From 6eb097eea4be69dd30d509ac94a170f607048aa6 Mon Sep 17 00:00:00 2001
From: Evgeny
Date: Sat, 13 Jul 2024 12:10:19 -0400
Subject: [PATCH] Fix tlsaccept (#1343)

---
changelogs/fragments/tlsaccept.yml | 3 +
.../zabbix_agent_tests/common/molecule.yml | 5 +-
.../common/playbooks/prepare.yml | 120 ++++++++++++++++++
.../common/tests/common/test_agent.py | 6 +
.../molecule/agent2/molecule.yml | 4 +-
.../molecule/agent2autopsk/molecule.yml | 2 -
roles/zabbix_agent/tasks/main.yml | 28 ++--
roles/zabbix_agent/templates/agent.conf.j2 | 2 +-
8 files changed, 153 insertions(+), 17 deletions(-)
create mode 100644 changelogs/fragments/tlsaccept.yml

diff --git a/changelogs/fragments/tlsaccept.yml b/changelogs/fragments/tlsaccept.yml
new file mode 100644
index 000000000..eded34589
--- /dev/null
+++ b/changelogs/fragments/tlsaccept.yml
@@ -0,0 +1,3 @@
+---
+bugfixes:
+ - zabbix_agent role - fix TLSAccept parameter provisioning in zabbix_agentd.conf
diff --git a/molecule/zabbix_agent_tests/common/molecule.yml b/molecule/zabbix_agent_tests/common/molecule.yml
index 3dff8972f..7708a284c 100644
--- a/molecule/zabbix_agent_tests/common/molecule.yml
+++ b/molecule/zabbix_agent_tests/common/molecule.yml
@@ -42,7 +42,10 @@ provisioner:
 zabbix_agent_serveractive: 192.168.3.33
 zabbix_agent_listenip: 0.0.0.0
 zabbix_agent_tlsconnect: psk
- zabbix_agent_tlsaccept: psk
+ zabbix_agent_tlsaccept: psk,cert
+ zabbix_agent_tlscertfile: /etc/zabbix/cert
+ zabbix_agent_tlskeyfile: /etc/zabbix/key
+ zabbix_agent_tlscafile: /etc/zabbix/ca
 zabbix_repo_apt_priority: 1
 zabbix_repo_yum_gpg_check: 1
 v70:
diff --git a/molecule/zabbix_agent_tests/common/playbooks/prepare.yml b/molecule/zabbix_agent_tests/common/playbooks/prepare.yml
index fedb2a394..4a86ba356 100644
--- a/molecule/zabbix_agent_tests/common/playbooks/prepare.yml
+++ b/molecule/zabbix_agent_tests/common/playbooks/prepare.yml
@@ -51,6 +51,126 @@ tags: - skip_ansible_lint + - block: + - name: 'Create zabbix group' + ansible.builtin.group: + name: zabbix + + - name: 'Create zabbix user' + ansible.builtin.user: + create_home: False + name: zabbix + group: zabbix + + - name: 'Create /etc/zabbix folder' + ansible.builtin.file: + path: /etc/zabbix + state: directory + owner: zabbix + group: zabbix + + + - name: "Create certificate file" + ansible.builtin.copy: + dest: "{{ zabbix_agent_tlscertfile }}" + content: | + -----BEGIN CERTIFICATE----- + MIID/DCCAuSgAwIBAgIQN/dIqcouWAa+TOzCuMr3dDANBgkqhkiG9w0BAQsFADAZ + MRcwFQYDVQQDDA5CR21vdCBsb2NhbCBDQTAeFw0yMzAyMTAxMzIxNTNaFw0yNTA1 + MTUxMzIxNTNaMIGYMQswCQYDVQQGEwJDQTEQMA4GA1UECAwHT250YXJpbzETMBEG + A1UEBwwKV29vZGJyaWRnZTETMBEGA1UECgwKQkdtb3QgSW5jLjETMBEGA1UECwwK + T3BlcmF0aW9uczEWMBQGA1UEAwwNeC1tYmxhYi5sb2NhbDEgMB4GCSqGSIb3DQEJ + ARYRc3VwcG9ydEBiZ21vdC5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEK + AoIBAQC9WalzI6XplGnWFbWEEWS/ZR401709JQ6afWPPUvF44opeadqrjzBG5qmq + G/174+GxrTbNXwKLIkRKM8xvSJkn9zIXOJBnU+UTzpR0gzF2CTDrzXDvmNfZe6ii + RCkfFd7mMxevMq+mK6XQBAZ2xH31OLWJ1+Jv8HVM7ifIIhRGLZFI3W6t2V9hm39+ + pxtUJwyyT/lf7GIRu8aTmS4bOtxarySWvPZihuoIjDKe3G5xpK1tId49GIVeDYRz + 5wN9GBOOAbgtKQgQHV7w50p7KIg8Y4CSHRLKNpx1CoegJqjIVkYZXiF0UUqbakQm + EAejgfSO8ZEeC/uKwz/L8jT0jyA9AgMBAAGjgb8wgbwwCQYDVR0TBAIwADAdBgNV + HQ4EFgQU6DrOwAQRc8FL0SWrueA9ugt8WygwVAYDVR0jBE0wS4AU8U2o5wCvoNaP + daIOfdkQpiaWzNWhHaQbMBkxFzAVBgNVBAMMDkJHbW90IGxvY2FsIENBghRMcv/1 + gHx5O7aF72N5HCR+PLFc0zATBgNVHSUEDDAKBggrBgEFBQcDATALBgNVHQ8EBAMC + BaAwGAYDVR0RBBEwD4INeC1tYmxhYi5sb2NhbDANBgkqhkiG9w0BAQsFAAOCAQEA + CDuGnlLGUrBDhXnJZHkf0Yur4rnzzH7gpoMGlsJ777zNkL9K5KWOMtN4NJ14cLCN + pCQaj0awPkPqLcUmAAjNKXrEHHiWtNHPbU86sZAOMPnf/Nop6rIrSnY9TgNj0voW + dUWT6rCUTgIeEs075X6vmNlziTZ5nvA041OrSQFY//OBpwDnQcBEyFgoMa3Ikcer + 2+khuwdNC7vrkBsMs0Iym4Ej+bNib0LGtH4sozBhgZxtCBPXtDDsb6Q76kHXeaL9 + z80yQjQXeX+fePfXi6WF1RhmUmb8c7Q36vtfGWi3qvJFawYdcDpUROyhsLQCo/kW + 9YoBvbTxZrwTilcI1Sm5qw== + -----END CERTIFICATE----- + owner: zabbix 
+ group: zabbix + mode: 0444 + become: true + + - name: "Create certificate key file" + ansible.builtin.copy: + dest: "{{ zabbix_agent_tlskeyfile }}" + content: | + -----BEGIN PRIVATE KEY----- + MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC9WalzI6XplGnW + FbWEEWS/ZR401709JQ6afWPPUvF44opeadqrjzBG5qmqG/174+GxrTbNXwKLIkRK + M8xvSJkn9zIXOJBnU+UTzpR0gzF2CTDrzXDvmNfZe6iiRCkfFd7mMxevMq+mK6XQ + BAZ2xH31OLWJ1+Jv8HVM7ifIIhRGLZFI3W6t2V9hm39+pxtUJwyyT/lf7GIRu8aT + mS4bOtxarySWvPZihuoIjDKe3G5xpK1tId49GIVeDYRz5wN9GBOOAbgtKQgQHV7w + 50p7KIg8Y4CSHRLKNpx1CoegJqjIVkYZXiF0UUqbakQmEAejgfSO8ZEeC/uKwz/L + 8jT0jyA9AgMBAAECggEABnvSZOCeUHjzBZzy44W4jLwFkUSnGur9n+xvcjMPLrCY + xIvcxedRlvpUaloQz3qDPDmUrB3QcS6bgDj1Pp6rRxmPuKJvG2kQtofQpvHl5ZQb + lzxB9wpYr2Tf5njtn/Fe4ER1AqkT9Hb/jTeeEXIMzn+1g6jsFlSTB68KykkUdAsR + sx8WnnvhtHe9V34rNcpY+hVUF9liqUZDeiO/zPmMEzlqD5lY+hcyntnyy8L5GJ5B + 3GDKwURFO3lC1bSkxTid8Iv8uoFCkJZMnOcJqkGYiV5ulFOqvD2hUBN8GzyJFijG + 7NeO2DL8NKBoeIySrydzvxDy2hqnQ4UpQ4NYPbAA5wKBgQDP8kp0Jcp4GQiwNwiM + VEegoaDxBH9hsLpKTk8w2RQLQjmOvASKbKT1eq5sP6b77VSwZKRLUBGIA7Eaw0KG + Id8XiN9dk3qtZy5NgSy8JE5OdKtUaz8WXz7G4w0L834fOZAJr36watAG+DGPjl/0 + bpHxDzckQHWOWvwEfOG1yldlWwKBgQDpG0FotcqkHus9s9fKZ2zY1YAAXOZa9ehW + RXIbBLFkR+TKCwUEBUkxkXxwZwPivyiciA6EK0azpJGbH5LJpMINZen620D4IFSz + ANzuW8YL21ggJ9fI18F7XnNTmMgIBiMegwdY4Wo4WqH/q+LEWo5UXbAww4sRcAYF + fYP+UqFMRwKBgGH+aB+7/2IBShrglGKtBOQpxtJNsEm1ItUJekAmzE9R8hXVfL5O + 3J3iJnhUtrhZ62MEynfDT7+tHbTi92KGa7+HfNt4OIOm8CcODKrM4SoPyP2LXLuK + Pucy8F8FbBYC5mHqFeXFMCtYouJn0cg6owPai73FsqBXOBRVVXh51h2pAoGASHQS + RouKqqx5jboibmTrLhJeML6vUsJwLrBzIPa6dGLsN+ho7LD/6QpBVWaPjKDB7LVV + XbtdxGR4ZXDQ3R/6uNNegHw5m2XhLaotAWFBE1pf786ygVieaMwYqHkqY2QU8lzj + obqem1mAVMmGOGW1K3/bTazZwtfA51/18MyaGe0CgYEAnNkbzTcLek5MSbb0uqjJ + ftDaf7V4HEmBGH0vAiBWTEsOtBLYaje6a6lsG8wIW4NcYthcGV5LjQfbq6kwosWA + 5xXoLTMvgI2R+Wc21RZYc61Xp3wII51bWv7EbTRIXGXVn6vLwf7+zuoi/rLw2KG5 + aAh1Rvx04uY+7cD6R0gy4Jw= + -----END PRIVATE KEY----- + owner: zabbix + group: zabbix + mode: 0400 + become: true + + - name: 
"Create certificate authority file" + ansible.builtin.copy: + dest: "{{ zabbix_agent_tlscafile }}" + content: | + -----BEGIN CERTIFICATE----- + MIIDVDCCAjygAwIBAgIUTHL/9YB8eTu2he9jeRwkfjyxXNMwDQYJKoZIhvcNAQEL + BQAwGTEXMBUGA1UEAwwOQkdtb3QgbG9jYWwgQ0EwHhcNMjMwMjEwMTMxMjUwWhcN + MzMwMjA3MTMxMjUwWjAZMRcwFQYDVQQDDA5CR21vdCBsb2NhbCBDQTCCASIwDQYJ + KoZIhvcNAQEBBQADggEPADCCAQoCggEBALp40chYgpb+GiibnMmQ/vw8RcVYSnRa + aI3VuBMoQGspXMCrhoFnRfnzB0oME8owg6gWACfyBbq4iH8qFJykBqt7RbQSw23W + cNQK7BvcNmJg6YSGZ7VXnm2SIofv7c3MjajdYwUrmrrOhNCRkWz0ro9kGnqKTYM7 + piH2rezt3qfSkttH9qOaMpfqnkVBCy7Ktc4tfCW0MT6/0g8zZiT4603mdM96CkXe + FkeEBaPdIKPnjpVfDjG554yaNFZVwVkUrqy5Y5AHGMCVrXkEljuM0IO7KFHrgzfJ + 08xPxaR5Hrsb9h4Co238elwVzLJFt+WvkaQ2TkbbeWVVU2ZmRn1FiGUCAwEAAaOB + kzCBkDAdBgNVHQ4EFgQU8U2o5wCvoNaPdaIOfdkQpiaWzNUwVAYDVR0jBE0wS4AU + 8U2o5wCvoNaPdaIOfdkQpiaWzNWhHaQbMBkxFzAVBgNVBAMMDkJHbW90IGxvY2Fs + IENBghRMcv/1gHx5O7aF72N5HCR+PLFc0zAMBgNVHRMEBTADAQH/MAsGA1UdDwQE + AwIBBjANBgkqhkiG9w0BAQsFAAOCAQEAm1oQNGFnafxuvFgR4T7lgSetimZXnqCW + aFBWPyzvho0JsS6N/qk8qeQCmQN82N54sx97v/Ct7ZjjVu9/osG1GqLGrJLhRdY7 + Wqk1WIKEq1T007P7tEy0/yYc/hJ+vueMX8X5CUli7oeU8PoGzm/3hHvcVTyqpvlz + x7yBGiA+Q7Os9qdhLSKWeBf08l2Uv1UuIfdMK5wdL/vCDejJU+v3ABrNRAl5l46i + s6oqzPDQxyXn4Yg6QZ7HQP1f5tpaVs1T+dpNXe1Wj3yFBi2qcH/TZc3GlBAN2znB + wlTothMmKYR4IbmO4hdgIVR38U8c52xVEg45EHRSWMqjLmrtnHqXAw== + -----END CERTIFICATE----- + owner: zabbix + group: zabbix + mode: 0444 + become: true + + when: zabbix_agent_tlscertfile is defined + - name: Prepare hosts: docker tasks: diff --git a/molecule/zabbix_agent_tests/common/tests/common/test_agent.py b/molecule/zabbix_agent_tests/common/tests/common/test_agent.py index 688b62e22..c7920f505 100644 --- a/molecule/zabbix_agent_tests/common/tests/common/test_agent.py +++ b/molecule/zabbix_agent_tests/common/tests/common/test_agent.py 
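Review bot: The three copy tasks embed a literal RSA private key and two certificates as fixture content, so the key is a reusable, publicly known secret and the leaf certificate has a fixed lifetime; decoding the base64 in the hunk suggests its notAfter is 2025-05-15 (confirm with `openssl x509 -noout -dates`), after which this scenario and the TLSAccept=psk,cert assertions start failing without any code change. Generating the CA and agent certificate at prepare time (community.crypto's openssl_privatekey/openssl_csr/x509_certificate, or an openssl command task) would avoid both the committed key and the expiry. Smaller points in the same hunk: quote the octal modes so YAML cannot retype them (`mode: "0444"` / `mode: "0400"`), write `create_home: false`, and note that the block is gated on `when: zabbix_agent_tlscertfile is defined` while its tasks also dereference `zabbix_agent_tlskeyfile` and `zabbix_agent_tlscafile`, which fail as undefined if only the cert path is set. The group, user and directory tasks at the top of the block run without `become: true` unlike the copy tasks; this presumably only works because the molecule containers run as root.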
@@ -22,6 +22,12 @@ def test_zabbix_agent_dot_conf(zabbix_agent_conf):
 assert zabbix_agent_conf.contains("ServerActive=192.168.3.33")
 assert zabbix_agent_conf.contains("DebugLevel=3")
+ assert zabbix_agent_conf.contains("TLSConnect=psk")
+ assert zabbix_agent_conf.contains("TLSAccept=psk,cert")
+ assert zabbix_agent_conf.contains("TLSCertFile=/etc/zabbix/cert")
+ assert zabbix_agent_conf.contains("TLSKeyFile=/etc/zabbix/key")
+ assert zabbix_agent_conf.contains("TLSCAFile=/etc/zabbix/ca")
+
 def test_zabbix_include_dir(zabbix_agent_include_dir):
 assert zabbix_agent_include_dir.is_directory
diff --git a/molecule/zabbix_agent_tests/molecule/agent2/molecule.yml b/molecule/zabbix_agent_tests/molecule/agent2/molecule.yml
index 6aec67310..a2b21794b 100644
--- a/molecule/zabbix_agent_tests/molecule/agent2/molecule.yml
+++ b/molecule/zabbix_agent_tests/molecule/agent2/molecule.yml
@@ -7,9 +7,7 @@ provisioner:
 group_vars:
 all:
 zabbix_agent2: true
- zabbix_agent_tlsconnect: psk
- zabbix_agent_tlsaccept: psk
- zabbix_agent_tlspsk_auto: True
+ zabbix_agent_tlspsk_auto: False
 zabbix_agent_tlspskidentity: my_Identity
 zabbix_agent_tlspskfile: /data/certs/zabbix.psk
 zabbix_agent_tlspsk_secret: 97defd6bd126d5ba7fa5f296595f82eac905d5eda270207a580ab7c0cb9e8eab
diff --git a/molecule/zabbix_agent_tests/molecule/agent2autopsk/molecule.yml b/molecule/zabbix_agent_tests/molecule/agent2autopsk/molecule.yml
index 90c4a49a7..9384400ee 100644
--- a/molecule/zabbix_agent_tests/molecule/agent2autopsk/molecule.yml
+++ b/molecule/zabbix_agent_tests/molecule/agent2autopsk/molecule.yml
@@ -7,8 +7,6 @@ provisioner:
 group_vars:
 all:
 zabbix_agent2: true
- zabbix_agent_tlsconnect: psk
- zabbix_agent_tlsaccept: psk
 zabbix_agent_tlspsk_auto: True
 zabbix_agent_plugins:
 - name: SystemRun
diff --git a/roles/zabbix_agent/tasks/main.yml b/roles/zabbix_agent/tasks/main.yml
index 47be732e4..a809829ae 100644
--- a/roles/zabbix_agent/tasks/main.yml
+++ b/roles/zabbix_agent/tasks/main.yml
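Review bot: The new `contains()` assertions are grep patterns and also match the commented-out form the template emits when a variable is unset (`# TLSAccept=psk,cert`), so they cannot tell a provisioned line from a disabled one; anchor them to the line start, e.g. `assert zabbix_agent_conf.contains("^TLSAccept=psk,cert")`, and likewise for the other four. The pre-existing ServerActive/DebugLevel checks have the same weakness but are outside this change. In the agent2 scenario hunk, dropping `zabbix_agent_tlsconnect`/`zabbix_agent_tlsaccept` while setting `zabbix_agent_tlspsk_auto: False` means the PSK identity, file and secret listed there are only exercised if the role defaults still enable PSK, which is not visible here; a comment in the scenario naming the default it relies on would help, and `false`/`true` (lowercase) are the canonical YAML booleans for these two files.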
@@ -61,16 +61,29 @@
 when:
 - not (zabbix_agent_docker | bool)
-- name: AutoPSK | Default tlsaccept and tlsconnect to enforce PSK
- ansible.builtin.set_fact:
- zabbix_agent_tlsaccept: psk
- zabbix_agent_tlsconnect: psk
+- block:
+ - name: AutoPSK | Default tlsconnect to enforce PSK
+ ansible.builtin.set_fact:
+ zabbix_agent_tlsconnect: psk
+
+ - name: AutoPSK | Default tlsaccept to enforce PSK when zabbix_agent_tlsaccept is not defined
+ ansible.builtin.set_fact:
+ zabbix_agent_tlsaccept: psk
+ when: not zabbix_agent_tlsaccept is defined
+
+ - name: AutoPSK | Default tlsaccept to enforce PSK when zabbix_agent_tlsaccept is defined
+ ansible.builtin.set_fact:
+ zabbix_agent_tlsaccept: "{{ 'psk,' + zabbix_agent_tlsaccept }}"
+ when:
+ - zabbix_agent_tlsaccept is defined
+ - not 'psk' in zabbix_agent_tlsaccept
+
 when: zabbix_agent_tlspsk_auto | bool
 tags:
 - config
 - name: Configure PSK
- when: "( zabbix_agent_tlsaccept == 'psk' ) or (zabbix_agent_tlsconnect == 'psk')"
+ when: "( 'psk' in zabbix_agent_tlsaccept ) or (zabbix_agent_tlsconnect == 'psk')"
 block:
 - name: Gather PSK Secret Info
 ansible.builtin.include_tasks: psk_secret.yml
@@ -85,11 +98,6 @@
 when:
 - ansible_os_family == "Windows"
-- name: "Configure Agent"
- ansible.builtin.include_tasks: Windows_conf.yml
- when:
- - ansible_os_family == "Windows"
-
 - name: "Configure Agent"
 ansible.builtin.include_tasks: Linux.yml
 when:
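Review bot: `'psk' in zabbix_agent_tlsaccept` in the Configure PSK `when:` (and `not 'psk' in zabbix_agent_tlsaccept` in the third AutoPSK task) dereferences the variable directly, so if `zabbix_agent_tlsaccept` has no role default the play aborts with an undefined-variable error for hosts that set neither auto-PSK nor an explicit value, and the agent2 scenarios in this commit stop setting it; `when: "( 'psk' in (zabbix_agent_tlsaccept | default('')) ) or (zabbix_agent_tlsconnect == 'psk')"` keeps the intent and is safe either way. The `in` test is also a plain substring match, so `'psk,' + zabbix_agent_tlsaccept` is skipped for any value containing "psk" but applied to e.g. "PSK"; normalising with `| lower` first would make the check consistent with the later comparison. Minor style: `zabbix_agent_tlsaccept is not defined` and `'psk' not in zabbix_agent_tlsaccept` are the idiomatic Jinja forms, and the new unnamed `block:` should carry a `name:` like the tasks around it. The second hunk deletes the Windows_conf.yml "Configure Agent" include, which the commit message does not mention; please confirm Windows configuration is still reached elsewhere, since that looks unrelated to the TLSAccept fix.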
@@ -121,7 +121,7 @@ Plugins.{{ my_name }}.{{ param }}={{ value }}
 {{ (zabbix_agent_statusport is defined and zabbix_agent_statusport is not none) | ternary('', '# ') }}StatusPort={{ zabbix_agent_statusport | default('') }}
 {% endif %}
 {{ (zabbix_agent_timeout is defined and zabbix_agent_timeout is not none) | ternary('', '# ') }}Timeout={{ zabbix_agent_timeout | default('') }}
-{{ (zabbix_agent_tlsconnect is defined and zabbix_agent_tlsconnect is not none) | ternary('', '# ') }}TLSAccept={{ zabbix_agent_tlsconnect | default('') }}
+{{ (zabbix_agent_tlsconnect is defined and zabbix_agent_tlsaccept is not none) | ternary('', '# ') }}TLSAccept={{ zabbix_agent_tlsaccept | default('') }}
 {{ (zabbix_agent_tlscafile is defined and zabbix_agent_tlscafile is not none) | ternary('', '# ') }}TLSCAFile={{ zabbix_agent_tlscafile | default('') }}
 {{ (zabbix_agent_tlscertfile is defined and zabbix_agent_tlscertfile is not none) | ternary('', '# ') }}TLSCertFile={{ zabbix_agent_tlscertfile | default('') }}
 {% if not zabbix_agent2 and ansible_os_family != "Windows" %}
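Review bot: The new guard still tests `zabbix_agent_tlsconnect is defined` but pairs it with `zabbix_agent_tlsaccept is not none`, so when only tlsconnect is set the line is left uncommented and rendered as `TLSAccept=` with the empty value from `default('')` (assuming an undefined variable passes the `none` test as it does in plain Jinja), which the agent presumably rejects as an invalid setting; the removed line had the same copy-paste shape, and this change only half-fixes it. Make both halves refer to the variable actually rendered: `{{ (zabbix_agent_tlsaccept is defined and zabbix_agent_tlsaccept is not none) | ternary('', '# ') }}TLSAccept={{ zabbix_agent_tlsaccept | default('') }}`. That matches the neighbouring TLSCAFile and TLSCertFile lines in the hunk.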