Defaults to { 'ZoneName' => {'endpoints' => ['NodeName']} }.
# ZoneName and NodeName are icinga2 constants. # ZoneName and NodeName are icinga2 constants.
# #
# [*ssl_protocolmin*]
# Minimal TLS version to require. Default undef (e.g. "TLSv1.2")
#
# [*ssl_cipher_list*]
# List of allowed TLS ciphers, to finetune encryption. Default undef (e.g. "HIGH:MEDIUM:!aNULL:!MD5:!RC4")
#
# === Variables # === Variables
# #
# [*node_name*] # [*node_name*]
...@@ -138,6 +144,8 @@ class icinga2::feature::api( ...@@ -138,6 +144,8 @@ class icinga2::feature::api(
$ssl_key = undef, $ssl_key = undef,
$ssl_cert = undef, $ssl_cert = undef,
$ssl_cacert = undef, $ssl_cacert = undef,
$ssl_protocolmin = undef,
$ssl_cipher_list = undef,
) { ) {
$conf_dir = $::icinga2::params::conf_dir $conf_dir = $::icinga2::params::conf_dir
...@@ -184,6 +192,13 @@ class icinga2::feature::api( ...@@ -184,6 +192,13 @@ class icinga2::feature::api(
else { else {
$_ssl_cacert_path = "${pki_dir}/ca.crt" } $_ssl_cacert_path = "${pki_dir}/ca.crt" }
if $ssl_protocolmin {
validate_string($ssl_protocolmin)
}
if $ssl_cipher_list {
validate_string($ssl_cipher_list)
}
# handle the certificate's stuff # handle the certificate's stuff
case $pki { case $pki {
'puppet': { 'puppet': {
...@@ -291,6 +306,8 @@ class icinga2::feature::api( ...@@ -291,6 +306,8 @@ class icinga2::feature::api(
accept_commands => $accept_commands, accept_commands => $accept_commands,
accept_config => $accept_config, accept_config => $accept_config,
ticket_salt => $ticket_salt, ticket_salt => $ticket_salt,
tls_protocolmin => $ssl_protocolmin,
cipher_list => $ssl_cipher_list,
} }
# create endpoints and zones # create endpoints and zones
...@@ -314,5 +331,4 @@ class icinga2::feature::api( ...@@ -314,5 +331,4 @@ class icinga2::feature::api(
icinga2::feature { 'api': icinga2::feature { 'api':
ensure => $ensure, ensure => $ensure,
} }
} }
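Review bot: In the `@@ -184,6 +192,13 @@` hunk `validate_string($ssl_protocolmin)` only checks the type, while the `@@ -291,6 +306,8 @@` hunk passes the value verbatim into the ApiListener `tls_protocolmin` attribute, so a typo such as `'TLS1.2'` is accepted at catalog compile time and only surfaces when Icinga 2 parses api.conf, and on a node that was meant to be hardened the listener may keep running with its built-in minimum instead. Icinga 2 accepts a fixed set of protocol names here (TLSv1, TLSv1.1 and TLSv1.2 on the releases contemporary with this module, if I recall correctly), so a stdlib pattern check would catch this early: `validate_re($ssl_protocolmin, '\ATLSv1(\.[12])?\z', 'ssl_protocolmin must be one of TLSv1, TLSv1.1 or TLSv1.2')`. The `[*ssl_protocolmin*]` docs in the first hunk should also state that leaving it `undef` omits the attribute and leaves Icinga 2's own default minimum in force (TLSv1 on older releases, I believe), so operators who want to enforce TLS 1.2 know they must set it explicitly. The class `icinga2::feature::api` begins and ends outside these hunks.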
...@@ -260,6 +260,17 @@ describe('icinga2::feature::api', :type => :class) do ...@@ -260,6 +260,17 @@ describe('icinga2::feature::api', :type => :class) do
it { is_expected.to raise_error(Puppet::Error, /"foo" is not a Hash/) } it { is_expected.to raise_error(Puppet::Error, /"foo" is not a Hash/) }
end end
context "#{os} with TLS detail settings" do
let(:params) { { ssl_protocolmin: 'TLSv1.2', ssl_cipher_list: 'HIGH:MEDIUM:!aNULL:!MD5:!RC4' } }
it 'should set TLS detail setting' do
is_expected.to contain_concat__fragment('icinga2::object::ApiListener::api')
.with({ 'target' => '/etc/icinga2/features-available/api.conf' })
.with_content(/tls_protocolmin = "TLSv1.2"/)
.with_content(/cipher_list = "HIGH:MEDIUM:!aNULL:!MD5:!RC4"/)
end
end
end end
end end
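Review bot: The `.` in `/tls_protocolmin = "TLSv1.2"/` is unescaped, so the expectation also matches a rendered `TLSv1x2`; the assertion is tighter as `.with_content(/tls_protocolmin = "TLSv1\.2"/)`. The new context only covers the case where both parameters are set; a sibling context with both left at their default should assert that neither `tls_protocolmin` nor `cipher_list` appears in the fragment, since an unintended `tls_protocolmin = ""` would otherwise go unnoticed. The enclosing `describe` and `os` loop start outside this hunk.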