Werk #14652: Real-time checks: Simplify encryption setup
|Component||Checks & agents|
|Title||Real-time checks: Simplify encryption setup|
|Date||Oct 27, 2022|
|Checkmk Editon||Checkmk Enterprise (CEE)|
|Compatibility||Incompatible - Manual interaction might be required|
This Werk is incompatible for users of the real-time check (RTC) feature.
We incompatibly change the way the encryption for RTC is configured. Since we cannot guarantee a compatible migration in all cases, we play it safe: All rulesets of the rule "Real-time checks" are extended by a randomly generated secret, used for (and enabling) encryption. Users have to reconfigure the rules to get the old behavior (or deploy the agents to use the created password).
The setup of the RTC encryption had become confusing over time.
We now radically simplify it. The setup is exclusively done via a new configuration option "Encryption", added to the ruleset "Real-time checks" (formally known as "Send data for real-time checks").
- The Checkmk agent for Linux encrypts real-time data if and only if the parameter RTC_SECRET is set (not empty) in /etc/check_mk/real_time_checks.cfg.
- The Checkmk site expects encrypted data if and only if a pre-shared secret is configured via the ruleset "Real-time checks".
- If the site expects encrypted data, unencrypted data is discarded (and vice versa).
For users of the Agent Bakery the configuration of the ruleset is sufficient. The configuration of the agent is taken care of by the bakery. However, even if you do not use the agent bakery, you still have to set up the rule, such that the site knows which secret to use for decryption.
All other encryption settings (distributed across the rules "Encryption (Linux, Windows)" and "Enable handling of Real-Time Checks") have no effect on the RTC encryption anymore.
Unfortunately, we can't make this change compatible via automatic configuration update. Since we do not want to make users send unencrypted data by accident, we populate the encryption setting for all existing rules with a random value. To make the RTC work again either update the baked agents, or adapt the configured rules to reflect the behavior of the deployed agent.