Fix tlsaccept (#1343)

ansible-collections · Jul 13, 2024 · 6eb097e · 6eb097e
1 parent 58234c6
commit 6eb097e
Show file tree

Hide file tree

Showing 8 changed files with 153 additions and 17 deletions.
diff --git a/changelogs/fragments/tlsaccept.yml b/changelogs/fragments/tlsaccept.yml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+  - zabbix_agent role - fix TLSAccept parameter provisioning in zabbix_agentd.conf
diff --git a/molecule/zabbix_agent_tests/common/molecule.yml b/molecule/zabbix_agent_tests/common/molecule.yml
@@ -42,7 +42,10 @@ provisioner:
         zabbix_agent_serveractive: 192.168.3.33
         zabbix_agent_listenip: 0.0.0.0
         zabbix_agent_tlsconnect: psk
-        zabbix_agent_tlsaccept: psk
+        zabbix_agent_tlsaccept: psk,cert
+        zabbix_agent_tlscertfile: /etc/zabbix/cert
+        zabbix_agent_tlskeyfile: /etc/zabbix/key
+        zabbix_agent_tlscafile: /etc/zabbix/ca
         zabbix_repo_apt_priority: 1
         zabbix_repo_yum_gpg_check: 1
       v70:

diff --git a/molecule/zabbix_agent_tests/common/playbooks/prepare.yml b/molecule/zabbix_agent_tests/common/playbooks/prepare.yml
@@ -51,6 +51,126 @@
       tags:
         - skip_ansible_lint
 
+    - block:
+      - name: 'Create zabbix group'
+        ansible.builtin.group:
+          name: zabbix
+
+      - name: 'Create zabbix user'
+        ansible.builtin.user:
+          create_home: False
+          name: zabbix
+          group: zabbix
+
+      - name: 'Create /etc/zabbix folder'
+        ansible.builtin.file:
+          path: /etc/zabbix
+          state: directory
+          owner: zabbix
+          group: zabbix
+
+
+      - name: "Create certificate file"
+        ansible.builtin.copy:
+          dest: "{{ zabbix_agent_tlscertfile }}"
+          content: |
+            -----BEGIN CERTIFICATE-----
+            MIID/DCCAuSgAwIBAgIQN/dIqcouWAa+TOzCuMr3dDANBgkqhkiG9w0BAQsFADAZ
+            MRcwFQYDVQQDDA5CR21vdCBsb2NhbCBDQTAeFw0yMzAyMTAxMzIxNTNaFw0yNTA1
+            MTUxMzIxNTNaMIGYMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzETMBEG
+            A1UEBwwKV29vZGJyaWRnZTETMBEGA1UECgwKQkdtb3QgSW5jLjETMBEGA1UECwwK
+            T3BlcmF0aW9uczEWMBQGA1UEAwwNeC1tYmxhYi5sb2NhbDEgMB4GCSqGSIb3DQEJ
+            ARYRc3VwcG9ydEBiZ21vdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK
+            AoIBAQC9WalzI6XplGnWFbWEEWS/ZR401709JQ6afWPPUvF44opeadqrjzBG5qmq
+            G/174+GxrTbNXwKLIkRKM8xvSJkn9zIXOJBnU+UTzpR0gzF2CTDrzXDvmNfZe6ii
+            RCkfFd7mMxevMq+mK6XQBAZ2xH31OLWJ1+Jv8HVM7ifIIhRGLZFI3W6t2V9hm39+
+            pxtUJwyyT/lf7GIRu8aTmS4bOtxarySWvPZihuoIjDKe3G5xpK1tId49GIVeDYRz
+            5wN9GBOOAbgtKQgQHV7w50p7KIg8Y4CSHRLKNpx1CoegJqjIVkYZXiF0UUqbakQm
+            EAejgfSO8ZEeC/uKwz/L8jT0jyA9AgMBAAGjgb8wgbwwCQYDVR0TBAIwADAdBgNV
+            HQ4EFgQU6DrOwAQRc8FL0SWrueA9ugt8WygwVAYDVR0jBE0wS4AU8U2o5wCvoNaP
+            daIOfdkQpiaWzNWhHaQbMBkxFzAVBgNVBAMMDkJHbW90IGxvY2FsIENBghRMcv/1
+            gHx5O7aF72N5HCR+PLFc0zATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMC
+            BaAwGAYDVR0RBBEwD4INeC1tYmxhYi5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEA
+            CDuGnlLGUrBDhXnJZHkf0Yur4rnzzH7gpoMGlsJ777zNkL9K5KWOMtN4NJ14cLCN
+            pCQaj0awPkPqLcUmAAjNKXrEHHiWtNHPbU86sZAOMPnf/Nop6rIrSnY9TgNj0voW
+            dUWT6rCUTgIeEs075X6vmNlziTZ5nvA041OrSQFY//OBpwDnQcBEyFgoMa3Ikcer
+            2+khuwdNC7vrkBsMs0Iym4Ej+bNib0LGtH4sozBhgZxtCBPXtDDsb6Q76kHXeaL9
+            z80yQjQXeX+fePfXi6WF1RhmUmb8c7Q36vtfGWi3qvJFawYdcDpUROyhsLQCo/kW
+            9YoBvbTxZrwTilcI1Sm5qw==
+            -----END CERTIFICATE-----
+          owner: zabbix
+          group: zabbix
+          mode: 0444
+        become: true
+
+      - name: "Create certificate key file"
+        ansible.builtin.copy:
+          dest: "{{ zabbix_agent_tlskeyfile }}"
+          content: |
+            -----BEGIN PRIVATE KEY-----
+            MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9WalzI6XplGnW
+            FbWEEWS/ZR401709JQ6afWPPUvF44opeadqrjzBG5qmqG/174+GxrTbNXwKLIkRK
+            M8xvSJkn9zIXOJBnU+UTzpR0gzF2CTDrzXDvmNfZe6iiRCkfFd7mMxevMq+mK6XQ
+            BAZ2xH31OLWJ1+Jv8HVM7ifIIhRGLZFI3W6t2V9hm39+pxtUJwyyT/lf7GIRu8aT
+            mS4bOtxarySWvPZihuoIjDKe3G5xpK1tId49GIVeDYRz5wN9GBOOAbgtKQgQHV7w
+            50p7KIg8Y4CSHRLKNpx1CoegJqjIVkYZXiF0UUqbakQmEAejgfSO8ZEeC/uKwz/L
+            8jT0jyA9AgMBAAECggEABnvSZOCeUHjzBZzy44W4jLwFkUSnGur9n+xvcjMPLrCY
+            xIvcxedRlvpUaloQz3qDPDmUrB3QcS6bgDj1Pp6rRxmPuKJvG2kQtofQpvHl5ZQb
+            lzxB9wpYr2Tf5njtn/Fe4ER1AqkT9Hb/jTeeEXIMzn+1g6jsFlSTB68KykkUdAsR
+            sx8WnnvhtHe9V34rNcpY+hVUF9liqUZDeiO/zPmMEzlqD5lY+hcyntnyy8L5GJ5B
+            3GDKwURFO3lC1bSkxTid8Iv8uoFCkJZMnOcJqkGYiV5ulFOqvD2hUBN8GzyJFijG
+            7NeO2DL8NKBoeIySrydzvxDy2hqnQ4UpQ4NYPbAA5wKBgQDP8kp0Jcp4GQiwNwiM
+            VEegoaDxBH9hsLpKTk8w2RQLQjmOvASKbKT1eq5sP6b77VSwZKRLUBGIA7Eaw0KG
+            Id8XiN9dk3qtZy5NgSy8JE5OdKtUaz8WXz7G4w0L834fOZAJr36watAG+DGPjl/0
+            bpHxDzckQHWOWvwEfOG1yldlWwKBgQDpG0FotcqkHus9s9fKZ2zY1YAAXOZa9ehW
+            RXIbBLFkR+TKCwUEBUkxkXxwZwPivyiciA6EK0azpJGbH5LJpMINZen620D4IFSz
+            ANzuW8YL21ggJ9fI18F7XnNTmMgIBiMegwdY4Wo4WqH/q+LEWo5UXbAww4sRcAYF
+            fYP+UqFMRwKBgGH+aB+7/2IBShrglGKtBOQpxtJNsEm1ItUJekAmzE9R8hXVfL5O
+            3J3iJnhUtrhZ62MEynfDT7+tHbTi92KGa7+HfNt4OIOm8CcODKrM4SoPyP2LXLuK
+            Pucy8F8FbBYC5mHqFeXFMCtYouJn0cg6owPai73FsqBXOBRVVXh51h2pAoGASHQS
+            RouKqqx5jboibmTrLhJeML6vUsJwLrBzIPa6dGLsN+ho7LD/6QpBVWaPjKDB7LVV
+            XbtdxGR4ZXDQ3R/6uNNegHw5m2XhLaotAWFBE1pf786ygVieaMwYqHkqY2QU8lzj
+            obqem1mAVMmGOGW1K3/bTazZwtfA51/18MyaGe0CgYEAnNkbzTcLek5MSbb0uqjJ
+            ftDaf7V4HEmBGH0vAiBWTEsOtBLYaje6a6lsG8wIW4NcYthcGV5LjQfbq6kwosWA
+            5xXoLTMvgI2R+Wc21RZYc61Xp3wII51bWv7EbTRIXGXVn6vLwf7+zuoi/rLw2KG5
+            aAh1Rvx04uY+7cD6R0gy4Jw=
+            -----END PRIVATE KEY-----
+          owner: zabbix
+          group: zabbix
+          mode: 0400
+        become: true
+
+      - name: "Create certificate authority file"
+        ansible.builtin.copy:
+          dest: "{{ zabbix_agent_tlscafile }}"
+          content: |
+            -----BEGIN CERTIFICATE-----
+            MIIDVDCCAjygAwIBAgIUTHL/9YB8eTu2he9jeRwkfjyxXNMwDQYJKoZIhvcNAQEL
+            BQAwGTEXMBUGA1UEAwwOQkdtb3QgbG9jYWwgQ0EwHhcNMjMwMjEwMTMxMjUwWhcN
+            MzMwMjA3MTMxMjUwWjAZMRcwFQYDVQQDDA5CR21vdCBsb2NhbCBDQTCCASIwDQYJ
+            KoZIhvcNAQEBBQADggEPADCCAQoCggEBALp40chYgpb+GiibnMmQ/vw8RcVYSnRa
+            aI3VuBMoQGspXMCrhoFnRfnzB0oME8owg6gWACfyBbq4iH8qFJykBqt7RbQSw23W
+            cNQK7BvcNmJg6YSGZ7VXnm2SIofv7c3MjajdYwUrmrrOhNCRkWz0ro9kGnqKTYM7
+            piH2rezt3qfSkttH9qOaMpfqnkVBCy7Ktc4tfCW0MT6/0g8zZiT4603mdM96CkXe
+            FkeEBaPdIKPnjpVfDjG554yaNFZVwVkUrqy5Y5AHGMCVrXkEljuM0IO7KFHrgzfJ
+            08xPxaR5Hrsb9h4Co238elwVzLJFt+WvkaQ2TkbbeWVVU2ZmRn1FiGUCAwEAAaOB
+            kzCBkDAdBgNVHQ4EFgQU8U2o5wCvoNaPdaIOfdkQpiaWzNUwVAYDVR0jBE0wS4AU
+            8U2o5wCvoNaPdaIOfdkQpiaWzNWhHaQbMBkxFzAVBgNVBAMMDkJHbW90IGxvY2Fs
+            IENBghRMcv/1gHx5O7aF72N5HCR+PLFc0zAMBgNVHRMEBTADAQH/MAsGA1UdDwQE
+            AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAm1oQNGFnafxuvFgR4T7lgSetimZXnqCW
+            aFBWPyzvho0JsS6N/qk8qeQCmQN82N54sx97v/Ct7ZjjVu9/osG1GqLGrJLhRdY7
+            Wqk1WIKEq1T007P7tEy0/yYc/hJ+vueMX8X5CUli7oeU8PoGzm/3hHvcVTyqpvlz
+            x7yBGiA+Q7Os9qdhLSKWeBf08l2Uv1UuIfdMK5wdL/vCDejJU+v3ABrNRAl5l46i
+            s6oqzPDQxyXn4Yg6QZ7HQP1f5tpaVs1T+dpNXe1Wj3yFBi2qcH/TZc3GlBAN2znB
+            wlTothMmKYR4IbmO4hdgIVR38U8c52xVEg45EHRSWMqjLmrtnHqXAw==
+            -----END CERTIFICATE-----
+          owner: zabbix
+          group: zabbix
+          mode: 0444
+        become: true
+
+      when: zabbix_agent_tlscertfile is defined
+
 - name: Prepare
   hosts: docker
   tasks:

diff --git a/molecule/zabbix_agent_tests/common/tests/common/test_agent.py b/molecule/zabbix_agent_tests/common/tests/common/test_agent.py
@@ -22,6 +22,12 @@ def test_zabbix_agent_dot_conf(zabbix_agent_conf):
     assert zabbix_agent_conf.contains("ServerActive=192.168.3.33")
     assert zabbix_agent_conf.contains("DebugLevel=3")
 
+    assert zabbix_agent_conf.contains("TLSConnect=psk")
+    assert zabbix_agent_conf.contains("TLSAccept=psk,cert")
+    assert zabbix_agent_conf.contains("TLSCertFile=/etc/zabbix/cert")
+    assert zabbix_agent_conf.contains("TLSKeyFile=/etc/zabbix/key")
+    assert zabbix_agent_conf.contains("TLSCAFile=/etc/zabbix/ca")
+
 
 def test_zabbix_include_dir(zabbix_agent_include_dir):
     assert zabbix_agent_include_dir.is_directory

diff --git a/molecule/zabbix_agent_tests/molecule/agent2/molecule.yml b/molecule/zabbix_agent_tests/molecule/agent2/molecule.yml
@@ -7,9 +7,7 @@ provisioner:
     group_vars:
       all:
         zabbix_agent2: true
-        zabbix_agent_tlsconnect: psk
-        zabbix_agent_tlsaccept: psk
-        zabbix_agent_tlspsk_auto: True
+        zabbix_agent_tlspsk_auto: False
         zabbix_agent_tlspskidentity: my_Identity
         zabbix_agent_tlspskfile: /data/certs/zabbix.psk
         zabbix_agent_tlspsk_secret: 97defd6bd126d5ba7fa5f296595f82eac905d5eda270207a580ab7c0cb9e8eab

diff --git a/molecule/zabbix_agent_tests/molecule/agent2autopsk/molecule.yml b/molecule/zabbix_agent_tests/molecule/agent2autopsk/molecule.yml
@@ -7,8 +7,6 @@ provisioner:
     group_vars:
       all:
         zabbix_agent2: true
-        zabbix_agent_tlsconnect: psk
-        zabbix_agent_tlsaccept: psk
         zabbix_agent_tlspsk_auto: True
         zabbix_agent_plugins:
           - name: SystemRun

diff --git a/roles/zabbix_agent/tasks/main.yml b/roles/zabbix_agent/tasks/main.yml
@@ -61,16 +61,29 @@
   when:
     - not (zabbix_agent_docker | bool)
 
-- name: AutoPSK | Default tlsaccept and tlsconnect to enforce PSK
-  ansible.builtin.set_fact:
-    zabbix_agent_tlsaccept: psk
-    zabbix_agent_tlsconnect: psk
+- block:
+    - name: AutoPSK | Default tlsconnect to enforce PSK
+      ansible.builtin.set_fact:
+        zabbix_agent_tlsconnect: psk
+
+    - name: AutoPSK | Default tlsaccept to enforce PSK when zabbix_agent_tlsaccept is not defined
+      ansible.builtin.set_fact:
+        zabbix_agent_tlsaccept: psk
+      when: not zabbix_agent_tlsaccept is defined
+
+    - name: AutoPSK | Default tlsaccept to enforce PSK when zabbix_agent_tlsaccept is defined
+      ansible.builtin.set_fact:
+        zabbix_agent_tlsaccept: "{{ 'psk,' + zabbix_agent_tlsaccept }}"
+      when:
+        - zabbix_agent_tlsaccept is defined
+        - not 'psk' in zabbix_agent_tlsaccept
+
   when: zabbix_agent_tlspsk_auto | bool
   tags:
     - config
 
 - name: Configure PSK
-  when: "( zabbix_agent_tlsaccept == 'psk' ) or (zabbix_agent_tlsconnect  == 'psk')"
+  when: "( 'psk' in zabbix_agent_tlsaccept ) or (zabbix_agent_tlsconnect  == 'psk')"
   block:
     - name: Gather PSK Secret Info
       ansible.builtin.include_tasks: psk_secret.yml
@@ -85,11 +98,6 @@
   when:
     - ansible_os_family == "Windows"
 
-- name: "Configure Agent"
-  ansible.builtin.include_tasks: Windows_conf.yml
-  when:
-    - ansible_os_family == "Windows"
-
 - name: "Configure Agent"
   ansible.builtin.include_tasks: Linux.yml
   when:

diff --git a/roles/zabbix_agent/templates/agent.conf.j2 b/roles/zabbix_agent/templates/agent.conf.j2
@@ -121,7 +121,7 @@ Plugins.{{ my_name }}.{{ param }}={{ value }}
 {{ (zabbix_agent_statusport is defined and zabbix_agent_statusport is not none) | ternary('', '# ') }}StatusPort={{ zabbix_agent_statusport | default('') }}
 {% endif %}
 {{ (zabbix_agent_timeout is defined and zabbix_agent_timeout is not none) | ternary('', '# ') }}Timeout={{ zabbix_agent_timeout | default('') }}
-{{ (zabbix_agent_tlsconnect is defined and zabbix_agent_tlsconnect is not none) | ternary('', '# ') }}TLSAccept={{ zabbix_agent_tlsconnect | default('') }}
+{{ (zabbix_agent_tlsconnect is defined and zabbix_agent_tlsaccept is not none) | ternary('', '# ') }}TLSAccept={{ zabbix_agent_tlsaccept | default('') }}
 {{ (zabbix_agent_tlscafile is defined and zabbix_agent_tlscafile is not none) | ternary('', '# ') }}TLSCAFile={{ zabbix_agent_tlscafile | default('') }}
 {{ (zabbix_agent_tlscertfile is defined and zabbix_agent_tlscertfile is not none) | ternary('', '# ') }}TLSCertFile={{ zabbix_agent_tlscertfile | default('') }}
 {% if not zabbix_agent2 and ansible_os_family != "Windows" %}