diff --git a/.env_prx b/.env_prx index 3b16ef249..3bca1ca9e 100644 --- a/.env_prx +++ b/.env_prx @@ -58,3 +58,6 @@ # ZBX_TLSKEYFILE= # ZBX_TLSPSKIDENTITY= # ZBX_TLSPSKFILE= +# ZBX_VAULTDBPATH= +# ZBX_VAULTURL=https://127.0.0.1:8200 +# VAULT_TOKEN= diff --git a/.env_srv b/.env_srv index 45b034064..8fec3afae 100644 --- a/.env_srv +++ b/.env_srv @@ -55,3 +55,6 @@ ZBX_ENABLE_SNMP_TRAPS=true # ZBX_TLSCRLFILE= # ZBX_TLSCERTFILE= # ZBX_TLSKEYFILE= +# ZBX_VAULTDBPATH= +# ZBX_VAULTURL=https://127.0.0.1:8200 +# VAULT_TOKEN= diff --git a/.env_web b/.env_web index ad8fae6a3..d71c9a3ef 100644 --- a/.env_web +++ b/.env_web @@ -7,6 +7,9 @@ ZBX_SERVER_NAME=Composed installation # ZBX_DB_CA_FILE=/run/secrets/root-ca.pem # Available since 5.0.0 # ZBX_DB_VERIFY_HOST=false # Available since 5.0.0 # ZBX_DB_CIPHER_LIST= # Available since 5.0.0 +# ZBX_VAULTDBPATH= +# ZBX_VAULTURL=https://127.0.0.1:8200 +# VAULT_TOKEN= # ZBX_HISTORYSTORAGEURL=http://elasticsearch:9200/ # Available since 3.4.5 # ZBX_HISTORYSTORAGETYPES=['uint', 'dbl', 'str', 'text', 'log'] # Available since 3.4.5 # ENABLE_WEB_ACCESS_LOG=true diff --git a/proxy-mysql/alpine/docker-entrypoint.sh b/proxy-mysql/alpine/docker-entrypoint.sh index 9082bfd81..e2e17fbf6 100755 --- a/proxy-mysql/alpine/docker-entrypoint.sh +++ b/proxy-mysql/alpine/docker-entrypoint.sh 
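Review bot: The three commented examples added to `.env_prx` (and identically to `.env_srv` and `.env_web`) carry no guidance, and two of them are easy to misuse. `VAULT_TOKEN` is a bearer credential, so a value committed to one of these files is readable by anyone with access to the repository or the compose directory. `https://127.0.0.1:8200` is the container's own loopback unless host networking is used, so the example URL will usually not reach a Vault server. I would add two comment lines above the block: `# VAULT_TOKEN is a secret - inject it at runtime, do not commit a value here` and `# ZBX_VAULTURL must be reachable from inside the container; 127.0.0.1 is the container itself`.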
@@ -343,9 +343,19 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}" update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}" update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}" - update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}" - update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + update_config_var $ZBX_CONFIG "DBUser" + update_config_var $ZBX_CONFIG "DBPassword" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" + update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + fi update_config_var $ZBX_CONFIG "DBSocket" "${DB_SERVER_SOCKET}" diff --git a/proxy-mysql/centos/docker-entrypoint.sh b/proxy-mysql/centos/docker-entrypoint.sh index 7b26f123a..efb8d4e12 100755 --- a/proxy-mysql/centos/docker-entrypoint.sh +++ b/proxy-mysql/centos/docker-entrypoint.sh 
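Review bot: In the `VAULT_TOKEN` branch, `DBUser` and `DBPassword` are cleared even when `ZBX_VAULTDBPATH` is empty, so a token without a path leaves the config with no credential source and the failure only surfaces later, when the daemon tries to connect. What `update_config_var` does with an empty value is not visible here, so this is inferred from the calls that pass no value. A check at the top of the branch would fail fast with a clear message that does not echo the token. The same applies to the identical hunks in the other proxy-mysql, server-mysql and server-pgsql entrypoints. `update_zbx_config` starts and ends outside this hunk.

```shell
    if [ -n "${VAULT_TOKEN}" ]; then
        if [ -z "${ZBX_VAULTDBPATH}" ]; then
            echo "**** VAULT_TOKEN is set but ZBX_VAULTDBPATH is empty" >&2
            exit 1
        fi
        # … unchanged: VaultDBPath / VaultURL written, DBUser / DBPassword cleared …
    else
        # … unchanged: Vault settings cleared, DBUser / DBPassword taken from DB_SERVER_ZBX_* …
    fi
```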
@@ -341,9 +341,19 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}" update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}" update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}" - update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}" - update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + update_config_var $ZBX_CONFIG "DBUser" + update_config_var $ZBX_CONFIG "DBPassword" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" + update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + fi update_config_var $ZBX_CONFIG "DBSocket" "${DB_SERVER_SOCKET}" diff --git a/proxy-mysql/ubuntu/docker-entrypoint.sh b/proxy-mysql/ubuntu/docker-entrypoint.sh index ae04c987b..850ba6073 100755 --- a/proxy-mysql/ubuntu/docker-entrypoint.sh +++ b/proxy-mysql/ubuntu/docker-entrypoint.sh 
@@ -340,9 +340,19 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}" update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}" update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}" - update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}" - update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + update_config_var $ZBX_CONFIG "DBUser" + update_config_var $ZBX_CONFIG "DBPassword" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" + update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + fi update_config_var $ZBX_CONFIG "DBSocket" "${DB_SERVER_SOCKET}" diff --git a/proxy-sqlite3/alpine/docker-entrypoint.sh b/proxy-sqlite3/alpine/docker-entrypoint.sh index 5a068a347..ef13eb4bb 100755 --- a/proxy-sqlite3/alpine/docker-entrypoint.sh +++ b/proxy-sqlite3/alpine/docker-entrypoint.sh @@ -143,6 +143,14 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBPort" update_config_var $ZBX_CONFIG "DBPassword" + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + fi + update_config_var $ZBX_CONFIG "ProxyLocalBuffer" "${ZBX_PROXYLOCALBUFFER}" update_config_var $ZBX_CONFIG "ProxyOfflineBuffer" "${ZBX_PROXYOFFLINEBUFFER}" update_config_var $ZBX_CONFIG "HeartbeatFrequency" "${ZBX_PROXYHEARTBEATFREQUENCY}" diff --git a/proxy-sqlite3/centos/docker-entrypoint.sh b/proxy-sqlite3/centos/docker-entrypoint.sh index 5a068a347..ef13eb4bb 100755 
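Review bot: `VaultDBPath` is written in the SQLite proxy entrypoint although `DBPort` and `DBPassword` are cleared unconditionally just above, so as far as this hunk shows there are no database credentials for Vault to supply. If the setting is kept only so that all entrypoints look alike, say so in a comment such as `# SQLite needs no DB credentials; VaultDBPath is set only for parity with the MySQL proxy`. Otherwise drop the `VaultDBPath` line from the first branch and make `update_config_var $ZBX_CONFIG "VaultDBPath"` unconditional. The centos and ubuntu proxy-sqlite3 hunks are identical, and `update_zbx_config` continues outside the hunk.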
--- a/proxy-sqlite3/centos/docker-entrypoint.sh +++ b/proxy-sqlite3/centos/docker-entrypoint.sh @@ -143,6 +143,14 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBPort" update_config_var $ZBX_CONFIG "DBPassword" + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + fi + update_config_var $ZBX_CONFIG "ProxyLocalBuffer" "${ZBX_PROXYLOCALBUFFER}" update_config_var $ZBX_CONFIG "ProxyOfflineBuffer" "${ZBX_PROXYOFFLINEBUFFER}" update_config_var $ZBX_CONFIG "HeartbeatFrequency" "${ZBX_PROXYHEARTBEATFREQUENCY}" diff --git a/proxy-sqlite3/ubuntu/docker-entrypoint.sh b/proxy-sqlite3/ubuntu/docker-entrypoint.sh index e9a88482a..ed4815dae 100755 --- a/proxy-sqlite3/ubuntu/docker-entrypoint.sh +++ b/proxy-sqlite3/ubuntu/docker-entrypoint.sh @@ -143,6 +143,14 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBPort" update_config_var $ZBX_CONFIG "DBPassword" + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + fi + update_config_var $ZBX_CONFIG "ProxyLocalBuffer" "${ZBX_PROXYLOCALBUFFER}" update_config_var $ZBX_CONFIG "ProxyOfflineBuffer" "${ZBX_PROXYOFFLINEBUFFER}" update_config_var $ZBX_CONFIG "HeartbeatFrequency" "${ZBX_PROXYHEARTBEATFREQUENCY}" diff --git a/server-mysql/alpine/docker-entrypoint.sh b/server-mysql/alpine/docker-entrypoint.sh index 5d05994b1..f63f76310 100755 --- a/server-mysql/alpine/docker-entrypoint.sh +++ b/server-mysql/alpine/docker-entrypoint.sh 
@@ -324,9 +324,19 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}" update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}" update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}" - update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}" - update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + update_config_var $ZBX_CONFIG "DBUser" + update_config_var $ZBX_CONFIG "DBPassword" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" + update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + fi update_config_var $ZBX_CONFIG "HistoryStorageURL" "${ZBX_HISTORYSTORAGEURL}" update_config_var $ZBX_CONFIG "HistoryStorageTypes" "${ZBX_HISTORYSTORAGETYPES}" diff --git a/server-mysql/centos/docker-entrypoint.sh b/server-mysql/centos/docker-entrypoint.sh index fc1a18e05..d00d048fc 100755 --- a/server-mysql/centos/docker-entrypoint.sh +++ b/server-mysql/centos/docker-entrypoint.sh 
@@ -321,9 +321,19 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}" update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}" update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}" - update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}" - update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + update_config_var $ZBX_CONFIG "DBUser" + update_config_var $ZBX_CONFIG "DBPassword" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" + update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + fi update_config_var $ZBX_CONFIG "HistoryStorageURL" "${ZBX_HISTORYSTORAGEURL}" update_config_var $ZBX_CONFIG "HistoryStorageTypes" "${ZBX_HISTORYSTORAGETYPES}" diff --git a/server-mysql/ubuntu/docker-entrypoint.sh b/server-mysql/ubuntu/docker-entrypoint.sh index fa199fdb1..271d2d72d 100755 --- a/server-mysql/ubuntu/docker-entrypoint.sh +++ b/server-mysql/ubuntu/docker-entrypoint.sh 
@@ -321,9 +321,19 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}" update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}" update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}" - update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}" - update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + update_config_var $ZBX_CONFIG "DBUser" + update_config_var $ZBX_CONFIG "DBPassword" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" + update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + fi update_config_var $ZBX_CONFIG "HistoryStorageURL" "${ZBX_HISTORYSTORAGEURL}" update_config_var $ZBX_CONFIG "HistoryStorageTypes" "${ZBX_HISTORYSTORAGETYPES}" diff --git a/server-pgsql/alpine/docker-entrypoint.sh b/server-pgsql/alpine/docker-entrypoint.sh index 568562bff..9877b18f7 100755 --- a/server-pgsql/alpine/docker-entrypoint.sh +++ b/server-pgsql/alpine/docker-entrypoint.sh 
@@ -357,9 +357,19 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}" update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}" update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}" - update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}" - update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + update_config_var $ZBX_CONFIG "DBUser" + update_config_var $ZBX_CONFIG "DBPassword" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" + update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + fi update_config_var $ZBX_CONFIG "HistoryStorageURL" "${ZBX_HISTORYSTORAGEURL}" update_config_var $ZBX_CONFIG "HistoryStorageTypes" "${ZBX_HISTORYSTORAGETYPES}" diff --git a/server-pgsql/centos/docker-entrypoint.sh b/server-pgsql/centos/docker-entrypoint.sh index 568562bff..9877b18f7 100755 --- a/server-pgsql/centos/docker-entrypoint.sh +++ b/server-pgsql/centos/docker-entrypoint.sh 
@@ -357,9 +357,19 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}" update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}" update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}" - update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}" - update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + update_config_var $ZBX_CONFIG "DBUser" + update_config_var $ZBX_CONFIG "DBPassword" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" + update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + fi update_config_var $ZBX_CONFIG "HistoryStorageURL" "${ZBX_HISTORYSTORAGEURL}" update_config_var $ZBX_CONFIG "HistoryStorageTypes" "${ZBX_HISTORYSTORAGETYPES}" diff --git a/server-pgsql/ubuntu/docker-entrypoint.sh b/server-pgsql/ubuntu/docker-entrypoint.sh index 27acf0933..9821c2151 100755 --- a/server-pgsql/ubuntu/docker-entrypoint.sh +++ b/server-pgsql/ubuntu/docker-entrypoint.sh 
@@ -357,9 +357,19 @@ update_zbx_config() { update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}" update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}" update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}" - update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}" - update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + + if [ -n "${VAULT_TOKEN}" ]; then + update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}" + update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}" + update_config_var $ZBX_CONFIG "DBUser" + update_config_var $ZBX_CONFIG "DBPassword" + else + update_config_var $ZBX_CONFIG "VaultDBPath" + update_config_var $ZBX_CONFIG "VaultURL" + update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}" + update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}" + fi update_config_var $ZBX_CONFIG "HistoryStorageURL" "${ZBX_HISTORYSTORAGEURL}" update_config_var $ZBX_CONFIG "HistoryStorageTypes" "${ZBX_HISTORYSTORAGETYPES}" diff --git a/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php index 72b99cfc1..e3a21c62b 100644 --- a/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php @@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE'); $DB['SERVER'] = getenv('DB_SERVER_HOST'); $DB['PORT'] = getenv('DB_SERVER_PORT'); $DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); -$DB['USER'] = getenv('DB_SERVER_USER'); -$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); +$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : ''; +$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : ''; -// Schema name. Used for IBM DB2 and PostgreSQL. +// Schema name. Used for PostgreSQL. $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); $ZBX_SERVER = getenv('ZBX_SERVER_HOST'); 
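Review bot: `! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : ''` relies on `!` binding tighter than `?:` and reads as a double negative. The positive form is easier to audit: `$DB['USER'] = getenv('VAULT_TOKEN') ? '' : getenv('DB_SERVER_USER');`, and likewise for `$DB['PASSWORD']`. The test is also on the token alone, so a token with no `ZBX_VAULTDBPATH` blanks both credentials and leaves nothing to replace them; consider requiring the path as well. The same hunk is repeated in the other `zabbix.conf.php` copies in this diff.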
@@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; +// Vault configuration. Used if database credentials are stored in Vault secrets manager. +$DB['VAULT_URL'] = getenv('ZBX_VAULTURL'); +$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH'); +$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN'); + // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. @@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array(); // Used for SAML authentication. -// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : ''); $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : ''); $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : ''); diff --git a/web-apache-mysql/alpine/docker-entrypoint.sh b/web-apache-mysql/alpine/docker-entrypoint.sh index fb6ce0de7..0f770ab42 100755 --- a/web-apache-mysql/alpine/docker-entrypoint.sh +++ b/web-apache-mysql/alpine/docker-entrypoint.sh 
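Review bot: `$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN');` takes the secret from the process environment, so it is readable by every PHP script in the worker and by anything that prints the environment or `$DB`, such as a `phpinfo()` page or a debug dump. The comment on the new block should say so, for example `// VAULT_TOKEN is a secret; do not print $DB or the environment (phpinfo) in this deployment.` Separately, `getenv()` returns `false` for an unset variable, and the `CIPHER_LIST` line just above normalises that to `''`. The three new assignments would be consistent with it as `getenv('ZBX_VAULTURL') ? getenv('ZBX_VAULTURL') : ''`. The other `zabbix.conf.php` copies carry the same hunk.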
@@ -198,6 +198,10 @@ prepare_zbx_web_config() { export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} + export ZBX_VAULTURL=${ZBX_VAULTURL} + export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH} + export VAULT_TOKEN=${VAULT_TOKEN} + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} diff --git a/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php index 72b99cfc1..e3a21c62b 100644 --- a/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php @@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE'); $DB['SERVER'] = getenv('DB_SERVER_HOST'); $DB['PORT'] = getenv('DB_SERVER_PORT'); $DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); -$DB['USER'] = getenv('DB_SERVER_USER'); -$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); +$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : ''; +$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : ''; -// Schema name. Used for IBM DB2 and PostgreSQL. +// Schema name. Used for PostgreSQL. $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); $ZBX_SERVER = getenv('ZBX_SERVER_HOST'); @@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; +// Vault configuration. Used if database credentials are stored in Vault secrets manager. +$DB['VAULT_URL'] = getenv('ZBX_VAULTURL'); +$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH'); +$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN'); + // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. 
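Review bot: `ZBX_VAULTURL` and `ZBX_VAULTDBPATH` are exported with no default and no check, unlike `ZBX_DB_VERIFY_HOST` and `DB_DOUBLE_IEEE754` on the neighbouring lines, while `zabbix.conf.php` in this same diff blanks the DB user and password as soon as `VAULT_TOKEN` is set. A token with a missing URL or path therefore leaves the frontend without usable credentials; a guard before the exports would catch it: `[ -z "${VAULT_TOKEN}" ] || [ -n "${ZBX_VAULTURL}" ] || { echo "ZBX_VAULTURL is required when VAULT_TOKEN is set" >&2; exit 1; }`. `export VAULT_TOKEN` also hands the token to every process started from this script, which deserves a comment saying it is a secret and must not be echoed or logged. The other web-* entrypoints have the same hunk, and `prepare_zbx_web_config` continues outside it.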
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array(); // Used for SAML authentication. -// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : ''); $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : ''); $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : ''); diff --git a/web-apache-mysql/centos/docker-entrypoint.sh b/web-apache-mysql/centos/docker-entrypoint.sh index 88dc1e526..41647aa2a 100755 --- a/web-apache-mysql/centos/docker-entrypoint.sh +++ b/web-apache-mysql/centos/docker-entrypoint.sh @@ -207,6 +207,10 @@ prepare_zbx_web_config() { export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} + export ZBX_VAULTURL=${ZBX_VAULTURL} + export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH} + export VAULT_TOKEN=${VAULT_TOKEN} + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} diff --git a/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php index 72b99cfc1..e3a21c62b 100644 --- a/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE'); $DB['SERVER'] = getenv('DB_SERVER_HOST'); $DB['PORT'] = getenv('DB_SERVER_PORT'); $DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); -$DB['USER'] = getenv('DB_SERVER_USER'); -$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); +$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : ''; +$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : ''; -// Schema name. Used for IBM DB2 and PostgreSQL. +// Schema name. Used for PostgreSQL. $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); $ZBX_SERVER = getenv('ZBX_SERVER_HOST'); @@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; +// Vault configuration. Used if database credentials are stored in Vault secrets manager. +$DB['VAULT_URL'] = getenv('ZBX_VAULTURL'); +$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH'); +$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN'); + // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. 
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array(); // Used for SAML authentication. -// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : ''); $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : ''); $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : ''); diff --git a/web-apache-mysql/ubuntu/docker-entrypoint.sh b/web-apache-mysql/ubuntu/docker-entrypoint.sh index 1cf466675..b20e16ef3 100755 --- a/web-apache-mysql/ubuntu/docker-entrypoint.sh +++ b/web-apache-mysql/ubuntu/docker-entrypoint.sh @@ -198,6 +198,10 @@ prepare_zbx_web_config() { export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} + export ZBX_VAULTURL=${ZBX_VAULTURL} + export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH} + export VAULT_TOKEN=${VAULT_TOKEN} + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} diff --git a/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php index 72b99cfc1..e3a21c62b 100644 --- a/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE'); $DB['SERVER'] = getenv('DB_SERVER_HOST'); $DB['PORT'] = getenv('DB_SERVER_PORT'); $DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); -$DB['USER'] = getenv('DB_SERVER_USER'); -$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); +$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : ''; +$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : ''; -// Schema name. Used for IBM DB2 and PostgreSQL. +// Schema name. Used for PostgreSQL. $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); $ZBX_SERVER = getenv('ZBX_SERVER_HOST'); @@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; +// Vault configuration. Used if database credentials are stored in Vault secrets manager. +$DB['VAULT_URL'] = getenv('ZBX_VAULTURL'); +$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH'); +$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN'); + // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. 
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array(); // Used for SAML authentication. -// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : ''); $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : ''); $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : ''); diff --git a/web-apache-pgsql/alpine/docker-entrypoint.sh b/web-apache-pgsql/alpine/docker-entrypoint.sh index deae51655..32be2bf07 100755 --- a/web-apache-pgsql/alpine/docker-entrypoint.sh +++ b/web-apache-pgsql/alpine/docker-entrypoint.sh @@ -182,6 +182,10 @@ prepare_zbx_web_config() { export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} + export ZBX_VAULTURL=${ZBX_VAULTURL} + export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH} + export VAULT_TOKEN=${VAULT_TOKEN} + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} diff --git a/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php index 72b99cfc1..e3a21c62b 100644 --- a/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php 
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE'); $DB['SERVER'] = getenv('DB_SERVER_HOST'); $DB['PORT'] = getenv('DB_SERVER_PORT'); $DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); -$DB['USER'] = getenv('DB_SERVER_USER'); -$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); +$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : ''; +$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : ''; -// Schema name. Used for IBM DB2 and PostgreSQL. +// Schema name. Used for PostgreSQL. $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); $ZBX_SERVER = getenv('ZBX_SERVER_HOST'); @@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; +// Vault configuration. Used if database credentials are stored in Vault secrets manager. +$DB['VAULT_URL'] = getenv('ZBX_VAULTURL'); +$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH'); +$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN'); + // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. 
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array(); // Used for SAML authentication. -// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : ''); $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : ''); $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : ''); diff --git a/web-apache-pgsql/centos/docker-entrypoint.sh b/web-apache-pgsql/centos/docker-entrypoint.sh index 8e9b6f84a..ca7eb0415 100755 --- a/web-apache-pgsql/centos/docker-entrypoint.sh +++ b/web-apache-pgsql/centos/docker-entrypoint.sh @@ -194,6 +194,10 @@ prepare_zbx_web_config() { export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} + export ZBX_VAULTURL=${ZBX_VAULTURL} + export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH} + export VAULT_TOKEN=${VAULT_TOKEN} + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} diff --git a/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php index 72b99cfc1..e3a21c62b 100644 --- a/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-apache-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php 
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE'); $DB['SERVER'] = getenv('DB_SERVER_HOST'); $DB['PORT'] = getenv('DB_SERVER_PORT'); $DB['DATABASE'] = getenv('DB_SERVER_DBNAME'); -$DB['USER'] = getenv('DB_SERVER_USER'); -$DB['PASSWORD'] = getenv('DB_SERVER_PASS'); +$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : ''; +$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : ''; -// Schema name. Used for IBM DB2 and PostgreSQL. +// Schema name. Used for PostgreSQL. $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA'); $ZBX_SERVER = getenv('ZBX_SERVER_HOST'); @@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE'); $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false; $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : ''; +// Vault configuration. Used if database credentials are stored in Vault secrets manager. +$DB['VAULT_URL'] = getenv('ZBX_VAULTURL'); +$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH'); +$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN'); + // Use IEEE754 compatible value range for 64-bit Numeric (float) history values. // This option is enabled by default for new Zabbix installations. // For upgraded installations, please read database upgrade notes before enabling this option. 
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES')); $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array(); // Used for SAML authentication. -// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings. $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : ''); $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : ''); $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : ''); diff --git a/web-apache-pgsql/ubuntu/docker-entrypoint.sh b/web-apache-pgsql/ubuntu/docker-entrypoint.sh index 6c53a035e..db3c9bddc 100755 --- a/web-apache-pgsql/ubuntu/docker-entrypoint.sh +++ b/web-apache-pgsql/ubuntu/docker-entrypoint.sh @@ -189,6 +189,10 @@ prepare_zbx_web_config() { export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE} export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"} + export ZBX_VAULTURL=${ZBX_VAULTURL} + export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH} + export VAULT_TOKEN=${VAULT_TOKEN} + export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"} export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL} diff --git a/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php index 72b99cfc1..e3a21c62b 100644 --- a/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php +++ b/web-nginx-mysql/alpine/conf/etc/zabbix/web/zabbix.conf.php 
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE');
 $DB['SERVER'] = getenv('DB_SERVER_HOST');
 $DB['PORT'] = getenv('DB_SERVER_PORT');
 $DB['DATABASE'] = getenv('DB_SERVER_DBNAME');
-$DB['USER'] = getenv('DB_SERVER_USER');
-$DB['PASSWORD'] = getenv('DB_SERVER_PASS');
+$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : '';
+$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : '';
-// Schema name. Used for IBM DB2 and PostgreSQL.
+// Schema name. Used for PostgreSQL.
 $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA');
 $ZBX_SERVER = getenv('ZBX_SERVER_HOST');
@@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE');
 $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false;
 $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : '';
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+$DB['VAULT_URL'] = getenv('ZBX_VAULTURL');
+$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH');
+$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN');
+
 // Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
 // This option is enabled by default for new Zabbix installations.
 // For upgraded installations, please read database upgrade notes before enabling this option.
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES'));
 $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array();
 // Used for SAML authentication.
-// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
 $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : '');
 $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : '');
 $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : '');
diff --git a/web-nginx-mysql/alpine/docker-entrypoint.sh b/web-nginx-mysql/alpine/docker-entrypoint.sh
index 5a2c34400..dc0011932 100755
--- a/web-nginx-mysql/alpine/docker-entrypoint.sh
+++ b/web-nginx-mysql/alpine/docker-entrypoint.sh
@@ -211,6 +211,10 @@ prepare_zbx_web_config() {
 export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE}
 export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"}
+ export ZBX_VAULTURL=${ZBX_VAULTURL}
+ export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH}
+ export VAULT_TOKEN=${VAULT_TOKEN}
+
 export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"}
 export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL}
diff --git a/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php
index 72b99cfc1..e3a21c62b 100644
--- a/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php
+++ b/web-nginx-mysql/centos/conf/etc/zabbix/web/zabbix.conf.php
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE');
 $DB['SERVER'] = getenv('DB_SERVER_HOST');
 $DB['PORT'] = getenv('DB_SERVER_PORT');
 $DB['DATABASE'] = getenv('DB_SERVER_DBNAME');
-$DB['USER'] = getenv('DB_SERVER_USER');
-$DB['PASSWORD'] = getenv('DB_SERVER_PASS');
+$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : '';
+$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : '';
-// Schema name. Used for IBM DB2 and PostgreSQL.
+// Schema name. Used for PostgreSQL.
 $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA');
 $ZBX_SERVER = getenv('ZBX_SERVER_HOST');
@@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE');
 $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false;
 $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : '';
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+$DB['VAULT_URL'] = getenv('ZBX_VAULTURL');
+$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH');
+$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN');
+
 // Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
 // This option is enabled by default for new Zabbix installations.
 // For upgraded installations, please read database upgrade notes before enabling this option.
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES'));
 $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array();
 // Used for SAML authentication.
-// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
 $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : '');
 $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : '');
 $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : '');
diff --git a/web-nginx-mysql/centos/docker-entrypoint.sh b/web-nginx-mysql/centos/docker-entrypoint.sh
index 8372fe3c4..479ca9e1e 100755
--- a/web-nginx-mysql/centos/docker-entrypoint.sh
+++ b/web-nginx-mysql/centos/docker-entrypoint.sh
@@ -211,6 +211,10 @@ prepare_zbx_web_config() {
 export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE}
 export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"}
+ export ZBX_VAULTURL=${ZBX_VAULTURL}
+ export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH}
+ export VAULT_TOKEN=${VAULT_TOKEN}
+
 export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"}
 export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL}
diff --git a/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php
index 72b99cfc1..e3a21c62b 100644
--- a/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php
+++ b/web-nginx-mysql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE');
 $DB['SERVER'] = getenv('DB_SERVER_HOST');
 $DB['PORT'] = getenv('DB_SERVER_PORT');
 $DB['DATABASE'] = getenv('DB_SERVER_DBNAME');
-$DB['USER'] = getenv('DB_SERVER_USER');
-$DB['PASSWORD'] = getenv('DB_SERVER_PASS');
+$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : '';
+$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : '';
-// Schema name. Used for IBM DB2 and PostgreSQL.
+// Schema name. Used for PostgreSQL.
 $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA');
 $ZBX_SERVER = getenv('ZBX_SERVER_HOST');
@@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE');
 $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false;
 $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : '';
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+$DB['VAULT_URL'] = getenv('ZBX_VAULTURL');
+$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH');
+$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN');
+
 // Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
 // This option is enabled by default for new Zabbix installations.
 // For upgraded installations, please read database upgrade notes before enabling this option.
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES'));
 $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array();
 // Used for SAML authentication.
-// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
 $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : '');
 $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : '');
 $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : '');
diff --git a/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/web-nginx-mysql/ubuntu/docker-entrypoint.sh
index b1723176a..200f94042 100755
--- a/web-nginx-mysql/ubuntu/docker-entrypoint.sh
+++ b/web-nginx-mysql/ubuntu/docker-entrypoint.sh
@@ -211,6 +211,10 @@ prepare_zbx_web_config() {
 export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE}
 export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"}
+ export ZBX_VAULTURL=${ZBX_VAULTURL}
+ export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH}
+ export VAULT_TOKEN=${VAULT_TOKEN}
+
 export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"}
 export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL}
diff --git a/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php
index 72b99cfc1..e3a21c62b 100644
--- a/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php
+++ b/web-nginx-pgsql/alpine/conf/etc/zabbix/web/zabbix.conf.php
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE');
 $DB['SERVER'] = getenv('DB_SERVER_HOST');
 $DB['PORT'] = getenv('DB_SERVER_PORT');
 $DB['DATABASE'] = getenv('DB_SERVER_DBNAME');
-$DB['USER'] = getenv('DB_SERVER_USER');
-$DB['PASSWORD'] = getenv('DB_SERVER_PASS');
+$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : '';
+$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : '';
-// Schema name. Used for IBM DB2 and PostgreSQL.
+// Schema name. Used for PostgreSQL.
 $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA');
 $ZBX_SERVER = getenv('ZBX_SERVER_HOST');
@@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE');
 $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false;
 $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : '';
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+$DB['VAULT_URL'] = getenv('ZBX_VAULTURL');
+$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH');
+$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN');
+
 // Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
 // This option is enabled by default for new Zabbix installations.
 // For upgraded installations, please read database upgrade notes before enabling this option.
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES'));
 $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array();
 // Used for SAML authentication.
-// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
 $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : '');
 $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : '');
 $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : '');
diff --git a/web-nginx-pgsql/alpine/docker-entrypoint.sh b/web-nginx-pgsql/alpine/docker-entrypoint.sh
index 06ef99376..ee2b40aa2 100755
--- a/web-nginx-pgsql/alpine/docker-entrypoint.sh
+++ b/web-nginx-pgsql/alpine/docker-entrypoint.sh
@@ -197,6 +197,10 @@ prepare_zbx_web_config() {
 export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE}
 export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"}
+ export ZBX_VAULTURL=${ZBX_VAULTURL}
+ export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH}
+ export VAULT_TOKEN=${VAULT_TOKEN}
+
 export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"}
 export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL}
diff --git a/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php
index 72b99cfc1..e3a21c62b 100644
--- a/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php
+++ b/web-nginx-pgsql/centos/conf/etc/zabbix/web/zabbix.conf.php
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE');
 $DB['SERVER'] = getenv('DB_SERVER_HOST');
 $DB['PORT'] = getenv('DB_SERVER_PORT');
 $DB['DATABASE'] = getenv('DB_SERVER_DBNAME');
-$DB['USER'] = getenv('DB_SERVER_USER');
-$DB['PASSWORD'] = getenv('DB_SERVER_PASS');
+$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : '';
+$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : '';
-// Schema name. Used for IBM DB2 and PostgreSQL.
+// Schema name. Used for PostgreSQL.
 $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA');
 $ZBX_SERVER = getenv('ZBX_SERVER_HOST');
@@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE');
 $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false;
 $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : '';
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+$DB['VAULT_URL'] = getenv('ZBX_VAULTURL');
+$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH');
+$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN');
+
 // Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
 // This option is enabled by default for new Zabbix installations.
 // For upgraded installations, please read database upgrade notes before enabling this option.
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES'));
 $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array();
 // Used for SAML authentication.
-// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
 $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : '');
 $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : '');
 $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : '');
diff --git a/web-nginx-pgsql/centos/docker-entrypoint.sh b/web-nginx-pgsql/centos/docker-entrypoint.sh
index 028e821ac..5c130e38c 100755
--- a/web-nginx-pgsql/centos/docker-entrypoint.sh
+++ b/web-nginx-pgsql/centos/docker-entrypoint.sh
@@ -197,6 +197,10 @@ prepare_zbx_web_config() {
 export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE}
 export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"}
+ export ZBX_VAULTURL=${ZBX_VAULTURL}
+ export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH}
+ export VAULT_TOKEN=${VAULT_TOKEN}
+
 export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"}
 export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL}
diff --git a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php
index 72b99cfc1..e3a21c62b 100644
--- a/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php
+++ b/web-nginx-pgsql/ubuntu/conf/etc/zabbix/web/zabbix.conf.php
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE');
 $DB['SERVER'] = getenv('DB_SERVER_HOST');
 $DB['PORT'] = getenv('DB_SERVER_PORT');
 $DB['DATABASE'] = getenv('DB_SERVER_DBNAME');
-$DB['USER'] = getenv('DB_SERVER_USER');
-$DB['PASSWORD'] = getenv('DB_SERVER_PASS');
+$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : '';
+$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : '';
-// Schema name. Used for IBM DB2 and PostgreSQL.
+// Schema name. Used for PostgreSQL.
 $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA');
 $ZBX_SERVER = getenv('ZBX_SERVER_HOST');
@@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE');
 $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false;
 $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : '';
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+$DB['VAULT_URL'] = getenv('ZBX_VAULTURL');
+$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH');
+$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN');
+
 // Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
 // This option is enabled by default for new Zabbix installations.
 // For upgraded installations, please read database upgrade notes before enabling this option.
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES'));
 $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array();
 // Used for SAML authentication.
-// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
 $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : '');
 $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : '');
 $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : '');
diff --git a/web-nginx-pgsql/ubuntu/docker-entrypoint.sh b/web-nginx-pgsql/ubuntu/docker-entrypoint.sh
index 56ad24684..a1e7e5975 100755
--- a/web-nginx-pgsql/ubuntu/docker-entrypoint.sh
+++ b/web-nginx-pgsql/ubuntu/docker-entrypoint.sh
@@ -197,6 +197,10 @@ prepare_zbx_web_config() {
 export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE}
 export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"}
+ export ZBX_VAULTURL=${ZBX_VAULTURL}
+ export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH}
+ export VAULT_TOKEN=${VAULT_TOKEN}
+
 export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"}
 export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL}
diff --git a/zabbix-appliance/rhel/conf/etc/zabbix/web/zabbix.conf.php b/zabbix-appliance/rhel/conf/etc/zabbix/web/zabbix.conf.php
index 72b99cfc1..e3a21c62b 100644
--- a/zabbix-appliance/rhel/conf/etc/zabbix/web/zabbix.conf.php
+++ b/zabbix-appliance/rhel/conf/etc/zabbix/web/zabbix.conf.php
@@ -6,10 +6,10 @@ $DB['TYPE'] = getenv('DB_SERVER_TYPE');
 $DB['SERVER'] = getenv('DB_SERVER_HOST');
 $DB['PORT'] = getenv('DB_SERVER_PORT');
 $DB['DATABASE'] = getenv('DB_SERVER_DBNAME');
-$DB['USER'] = getenv('DB_SERVER_USER');
-$DB['PASSWORD'] = getenv('DB_SERVER_PASS');
+$DB['USER'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_USER') : '';
+$DB['PASSWORD'] = ! getenv('VAULT_TOKEN') ? getenv('DB_SERVER_PASS') : '';
-// Schema name. Used for IBM DB2 and PostgreSQL.
+// Schema name. Used for PostgreSQL.
 $DB['SCHEMA'] = getenv('DB_SERVER_SCHEMA');
 $ZBX_SERVER = getenv('ZBX_SERVER_HOST');
@@ -24,6 +24,11 @@ $DB['CA_FILE'] = getenv('ZBX_DB_CA_FILE');
 $DB['VERIFY_HOST'] = getenv('ZBX_DB_VERIFY_HOST') == 'true' ? true: false;
 $DB['CIPHER_LIST'] = getenv('ZBX_DB_CIPHER_LIST') ? getenv('ZBX_DB_CIPHER_LIST') : '';
+// Vault configuration. Used if database credentials are stored in Vault secrets manager.
+$DB['VAULT_URL'] = getenv('ZBX_VAULTURL');
+$DB['VAULT_DB_PATH'] = getenv('ZBX_VAULTDBPATH');
+$DB['VAULT_TOKEN'] = getenv('VAULT_TOKEN');
+
 // Use IEEE754 compatible value range for 64-bit Numeric (float) history values.
 // This option is enabled by default for new Zabbix installations.
 // For upgraded installations, please read database upgrade notes before enabling this option.
@@ -41,7 +46,6 @@ $storage_types = str_replace("'","\"",getenv('ZBX_HISTORYSTORAGETYPES'));
 $HISTORY['types'] = (json_decode($storage_types)) ? json_decode($storage_types, true) : array();
 // Used for SAML authentication.
-// Uncomment to override the default paths to SP private key, SP and IdP X.509 certificates, and to set extra settings.
 $SSO['SP_KEY'] = file_exists('/etc/zabbix/web/certs/sp.key') ? '/etc/zabbix/web/certs/sp.key' : (file_exists(getenv('ZBX_SSO_SP_KEY')) ? getenv('ZBX_SSO_SP_KEY') : '');
 $SSO['SP_CERT'] = file_exists('/etc/zabbix/web/certs/sp.crt') ? '/etc/zabbix/web/certs/sp.crt' : (file_exists(getenv('ZBX_SSO_SP_CERT')) ? getenv('ZBX_SSO_SP_CERT') : '');
 $SSO['IDP_CERT'] = file_exists('/etc/zabbix/web/certs/idp.crt') ? '/etc/zabbix/web/certs/idp.crt' : (file_exists(getenv('ZBX_SSO_IDP_CERT')) ? getenv('ZBX_SSO_IDP_CERT') : '');
diff --git a/zabbix-appliance/rhel/docker-entrypoint.sh b/zabbix-appliance/rhel/docker-entrypoint.sh
index ba30ee500..8b6a80aff 100755
--- a/zabbix-appliance/rhel/docker-entrypoint.sh
+++ b/zabbix-appliance/rhel/docker-entrypoint.sh
@@ -410,9 +410,19 @@ update_zbx_config() {
 update_config_var $ZBX_CONFIG "DBHost" "${DB_SERVER_HOST}"
 update_config_var $ZBX_CONFIG "DBName" "${DB_SERVER_DBNAME}"
 update_config_var $ZBX_CONFIG "DBSchema" "${DB_SERVER_SCHEMA}"
- update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}"
 update_config_var $ZBX_CONFIG "DBPort" "${DB_SERVER_PORT}"
- update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}"
+
+ if [ -n "${VAULT_TOKEN}" ]; then
+ update_config_var $ZBX_CONFIG "VaultDBPath" "${ZBX_VAULTDBPATH}"
+ update_config_var $ZBX_CONFIG "VaultURL" "${ZBX_VAULTURL}"
+ update_config_var $ZBX_CONFIG "DBUser"
+ update_config_var $ZBX_CONFIG "DBPassword"
+ else
+ update_config_var $ZBX_CONFIG "VaultDBPath"
+ update_config_var $ZBX_CONFIG "VaultURL"
+ update_config_var $ZBX_CONFIG "DBUser" "${DB_SERVER_ZBX_USER}"
+ update_config_var $ZBX_CONFIG "DBPassword" "${DB_SERVER_ZBX_PASS}"
+ fi
 update_config_var $ZBX_CONFIG "HistoryStorageURL" "${ZBX_HISTORYSTORAGEURL}"
 update_config_var $ZBX_CONFIG "HistoryStorageTypes" "${ZBX_HISTORYSTORAGETYPES}"
@@ -566,6 +576,10 @@ prepare_zbx_web_config() {
 export ZBX_DB_CA_FILE=${ZBX_DB_CA_FILE}
 export ZBX_DB_VERIFY_HOST=${ZBX_DB_VERIFY_HOST-"false"}
+ export ZBX_VAULTURL=${ZBX_VAULTURL}
+ export ZBX_VAULTDBPATH=${ZBX_VAULTDBPATH}
+ export VAULT_TOKEN=${VAULT_TOKEN}
+
 export DB_DOUBLE_IEEE754=${DB_DOUBLE_IEEE754:-"true"}
 export ZBX_HISTORYSTORAGEURL=${ZBX_HISTORYSTORAGEURL}
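Review bot: The new `if [ -n "${VAULT_TOKEN}" ]` branch in update_zbx_config (zabbix-appliance/rhel/docker-entrypoint.sh) clears `DBUser` and `DBPassword` without checking that `ZBX_VAULTDBPATH` is set, so a token on its own produces a configuration with neither static credentials nor a Vault path. Nothing looks at the scheme of `ZBX_VAULTURL` either, and a plain `http://` value would send the token to Vault unencrypted. Validating both at the top of the branch turns these into an explicit start-up message; the message style and the hard exit below are assumptions to be aligned with the rest of the script, which the hunk does not show. The function body continues outside the hunk, and any other entrypoint that receives this same branch needs the same guard.

```shell
    if [ -n "${VAULT_TOKEN}" ]; then
        # Vault mode needs a secret path; without it the server has no credentials at all.
        if [ -z "${ZBX_VAULTDBPATH}" ]; then
            echo "**** VAULT_TOKEN is set but ZBX_VAULTDBPATH is empty" >&2
            exit 1
        fi
        # An empty URL is left to the server's built-in default; anything else should be TLS.
        case "${ZBX_VAULTURL}" in
            "" | https://*) ;;
            *) echo "**** Warning: ZBX_VAULTURL is not an https:// address" >&2 ;;
        esac
        # … unchanged: VaultDBPath and VaultURL written, DBUser and DBPassword cleared …
```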