diff --git a/Dockerfiles/web-apache-mysql/alpine/Dockerfile b/Dockerfiles/web-apache-mysql/alpine/Dockerfile
index 3d646ab3d..82857d7c8 100644
--- a/Dockerfiles/web-apache-mysql/alpine/Dockerfile
+++ b/Dockerfiles/web-apache-mysql/alpine/Dockerfile
@@ -50,6 +50,7 @@ RUN set -eux && \
 INSTALL_PKGS="bash \
 tzdata \
 curl \
+ jq \
 mariadb-client \
 mariadb-connector-c \
 apache2 \
diff --git a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh
index 5a3ebf1cc..163bb98dc 100755
--- a/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh
+++ b/Dockerfiles/web-apache-mysql/alpine/docker-entrypoint.sh
@@ -128,6 +128,57 @@ db_tls_params() { echo $result } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
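Review bot: `curl_opts=(-s -m 10 -k)` turns off TLS certificate verification for every Vault request, so the request carrying `X-Vault-Token: $VAULT_TOKEN` and the response carrying the database password are both exposed to anyone who can interpose on the path to `ZBX_VAULTURL`. Trust a CA instead, e.g. `curl_opts=(-s -m 10 --cacert "$ZBX_VAULTCAFILE")` with the path taken from a new variable (name illustrative), and allow `-k` only behind an explicit opt-in. The token is also passed on the curl command line, where other processes in the container can read it through `ps` or `/proc/*/cmdline` for the duration of the request; writing the header to a `mktemp` file and passing `-H @file` keeps it off argv. The same function is added verbatim to the centos, ol and ubuntu web-apache-mysql entrypoints and to every web-apache-pgsql and web-nginx-mysql entrypoint in this commit, so any fix applies to each copy.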
@@ -144,13 +195,22 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... ******" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + ssl_opts="$(db_tls_params)" export MYSQL_PWD="${DB_SERVER_ZBX_PASS}" while [ ! "$(mariadb-admin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \ --silent --skip-ssl-verify-server-cert --connect_timeout=10 $ssl_opts)" ]; do - echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-apache-mysql/centos/Dockerfile b/Dockerfiles/web-apache-mysql/centos/Dockerfile index dcf023590..2db7a9d5c 100644 --- a/Dockerfiles/web-apache-mysql/centos/Dockerfile +++ b/Dockerfiles/web-apache-mysql/centos/Dockerfile @@ -68,6 +68,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ glibc-locale-source \ shadow-utils \ gzip \ + jq \ supervisor" && \ microdnf -y install \ --disablerepo="*" \ diff --git a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh index d78e28164..423545814 100755 --- a/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/centos/docker-entrypoint.sh 
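Review bot: After `get_vault_secrets` returns, nothing confirms that `DB_SERVER_ZBX_USER` and `DB_SERVER_ZBX_PASS` were actually populated before `export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"` and the `mariadb-admin ping` loop; the two `unset` lines just above guarantee that a lookup whose jq step produced no output leaves both variables empty, and the loop then repeats "MySQL server is not available" indefinitely, pointing operators at the database when the vault lookup was the problem. A guard right after the call makes the failure explicit: `if [ -z "${DB_SERVER_ZBX_USER}" ] || [ -z "${DB_SERVER_ZBX_PASS}" ]; then echo "Vault did not return database credentials"; exit 1; fi`. The banner two lines earlier reads `***** Connecting to vault... ******` here (six trailing asterisks) while the same line in most other entrypoints has five; worth aligning. The same block is added to check_db_connect in the other entrypoints of this commit (in the pgsql variants the guard belongs before the `PGPASSWORD` export), and check_db_connect itself begins before and continues past this hunk.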
@@ -128,6 +128,57 @@ db_tls_params() { echo $result } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
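Review bot: `jq -r '.data.data.username'` and the CyberArk selectors `.UserName`/`.Content` print the literal string `null` when the key is absent, so a response that passes the `.errors`/`.ErrorCode` check but lacks the expected fields leaves `DB_SERVER_ZBX_USER=null` and the script carries on into the database wait loop with bogus credentials. A non-JSON body (for example an HTML error page from a proxy in front of Vault) behaves the same way, because the jq parse error goes only to stderr and `errors` stays empty. Using `jq -er` and checking the exit status turns both cases into a hard failure: `DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -er '.data.data.username')" || { echo "Vault response contains no username"; exit 1; }`, and likewise for the password and the CyberArk fields. This applies equally to the identical copies of get_vault_secrets added to the other entrypoints in this commit.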
@@ -144,13 +195,22 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + ssl_opts="$(db_tls_params)" export MYSQL_PWD="${DB_SERVER_ZBX_PASS}" while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \ --silent --connect_timeout=10 $ssl_opts)" ]; do - echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-apache-mysql/ol/Dockerfile b/Dockerfiles/web-apache-mysql/ol/Dockerfile index 4a1baf222..c0a891cfd 100644 --- a/Dockerfiles/web-apache-mysql/ol/Dockerfile +++ b/Dockerfiles/web-apache-mysql/ol/Dockerfile @@ -68,6 +68,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ php-xml \ findutils \ glibc-locale-source \ + jq \ supervisor" && \ microdnf -y install \ --disablerepo="*" \ diff --git a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh index d78e28164..423545814 100755 --- a/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/ol/docker-entrypoint.sh 
@@ -128,6 +128,57 @@ db_tls_params() { echo $result } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
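Review bot: In the CyberArk branch `cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")` is built without checking that `ZBX_VAULTCERTFILE` is set, unlike the URL variables validated at the top of the function; with it empty curl will most likely fail before any request is sent, and the `while ! vaultdata=...` loop then prints "Vault is not available" every five seconds indefinitely, presenting a configuration error as an outage. A guard in the style of the existing one fixes that: `if [ -z "${ZBX_VAULTCERTFILE}" ]; then echo "ZBX_VAULTCERTFILE must be set when ZBX_VAULT=CyberArk"; exit 1; fi`. Both retry loops are also unbounded, so a persistent DNS, TLS or `-m 10` timeout failure keeps the entrypoint looping forever; a retry cap, or at least including curl's exit code in the wait message, would make such failures diagnosable. The same applies to the other copies of this function in the commit.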
@@ -144,13 +195,22 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + ssl_opts="$(db_tls_params)" export MYSQL_PWD="${DB_SERVER_ZBX_PASS}" while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \ --silent --connect_timeout=10 $ssl_opts)" ]; do - echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile b/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile index fd09dcaa9..741419ca9 100644 --- a/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile +++ b/Dockerfiles/web-apache-mysql/ubuntu/Dockerfile @@ -68,6 +68,7 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ php8.5-mbstring \ php8.5-mysql \ php8.5-xml \ + jq \ supervisor" && \ apt-get -y update && \ DEBIAN_FRONTEND=noninteractive apt-get -y \ diff --git a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh index d644cf717..57d3e6c81 100755 --- a/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-mysql/ubuntu/docker-entrypoint.sh 
@@ -128,6 +128,57 @@ db_tls_params() { echo $result } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
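Review bot: Every working variable in get_vault_secrets (`WAIT_TIMEOUT`, `vault_url`, `curl_opts`, `cyberark_opts`, `vaultdata`, `errors`) is a global, and `vaultdata` in particular keeps the complete Vault response, password included, in scope for the remainder of the entrypoint even though only `DB_SERVER_ZBX_USER` and `DB_SERVER_ZBX_PASS` are meant to leave the function. Since the file already depends on bash (arrays, `==` inside `[ ]`), declaring the helpers with `local` confines the raw secret payload to the function's lifetime; `WAIT_TIMEOUT` is also assigned separately by check_db_connect, so a `local` here stops the two definitions drifting. A short header comment naming the inputs (`ZBX_VAULT`, `ZBX_VAULTURL`, `ZBX_VAULTPREFIX`, `ZBX_VAULTDBPATH`, and `VAULT_TOKEN` or `ZBX_VAULTCERTFILE`/`ZBX_VAULTKEYFILE` depending on the backend) and the two variables it sets would help readers of the other ten copies as well.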
@@ -144,13 +195,22 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + ssl_opts="$(db_tls_params)" export MYSQL_PWD="${DB_SERVER_ZBX_PASS}" while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \ --silent --connect_timeout=10 $ssl_opts)" ]; do - echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-apache-pgsql/alpine/Dockerfile b/Dockerfiles/web-apache-pgsql/alpine/Dockerfile index b2d3d2e3c..bb983c2da 100644 --- a/Dockerfiles/web-apache-pgsql/alpine/Dockerfile +++ b/Dockerfiles/web-apache-pgsql/alpine/Dockerfile @@ -50,6 +50,7 @@ RUN set -eux && \ INSTALL_PKGS="bash \ tzdata \ curl \ + jq \ apache2 \ apache2-proxy \ php85-bcmath \ diff --git a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh index 12cacba5d..f00aeab9b 100755 --- a/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/alpine/docker-entrypoint.sh 
@@ -109,6 +109,57 @@ check_variables() { fi } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" if [ -n "${DB_SERVER_HOST}" ]; then 
@@ -127,12 +178,21 @@ check_db_connect() { fi echo "********************" + WAIT_TIMEOUT=5 + + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + if [ -n "${DB_SERVER_ZBX_PASS}" ]; then export PGPASSWORD="${DB_SERVER_ZBX_PASS}" fi - WAIT_TIMEOUT=5 - if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}" export PGOPTIONS @@ -147,7 +207,7 @@ check_db_connect() { fi while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do - echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-apache-pgsql/centos/Dockerfile b/Dockerfiles/web-apache-pgsql/centos/Dockerfile index d045b743a..3b6ca963e 100644 --- a/Dockerfiles/web-apache-pgsql/centos/Dockerfile +++ b/Dockerfiles/web-apache-pgsql/centos/Dockerfile @@ -68,6 +68,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ glibc-locale-source \ shadow-utils \ gzip \ + jq \ supervisor" && \ microdnf -y install \ --disablerepo="*" \ diff --git a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh index d234dc991..91bab1e04 100755 --- a/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/centos/docker-entrypoint.sh 
@@ -109,6 +109,57 @@ check_variables() { fi } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" if [ -n "${DB_SERVER_HOST}" ]; then 
@@ -127,12 +178,21 @@ check_db_connect() { fi echo "********************" + WAIT_TIMEOUT=5 + + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + if [ -n "${DB_SERVER_ZBX_PASS}" ]; then export PGPASSWORD="${DB_SERVER_ZBX_PASS}" fi - WAIT_TIMEOUT=5 - if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}" export PGOPTIONS @@ -147,7 +207,7 @@ check_db_connect() { fi while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do - echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-apache-pgsql/ol/Dockerfile b/Dockerfiles/web-apache-pgsql/ol/Dockerfile index fa4961eed..465baf47f 100644 --- a/Dockerfiles/web-apache-pgsql/ol/Dockerfile +++ b/Dockerfiles/web-apache-pgsql/ol/Dockerfile @@ -68,6 +68,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ postgresql \ findutils \ glibc-locale-source \ + jq \ supervisor" && \ microdnf -y install \ --disablerepo="*" \ diff --git a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh index 663f8b5a9..af664709e 100755 --- a/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/ol/docker-entrypoint.sh 
@@ -109,6 +109,57 @@ check_variables() { fi } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" if [ -n "${DB_SERVER_HOST}" ]; then 
@@ -127,12 +178,21 @@ check_db_connect() { fi echo "********************" + WAIT_TIMEOUT=5 + + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... ******" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + if [ -n "${DB_SERVER_ZBX_PASS}" ]; then export PGPASSWORD="${DB_SERVER_ZBX_PASS}" fi - WAIT_TIMEOUT=5 - if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}" export PGOPTIONS @@ -147,7 +207,7 @@ check_db_connect() { fi while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do - echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile b/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile index b136c041a..8fa8bfea0 100644 --- a/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile +++ b/Dockerfiles/web-apache-pgsql/ubuntu/Dockerfile @@ -68,6 +68,7 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \ php8.5-xml \ php8.5-pgsql \ postgresql-client \ + jq \ supervisor" && \ apt-get -y update && \ DEBIAN_FRONTEND=noninteractive apt-get -y \ diff --git a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh index 25b1272a9..48a018d5c 100755 --- a/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh +++ b/Dockerfiles/web-apache-pgsql/ubuntu/docker-entrypoint.sh 
@@ -109,6 +109,57 @@ check_variables() { fi } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" if [ -n "${DB_SERVER_HOST}" ]; then 
@@ -127,12 +178,21 @@ check_db_connect() { fi echo "********************" + WAIT_TIMEOUT=5 + + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + if [ -n "${DB_SERVER_ZBX_PASS}" ]; then export PGPASSWORD="${DB_SERVER_ZBX_PASS}" fi - WAIT_TIMEOUT=5 - if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}" export PGOPTIONS @@ -147,7 +207,7 @@ check_db_connect() { fi while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do - echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-nginx-mysql/alpine/Dockerfile b/Dockerfiles/web-nginx-mysql/alpine/Dockerfile index 8912c0801..2a863cf0d 100644 --- a/Dockerfiles/web-nginx-mysql/alpine/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/alpine/Dockerfile @@ -50,6 +50,7 @@ RUN set -eux && \ INSTALL_PKGS="bash \ tzdata \ curl \ + jq \ mariadb-client \ mariadb-connector-c \ nginx \ diff --git a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh index dcea37bae..4375fd64f 100755 --- a/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/alpine/docker-entrypoint.sh 
@@ -134,6 +134,57 @@ db_tls_params() { echo $result } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
@@ -150,13 +201,22 @@ check_db_connect() { WAIT_TIMEOUT=5 + if [ -n "${ZBX_VAULT}" ]; then + unset DB_SERVER_ZBX_USER + unset DB_SERVER_ZBX_PASS + + echo "***** Connecting to vault... *****" + echo "***** VAULT URL: $ZBX_VAULTURL" + get_vault_secrets + fi + ssl_opts="$(db_tls_params)" export MYSQL_PWD="${DB_SERVER_ZBX_PASS}" while [ ! "$(mariadb-admin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \ --silent --skip-ssl-verify-server-cert --connect_timeout=10 $ssl_opts)" ]; do - echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..." + echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..." sleep $WAIT_TIMEOUT done diff --git a/Dockerfiles/web-nginx-mysql/centos/Dockerfile b/Dockerfiles/web-nginx-mysql/centos/Dockerfile index 6efbca6dd..02889edcf 100644 --- a/Dockerfiles/web-nginx-mysql/centos/Dockerfile +++ b/Dockerfiles/web-nginx-mysql/centos/Dockerfile @@ -66,6 +66,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \ php-xml \ shadow-utils \ gzip \ + jq \ supervisor" && \ microdnf -y install \ --disablerepo="*" \ diff --git a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh index 356398f65..653007661 100755 --- a/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh +++ b/Dockerfiles/web-nginx-mysql/centos/docker-entrypoint.sh 
@@ -134,6 +134,57 @@ db_tls_params() { echo $result } +get_vault_secrets() { + WAIT_TIMEOUT=5 + vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}" + curl_opts=(-s -m 10 -k) + + + if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then + echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set" + exit 1 + fi + + if [ "${ZBX_VAULT}" == "HashiCorp" ]; then + while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')" + + elif [ "${ZBX_VAULT}" == "CyberArk" ]; then + cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE") + + # if key is defined use it + if [ -n "${ZBX_VAULTKEYFILE}" ]; then + cyberark_opts+=(--key "$ZBX_VAULTKEYFILE") + fi + while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do + echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****" + sleep $WAIT_TIMEOUT + done + + errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty') + if [ -n "${errors}" ]; then + echo "Error getting secrets from vault: $errors" + exit 1 + fi + DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')" + DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')" + + else + echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!" + exit 1 + fi + +} + check_db_connect() { echo "********************" echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}" 
@@ -150,13 +201,22 @@ check_db_connect() {
 WAIT_TIMEOUT=5
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 ssl_opts="$(db_tls_params)"
 export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"
 while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \
 --silent --connect_timeout=10 $ssl_opts)" ]; do
- echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
diff --git a/Dockerfiles/web-nginx-mysql/ol/Dockerfile b/Dockerfiles/web-nginx-mysql/ol/Dockerfile
index e1527f973..0538a5145 100644
--- a/Dockerfiles/web-nginx-mysql/ol/Dockerfile
+++ b/Dockerfiles/web-nginx-mysql/ol/Dockerfile
@@ -66,6 +66,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 php-xml \
 findutils \
 glibc-locale-source \
+ jq \
 supervisor" && \
 microdnf -y install \
 --disablerepo="*" \
diff --git a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh
index 356398f65..653007661 100755
--- a/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-mysql/ol/docker-entrypoint.sh
@@ -134,6 +134,57 @@ db_tls_params() {
 echo $result
 }
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}"
@@ -150,13 +201,22 @@ check_db_connect() {
 WAIT_TIMEOUT=5
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 ssl_opts="$(db_tls_params)"
 export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"
 while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \
 --silent --connect_timeout=10 $ssl_opts)" ]; do
- echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
diff --git a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile
index 7175b9343..20d4d31ef 100644
--- a/Dockerfiles/web-nginx-mysql/rhel/Dockerfile
+++ b/Dockerfiles/web-nginx-mysql/rhel/Dockerfile
@@ -70,6 +70,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 set -eux && \
 INSTALL_PKGS="bash \
 curl-minimal \
+ jq \
 supervisor \
 shadow-utils \
 findutils \
diff --git a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh
index 356398f65..653007661 100755
--- a/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-mysql/rhel/docker-entrypoint.sh
@@ -134,6 +134,57 @@ db_tls_params() {
 echo $result
 }
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}"
@@ -150,13 +201,22 @@ check_db_connect() {
 WAIT_TIMEOUT=5
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 ssl_opts="$(db_tls_params)"
 export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"
 while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \
 --silent --connect_timeout=10 $ssl_opts)" ]; do
- echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile b/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile
index 8474ad827..f73ad7539 100644
--- a/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile
+++ b/Dockerfiles/web-nginx-mysql/ubuntu/Dockerfile
@@ -68,6 +68,7 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
 php8.5-mbstring \
 php8.5-mysql \
 php8.5-xml \
+ jq \
 supervisor" && \
 apt-get -y update && \
 DEBIAN_FRONTEND=noninteractive apt-get -y \
diff --git a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh
index dbf787087..616251c98 100755
--- a/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-mysql/ubuntu/docker-entrypoint.sh
@@ -134,6 +134,57 @@ db_tls_params() {
 echo $result
 }
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 echo "* DB_SERVER_HOST: ${DB_SERVER_HOST}"
@@ -150,13 +201,22 @@ check_db_connect() {
 WAIT_TIMEOUT=5
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 ssl_opts="$(db_tls_params)"
 export MYSQL_PWD="${DB_SERVER_ZBX_PASS}"
 while [ ! "$(mysqladmin ping $mysql_connect_args -u ${DB_SERVER_ZBX_USER} \
 --silent --connect_timeout=10 $ssl_opts)" ]; do
- echo "**** MySQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** MySQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
diff --git a/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile b/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile
index c44611f67..8ea8147be 100644
--- a/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile
+++ b/Dockerfiles/web-nginx-pgsql/alpine/Dockerfile
@@ -50,6 +50,7 @@ RUN set -eux && \
 INSTALL_PKGS="bash \
 tzdata \
 curl \
+ jq \
 nginx \
 php85-bcmath \
 php85-ctype \
diff --git a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh
index 55683eefa..396510b3f 100755
--- a/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-pgsql/alpine/docker-entrypoint.sh
@@ -115,6 +115,57 @@ check_variables() {
 fi
 }
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 if [ -n "${DB_SERVER_HOST}" ]; then
@@ -133,11 +184,21 @@ check_db_connect() {
 fi
 echo "********************"
+ WAIT_TIMEOUT=5
+
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 if [ -n "${DB_SERVER_ZBX_PASS}" ]; then
 export PGPASSWORD="${DB_SERVER_ZBX_PASS}"
 fi
- WAIT_TIMEOUT=5
 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then
 PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}"
diff --git a/Dockerfiles/web-nginx-pgsql/centos/Dockerfile b/Dockerfiles/web-nginx-pgsql/centos/Dockerfile
index e353d34aa..47bb3aae5 100644
--- a/Dockerfiles/web-nginx-pgsql/centos/Dockerfile
+++ b/Dockerfiles/web-nginx-pgsql/centos/Dockerfile
@@ -66,6 +66,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 postgresql18 \
 shadow-utils \
 gzip \
+ jq \
 supervisor" && \
 microdnf -y install \
 --disablerepo="*" \
diff --git a/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh
index 2d41d36b6..de2cd0c9e 100755
--- a/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-pgsql/centos/docker-entrypoint.sh
@@ -115,6 +115,57 @@ check_variables() {
 fi
 }
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 if [ -n "${DB_SERVER_HOST}" ]; then
@@ -133,11 +184,21 @@ check_db_connect() {
 fi
 echo "********************"
+ WAIT_TIMEOUT=5
+
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "*************** Connecting to vault... ***************************************"
+ echo "*************** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 if [ -n "${DB_SERVER_ZBX_PASS}" ]; then
 export PGPASSWORD="${DB_SERVER_ZBX_PASS}"
 fi
- WAIT_TIMEOUT=5
 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then
 PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}"
@@ -153,7 +214,7 @@ check_db_connect() {
 fi
 while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do
- echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
diff --git a/Dockerfiles/web-nginx-pgsql/ol/Dockerfile b/Dockerfiles/web-nginx-pgsql/ol/Dockerfile
index 3eafd1947..6d511b82f 100644
--- a/Dockerfiles/web-nginx-pgsql/ol/Dockerfile
+++ b/Dockerfiles/web-nginx-pgsql/ol/Dockerfile
@@ -64,6 +64,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 php-json \
 php-xml \
 postgresql \
+ jq \
 findutils \
 glibc-locale-source \
 supervisor" && \
diff --git a/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh
index 2d41d36b6..55cd3fa02 100755
--- a/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-pgsql/ol/docker-entrypoint.sh
@@ -115,6 +115,57 @@ check_variables() {
 fi
 }
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 if [ -n "${DB_SERVER_HOST}" ]; then
@@ -133,11 +184,21 @@ check_db_connect() {
 fi
 echo "********************"
+ WAIT_TIMEOUT=5
+
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 if [ -n "${DB_SERVER_ZBX_PASS}" ]; then
 export PGPASSWORD="${DB_SERVER_ZBX_PASS}"
 fi
- WAIT_TIMEOUT=5
 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then
 PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}"
@@ -153,7 +214,7 @@ check_db_connect() {
 fi
 while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do
- echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
diff --git a/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile b/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile
index 2a386f599..0f11dd6b9 100644
--- a/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile
+++ b/Dockerfiles/web-nginx-pgsql/rhel/Dockerfile
@@ -70,6 +70,7 @@ RUN --mount=type=tmpfs,target=/var/lib/dnf/ \
 set -eux && \
 INSTALL_PKGS="bash \
 curl-minimal \
+ jq \
 supervisor \
 shadow-utils \
 findutils \
diff --git a/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh
index 2d41d36b6..55cd3fa02 100755
--- a/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-pgsql/rhel/docker-entrypoint.sh
@@ -115,6 +115,57 @@ check_variables() {
 fi
 }
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 if [ -n "${DB_SERVER_HOST}" ]; then
@@ -133,11 +184,21 @@ check_db_connect() {
 fi
 echo "********************"
+ WAIT_TIMEOUT=5
+
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 if [ -n "${DB_SERVER_ZBX_PASS}" ]; then
 export PGPASSWORD="${DB_SERVER_ZBX_PASS}"
 fi
- WAIT_TIMEOUT=5
 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then
 PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}"
@@ -153,7 +214,7 @@ check_db_connect() {
 fi
 while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do
- echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done
diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile b/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile
index 98e6cc882..39943d893 100644
--- a/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile
+++ b/Dockerfiles/web-nginx-pgsql/ubuntu/Dockerfile
@@ -68,6 +68,7 @@ RUN --mount=type=cache,target=/var/cache/apt/,sharing=locked \
 php8.5-xml \
 php8.5-pgsql \
 postgresql-client \
+ jq \
 supervisor" && \
 apt-get -y update && \
 DEBIAN_FRONTEND=noninteractive apt-get -y \
diff --git a/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh b/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh
index 65b544392..4d125c7d7 100755
--- a/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh
+++ b/Dockerfiles/web-nginx-pgsql/ubuntu/docker-entrypoint.sh
@@ -115,6 +115,57 @@ check_variables() {
 fi
 }
+get_vault_secrets() {
+ WAIT_TIMEOUT=5
+ vault_url="${ZBX_VAULTURL}${ZBX_VAULTPREFIX}${ZBX_VAULTDBPATH}"
+ curl_opts=(-s -m 10 -k)
+
+
+ if [ -z "${ZBX_VAULTURL}" ] || [ -z "${ZBX_VAULTPREFIX}" ] || [ -z "${ZBX_VAULTDBPATH}" ]; then
+ echo "Missing variables! If ZBX_VAULT is used then ZBX_VAULTURL, ZBX_VAULTPREFIX and ZBX_VAULTDBPATH must be set"
+ exit 1
+ fi
+
+ if [ "${ZBX_VAULT}" == "HashiCorp" ]; then
+ while ! vaultdata="$(curl "${curl_opts[@]}" -H "X-Vault-Token: $VAULT_TOKEN" "$vault_url")"; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+ errors=$(printf '%s' "$vaultdata" | jq -r '.errors // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.data.data.username')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.data.data.password')"
+
+ elif [ "${ZBX_VAULT}" == "CyberArk" ]; then
+ cyberark_opts=(-H "Content-type: application/json" --cert "$ZBX_VAULTCERTFILE")
+
+ # if key is defined use it
+ if [ -n "${ZBX_VAULTKEYFILE}" ]; then
+ cyberark_opts+=(--key "$ZBX_VAULTKEYFILE")
+ fi
+ while ! vaultdata=$(curl "${curl_opts[@]}" "${cyberark_opts[@]}" "$vault_url") ; do
+ echo "**** Vault is not available. Waiting ${WAIT_TIMEOUT} seconds... ****"
+ sleep $WAIT_TIMEOUT
+ done
+
+ errors=$(printf '%s' "$vaultdata" | jq -r '.ErrorCode // empty')
+ if [ -n "${errors}" ]; then
+ echo "Error getting secrets from vault: $errors"
+ exit 1
+ fi
+ DB_SERVER_ZBX_USER="$(printf '%s' "$vaultdata" | jq -r '.UserName')"
+ DB_SERVER_ZBX_PASS="$(printf '%s' "$vaultdata" | jq -r '.Content')"
+
+ else
+ echo "ZBX_VAULT has wrong value. HashiCorp or CyberArk are supported!"
+ exit 1
+ fi
+
+}
+
 check_db_connect() {
 echo "********************"
 if [ -n "${DB_SERVER_HOST}" ]; then
@@ -133,11 +184,21 @@ check_db_connect() {
 fi
 echo "********************"
+ WAIT_TIMEOUT=5
+
+ if [ -n "${ZBX_VAULT}" ]; then
+ unset DB_SERVER_ZBX_USER
+ unset DB_SERVER_ZBX_PASS
+
+ echo "***** Connecting to vault... *****"
+ echo "***** VAULT URL: $ZBX_VAULTURL"
+ get_vault_secrets
+ fi
+
 if [ -n "${DB_SERVER_ZBX_PASS}" ]; then
 export PGPASSWORD="${DB_SERVER_ZBX_PASS}"
 fi
- WAIT_TIMEOUT=5
 if [ "${POSTGRES_USE_IMPLICIT_SEARCH_PATH,,}" == "false" ] && [ -n "${DB_SERVER_SCHEMA}" ]; then
 PGOPTIONS="--search_path=${DB_SERVER_SCHEMA}"
@@ -153,7 +214,7 @@ check_db_connect() {
 fi
 while [ ! "$(psql $psql_connect_args --username ${DB_SERVER_ZBX_USER} --dbname ${DB_SERVER_DBNAME} --list --quiet 2>/dev/null)" ]; do
- echo "**** PostgreSQL server is not available. Waiting $WAIT_TIMEOUT seconds..."
+ echo "**** PostgreSQL server is not available. Waiting ${WAIT_TIMEOUT} seconds..."
 sleep $WAIT_TIMEOUT
 done