Added TLS instructions to README

Kenny Do 2014-01-06 17:56:55 -08:00
parent 0ad2f25d31
commit 7e671303cb

@ -14,6 +14,7 @@ States
Generates a config file for the munin node based on pillar data. Generates a config file for the munin node based on pillar data.
``munin.tls`` ``munin.tls``
Installs the Perl package Net::SSLEay so munin can use TLS. Installs the Perl package Net::SSLEay so munin can use TLS.
Also, if the private key, certificate, or CA certificate are specified (as in ``pillar.example``), then the appropriate files are created. Note that it is up to the user to correctly specify the location of these files in their master and node config files. Also, if the private key, certificate, or CA certificate are specified (as in ``pillar.example``), then the appropriate files are created. Note that it is up to the user to correctly specify the location of these files in their master and node config files.
Configuration Configuration
@ -29,3 +30,17 @@ Node Config
Consult http://munin-monitoring.org/wiki/munin-node.conf and ``man munin-node.conf`` for the full list of directives. Consult http://munin-monitoring.org/wiki/munin-node.conf and ``man munin-node.conf`` for the full list of directives.
For node configuration directives that allow repetition (ie: ``ignore_files``), make ``pillar['munin_node']['ignore_files']`` a list of values (see ``pillar.example`` for an example of this). For node configuration directives that allow repetition (ie: ``ignore_files``), make ``pillar['munin_node']['ignore_files']`` a list of values (see ``pillar.example`` for an example of this).
TLS
---
Consult http://munin-monitoring.org/wiki/MuninConfigurationNetworkTLS.
Instructions for the non-paraonid TLS setup:
1. Generate a private key. For this example, we create a 1024-bit key: ``openssl genrsa -out private.pem 1024``
#. Create a Certificate Signing Reqest: ``openssl req -new -key private.pem -out request.csr``
#. Generate a self-signed certificate: ``openssl x509 -req -in request.csr -signkey private.pem -out certificate.crt``
#. Inline the contents of ``private.pem`` into ``pillar['munin_tls']['private_key']``.
#. Inline the contents of ``certificate.crt`` into ``pillar['munin_tls']['certificate_pem']``.
#. Optional: delete the ``private.pem``, ``request.csr``, and ``certificate.crt`` files you generated. They aren't really needed now that you've inlined the important stuff into pillar.
#. Update your munin config to enable TLS and also to point to the salt-managed PEM files. The default paths where this salt formula puts the PEM files are specified in ``munin/map.jinja``
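
Review bot: step 1 of the new TLS section tells readers to generate a 1024-bit RSA key (``openssl genrsa -out private.pem 1024``), which is shorter than the 2048 bits generally treated as the minimum for RSA; since people copy README commands verbatim, change the example to 2048 and drop "For this example, we create a 1024-bit key". Step 6 marks deleting ``private.pem`` as optional, but once the key is inlined into pillar the leftover file is a second copy of the private key, so word it as a recommendation, and add a sentence that ``pillar['munin_tls']['private_key']`` holds secret material and the pillar should only be served to the minions that need it. The intro line does not say what "non-paranoid" gives up; state it in one sentence or point at the relevant part of the linked wiki page, because the steps produce a self-signed certificate with no CA. Two typos in the added lines: "non-paraonid" and "Reqest".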