Merge pull request #697 from ra2xfael/proxy-registration

Allow proxy registration via agent role

roles/agent/README.md

@@ -161,6 +161,16 @@ Typically this would be your Ansible host, hence the default `localhost`.
 
 Configure the host to which downloads are delegated to. After download the files are transferred to the remote node, when the remote node didn't do the download itself.
 
+    checkmk_agent_delegate_registration: 'false'
+
+Enable this to set up TLS encryption using a third host, which has the Checkmk agent installed already.
+`checkmk_agent_delegate_registration_target` defines this third host.
+This feature can be used in case a direct connection to the Checkmk site on the agent receiver port (8000+) is not possible from the monitored host.
+
+    checkmk_agent_delegate_registration_target: "{{ inventory_hostname }}"
+
+Configure the target which is used to register the monitored host on the Checkmk server for TLS. The target needs to have a Checkmk agent installed.
+
     checkmk_agent_mode: 'pull'
 
 The mode the agent operates in. For most deployments, this will be the `pull` mode.

roles/agent/defaults/main.yml

@@ -30,6 +30,8 @@ checkmk_agent_force_install: 'false'
 checkmk_agent_prep_legacy: 'false'
 checkmk_agent_delegate_api_calls: 'localhost'
 checkmk_agent_delegate_download: "{{ inventory_hostname }}"
+checkmk_agent_delegate_registration: 'false'
+checkmk_agent_delegate_registration_target: "{{ inventory_hostname }}"
 checkmk_agent_host_name: "{{ inventory_hostname }}"
 checkmk_agent_folder: "{{ checkmk_var_folder_path | default('/') }}"
 checkmk_agent_host_attributes:

roles/agent/tasks/Linux.yml

@@ -140,7 +140,7 @@
     and ('"error": null' in __checkmk_agent_updater_state.stdout) )
   changed_when: "'Successfully registered agent of host' in __checkmk_agent_update_state.stderr"
 
-- name: "{{ ansible_system }}: Register Agent for TLS."
+- name: "{{ ansible_system }}: Register Agent for TLS directly."
   become: true
   ansible.builtin.shell: |
     cmk-agent-ctl register -H {{ checkmk_agent_host_name }} \
@@ -151,10 +151,73 @@
   when: |
     __checkmk_agent_controller_binary.stat.exists | bool
     and checkmk_agent_tls | bool
+    and not checkmk_agent_delegate_registration | bool
     and (__checkmk_agent_auth is defined and __checkmk_agent_auth | length)
     and not checkmk_agent_registration_server + '/' + checkmk_agent_registration_site in __checkmk_agent_registered_connections.stdout
   changed_when: "'Registration complete' in __checkmk_agent_tls_state.stdout"
 
+- name: "{{ ansible_system }}: Register Agent for TLS with proxy-register."
+  become: true
+  ansible.builtin.shell: |
+    cmk-agent-ctl proxy-register -H {{ checkmk_agent_host_name }} \
+    -s {{ checkmk_agent_registration_server }} -i {{ checkmk_agent_registration_site }} \
+    -U {{ checkmk_agent_user }} -P {{ __checkmk_agent_auth }} --trust-cert
+  no_log: "{{ checkmk_agent_no_log | bool }}"
+  register: __checkmk_agent_proxy_registration_state
+  when: |
+    __checkmk_agent_controller_binary.stat.exists | bool
+    and checkmk_agent_tls | bool
+    and checkmk_agent_delegate_registration | bool
+    and (__checkmk_agent_auth is defined and __checkmk_agent_auth | length)
+    and not checkmk_agent_registration_server + '/' + checkmk_agent_registration_site in __checkmk_agent_registered_connections.stdout
+  delegate_to: "{{ checkmk_agent_delegate_registration_target }}"
+  changed_when: "'-----BEGIN PRIVATE KEY-----' in __checkmk_agent_proxy_registration_state.stdout"
+
+- name: "{{ ansible_system }}: Create temporary proxy-register file."
+  become: true
+  ansible.builtin.copy:
+    dest: "{{ __checkmk_agent_host_tmp_dir }}/checkmk-import"
+    mode: u=r,g=,o=
+    owner: cmk-agent
+    group: cmk-agent
+    content: "{{ __checkmk_agent_proxy_registration_state.stdout }}"
+  no_log: "{{ checkmk_agent_no_log | bool }}"
+  when: |
+    __checkmk_agent_controller_binary.stat.exists | bool
+    and checkmk_agent_tls | bool
+    and checkmk_agent_delegate_registration | bool
+    and (__checkmk_agent_auth is defined and __checkmk_agent_auth | length)
+    and not checkmk_agent_registration_server + '/' + checkmk_agent_registration_site in __checkmk_agent_registered_connections.stdout
+    and __checkmk_agent_proxy_registration_state is defined
+
+- name: "{{ ansible_system }}: Import proxy-register file."
+  become: true
+  ansible.builtin.command: "cmk-agent-ctl import {{ __checkmk_agent_host_tmp_dir }}/checkmk-import"
+  no_log: "{{ checkmk_agent_no_log | bool }}"
+  register: __checkmk_agent_import_result
+  when: |
+    __checkmk_agent_controller_binary.stat.exists | bool
+    and checkmk_agent_tls | bool
+    and checkmk_agent_delegate_registration | bool
+    and (__checkmk_agent_auth is defined and __checkmk_agent_auth | length)
+    and not checkmk_agent_registration_server + '/' + checkmk_agent_registration_site in __checkmk_agent_registered_connections.stdout
+    and __checkmk_agent_proxy_registration_state is defined
+  changed_when: __checkmk_agent_import_result.rc == 0
+
+- name: "{{ ansible_system }}: Clean-up proxy-register temporary file."
+  become: true
+  ansible.builtin.file:
+    path: "{{ __checkmk_agent_host_tmp_dir }}/checkmk-import"
+    state: absent
+  no_log: "{{ checkmk_agent_no_log | bool }}"
+  when: |
+    __checkmk_agent_controller_binary.stat.exists | bool
+    and checkmk_agent_tls | bool
+    and checkmk_agent_delegate_registration | bool
+    and (__checkmk_agent_auth is defined and __checkmk_agent_auth | length)
+    and not checkmk_agent_registration_server + '/' + checkmk_agent_registration_site in __checkmk_agent_registered_connections.stdout
+    and __checkmk_agent_proxy_registration_state is defined
+
 - name: "{{ ansible_system }}: Verify Checkmk Agent Port is open."
   ansible.builtin.wait_for:
     port: "{{ checkmk_agent_port }}"