Add sensitive support

voxpupuli · Jul 28, 2022 · cdf64db · cdf64db
1 parent f4796f1
commit cdf64db
Show file tree

Hide file tree

Showing 14 changed files with 830 additions and 385 deletions.
diff --git a/manifests/database.pp b/manifests/database.pp
@@ -64,23 +64,23 @@
 #   the zabbix_server and zabbix_web parameter.
 # @author Werner Dijkerman [email protected]
 class zabbix::database (
-  $zabbix_type                     = 'server',
-  $zabbix_web                      = $zabbix::params::zabbix_web,
-  $zabbix_web_ip                   = $zabbix::params::zabbix_web_ip,
-  $zabbix_server                   = $zabbix::params::zabbix_server,
-  $zabbix_server_ip                = $zabbix::params::zabbix_server_ip,
-  $zabbix_proxy                    = $zabbix::params::zabbix_proxy,
-  $zabbix_proxy_ip                 = $zabbix::params::zabbix_proxy_ip,
-  $manage_database                 = $zabbix::params::manage_database,
-  Zabbix::Databases $database_type = $zabbix::params::database_type,
-  $database_schema_path            = $zabbix::params::database_schema_path,
-  $database_name                   = $zabbix::params::server_database_name,
-  $database_user                   = $zabbix::params::server_database_user,
-  $database_password               = $zabbix::params::server_database_password,
-  $database_host                   = $zabbix::params::server_database_host,
-  $database_host_ip                = $zabbix::params::server_database_host_ip,
-  $database_charset                = $zabbix::params::server_database_charset,
-  $database_collate                = $zabbix::params::server_database_collate,
+  $zabbix_type                                                          = 'server',
+  $zabbix_web                                                           = $zabbix::params::zabbix_web,
+  $zabbix_web_ip                                                        = $zabbix::params::zabbix_web_ip,
+  $zabbix_server                                                        = $zabbix::params::zabbix_server,
+  $zabbix_server_ip                                                     = $zabbix::params::zabbix_server_ip,
+  $zabbix_proxy                                                         = $zabbix::params::zabbix_proxy,
+  $zabbix_proxy_ip                                                      = $zabbix::params::zabbix_proxy_ip,
+  $manage_database                                                      = $zabbix::params::manage_database,
+  Zabbix::Databases $database_type                                      = $zabbix::params::database_type,
+  $database_schema_path                                                 = $zabbix::params::database_schema_path,
+  $database_name                                                        = $zabbix::params::server_database_name,
+  $database_user                                                        = $zabbix::params::server_database_user,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = $zabbix::params::server_database_password,
+  $database_host                                                        = $zabbix::params::server_database_host,
+  $database_host_ip                                                     = $zabbix::params::server_database_host_ip,
+  $database_charset                                                     = $zabbix::params::server_database_charset,
+  $database_collate                                                     = $zabbix::params::server_database_collate,
   Optional[String[1]] $database_tablespace = $zabbix::params::server_database_tablespace,
 ) inherits zabbix::params {
   # So lets create the databases and load all files. This can only be

diff --git a/manifests/database/mysql.pp b/manifests/database/mysql.pp
@@ -11,18 +11,24 @@
 # @param database_path Path to the database executable
 # @author Werner Dijkerman <[email protected]>
 class zabbix::database::mysql (
-  $zabbix_type                                        = '',
-  $zabbix_version                                     = $zabbix::params::zabbix_version,
-  $database_schema_path                               = '',
-  $database_name                                      = '',
-  $database_user                                      = '',
-  $database_password                                  = '',
-  $database_host                                      = '',
-  Optional[Stdlib::Port::Unprivileged] $database_port = undef,
-  $database_path                                      = $zabbix::params::database_path,
+  $zabbix_type                                                          = '',
+  $zabbix_version                                                       = $zabbix::params::zabbix_version,
+  $database_schema_path                                                 = '',
+  $database_name                                                        = '',
+  $database_user                                                        = '',
+  Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = '',
+  $database_host                                                        = '',
+  Optional[Stdlib::Port::Unprivileged] $database_port                   = undef,
+  $database_path                                                        = $zabbix::params::database_path,
 ) inherits zabbix::params {
   assert_private()
 
+  $database_password_unsensitive = if $database_password =~ Sensitive[String] {
+    $database_password.unwrap
+  } else {
+    $database_password
+  }
+
   if ($database_schema_path == false) or ($database_schema_path == '') {
     if versioncmp($zabbix_version, '5.4') >= 0 {
       $schema_path = '/usr/share/doc/zabbix-sql-scripts/mysql/'
@@ -43,28 +49,30 @@
   case $zabbix_type {
     'proxy': {
       $zabbix_proxy_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
-        true  => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
-        false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
+        true  => "cd ${schema_path} && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < proxy.sql && touch /etc/zabbix/.schema.done",
+        false => "cd ${schema_path} && if [ -f schema.sql.gz ]; then gunzip -f schema.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < schema.sql && touch /etc/zabbix/.schema.done"
       }
     }
     default: {
       $zabbix_server_create_sql = versioncmp($zabbix_version, '6.0') >= 0 ? {
-        true  => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
-        false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p'${database_password}' ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
+        true  => "cd ${schema_path} && if [ -f server.sql.gz ]; then gunzip -f server.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < server.sql && touch /etc/zabbix/.schema.done",
+        false => "cd ${schema_path} && if [ -f create.sql.gz ]; then gunzip -f create.sql.gz ; fi && mysql -h '${database_host}' -u '${database_user}' -p\"\${database_password}\" ${port}-D '${database_name}' < create.sql && touch /etc/zabbix/.schema.done"
       }
       $zabbix_server_images_sql = 'touch /etc/zabbix/.images.done'
       $zabbix_server_data_sql   = 'touch /etc/zabbix/.data.done'
     }
   }
 
   # Loading the sql files.
+  $_mysql_env = [ "database_password=${database_password_unsensitive}" ]
   case $zabbix_type {
     'proxy'  : {
       exec { 'zabbix_proxy_create.sql':
         command  => $zabbix_proxy_create_sql,
         path     => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
         unless   => 'test -f /etc/zabbix/.schema.done',
         provider => 'shell',
+        environment => $_mysql_env,
       }
     }
     'server' : {
@@ -73,18 +81,21 @@
         path     => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
         unless   => 'test -f /etc/zabbix/.schema.done',
         provider => 'shell',
+        environment => $_mysql_env,
       }
       -> exec { 'zabbix_server_images.sql':
         command  => $zabbix_server_images_sql,
         path     => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
         unless   => 'test -f /etc/zabbix/.images.done',
         provider => 'shell',
+        environment => $_mysql_env,
       }
       -> exec { 'zabbix_server_data.sql':
         command  => $zabbix_server_data_sql,
         path     => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
         unless   => 'test -f /etc/zabbix/.data.done',
         provider => 'shell',
+        environment => $_mysql_env,
       }
     }
     default  : {

diff --git a/manifests/database/postgresql.pp b/manifests/database/postgresql.pp
@@ -11,18 +11,24 @@
 # @param database_path Path to the database executable
 # @author Werner Dijkerman <[email protected]>
 class zabbix::database::postgresql (
-  $zabbix_type                                        = '',
-  $zabbix_version                                     = $zabbix::params::zabbix_version,
-  $database_schema_path                               = '',
-  $database_name                                      = '',
-  $database_user                                      = '',
-  $database_password                                  = '',
-  $database_host                                      = '',
-  Optional[Stdlib::Port::Unprivileged] $database_port = undef,
-  $database_path                                      = $zabbix::params::database_path,
+  $zabbix_type                                                          = '',
+  $zabbix_version                                                       = $zabbix::params::zabbix_version,
+  $database_schema_path                                                 = '',
+  $database_name                                                        = '',
+  $database_user                                                        = '',
+  Optional[Variant[String[1], Sensitive[String[1]]]] $database_password = undef,
+  $database_host                                                        = '',
+  Optional[Stdlib::Port::Unprivileged] $database_port                   = undef,
+  $database_path                                                        = $zabbix::params::database_path,
 ) inherits zabbix::params {
   assert_private()
 
+  $database_password_unsensitive = if $database_password =~ Sensitive[String] {
+    $database_password.unwrap
+  } else {
+    $database_password
+  }
+
   if ($database_schema_path == false) or ($database_schema_path == '') {
     if member(['CentOS', 'RedHat', 'OracleLinux', 'VirtuozzoLinux'], $facts['os']['name']) {
       if versioncmp($zabbix_version, '5.4') >= 0 {
@@ -65,9 +71,9 @@
   }
 
   exec { 'update_pgpass':
-    command => "echo ${database_host}:5432:${database_name}:${database_user}:${database_password} >> /root/.pgpass",
+    command => "echo ${database_host}:5432:${database_name}:${database_user}:${database_password_unsensitive} >> /root/.pgpass",
     path    => "/bin:/usr/bin:/usr/local/sbin:/usr/local/bin:${database_path}",
-    unless  => "grep \"${database_host}:5432:${database_name}:${database_user}:${database_password}\" /root/.pgpass",
+    unless  => "grep \"${database_host}:5432:${database_name}:${database_user}:${database_password_unsensitive}\" /root/.pgpass",
     require => File['/root/.pgpass'],
   }
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -249,7 +249,7 @@
   Optional[Stdlib::Absolutepath] $ldap_clientkey                              = $zabbix::params::ldap_clientkey,
   Optional[Enum['never', 'allow', 'try', 'demand', 'hard']] $ldap_reqcert     = $zabbix::params::ldap_reqcert,
   $zabbix_api_user                                                            = $zabbix::params::server_api_user,
-  $zabbix_api_pass                                                            = $zabbix::params::server_api_pass,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $zabbix_api_pass         = $zabbix::params::server_api_pass,
   $listenport                                                                 = $zabbix::params::server_listenport,
   $sourceip                                                                   = $zabbix::params::server_sourceip,
   Enum['console', 'file', 'system'] $logtype                                  = $zabbix::params::server_logtype,
@@ -262,7 +262,7 @@
   $database_schema                                                            = $zabbix::params::server_database_schema,
   Boolean $database_double_ieee754                                            = $zabbix::params::server_database_double_ieee754,
   $database_user                                                              = $zabbix::params::server_database_user,
-  $database_password                                                          = $zabbix::params::server_database_password,
+  Optional[Variant[String[1], Sensitive[String[1]]]] $database_password       = $zabbix::params::server_database_password,
   $database_socket                                                            = $zabbix::params::server_database_socket,
   $database_port                                                              = $zabbix::params::server_database_port,
   $database_charset                                                           = $zabbix::params::server_database_charset,

diff --git a/manifests/params.pp b/manifests/params.pp
@@ -182,7 +182,7 @@
   $ldap_clientcert                          = undef
   $ldap_clientkey                           = undef
   $ldap_reqcert                             = undef
-  $server_api_pass                          = 'zabbix'
+  $server_api_pass                          = Sensitive('zabbix')
   $server_api_user                          = 'Admin'
   $server_database_double_ieee754           = false
   $saml_sp_key                              = undef
@@ -203,7 +203,7 @@
   $server_database_host                     = 'localhost'
   $server_database_host_ip                  = '127.0.0.1'
   $server_database_name                     = 'zabbix_server'
-  $server_database_password                 = 'zabbix_server'
+  $server_database_password                 = Sensitive('zabbix_server')
   $server_database_port                     = undef
   $server_database_schema                   = undef
   $server_database_socket                   = undef
@@ -240,6 +240,7 @@
   $server_snmptrapperfile                   = '/tmp/zabbix_traps.tmp'
   $server_sourceip                          = undef
   $server_sshkeylocation                    = undef
+  $server_sslcalocation                     = undef
   $server_sslcertlocation                   = '/usr/lib/zabbix/ssl/certs'
   $server_sslkeylocation                    = '/usr/lib/zabbix/ssl/keys'
   $server_startdbsyncers                    = '4'
@@ -288,6 +289,7 @@
   $server_vaulturl                          = 'https://127.0.0.1:8200'
   $server_vmwarecachesize                   = '8M'
   $server_vmwarefrequency                   = '60'
+  $server_vmwareperffrequency               = undef
   $server_vmwaretimeout                     = undef
   $server_socketdir                         = undef
 
@@ -369,7 +371,7 @@
   $proxy_configfrequency                    = '3600'
   $proxy_database_host                      = 'localhost'
   $proxy_database_name                      = 'zabbix_proxy'
-  $proxy_database_password                  = 'zabbix-proxy'
+  $proxy_database_password                  = Sensitive('zabbix-proxy')
   $proxy_database_port                      = undef
   $proxy_database_schema                    = undef
   $proxy_database_socket                    = undef