Implement mTLS support.

robin-checkmk · robin-checkmk · commit 024a5fb7f5a4 · 2026-01-12T16:17:00.000+01:00
diff --git a/changelogs/fragments/mtls.yml b/changelogs/fragments/mtls.yml
@@ -0,0 +1,5 @@
+minor_changes:
+  - All modules - Enable mTLS support for all modules.
+    This is not a Checkmk feature, but one of Ansible and the respective web server.
+    This collection only provides the means to use mTLS, we neither document how to implement it,
+    nor will we provide support on top of enabling the basic functionality.
diff --git a/plugins/doc_fragments/common.py b/plugins/doc_fragments/common.py
@@ -43,6 +43,18 @@ class ModuleDocFragment(object):
             description: Authentication cookie for the Checkmk session.
             required: false
             type: str
+        client_cert:
+            description:
+                - Path to the client certificate file for authentication with the web server hosting Checkmk.
+                  This is not a Checkmk feature, but one of Ansible and the respective web server.
+            required: false
+            type: path
+        client_key:
+            description:
+                - Path to the client certificate key file for authentication with the web server hosting Checkmk.
+                  This is not a Checkmk feature, but one of Ansible and the respective web server.
+            required: false
+            type: path
         validate_certs:
             description:
                 - Whether to validate the SSL certificate of the Checkmk server.
diff --git a/plugins/module_utils/api.py b/plugins/module_utils/api.py
@@ -46,6 +46,10 @@ def __init__(self, module, logger=None):
         automation_secret = self.params.get("automation_secret")
         auth_cookie = self.params.get("auth_cookie")
 
+        # Enable mTLS
+        self.client_cert = self.params.get("client_cert")
+        self.client_key = self.params.get("client_key")
+
         if api_auth_type == "bearer":
             # Bearer Authentication
             if not automation_user or not automation_secret:
diff --git a/plugins/module_utils/utils.py b/plugins/module_utils/utils.py
@@ -52,6 +52,18 @@ def base_argument_spec():
             no_log=True,
             fallback=(env_fallback, ["CHECKMK_VAR_API_AUTH_COOKIE"]),
         ),
+        client_cert=dict(
+            type="path",
+            required=False,
+            default=None,
+            fallback=(env_fallback, ["CHECKMK_VAR_CLIENT_CERT"]),
+        ),
+        client_key=dict(
+            type="path",
+            required=False,
+            default=None,
+            fallback=(env_fallback, ["CHECKMK_VAR_CLIENT_KEY"]),
+        ),
     )
 
 
