Open dnsmichi opened 7 years ago
dnsmichi described a problem: "This requires having a fully provisioned Icinga 2 master before any client deployments, which might be a problem with Puppet here."
The same must be done when we use the Icinga CA and a ticket to authenticate the cert request.
We wanna implement API requests authenticated by basic auth and cert validation (refs #360)
Expected Behavior
The Puppet master should query the Icinga 2 Master for a client's ticket.
Current Behavior
The Puppet module uses its own hashing function which might break if Icinga 2's hashing algorithm is changed for tickets.
https://github.com/Icinga/puppet-icinga2/blob/master/lib/puppet/parser/functions/icinga2_ticket_id.rb
Possible Solution
Use the API action implemented in icinga/icinga2#4485
https://www.icinga.com/docs/icinga2/latest/doc/12-icinga2-api/#generate-ticket
This requires having a fully provisioned Icinga 2 master before any client deployments, which might be a problem with Puppet here.
Context
We've discussed this in a meeting yesterday. I thought I had opened this issue, but this happened for the Director module in icinga/icingaweb2-module-director#401 (where it hasn't been implemented yet to my knowledge).
https://github.com/Icinga/icingaweb2-module-director/blob/da2968a6d3657e20a5695823a80f9f29e6c13e56/library/Director/Util.php#L89 uses their own hashing algorithm; we should take care of it when changing the Puppet module too.
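A sketch of the lookup proposed above, added here as an illustration and not code from puppet-icinga2 or Icinga: the Puppet master asks the Icinga 2 master for the ticket over the `generate-ticket` API action, using basic auth and validating the master's certificate against the Icinga CA. The function names, the sample response and the response fields (`results`, `code`, `ticket`) are assumptions based on the API documentation linked in the issue.

```ruby
require 'json'
require 'net/http'
require 'openssl'
require 'uri'

# Constructed sample of a successful generate-ticket response (assumed shape).
SAMPLE_RESPONSE = '{"results":[{"code":200.0,"status":"Generated PKI ticket.",' \
                  '"ticket":"0123456789abcdef"}]}'.freeze

# Build the POST for the generate-ticket action. Basic auth identifies the
# ApiUser, which needs the actions/generate-ticket permission on the master.
def build_ticket_request(base_url, cn, user, password)
  uri = URI.join(base_url, '/v1/actions/generate-ticket')
  req = Net::HTTP::Post.new(uri)
  req['Accept'] = 'application/json'
  req['Content-Type'] = 'application/json'
  req.basic_auth(user, password)
  req.body = JSON.generate('cn' => cn)
  req
end

# Extract the ticket; fail closed unless there is exactly one result with
# code 200 and a non-empty ticket string.
def parse_ticket_response(body)
  results = JSON.parse(body).fetch('results', [])
  raise ArgumentError, 'expected exactly one result' unless results.size == 1
  result = results.first
  code = result['code'].to_i
  raise ArgumentError, "API returned code #{code}: #{result['status']}" unless code == 200
  ticket = result['ticket']
  raise ArgumentError, 'no ticket in response' unless ticket.is_a?(String) && !ticket.empty?
  ticket
end

# Query the master. ca_file is the Icinga CA certificate, so the API
# endpoint is verified before credentials are sent. Short timeouts make a
# not-yet-provisioned master fail the catalog run quickly and visibly.
def fetch_ticket(base_url, cn, user, password, ca_file)
  uri = URI(base_url)
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.verify_mode = OpenSSL::SSL::VERIFY_PEER
  http.ca_file = ca_file
  http.open_timeout = 5
  http.read_timeout = 10
  res = http.request(build_ticket_request(base_url, cn, user, password))
  raise "generate-ticket failed: HTTP #{res.code}" unless res.is_a?(Net::HTTPSuccess)
  parse_ticket_response(res.body)
end
```

With this approach the ticket salt never has to be known to the Puppet master; only the ApiUser credentials and the CA certificate do.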