Merge pull request #365 from Icinga:fix/ignore_agent_config_on_install_failure

LordHepipud · web-flow · commit 5ae390f0f6eb · 2021-09-09T18:28:35.000+02:00
Fix: Icinga environment corruption on Icinga Agent installation failure

In case the Icinga Agent could not be installed, regardless of the reason, we should not write any zone, api or other related config to the environment.

By doing so, we can corrupt the environment and make it impossible for the Icinga Agent to be installed in the future, unless we manually delete the folowing directories:

* `C:\ProgramData\icinga2`
* `C:\Program Files\ICINGA2`
* `C:\Program Files (x86)\ICINGA2` (only for x86 installations)
diff --git a/doc/100-General/10-Changelog.md b/doc/100-General/10-Changelog.md
@@ -16,6 +16,7 @@ Released closed milestones can be found on [GitHub](https://github.com/Icinga/ic
 * [#361](https://github.com/Icinga/icinga-powershell-framework/issues/361) Fixes IMC freeze on Icinga Director Self-Service installation, in case no Agent installation set on Self-Service API config
 * [#362](https://github.com/Icinga/icinga-powershell-framework/issues/362) Fixes repository component installation from file share locations
 * [#363](https://github.com/Icinga/icinga-powershell-framework/issues/363) Fixes unneeded continue for JEA process lookup, in case no JEA pid is present
+* [#365](https://github.com/Icinga/icinga-powershell-framework/issues/365) Fixes Icinga environment corruption on Icinga Agent installation failure
 
 ### Enhancements
 
diff --git a/lib/core/installer/Start-IcingaForWindowsInstallation.psm1 b/lib/core/installer/Start-IcingaForWindowsInstallation.psm1
@@ -165,28 +165,35 @@ function Start-IcingaForWindowsInstallation()
     if ($InstallAgent) {
         Set-IcingaPowerShellConfig -Path 'Framework.Icinga.AgentLocation' -Value $AgentInstallDir;
         Install-IcingaComponent -Name 'agent' -Version $AgentVersion -Confirm -Release;
-        Reset-IcingaAgentConfigFile;
-        Move-IcingaAgentDefaultConfig;
-        Set-IcingaAgentNodeName -Hostname $Hostname;
-        Set-IcingaAgentServiceUser -User $ServiceUser -Password (ConvertTo-IcingaSecureString $ServicePassword) -SetPermission | Out-Null;
-        Install-IcingaAgentBaseFeatures;
-        Write-IcingaAgentApiConfig -Port $IcingaPort;
-    }
 
-    if ((Install-IcingaAgentCertificates -Hostname $Hostname -Endpoint $IcingaCAServer -Port $IcingaPort -CACert $CertificateCAFile -Ticket $CertificateTicket) -eq $FALSE) {
-        Disable-IcingaAgentFeature 'api';
-        Write-IcingaConsoleWarning `
-            -Message '{0}{1}{2}{3}{4}' `
-            -Objects (
-                'Your Icinga Agent API feature has been disabled. Please provide either your ca.crt ',
-                'or connect to a parent node for certificate requests. You can run "Install-IcingaAgentCertificates" ',
-                'with your configuration to properly create the host certificate and a valid certificate request. ',
-                'After this you can enable the API feature by using "Enable-IcingaAgentFeature api" and restart the ',
-                'Icinga Agent service "Restart-IcingaService icinga2"'
-            );
+        # Only continue this, if our installation was successful
+        if ((Get-IcingaAgentInstallation).Installed) {
+            Reset-IcingaAgentConfigFile;
+            Move-IcingaAgentDefaultConfig;
+            Set-IcingaAgentNodeName -Hostname $Hostname;
+            Set-IcingaAgentServiceUser -User $ServiceUser -Password (ConvertTo-IcingaSecureString $ServicePassword) -SetPermission | Out-Null;
+            Install-IcingaAgentBaseFeatures;
+            Write-IcingaAgentApiConfig -Port $IcingaPort;
+        }
     }
 
-    Write-IcingaAgentZonesConfig -Endpoints $IcingaEndpoints -EndpointConnections $IcingaParentAddresses -ParentZone $IcingaZone -GlobalZones $GlobalZones -Hostname $Hostname;
+    # Only continue this, if our installation was successful
+    if ((Get-IcingaAgentInstallation).Installed) {
+        if ((Install-IcingaAgentCertificates -Hostname $Hostname -Endpoint $IcingaCAServer -Port $IcingaPort -CACert $CertificateCAFile -Ticket $CertificateTicket) -eq $FALSE) {
+            Disable-IcingaAgentFeature 'api';
+            Write-IcingaConsoleWarning `
+                -Message '{0}{1}{2}{3}{4}' `
+                -Objects (
+                    'Your Icinga Agent API feature has been disabled. Please provide either your ca.crt ',
+                    'or connect to a parent node for certificate requests. You can run "Install-IcingaAgentCertificates" ',
+                    'with your configuration to properly create the host certificate and a valid certificate request. ',
+                    'After this you can enable the API feature by using "Enable-IcingaAgentFeature api" and restart the ',
+                    'Icinga Agent service "Restart-IcingaService icinga2"'
+                );
+        }
+
+        Write-IcingaAgentZonesConfig -Endpoints $IcingaEndpoints -EndpointConnections $IcingaParentAddresses -ParentZone $IcingaZone -GlobalZones $GlobalZones -Hostname $Hostname;
+    }
 
     if ($InstallService) {
         Set-IcingaPowerShellConfig -Path 'Framework.Icinga.IcingaForWindowsService' -Value $WindowsServiceDir;
