Docs: Improve signing modes with preparation hints

For those who do not run `node setup/wizard` but
automation.
Michael Friedrich 2019-07-30 15:16:23 +02:00
parent 0c15b9d7e4
commit 10c78c0159
1 changed files with 24 additions and 1 deletions


@ -360,6 +360,17 @@ Disadvantages:
* Tickets need to be generated on the master and copied to client setup wizards. * Tickets need to be generated on the master and copied to client setup wizards.
* No central signing management. * No central signing management.
#### CSR Auto-Signing: Preparation <a id="distributed-monitoring-setup-csr-auto-signing-preparation"></a>
Prior to using this mode, ensure that the following steps are taken on
the signing master:
* The [master setup](06-distributed-monitoring.md#distributed-monitoring-setup-master) was run successfully. This includes:
* Generated a CA key pair
* Generated a private ticket salt stored in the `TicketSalt` constant, set as `ticket_salt` attribute inside the [api](09-object-types.md#objecttype-apilistener) feature.
* Restart of the master instance.
#### CSR Auto-Signing: On the master <a id="distributed-monitoring-setup-csr-auto-signing-master"></a>
Setup wizards for agent/satellite nodes will ask you for this specific client ticket. Setup wizards for agent/satellite nodes will ask you for this specific client ticket.
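Review bot: In the new "CSR Auto-Signing: Preparation" list, "Restart of the master instance." follows the two "Generated ..." items under "This includes:", so it is unclear whether the restart is something the master setup already did or a step the reader still has to perform. The intro says "ensure that the following steps are taken", so word every item the same way (for example "The master instance was restarted") and make the nesting explicit. The salt item also calls the ticket salt "private" without telling the reader what follows from that; a short clause on where the salt may and may not be copied would fit next to the "Tickets need to be generated on the master" disadvantage listed just above.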
@ -368,6 +379,7 @@ There are two possible ways to retrieve the ticket:
* [CLI command](11-cli-commands.md#cli-command-pki) executed on the master node. * [CLI command](11-cli-commands.md#cli-command-pki) executed on the master node.
* [REST API](12-icinga2-api.md#icinga2-api) request against the master node. * [REST API](12-icinga2-api.md#icinga2-api) request against the master node.
Required information: Required information:
Parameter | Description Parameter | Description
@ -399,7 +411,7 @@ Retrieve the ticket on the master node `icinga2-master1.localdomain` with `curl`
-X POST 'https://localhost:5665/v1/actions/generate-ticket' -d '{ "cn": "icinga2-agent1.localdomain" }' -X POST 'https://localhost:5665/v1/actions/generate-ticket' -d '{ "cn": "icinga2-agent1.localdomain" }'
``` ```
Store that ticket number for the agent/satellite setup below. Store that ticket number for the [agent/satellite setup](06-distributed-monitoring.md#distributed-monitoring-setup-agent-satellite) below.
> **Note** > **Note**
> >
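Review bot: The link added in "Store that ticket number for the [agent/satellite setup](06-distributed-monitoring.md#distributed-monitoring-setup-agent-satellite) below." targets an anchor that this patch neither adds nor shows in context, unlike the two `-preparation` ids introduced in the other hunks. Please confirm that id exists in 06-distributed-monitoring.md so the link does not dangle. Minor: the surrounding lines say "ticket" throughout ("retrieve the ticket", "client ticket"), so "ticket number" could be shortened to "ticket" while this line is being touched.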
@ -408,6 +420,7 @@ Store that ticket number for the agent/satellite setup below.
> to the authorized Puppet agent node which will invoke the > to the authorized Puppet agent node which will invoke the
> [automated setup steps](06-distributed-monitoring.md#distributed-monitoring-automation-cli-node-setup). > [automated setup steps](06-distributed-monitoring.md#distributed-monitoring-automation-cli-node-setup).
### On-Demand CSR Signing <a id="distributed-monitoring-setup-on-demand-csr-signing"></a> ### On-Demand CSR Signing <a id="distributed-monitoring-setup-on-demand-csr-signing"></a>
The client can be a secondary master, satellite or agent. The client can be a secondary master, satellite or agent.
@ -428,6 +441,16 @@ Disadvantages:
* Asynchronous step for automated deployments. * Asynchronous step for automated deployments.
* Needs client verification on the master. * Needs client verification on the master.
#### On-Demand CSR Signing: Preparation <a id="distributed-monitoring-setup-on-demand-csr-signing-preparation"></a>
Prior to using this mode, ensure that the following steps are taken on
the signing master:
* The [master setup](06-distributed-monitoring.md#distributed-monitoring-setup-master) was run successfully. This includes:
* Generated a CA key pair
* Restart of the master instance.
#### On-Demand CSR Signing: On the master <a id="distributed-monitoring-setup-on-demand-csr-signing-master"></a>
You can list pending certificate signing requests with the `ca list` CLI command. You can list pending certificate signing requests with the `ca list` CLI command.
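Review bot: The "On-Demand CSR Signing: Preparation" block repeats the auto-signing preparation with the ticket salt item dropped, which leaves "This includes:" introducing a single "Generated a CA key pair" bullet and makes the one real difference between the two modes something the reader has to work out by comparing both sections. Consider stating outright that no ticket salt is required for this mode. Given the "Needs client verification on the master" disadvantage in the context above, a pointer forward to the `ca list` step in "On the master" would also tell the reader where the pending requests get reviewed.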