Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Migration path for improved certificate signing in the cluster #5679

Closed
5 tasks done
dnsmichi opened this issue Oct 16, 2017 · 0 comments · Fixed by #5682
Closed
5 tasks done

Migration path for improved certificate signing in the cluster #5679

dnsmichi opened this issue Oct 16, 2017 · 0 comments · Fixed by #5682
Assignees
@gunnarbeutner
Labels
area/cli Command line helpers area/distributed Distributed monitoring (master, satellites, clients) enhancement New feature or request
Milestone
2.8.0

Comments

@dnsmichi
Copy link
Contributor

dnsmichi commented Oct 16, 2017
edited by gunnarbeutner

Follows #5450

Requirements

We need to ensure that the certificates are copied to LocalStateDir + "/lib/icinga2/certs" during startup. The user must be notified about these changes and encouraged to use the default path.

The ApiListener configuration options will be deprecated thus enforcing the default certificate path

/var/lib/icinga2/certs/<NodeName>.{crt,key}

If the attributes are set, but the path is empty, only a deprecation warning will be logged. Icinga 2 prefers the /var/lib path then.

Tasks

  • Deprecate ca_path, cert_path and key_path in the ApiListener object.
  • Copy the certificates from pki/ if
    • the files are not in /var/lib
    • the files in pki/ are newer than in /var/lib
  • Add log entries when copying the files during startup
  • Update node wizard/setup CLI commands to not write ApiListener configuration attributes anymore
  • Update documentation

Notes

Instead of a shell script (e.g. prepare-dirs) we have that migration path inside the binary. This makes it easy to migrate Windows clients in the same way like Linux nodes.
@dnsmichi dnsmichi added area/cli Command line helpers area/distributed Distributed monitoring (master, satellites, clients) enhancement New feature or request labels Oct 16, 2017
@dnsmichi dnsmichi added this to the 2.8.0 milestone Oct 16, 2017
@gunnarbeutner gunnarbeutner mentioned this issue Oct 16, 2017
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gunnarbeutner gunnarbeutner

Labels
area/cli Command line helpers area/distributed Distributed monitoring (master, satellites, clients) enhancement New feature or request
Projects
None yet
Milestone
2.8.0
Development

Successfully merging a pull request may close this issue.

Implement support for migrating certificates to /var/lib/icinga2/certs Icinga/icinga2
2 participants
@dnsmichi @gunnarbeutner