Add Vault parameters to proxy

Signed-off-by: Christos Papageorgiou <[email protected]>
oraziobattaglia · Jul 29, 2021 · 15f4127 · 15f4127
1 parent fc9d157
commit 15f4127
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 1 deletion.
diff --git a/manifests/params.pp b/manifests/params.pp
@@ -469,6 +469,9 @@
   $proxy_unreachabedelay                    = '15'
   $proxy_unreachableperiod                  = '45'
   $proxy_use_ip                             = true
+  $proxy_vaultdbpath                        = undef
+  $proxy_vaulttoken                         = undef
+  $proxy_vaulturl                           = 'https://127.0.0.1:8200'
   $proxy_vmwarecachesize                    = '8M'
   $proxy_vmwarefrequency                    = '60'
   $proxy_vmwareperffrequency                = undef

diff --git a/manifests/proxy.pp b/manifests/proxy.pp
@@ -171,6 +171,16 @@
 # [*vmwarecachesize*]
 #   Size of vmware cache, in bytes.
 #
+# [*vaultdbpath*]
+#   Vault path from where credentials for database will be retrieved by keys 'password' and 'username'.
+#
+# [*vaulttoken*]
+#   Vault authentication token that should have been generated exclusively for Zabbix proxy with read-only
+#   permission to the path specified in the optional VaultDBPath configuration parameter.
+#
+# [*vaulturl*]
+#   Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified.
+#
 # [*snmptrapperfile*]
 #   Temporary file used for passing data from snmp trap daemon to the server.
 #
@@ -413,6 +423,9 @@
   $javagatewayport                                                            = $zabbix::params::proxy_javagatewayport,
   $startjavapollers                                                           = $zabbix::params::proxy_startjavapollers,
   $startvmwarecollectors                                                      = $zabbix::params::proxy_startvmwarecollectors,
+  Optional[String[1]] $vaultdbpath                                            = $zabbix::params::proxy_vaultdbpath,
+  Optional[String[1]] $vaulttoken                                             = $zabbix::params::proxy_vaulttoken,
+  Stdlib::HTTPSUrl $vaulturl                                                  = $zabbix::params::proxy_vaulturl,
   $vmwarefrequency                                                            = $zabbix::params::proxy_vmwarefrequency,
   $vmwareperffrequency                                                        = $zabbix::params::proxy_vmwareperffrequency,
   $vmwarecachesize                                                            = $zabbix::params::proxy_vmwarecachesize,

diff --git a/spec/classes/proxy_spec.rb b/spec/classes/proxy_spec.rb
@@ -422,6 +422,21 @@
             it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').without_content %r{^LogFileSize=} }
           end
         end
+
+        describe 'with zabbix_version 5.2 and Vault parameters defined' do
+          let :params do
+            {
+              zabbix_version: '5.2',
+              vaultdbpath: 'secret/zabbix/database',
+              vaulttoken: 'FKTYPEGL156DK',
+              vaulturl: 'https://127.0.0.1:8200',
+            }
+          end
+
+          it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^VaultDBPath=secret/zabbix/database$} }
+          it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^VaultToken=FKTYPEGL156DK$} }
+          it { is_expected.to contain_file('/etc/zabbix/zabbix_proxy.conf').with_content %r{^VaultURL=https://127.0.0.1:8200$} }
+        end
       end
     end
   end

diff --git a/templates/zabbix_proxy.conf.erb b/templates/zabbix_proxy.conf.erb
@@ -644,6 +644,35 @@ LoadModulePath=<%= @loadmodulepath %>
 # Default:
 # TLSCipherAll13=
 <% if @tlscipherall %>TLSCipherAll=<%= @tlscipherall %><% end %>
-
 <% end %>
 
+<% if @zabbix_version.to_f >= 5.2 %>
+### Option: VaultToken
+#	Vault authentication token that should have been generated exclusively for Zabbix server with read only permission
+#	to paths specified in Vault macros and read only permission to path specified in optional VaultDBPath
+#	configuration parameter.
+#	It is an error if VaultToken and VAULT_TOKEN environment variable are defined at the same time.
+#
+# Mandatory: no
+# Default:
+# VaultToken=
+<% if @vaulttoken %>VaultToken=<%= @vaulttoken -%><% end %>
+
+### Option: VaultURL
+#	Vault server HTTP[S] URL. System-wide CA certificates directory will be used if SSLCALocation is not specified.
+#
+# Mandatory: no
+# Default:
+# VaultURL=https://127.0.0.1:8200
+<% if @vaulturl %>VaultURL=<%= @vaulturl -%><% end %>
+
+### Option: VaultDBPath
+#	Vault path from where credentials for database will be retrieved by keys 'password' and 'username'.
+#	Example: secret/zabbix/database
+#	This option can only be used if DBUser and DBPassword are not specified.
+#
+# Mandatory: no
+# Default:
+# VaultDBPath=
+<% if @vaultdbpath %>VaultDBPath=<%= @vaultdbpath -%><% end %>
+<% end %>