authorMatt Taggart <taggart@riseup.net>2014-04-22 00:17:34 -0700
committerMatt Taggart <taggart@riseup.net>2014-04-22 00:17:34 -0700
commit25b9b5f7cd2d64f464fb198d90cc757a1bff1c81 (patch)
treeb45362c40c5afd1dc18e6d8edfb7a6a30eff6b94 /manifests
parent88d466e3aca349b3f129dd8e8967b90002a2584b (diff)
replace homedir with more specific keydir, authdir, and authfile in order to allow overriding each. modify ::agent, ::agent::config, and ::agent::generate_sshkey to allow changing at each level, with reasonable defaults
Diffstat (limited to 'manifests')
-rw-r--r--manifests/agent.pp44
-rw-r--r--manifests/agent/config.pp21
-rw-r--r--manifests/agent/generate_sshkey.pp43
3 files changed, 80 insertions, 28 deletions
diff --git a/manifests/agent.pp b/manifests/agent.pp
index 2ff9da5..505db64 100644
--- a/manifests/agent.pp
+++ b/manifests/agent.pp
@@ -4,7 +4,9 @@ class check_mk::agent (
$ip_whitelist = undef,
$port = '6556',
$server_dir = '/usr/bin',
- $homedir = '/omd/sites/monitoring',
+ $keydir = '/omd/sites/monitoring',
+ $authdir = '/omd/sites/monitoring',
+ $authfile = undef,
$use_cache = false,
$user = 'root',
$version = undef,
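Review bot: The three new parameters `$keydir`, `$authdir` and `$authfile` enter the public class check_mk::agent without a comment, so a caller cannot tell from this file which host each path refers to or why `$keydir` and `$authdir` share the same default. Suggest reusing the wording from generate_sshkey.pp: `# dir on the check-mk-server where the collected key pairs are stored` above `$keydir`, `# dir on the check-mk-agent where the authorized_keys file is stored` above `$authdir`, and `# name of the authorized_keys file (undef: use the default location)` above `$authfile`. The same applies to the new parameters in check_mk::agent::config in manifests/agent/config.pp, which are likewise undocumented. The class parameter list continues outside the hunk.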
@@ -40,16 +42,36 @@ class check_mk::agent (
agent_logwatch_package_name => $agent_logwatch_package_name,
method => $method
}
- class { 'check_mk::agent::config':
- ip_whitelist => $ip_whitelist,
- port => $port,
- server_dir => $server_dir,
- homedir => $homedir,
- use_cache => $use_cache,
- user => $user,
- method => $method,
- generate_sshkey => $generate_sshkey,
- require => Class['check_mk::agent::install'],
+
+ if $authfile {
+ # if authfile is set, pass it though
+ class { 'check_mk::agent::config':
+ ip_whitelist => $ip_whitelist,
+ port => $port,
+ server_dir => $server_dir,
+ keydir => $keydir,
+ authdir => $authdir,
+ authfile => $authfile,
+ use_cache => $use_cache,
+ user => $user,
+ method => $method,
+ generate_sshkey => $generate_sshkey,
+ require => Class['check_mk::agent::install'],
+ }
+ } else {
+ # otherwise don't
+ class { 'check_mk::agent::config':
+ ip_whitelist => $ip_whitelist,
+ port => $port,
+ server_dir => $server_dir,
+ keydir => $keydir,
+ authdir => $authdir,
+ use_cache => $use_cache,
+ user => $user,
+ method => $method,
+ generate_sshkey => $generate_sshkey,
+ require => Class['check_mk::agent::install'],
+ }
}
if ( $register_agent ) {
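Review bot: The two `class { 'check_mk::agent::config': ... }` declarations differ only in whether `authfile => $authfile` is passed, which duplicates an eleven-line parameter list that now has to be kept in sync by hand. As far as I recall, Puppet 3 treats an explicitly passed undef as "use the parameter default", so a single declaration that always passes `authfile => $authfile` should be equivalent; worth confirming on the Puppet version in use and then collapsing the branch here and the matching one around generate_sshkey in manifests/agent/config.pp. The body of check_mk::agent continues outside the hunk.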
diff --git a/manifests/agent/config.pp b/manifests/agent/config.pp
index 256af8f..40b9ff5 100644
--- a/manifests/agent/config.pp
+++ b/manifests/agent/config.pp
@@ -1,8 +1,10 @@
class check_mk::agent::config (
- $ip_whitelist = '',
+ $ip_whitelist = '',
$port,
$server_dir,
- $homedir,
+ $keydir,
+ $authdir,
+ $authfile = undef,
$use_cache,
$user,
$method = 'xinetd',
@@ -34,8 +36,19 @@ class check_mk::agent::config (
}
'ssh' : {
if $generate_sshkey {
- check_mk::agent::generate_sshkey { 'check_mk_key':
- homedir => $homedir
+ if $authfile {
+ # if authfile is overridden, pass it through
+ check_mk::agent::generate_sshkey { 'check_mk_key':
+ keydir => $keydir,
+ authdir => $authdir,
+ authfile => $authfile
+ }
+ } else {
+ # otherwise don't
+ check_mk::agent::generate_sshkey { 'check_mk_key':
+ keydir => $keydir,
+ authdir => $authdir
+ }
}
}
}
diff --git a/manifests/agent/generate_sshkey.pp b/manifests/agent/generate_sshkey.pp
index 47f3026..3bc9a1d 100644
--- a/manifests/agent/generate_sshkey.pp
+++ b/manifests/agent/generate_sshkey.pp
@@ -1,27 +1,47 @@
-define check_mk::agent::generate_sshkey(
+define check_mk::agent::generate_sshkey (
+ # dir on the check-mk-server where the collected key pairs are stored
+ $keydir,
+ # dir on the check-mk-agent where the authorized_keys file is stored
+ $authdir,
+ # name of the authorized_keys file
+ $authfile = undef,
+ # dir on the puppetmaster where keys are stored
$ssh_key_basepath = '/etc/puppet/modules/keys/files/check_mk_keys',
+ # user and group to run the agent as
$user = 'monitoring',
$group = 'monitoring',
- $homedir,
$check_mk_tag = 'check_mk_sshkey'
){
# generate check-mk ssh keypair
- $ssh_key_name = "monitoring_${::fqdn}_id_rsa"
+ $ssh_key_name = "${user}_${::fqdn}_id_rsa"
$ssh_keys = ssh_keygen("${ssh_key_basepath}/${ssh_key_name}")
$public = split($ssh_keys[1],' ')
$public_type = $public[0]
$public_key = $public[1]
$secret_key = $ssh_keys[0]
- sshd::ssh_authorized_key { $ssh_key_name:
- type => 'ssh-rsa',
- key => $public_key,
- user => 'root',
- options => 'command="/usr/bin/check_mk_agent"';
+ if $authdir or $authfile {
+ # if $authkey or $authdir are set, override authorized_keys path and file
+ sshd::ssh_authorized_key { $ssh_key_name:
+ type => 'ssh-rsa',
+ key => $public_key,
+ user => 'root',
+ target => "${authdir}/${authfile}",
+ options => 'command="/usr/bin/check_mk_agent"';
+ }
+ } else {
+ # otherwise use the defaults
+ sshd::ssh_authorized_key { $ssh_key_name:
+ type => 'ssh-rsa',
+ key => $public_key,
+ user => 'root',
+ options => 'command="/usr/bin/check_mk_agent"';
+ }
}
- @@file { "${homedir}/.ssh/${ssh_key_name}":
+ # resource collector, these end up on the check-mk-server host
+ @@file { "${keydir}/${ssh_key_name}":
content => $secret_key,
owner => $user,
group => $group,
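Review bot: The override branch `if $authdir or $authfile {` is taken in the default configuration, because `$authdir` is declared without a default and both callers always pass it, so with `$authfile` unset the key is installed with `target => "${authdir}/"`, a path with an empty file name. The comment above it names a parameter that does not exist (`$authkey`), and the caller's intent in config.pp is that only `$authfile` selects the override, so the guard should read `if $authfile {` with the comment `# if $authfile is set, override the authorized_keys path`. The new `# user and group to run the agent as` comment is also misleading: `$user`/`$group` are used as owner and group of the exported key files collected on the server, while the authorized key is installed for root; suggest `# owner and group of the exported key files on the check-mk-server`. Since that key lands in root's authorized_keys, the re-declared forced command would be safer as `options => 'command="/usr/bin/check_mk_agent",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding'`. The define's body continues in the next hunk.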
@@ -29,14 +49,11 @@ define check_mk::agent::generate_sshkey(
tag => $check_mk_tag;
}
-
- @@file { "${homedir}/.ssh/${ssh_key_name}.pub":
+ @@file { "${keydir}/${ssh_key_name}.pub":
content => $public_key,
owner => $user,
group => $group,
mode => '0666',
tag => $check_mk_tag;
}
-
-
}