Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Built-in check command: ifw-api #9062

Merged
merged 97 commits into from
Jul 6, 2023
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
97 commits
Select commit Hold shift + click to select a range
05fd34e
ITL: add CheckCommand icinga4win-api
Al2Klimov Nov 4, 2021
7b1598b
ITL: add checkable templates for CheckCommand icinga4win-api
Al2Klimov Nov 4, 2021
648c022
Revert "ITL: add checkable templates for CheckCommand icinga4win-api"
Al2Klimov Feb 13, 2023
99853ad
WIP
Al2Klimov Feb 13, 2023
884fc62
WIP
Al2Klimov Feb 13, 2023
35708c8
WIP
Al2Klimov Feb 13, 2023
bdb315f
WIP
Al2Klimov Feb 13, 2023
281edad
WIP
Al2Klimov Feb 13, 2023
7f53d14
WIP
Al2Klimov Feb 13, 2023
27ca87b
WIP
Al2Klimov Feb 13, 2023
f5c6600
WIP
Al2Klimov Feb 13, 2023
4c28032
WIP
Al2Klimov Feb 13, 2023
eac3ac9
WIP
Al2Klimov Feb 13, 2023
ad9b581
WIP
Al2Klimov Feb 13, 2023
507c19f
WIP
Al2Klimov Feb 20, 2023
589e45c
WIP
Al2Klimov Feb 20, 2023
0a387fd
WIP
Al2Klimov Feb 20, 2023
d652d7d
WIP
Al2Klimov Feb 20, 2023
52f964f
WIP
Al2Klimov Feb 20, 2023
f9143ce
WIP
Al2Klimov Feb 20, 2023
95f3bbe
WIP
Al2Klimov Feb 20, 2023
b88b900
WIP
Al2Klimov Feb 20, 2023
073e28b
WIP
Al2Klimov Feb 20, 2023
4373def
WIP
Al2Klimov Feb 20, 2023
ac31369
WIP
Al2Klimov Feb 21, 2023
5eda414
WIP
Al2Klimov Feb 21, 2023
a551131
WIP
Al2Klimov Feb 21, 2023
88a5ae8
WIP
Al2Klimov Feb 21, 2023
fc48c9a
WIP
Al2Klimov Feb 21, 2023
86d873a
WIP
Al2Klimov Feb 21, 2023
fd815dd
WIP
Al2Klimov Feb 21, 2023
65dd6b0
WIP
Al2Klimov Feb 21, 2023
091927f
Revert "WIP"
Al2Klimov Feb 22, 2023
d3bb94f
Basic auth
Al2Klimov Feb 22, 2023
45cb95d
WIP
Al2Klimov Apr 4, 2023
efc01c0
WIP
Al2Klimov Apr 4, 2023
989eabd
WIP
Al2Klimov Apr 4, 2023
5a4098e
WIP
Al2Klimov Apr 4, 2023
7a920c5
WIP
Al2Klimov Apr 4, 2023
7d25a89
WIP
Al2Klimov Apr 4, 2023
07f6f6e
WIP: Escape URL
Al2Klimov Apr 4, 2023
4fda32b
WIP
Al2Klimov Apr 4, 2023
44a52b2
WIP
Al2Klimov Apr 4, 2023
5a1ca5f
WIP timeout
Al2Klimov Apr 4, 2023
6867b82
WIP
Al2Klimov Apr 4, 2023
36d9b37
WIP SNI
Al2Klimov Apr 5, 2023
977a53f
WIP
Al2Klimov Apr 5, 2023
0649504
WIP Certificate validation
Al2Klimov Apr 5, 2023
9314c8c
WIP
Al2Klimov Apr 5, 2023
e94f54c
TLS err - print SNI
Al2Klimov Apr 11, 2023
df84af1
TLS err - show CN
Al2Klimov Apr 11, 2023
b78ff58
WIP
Al2Klimov Apr 11, 2023
3d51610
ifw_api_expected_san, not ifw_api_sni
Al2Klimov Apr 11, 2023
c7e8973
vars.ifw_api_localhost_addresses, not ifw_api_sni_denylist
Al2Klimov Apr 11, 2023
d1cac00
More vars.ifw_api_localhost_addresses
Al2Klimov Apr 11, 2023
6d4b162
WIP
Al2Klimov May 2, 2023
50bf2db
Check ALL CVs for "", not for missing
Al2Klimov May 3, 2023
a582b4a
Better defaults
Al2Klimov May 3, 2023
e3c0e2d
docs
Al2Klimov May 3, 2023
0bd7324
docs: less check\_by\_ssh
Al2Klimov May 5, 2023
1b7dc9a
docs: fix resolved on the command endpoint confusion
Al2Klimov May 5, 2023
d3a21d9
Mache Doku einfach geil
Al2Klimov May 5, 2023
b868471
Remove ifw_api_ignore_arguments
Al2Klimov Jun 1, 2023
8f9454c
Remove ifw_api_ignore_arguments II
Al2Klimov Jun 1, 2023
9309d51
curl for debug
Al2Klimov Jun 5, 2023
40859ac
ifw\_api\_arguments must not directly contain functions
Al2Klimov Jun 7, 2023
f0dcdc8
make IDE happy
Al2Klimov Jun 7, 2023
2a378e9
no undef. behavior? - ok.
Al2Klimov Jun 7, 2023
cd508c2
$ifw_api_arguments$ may not directly contain functions
Al2Klimov Jun 12, 2023
9ee3186
docs
Al2Klimov Jun 12, 2023
c6f3343
CheckCommand "ifw-api-if-exists"
Al2Klimov Jun 13, 2023
249bccf
Call PluginCheckTask::ScriptFunc() and hope for the best
Al2Klimov Jun 13, 2023
3f12640
placebo
Al2Klimov Jun 14, 2023
518f955
ApiCapabilities: 1 << x
Al2Klimov Jun 19, 2023
9b86779
ApiCapabilities: trailing ,
Al2Klimov Jun 19, 2023
4fee804
Fix curl --resolve
Al2Klimov Jun 19, 2023
a807019
curl: --verbose, for debugging after all
Al2Klimov Jun 19, 2023
0d57a80
Otherwise, all older nodes which load the modified _PowerShell Base_ …
Al2Klimov Jun 19, 2023
5e2b099
Repair <a id="plugin-check-commands"></a>
Al2Klimov Jun 19, 2023
050dff4
headers
Al2Klimov Jun 20, 2023
4703b46
Timeout exceeded
Al2Klimov Jun 21, 2023
ced0427
Missing ." + psCommand + ".exitcode in JSON object from IfW API
Al2Klimov Jun 21, 2023
bd0a533
static CONST auto
Al2Klimov Jun 21, 2023
22f9e92
code style
Al2Klimov Jun 21, 2023
b783ee1
exitcode == {ServiceOK, ServiceWarning, ServiceCritical, ServiceUnknown}
Al2Klimov Jun 21, 2023
6eade04
perfdata: expected an array
Al2Klimov Jun 21, 2023
e4f51cd
expected an array of strings
Al2Klimov Jun 21, 2023
dc47ad4
Helpful messages
Al2Klimov Jun 21, 2023
9ce70c8
#include <boost/system/system_error.hpp>
Al2Klimov Jun 21, 2023
69c3016
namespace
Al2Klimov Jun 23, 2023
f83bf55
namespace
Al2Klimov Jun 23, 2023
bf14f49
Re: https://github.com/Icinga/icinga2/pull/9062#pullrequestreview-130…
Al2Klimov Jun 23, 2023
ac74d6e
namespace
Al2Klimov Jun 23, 2023
44e1a75
Check multi :(
Al2Klimov Jun 30, 2023
10ffcb8
build fix
Al2Klimov Jun 30, 2023
a994c64
curl --fail-with-body
Al2Klimov Jul 5, 2023
0d72f55
Shorten docs, refer to https://icinga.com/docs/icinga-for-windows/lat…
Al2Klimov Jul 6, 2023
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
50 changes: 50 additions & 0 deletions doc/10-icinga-template-library.md
Original file line number Diff line number Diff line change
Expand Up @@ -187,6 +187,56 @@ Name | Description
----------------|--------------
sleep\_time | **Optional.** The duration of the sleep in seconds. Defaults to 1s.

### ifw-api <a id="itl-ifw-api"></a>

Built-in check command for executing arbitrary PowerShell check commands via the
[Icinga for Windows REST API](https://icinga.com/docs/icinga-for-windows/latest/doc/110-Installation/30-API-Check-Forwarder/).
Consult that documentation for why and how to optimally use the `ifw-api`
command as an addon for existing Icinga clusters with Icinga for Windows.

In short, that feature lets the PowerShell processes spawned by Icinga just
talk to the pre-loaded IfW API instead of loading all PowerShell check commands
by itself on every check. In contrast, the `ifw-api` command doesn't even spawn
any process, but communicates directly with the IfW API.

It may be also used like e.g. [check_by_ssh](#plugin-check-command-by-ssh).
Its custom variables provide high flexibility.
From using a custom CA to controlling the IfW API directly from a Linux satellite.

Optional custom variables passed as [command parameters](03-monitoring-basics.md#command-passing-parameters):

| Name | Default | Description |
|-------------------------|-------------------|-------------------------------------------------------------------------------------------------------------|
| ifw\_api\_command | `$command.name$` | Command to run. |
| ifw\_api\_arguments | {} (none) | Arguments for the command, similar to [CheckCommand](09-object-types.md#objecttype-checkcommand)#arguments. |
| ifw\_api\_host | null (localhost) | IfW API host. |
| ifw\_api\_port | 5668 | IfW API port. |
| ifw\_api\_expected\_san | `$ifw_api_host$` | Peer TLS certificate SAN (and SNI). null means agent NodeName. |
| ifw\_api\_cert | null (Icinga PKI) | TLS client certificate path. |
| ifw\_api\_key | null (Icinga PKI) | TLS client private key path. |
| ifw\_api\_ca | null (Icinga PKI) | Peer TLS CA certificate path. |
| ifw\_api\_crl | null (Icinga PKI) | Path to TLS CRL to check peer against. |
| ifw\_api\_username | null (none) | Basic auth username. |
| ifw\_api\_password | null (none) | Basic auth password. |

!!! info

Due to how Icinga 2 resolves macros and serializes the resolved values for
sending to a command endpoint (if any), ifw\_api\_arguments may not directly
contain functions for the case `ifw-api` is used with command endpoints. Only
macro strings referring to custom variables which are set to functions work.

#### Remarks

* `$command.name$` is resolved at runtime to the name of the specific
check command being run and not any of the templates it imports, i.e. it
becomes e.g. "Invoke-IcingaCheckCPU" if "ifw-api" is imported there
* `ifw-api` connects to localhost (if ifw\_api\_host is null), but expects
the peer to identify itself via TLS with the NodeName of the endpoint
actually running the command (if ifw\_api\_expected\_san is null)
* The actual values of ifw\_api\_cert, ifw\_api\_key, ifw\_api\_ca and ifw\_api\_crl
are also resolved to the Icinga PKI on the command endpoint if null

<!-- keep this anchor for URL link history only -->
<a id="plugin-check-commands"></a>

Expand Down
16 changes: 16 additions & 0 deletions itl/command-icinga.conf
Original file line number Diff line number Diff line change
Expand Up @@ -39,3 +39,19 @@ object CheckCommand "exception" {
object CheckCommand "sleep" {
import "sleep-check-command"
}

object CheckCommand "ifw-api" {
import "ifw-api-check-command"

vars.ifw_api_command = "$command.name$"
vars.ifw_api_arguments = {}
vars.ifw_api_host = null
vars.ifw_api_port = 5668
vars.ifw_api_expected_san = "$ifw_api_host$"
vars.ifw_api_cert = null
vars.ifw_api_key = null
vars.ifw_api_ca = null
vars.ifw_api_crl = null
vars.ifw_api_username = null
vars.ifw_api_password = null
}
1 change: 1 addition & 0 deletions lib/methods/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ set(methods_SOURCES
dummychecktask.cpp dummychecktask.hpp
exceptionchecktask.cpp exceptionchecktask.hpp
icingachecktask.cpp icingachecktask.hpp
ifwapichecktask.cpp ifwapichecktask.hpp
nullchecktask.cpp nullchecktask.hpp
nulleventtask.cpp nulleventtask.hpp
pluginchecktask.cpp pluginchecktask.hpp
Expand Down
Loading