Enhancement/icinga2 zones conf

[Donien]

This is currently still work in progress.

This PR will introduce a simple variable (nested dictionary) to define the zone hierarchy.

The corresponding action plugin creates the zones and endpoints for each host according to the variable.
Each host will only know those zones and endpoints it has to know.

Example:

icinga2_zones_conf:
  hierarchy:
    master: # Could be inventory_hostname or Ansible group name
      germany:
        berlin1:
        berlin2:
      france:
        paris:

From this, the plugin will create zones and endpoints based on available variables.
It only returns information. Using the information is still up to the role!

---

Feedback

There is still a need for a proper way to define variables which will be used for the endpoints host attribute.

2 hosts could have the same parent but in different networks (2 firewall zones for example).
We must be able to provide some kind of mapping to tell a given host the correct address when it wants to access its parent.

• Master A
• Satellite B in firewall zone 1
• Satellite C in firewall zone 2

If B wants to access A, it needs IP-1.
If C wants to access A, it needs IP-2.

This mapping must be defined somewhere.

As a fallback, we can always use inventory_hostname.

[Donien]

Since we've talked about this @mkayontour, I now have a working playbook example (I hope).

The comments should explain everything in here. Also, there are no fancy variables on my hosts. They simply belong to either group master or group sat, nothing special.

- name: Test PR
  become: true
  # serial 1 because master needs to be running before it can accept PKI requests
  # So, we go through master/satellites layer by layer, starting with master 1 (then master 2), then satellites underneath master(s), then satellites under those satellites, etc.
  serial: 1
  hosts:
    - ansible-ubuntu24 # master 1
    - ansible-ubuntu22 # master 2
    - ansible-debian12 # satellite


  vars:
    # Needed in my env because my FQDNs are bad
    icinga2_config_host: "{{ inventory_hostname }}"
    icinga2_constants:
      # We generally need a ticket on master 1
      TicketSalt: "{{ 'some-secret' if inventory_hostname == 'ansible-ubuntu24' else '' }}"
      NodeName: "{{ inventory_hostname }}"



    # All you got to define is that you want the API feature + some extras
    # zones, endpoints, and ca host/port will be gathered and used (through 'icinga2_zone_hierarchy')
    # First master will always be ca host
    icinga2_features:
      - name: api
        # again, my FQDNs are bad
        cert_name: "{{ inventory_hostname }}"
        accept_config: true
        accept_commands: true


    # Define all global zones
    icinga2_global_zones:
      - "director"
      - "global-templates"


    # Define the hierarchy of the environment
    # Each key is either an 'inventory_hostname' or an Ansible group name
    # Indents mean that zones are underneath the prior zone
    # Multiple keys within the same (top) key are satellites at the same level of depth (different zones, same parent zone)
    icinga2_zone_hierarchy:
      master:
        sat:


  roles:
    - netways.icinga.repos
    - netways.icinga.icinga2