diff --git a/Dockerfiles/web-apache-mysql/alpine/Dockerfile b/Dockerfiles/web-apache-mysql/alpine/Dockerfile
index 93c7e4dfa..d829c6265 100644
--- a/Dockerfiles/web-apache-mysql/alpine/Dockerfile
+++ b/Dockerfiles/web-apache-mysql/alpine/Dockerfile
@@ -50,6 +50,7 @@ RUN set -eux && \
 INSTALL_PKGS="bash \
 tzdata \
 curl \
+ jq \
 mariadb-client \
 mariadb-connector-c \
 apache2 \
diff --git a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh
index 09757f5aa..82b691b99 100755
--- a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh
@@ -128,6 +128,57 @@ db_tls_params() {
 echo $result
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}"
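Review bot: `curl_opts=(-s -m 10 -k)` disables TLS certificate verification for every vault request, so the HashiCorp branch sends `VAULT_TOKEN` and receives the database password over a connection whose peer is never authenticated; `-k` should not be the default for the secrets channel. Drop `-k` (curl verifies against the system CA store on its own) and accept an optional CA bundle through `--cacert` — the `ZBX_VAULTCAFILE` used in the fence is a placeholder name for a variable the image does not define yet. Two smaller points in the same hunk: the token is put on the curl command line with `-H "X-Vault-Token: $VAULT_TOKEN"`, where it is visible to other processes for the duration of the call and can instead be read from a 0600 file with `-H @file`; and the extracted values are never validated, so a response without `.data.data.username` makes `jq -r` print `null` and the script continues with user `null` and an empty password, which `jq -er '… // empty'` plus an explicit failure path avoids for both backends. The CyberArk branch should likewise reject an empty `ZBX_VAULTCERTFILE` before its retry loop, because `--cert ""` fails on every iteration and the loop never exits. The same function is added verbatim to the other ten entrypoint scripts in this commit (centos/ol/ubuntu web-apache-mysql, every web-apache-pgsql and web-nginx-mysql variant), so the fix applies to each copy.
```shell
# Abort when a field is missing from the vault response; the body is not
# echoed because it carries the database password.
vault_field_missing() {
  echo "Error getting secrets from vault: field '$1' is missing or empty"
  exit 1
}

get_vault_secrets() {
  WAIT_TIMEOUT=5
  vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
  # No -k: curl verifies the vault certificate against the system CA store.
  curl_opts=(-s -m 10)
  # ZBX_VAULTCAFILE is a placeholder name for a new optional variable
  # (CA bundle for a private PKI); it does not exist in the image yet.
  if [ -n "${ZBX_VAULTCAFILE}" ]; then
    curl_opts+=(--cacert "$ZBX_VAULTCAFILE")
  fi

  # … unchanged: ZBX_VAULTURL / ZBX_VAULTPREFIX / ZBX_VAULTDBPATH check …

  if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
    if [ -z "${VAULT_TOKEN}" ]; then
      echo "Missing variables! If ZBX_VAULT=HashiCorp is used then VAULT_TOKEN must be set"
      exit 1
    fi
    # Keep the token off the curl command line: mktemp creates the file
    # with mode 0600 and curl reads the header from it.
    token_hdr=$(mktemp) || exit 1
    printf 'X-Vault-Token: %s\n' "$VAULT_TOKEN" > "$token_hdr"
    while ! vaultdata="$(curl "${curl_opts[@]}" -H "@$token_hdr" "$vault_url")"; do
      echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
      sleep $WAIT_TIMEOUT
    done
    rm -f -- "$token_hdr"
    # … unchanged: .errors check …
    # jq -e fails when the field is absent or null instead of printing "null".
    DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -er '.data.data.username // empty')" || vault_field_missing username
    DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -er '.data.data.password // empty')" || vault_field_missing password

  elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
    if [ -z "${ZBX_VAULTCERTFILE}" ]; then
      echo "Missing variables! If ZBX_VAULT=CyberArk is used then ZBX_VAULTCERTFILE must be set"
      exit 1
    fi
    # … unchanged: cyberark_opts, retry loop, .ErrorCode check …
    DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -er '.UserName // empty')" || vault_field_missing UserName
    DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -er '.Content // empty')" || vault_field_missing Content

  # … unchanged: else branch …
  fi
}
```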
@@ -144,13 +195,22 @@ check_db_connect() {
 
 WAIT_TIMEOUT=5
 
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... ******"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 ssl_opts="$(db_tls_params)"
 
 export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"
 
 while [ ! "$(mariadb-admin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \
 --silent --skip-ssl-verify-server-cert --connect_timeout=10 $ssl_opts)" ]; do
- echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
 
diff --git a/Dockerfiles/web-apache-mysql/centos/Dockerfile b/Dockerfiles/web-apache-mysql/centos/Dockerfile
index dc7d72d11..7d3e9a073 100644
--- a/Dockerfiles/web-apache-mysql/centos/Dockerfile
+++ b/Dockerfiles/web-apache-mysql/centos/Dockerfile
@@ -68,6 +68,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 glibc-locale-source \
 shadow-utils \
 gzip \
+ jq \
 supervisor" && \
 microdnf -y install \
 --disablerepo="*" \
diff --git a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh
index d78e28164..423545814 100755
--- a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh
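Review bot: The credentials that `get_vault_secrets` just fetched are placed into the process environment by the existing `export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"` a few lines below the new block, so every process the entrypoint spawns afterwards inherits the vault-supplied password, which is exactly what a vault integration is meant to avoid. If nothing later in the script relies on `MYSQL_PWD` (the rest of check_db_connect continues outside the hunk, so I cannot confirm that here), the vault path should `unset MYSQL_PWD` once the ping loop has finished; the PostgreSQL variants `export PGPASSWORD` straight after the new block and need the same treatment. The banner text is also inconsistent between copies: this file and the web-apache-pgsql/ol entrypoint print `***** Connecting to vault... ******` while the other nine print five trailing asterisks, so `echo "***** Connecting to vault... *****"` would keep all copies identical. Both points apply to the matching hunk in the centos/ol/ubuntu web-apache-mysql entrypoints and in every web-nginx-mysql and web-apache-pgsql entrypoint of this commit.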
@@ -128,6 +128,57 @@ db_tls_params() {
 echo $result
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}"
@@ -144,13 +195,22 @@ check_db_connect() {
 
 WAIT_TIMEOUT=5
 
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 ssl_opts="$(db_tls_params)"
 
 export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"
 
 while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \
 --silent --connect_timeout=10 $ssl_opts)" ]; do
- echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
 
diff --git a/Dockerfiles/web-apache-mysql/ol/Dockerfile b/Dockerfiles/web-apache-mysql/ol/Dockerfile
index 996fb18f6..df47340bf 100644
--- a/Dockerfiles/web-apache-mysql/ol/Dockerfile
+++ b/Dockerfiles/web-apache-mysql/ol/Dockerfile
@@ -68,6 +68,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 php-xml \
 findutils \
 glibc-locale-source \
+ jq \
 supervisor" && \
 microdnf -y install \
 --disablerepo="*" \
diff --git a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh
index d78e28164..423545814 100755
--- a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh
@@ -128,6 +128,57 @@ db_tls_params() {
 echo $result
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}"
@@ -144,13 +195,22 @@ check_db_connect() {
 
 WAIT_TIMEOUT=5
 
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 ssl_opts="$(db_tls_params)"
 
 export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"
 
 while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \
 --silent --connect_timeout=10 $ssl_opts)" ]; do
- echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
 
diff --git a/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile b/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile
index dcc0d5a00..51f9444ad 100644
--- a/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile
+++ b/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile
@@ -68,6 +68,7 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
 php8.3-mbstring \
 php8.3-mysql \
 php8.3-xml \
+ jq \
 supervisor" && \
 apt-get -y update && \
 DEBIAN_FRONTEND=noninteractive apt-get -y \
diff --git a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh
index 68219d7d5..3e270986b 100755
--- a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh
@@ -128,6 +128,57 @@ db_tls_params() {
 echo $result
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}"
@@ -144,13 +195,22 @@ check_db_connect() {
 
 WAIT_TIMEOUT=5
 
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 ssl_opts="$(db_tls_params)"
 
 export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"
 
 while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \
 --silent --connect_timeout=10 $ssl_opts)" ]; do
- echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
 
diff --git a/Dockerfiles/web-apache-pgsql/alpine/Dockerfile b/Dockerfiles/web-apache-pgsql/alpine/Dockerfile
index d53c52547..21301e940 100644
--- a/Dockerfiles/web-apache-pgsql/alpine/Dockerfile
+++ b/Dockerfiles/web-apache-pgsql/alpine/Dockerfile
@@ -50,6 +50,7 @@ RUN set -eux && \
 INSTALL_PKGS="bash \
 tzdata \
 curl \
+ jq \
 apache2 \
 apache2-proxy \
 php84-bcmath \
diff --git a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh
index 904141ce0..d71202beb 100755
--- a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh
@@ -109,6 +109,57 @@ check_variables() {
 fi
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 if [ -n "${DB_SERVER_HOST}" ]; then
@@ -127,12 +178,21 @@ check_db_connect() {
 fi
 echo "********************"
 
+ WAIT_TIMEOUT=5
+
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 if [ -n "${DB_SERVER_ZBX_PASS}" ]; then
 export PGPASSWORD="${DB_SERVER_ZBX_PASS}"
 fi
 
- WAIT_TIMEOUT=5
-
 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then
 PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}"
 export PGOPTIONS
@@ -147,7 +207,7 @@ check_db_connect() {
 fi
 
 while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do
- echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
 
diff --git a/Dockerfiles/web-apache-pgsql/centos/Dockerfile b/Dockerfiles/web-apache-pgsql/centos/Dockerfile
index 758e72931..e09d7560d 100644
--- a/Dockerfiles/web-apache-pgsql/centos/Dockerfile
+++ b/Dockerfiles/web-apache-pgsql/centos/Dockerfile
@@ -68,6 +68,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 glibc-locale-source \
 shadow-utils \
 gzip \
+ jq \
 supervisor" && \
 microdnf -y install \
 --disablerepo="*" \
diff --git a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh
index d234dc991..91bab1e04 100755
--- a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh
@@ -109,6 +109,57 @@ check_variables() {
 fi
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 if [ -n "${DB_SERVER_HOST}" ]; then
@@ -127,12 +178,21 @@ check_db_connect() {
 fi
 echo "********************"
 
+ WAIT_TIMEOUT=5
+
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 if [ -n "${DB_SERVER_ZBX_PASS}" ]; then
 export PGPASSWORD="${DB_SERVER_ZBX_PASS}"
 fi
 
- WAIT_TIMEOUT=5
-
 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then
 PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}"
 export PGOPTIONS
@@ -147,7 +207,7 @@ check_db_connect() {
 fi
 
 while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do
- echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
 
diff --git a/Dockerfiles/web-apache-pgsql/ol/Dockerfile b/Dockerfiles/web-apache-pgsql/ol/Dockerfile
index 14d12887a..2912278a2 100644
--- a/Dockerfiles/web-apache-pgsql/ol/Dockerfile
+++ b/Dockerfiles/web-apache-pgsql/ol/Dockerfile
@@ -68,6 +68,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 postgresql \
 findutils \
 glibc-locale-source \
+ jq \
 supervisor" && \
 microdnf -y install \
 --disablerepo="*" \
diff --git a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh
index 663f8b5a9..af664709e 100755
--- a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh
@@ -109,6 +109,57 @@ check_variables() {
 fi
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 if [ -n "${DB_SERVER_HOST}" ]; then
@@ -127,12 +178,21 @@ check_db_connect() {
 fi
 echo "********************"
 
+ WAIT_TIMEOUT=5
+
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... ******"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 if [ -n "${DB_SERVER_ZBX_PASS}" ]; then
 export PGPASSWORD="${DB_SERVER_ZBX_PASS}"
 fi
 
- WAIT_TIMEOUT=5
-
 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then
 PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}"
 export PGOPTIONS
@@ -147,7 +207,7 @@ check_db_connect() {
 fi
 
 while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do
- echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
 
diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile b/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile
index 0538e45ff..d28c0600d 100644
--- a/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile
+++ b/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile
@@ -68,6 +68,7 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
 php8.3-xml \
 php8.3-pgsql \
 postgresql-client-17 \
+ jq \
 supervisor" && \
 apt-get -y update && \
 DEBIAN_FRONTEND=noninteractive apt-get -y \
diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh
index ceb047f9d..d9a9658a5 100755
--- a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh
@@ -109,6 +109,57 @@ check_variables() {
 fi
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 if [ -n "${DB_SERVER_HOST}" ]; then
@@ -127,12 +178,21 @@ check_db_connect() {
 fi
 echo "********************"
 
+ WAIT_TIMEOUT=5
+
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 if [ -n "${DB_SERVER_ZBX_PASS}" ]; then
 export PGPASSWORD="${DB_SERVER_ZBX_PASS}"
 fi
 
- WAIT_TIMEOUT=5
-
 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then
 PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}"
 export PGOPTIONS
@@ -147,7 +207,7 @@ check_db_connect() {
 fi
 
 while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do
- echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
 
diff --git a/Dockerfiles/web-nginx-mysql/alpine/Dockerfile b/Dockerfiles/web-nginx-mysql/alpine/Dockerfile
index 7aa82b582..2b3812ca5 100644
--- a/Dockerfiles/web-nginx-mysql/alpine/Dockerfile
+++ b/Dockerfiles/web-nginx-mysql/alpine/Dockerfile
@@ -50,6 +50,7 @@ RUN set -eux && \
 INSTALL_PKGS="bash \
 tzdata \
 curl \
+ jq \
 mariadb-client \
 mariadb-connector-c \
 nginx \
diff --git a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh
index e05a597d8..167c3cb72 100755
--- a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh
@@ -134,6 +134,57 @@ db_tls_params() {
 echo $result
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}"
@@ -150,13 +201,22 @@ check_db_connect() {
 
 WAIT_TIMEOUT=5
 
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 ssl_opts="$(db_tls_params)"
 
 export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"
 
 while [ ! "$(mariadb-admin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \
 --silent --skip-ssl-verify-server-cert --connect_timeout=10 $ssl_opts)" ]; do
- echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
 
diff --git a/Dockerfiles/web-nginx-mysql/centos/Dockerfile b/Dockerfiles/web-nginx-mysql/centos/Dockerfile
index 687e00c63..cccf5baed 100644
--- a/Dockerfiles/web-nginx-mysql/centos/Dockerfile
+++ b/Dockerfiles/web-nginx-mysql/centos/Dockerfile
@@ -66,6 +66,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 php-xml \
 shadow-utils \
 gzip \
+ jq \
 supervisor" && \
 microdnf -y install \
 --disablerepo="*" \
diff --git a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh
index 356398f65..653007661 100755
--- a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh
@@ -134,6 +134,57 @@ db_tls_params() {
 echo $result
 }
 
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}"
@@ -150,13 +201,22 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + ssl_opts="$(db_tls_params)" export MYSQL_PWD="${DB_SERVER_ZBX_PASS}" while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \ --silent --connect_timeout=10 $ssl_opts)" ]; do - echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-nginx-mysql/ol/Dockerfile b/Dockerfiles/web-nginx-mysql/ol/Dockerfile index 6fb70b2bf..debc4673b 100644 --- a/Dockerfiles/web-nginx-mysql/ol/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/ol/Dockerfile @@ -66,6 +66,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ php-xml \ findutils \ glibc-locale-source \ + jq \ supervisor" && \ microdnf -y install \ --disablerepo="*" \ diff --git a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh index 356398f65..653007661 100755 --- a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh 
@@ -134,6 +134,57 @@ db_tls_params() { echo $result } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
@@ -150,13 +201,22 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + ssl_opts="$(db_tls_params)" export MYSQL_PWD="${DB_SERVER_ZBX_PASS}" while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \ --silent --connect_timeout=10 $ssl_opts)" ]; do - echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile index fb019a8cf..cca88f82b 100644 --- a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile @@ -70,6 +70,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ set -eux && \ INSTALL_PKGS="bash \ curl-minimal \ + jq \ supervisor \ shadow-utils \ findutils \ diff --git a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh index 356398f65..653007661 100755 --- a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh 
@@ -134,6 +134,57 @@ db_tls_params() { echo $result } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
@@ -150,13 +201,22 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + ssl_opts="$(db_tls_params)" export MYSQL_PWD="${DB_SERVER_ZBX_PASS}" while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \ --silent --connect_timeout=10 $ssl_opts)" ]; do - echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile b/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile index 6bbf93908..18ab372ed 100644 --- a/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile @@ -68,6 +68,7 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ php8.3-mbstring \ php8.3-mysql \ php8.3-xml \ + jq \ supervisor" && \ apt-get -y update && \ DEBIAN_FRONTEND=noninteractive apt-get -y \ diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh index 37e32220f..0edcf5477 100755 --- a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh 
@@ -134,6 +134,57 @@ db_tls_params() { echo $result } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
@@ -150,13 +201,22 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + ssl_opts="$(db_tls_params)" export MYSQL_PWD="${DB_SERVER_ZBX_PASS}" while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \ --silent --connect_timeout=10 $ssl_opts)" ]; do - echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile b/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile index d8bb99474..13a0453ae 100644 --- a/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile @@ -50,6 +50,7 @@ RUN set -eux && \ INSTALL_PKGS="bash \ tzdata \ curl \ + jq \ nginx \ php84-bcmath \ php84-ctype \ diff --git a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh index 7fd1557eb..e0112c82e 100755 --- a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh 
@@ -115,6 +115,57 @@ check_variables() { fi } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" if [ -n "${DB_SERVER_HOST}" ]; then 
@@ -133,11 +184,21 @@ check_db_connect() { fi echo "********************" + WAIT_TIMEOUT=5 + + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + if [ -n "${DB_SERVER_ZBX_PASS}" ]; then export PGPASSWORD="${DB_SERVER_ZBX_PASS}" fi - WAIT_TIMEOUT=5 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}" diff --git a/Dockerfiles/web-nginx-pgsql/centos/Dockerfile b/Dockerfiles/web-nginx-pgsql/centos/Dockerfile index cf13098be..2b56b43b7 100644 --- a/Dockerfiles/web-nginx-pgsql/centos/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/centos/Dockerfile @@ -66,6 +66,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ postgresql18 \ shadow-utils \ gzip \ + jq \ supervisor" && \ microdnf -y install \ --disablerepo="*" \ diff --git a/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh index 2d41d36b6..de2cd0c9e 100755 --- a/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh 
@@ -115,6 +115,57 @@ check_variables() { fi } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" if [ -n "${DB_SERVER_HOST}" ]; then 
@@ -133,11 +184,21 @@ check_db_connect() { fi echo "********************" + WAIT_TIMEOUT=5 + + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "*************** Connecting to vault... ***************************************" + echo "*************** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + if [ -n "${DB_SERVER_ZBX_PASS}" ]; then export PGPASSWORD="${DB_SERVER_ZBX_PASS}" fi - WAIT_TIMEOUT=5 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}" @@ -153,7 +214,7 @@ check_db_connect() { fi while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do - echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-nginx-pgsql/ol/Dockerfile b/Dockerfiles/web-nginx-pgsql/ol/Dockerfile index bc0f8e63c..e4bafe885 100644 --- a/Dockerfiles/web-nginx-pgsql/ol/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/ol/Dockerfile @@ -64,6 +64,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ php-json \ php-xml \ postgresql \ + jq \ findutils \ glibc-locale-source \ supervisor" && \ diff --git a/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh index 2d41d36b6..55cd3fa02 100755 --- a/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh 
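Review bot: The two banner lines added here, `echo "*************** Connecting to vault... ***************************************"` and `echo "*************** VAULT URL: $ZBX_VAULTURL"`, differ from the `***** Connecting to vault... *****` / `***** VAULT URL: $ZBX_VAULTURL` form used in every other entrypoint touched by this commit (web-nginx-pgsql alpine/ol/rhel/ubuntu and the mysql variants). This looks like a leftover from local editing rather than an intentional difference; align the two strings with the other images so log consumers see a single format. `check_db_connect` starts and ends outside the hunk.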
@@ -115,6 +115,57 @@ check_variables() { fi } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" if [ -n "${DB_SERVER_HOST}" ]; then 
@@ -133,11 +184,21 @@ check_db_connect() { fi echo "********************" + WAIT_TIMEOUT=5 + + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + if [ -n "${DB_SERVER_ZBX_PASS}" ]; then export PGPASSWORD="${DB_SERVER_ZBX_PASS}" fi - WAIT_TIMEOUT=5 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}" @@ -153,7 +214,7 @@ check_db_connect() { fi while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do - echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile b/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile index e7ddcd1db..cbf15c688 100644 --- a/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile @@ -71,6 +71,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ set -eux && \ INSTALL_PKGS="bash \ curl-minimal \ + jq \ supervisor \ shadow-utils \ findutils \ diff --git a/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh index 2d41d36b6..55cd3fa02 100755 --- a/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh 
@@ -115,6 +115,57 @@ check_variables() { fi } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" if [ -n "${DB_SERVER_HOST}" ]; then 
@@ -133,11 +184,21 @@ check_db_connect() { fi echo "********************" + WAIT_TIMEOUT=5 + + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + if [ -n "${DB_SERVER_ZBX_PASS}" ]; then export PGPASSWORD="${DB_SERVER_ZBX_PASS}" fi - WAIT_TIMEOUT=5 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}" @@ -153,7 +214,7 @@ check_db_connect() { fi while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do - echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile b/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile index e90234dbc..3404cbc4f 100644 --- a/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile +++ b/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile @@ -68,6 +68,7 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ php8.3-xml \ php8.3-pgsql \ postgresql-client-17 \ + jq \ supervisor" && \ apt-get -y update && \ DEBIAN_FRONTEND=noninteractive apt-get -y \ diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh index c9d9ca806..e5e72616b 100755 --- a/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh 
@@ -115,6 +115,57 @@ check_variables() { fi } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" if [ -n "${DB_SERVER_HOST}" ]; then 
@@ -133,11 +184,21 @@ check_db_connect() { fi echo "********************" + WAIT_TIMEOUT=5 + + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + if [ -n "${DB_SERVER_ZBX_PASS}" ]; then export PGPASSWORD="${DB_SERVER_ZBX_PASS}" fi - WAIT_TIMEOUT=5 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}" @@ -153,7 +214,7 @@ check_db_connect() { fi while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do - echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done