We want to deploy Icinga2 to monitor targets that reside within private customer networks that we (and our Icinga2 master) can connect to over a VPN.
Our customers are very security-conscious, often large corporations, and we have no power whatsoever over their firewall policies. For example, we cannot install Icinga2 satellites or clients using the Icinga2 setup wizard or CLI command because they try to connect back to the master for CSR auto-signing and master certificate review.
I would assume, however, that it is possible to do all the PKI stuff manually, if that's the only reason for the client connecting to the master during the setup. Is there any documentation for this? That way Icinga2 could still work for us in this kind of restricted network environment.
I've read through the Icinga2 docs and could find no information on doing this part of the setup manually in there.