Merge pull request #199 from tribe29/feature-new-pass-hashing

Add support for new password hashing algorithm to agent role

Author: robin-checkmk

changelogs/fragments/new-passwd-hashing.yml

@@ -0,0 +1,44 @@
+# https://docs.ansible.com/ansible/latest/community/development_process.html#changelogs-how-to
+
+minor_changes:
+  - Agent role - Now supports new password hashing according to L(Werk 14391,https://checkmk.com/werk/14391)
+
+## Line Format
+
+# When writing a changelog entry, use the following format:
+
+# - scope - description starting with a uppercase letter and ending with a period at the very end. Multiple sentences are allowed.
+
+# The scope is usually a module or plugin name or group of modules or plugins, for example, lookup plugins. While module names can (and should) be mentioned directly (foo_module), plugin names should always be followed by the type (foo inventory plugin).
+
+# For changes that are not really scoped (for example, which affect a whole collection), use the following format:
+
+# - Description starting with an uppercase letter and ending with a dot at the very end. Multiple sentences are allowed.
+
+
+## Possible keys:
+
+# breaking_changes
+
+#     Changes that break existing playbooks or roles. This includes any change to existing behavior that forces users to update tasks. Displayed in both the changelogs and the Porting Guides.
+# major_changes
+
+#     Major changes to Ansible itself. Generally does not include module or plugin changes. Displayed in both the changelogs and the Porting Guides.
+# minor_changes
+
+#     Minor changes to Ansible, modules, or plugins. This includes new features, new parameters added to modules, or behavior changes to existing parameters.
+# deprecated_features
+
+#     Features that have been deprecated and are scheduled for removal in a future release. Displayed in both the changelogs and the Porting Guides.
+# removed_features
+
+#     Features that were previously deprecated and are now removed. Displayed in both the changelogs and the Porting Guides.
+# security_fixes
+
+#     Fixes that address CVEs or resolve security concerns. Include links to CVE information.
+# bugfixes
+
+#     Fixes that resolve issues.
+# known_issues
+
+#     Known issues that are currently not fixed or will not be fixed.

roles/server/defaults/main.yml

@@ -11,7 +11,7 @@ checkmk_server_server_stable_os:
   - RedHat-8
 
 checkmk_server_edition: cre
-checkmk_server_version: 2.1.0p13
+checkmk_server_version: 2.1.0p17
 checkmk_server_verify_setup: 'true'
 
 checkmk_server_download_user: []

roles/server/tasks/sites.yml

@@ -81,7 +81,7 @@
   tags:
     - destroy-sites
 
-- name: "Update Site Admin Password."
+- name: "Update Site Admin Password for Checkmk < 2.1."
   become: true
   ansible.builtin.shell: |
     set -o pipefail
@@ -90,6 +90,21 @@
     executable: /bin/bash
   no_log: true
   loop: "{{ checkmk_server_sites }}"
-  when: item.state != "absent"
+  when: (item.state != "absent") and (item.version | regex_replace('p.*', '') is version('2.1', '<'))
+  tags:
+    - set-site-admin-pw
+
+# In the future this should be done with 'cmk-passwd' available from 2.1.0p16 (https://checkmk.com/werk/14389)
+# To keep things simple, we do it in a more generic way here, which works in all 2.1 releases
+- name: "Update Site Admin Password for Checkmk >= 2.1."
+  become: true
+  ansible.builtin.shell: |
+    set -o pipefail
+    echo '{{ item.admin_pw }}' | htpasswd -i -B -C 12 /omd/sites/{{ item.name }}/etc/htpasswd cmkadmin
+  args:
+    executable: /bin/bash
+  no_log: true
+  loop: "{{ checkmk_server_sites }}"
+  when: (item.state != "absent") and (item.version | regex_replace('p.*', '') is version('2.1', '>='))
   tags:
     - set-site-admin-pw