100% manual client configuration

  • We want to deploy Icinga2 for monitoring systems for monitoring targets that reside within private customer networks that we (and our Icinga2 master) can connect to over a VPN.


    Our customers are very security-conscious, often large corporations, and we have no power whatsoever over their firewall policies. For example, we cannot install Icinga2 satellites or clients using the Icinga2 setup wizard or CLI command because they try to connect back to the master for CSR auto-signing and master certificate review.


    I would assume it is however possible to do all the pki stuff manually, if that's the only reason for the client connecting to the master, during the setup. Is there any documentation for this? That way Icinga2 could still work for us in this kind of restricted network environment.


    I've read through the Icinga2 docs and could find no information on doing this part of the setup manually in there.


  • Would your clients be willing to use a premade VM for the icinga2 satellite? If so, you could build the VM on your site and then just ship it to them.


    The signing of the certs etc. does work manually; take a look at the icinga2 puppet stuff, it should explain how to do it.

    Linux is dead, long live Linux


    Remember to NEVER EVER use git repositories in a productive environment if you CAN NOT control them

  • Is that all that it takes?

    Yes.

    Try it yourself.

    In this case make sure things are configured so that the master connects to the client, not the other way around.

    Correct.


    There should not be any complicated stuff involved with that.

  • Thanks. I managed to make it work. The idea of configuring and shipping a premade VM (or a docker image) is certainly interesting, too.
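
The setup discussed in this thread, sketched as an added example that is not taken from any of the posts or from the Icinga project: certificates are created and signed on the master, copied to the client out of band, and only the master's zones.conf carries a `host` for the client, so the client never dials out. Host names, the address and file names are constructed placeholders; certificate directories and any certificate path attributes your Icinga 2 version requires are omitted.

```icinga2
/* --- On the master: create and sign the client certificate by hand ---
 *   icinga2 pki new-cert --cn client1.customer.example \
 *       --key client1.customer.example.key --csr client1.customer.example.csr
 *   icinga2 pki sign-csr --csr client1.customer.example.csr \
 *       --cert client1.customer.example.crt
 * Copy the resulting .key and .crt plus the master's ca.crt to the client
 * over a trusted channel (or bake them into the shipped VM image).
 */

/* --- zones.conf on the master --- */
object Endpoint "master.example.org" { }

object Endpoint "client1.customer.example" {
  host = "10.20.30.40"   // constructed address; a host here makes the master initiate the connection
  port = "5665"
}

object Zone "master" {
  endpoints = [ "master.example.org" ]
}

object Zone "client1.customer.example" {
  endpoints = [ "client1.customer.example" ]
  parent = "master"
}

/* --- zones.conf on the client --- */
object Endpoint "master.example.org" { }   // no host attribute: the client only waits for the master

object Endpoint "client1.customer.example" { }

object Zone "master" {
  endpoints = [ "master.example.org" ]
}

object Zone "client1.customer.example" {
  endpoints = [ "client1.customer.example" ]
  parent = "master"
}

/* --- features-enabled/api.conf on the client --- */
object ApiListener "api" {
  accept_config = true     // take synced configuration from the parent zone
  accept_commands = true   // allow the master to execute checks via the command endpoint
}
```

The customer firewall then only needs to allow inbound TCP 5665 from the master's VPN address to the client; `icinga2 daemon -C` on each side validates the configuration before a restart.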