From dfc41263846e0f0940d534f07f78ded81d1f06d4 Mon Sep 17 00:00:00 2001 From: mmetc <92726601+mmetc@users.noreply.github.com> Date: Wed, 4 Jan 2023 16:43:35 +0100 Subject: [PATCH] Docker config/auth/TLS refactoring from from v1.4.4 (#1967) --- Dockerfile | 85 +++----------------------------- Dockerfile.debian | 87 ++++---------------------------- docker/README.md | 45 +++++++++++------ docker/config.yaml | 6 +-- docker/docker_start.sh | 109 +++++++++++++++++++++++++---------------- 5 files changed, 119 insertions(+), 213 deletions(-) diff --git a/Dockerfile b/Dockerfile index 297388c91..2fbece717 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,99 +10,30 @@ COPY . . # wizard.sh requires GNU coreutils RUN apk add --no-cache git gcc libc-dev make bash gettext binutils-gold coreutils && \ + echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" > /etc/machine-id && \ SYSTEM="docker" make clean release && \ cd crowdsec-v* && \ ./wizard.sh --docker-mode && \ - cd - && \ + cd - >/dev/null && \ cscli hub update && \ cscli collections install crowdsecurity/linux && \ - cscli parsers install crowdsecurity/whitelists + cscli parsers install crowdsecurity/whitelists && \ + go install github.com/mikefarah/yq/v4@v4.30.6 FROM alpine:latest as build-slim -RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community tzdata yq bash && \ +RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community tzdata bash && \ mkdir -p /staging/etc/crowdsec && \ mkdir -p /staging/var/lib/crowdsec && \ - mkdir -p /var/lib/crowdsec/data \ - yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml + mkdir -p /var/lib/crowdsec/data +COPY --from=build /go/bin/yq /usr/local/bin/yq COPY --from=build /etc/crowdsec /staging/etc/crowdsec COPY --from=build /usr/local/bin/crowdsec /usr/local/bin/crowdsec COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli COPY --from=build /go/src/crowdsec/docker/docker_start.sh / COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml - -# NOTE: setting default values here would overwrite the ones set in config.yaml -# every time the container is started. We set the default in docker/config.yaml -# and document them in docker/README.md, but keep the variables empty here. - -ENV CONFIG_FILE=/etc/crowdsec/config.yaml -ENV LOCAL_API_URL= -ENV CUSTOM_HOSTNAME=localhost -ENV PLUGIN_DIR= -ENV DISABLE_AGENT=false -ENV DISABLE_LOCAL_API=false -ENV DISABLE_ONLINE_API=false -ENV DSN= -ENV TYPE= -ENV TEST_MODE=false -ENV USE_WAL= - -# register to app.crowdsec.net - -ENV ENROLL_INSTANCE_NAME= -ENV ENROLL_KEY= -ENV ENROLL_TAGS= - -# log verbosity - -ENV LEVEL_TRACE= -ENV LEVEL_DEBUG= -ENV LEVEL_INFO= - -# TLS setup ----------------------------------- # - -ENV AGENT_USERNAME= -ENV AGENT_PASSWORD= - -# TLS setup ----------------------------------- # - -ENV USE_TLS=false -ENV INSECURE_SKIP_VERIFY= - -ENV CACERT_FILE= - -ENV LAPI_CERT_FILE= -ENV LAPI_KEY_FILE= - -ENV CLIENT_CERT_FILE= -ENV CLIENT_KEY_FILE= - -# deprecated in favor of LAPI_* -ENV CERT_FILE= -ENV KEY_FILE= - -# comma-separated list of allowed OU values for TLS bouncer certificates -ENV BOUNCERS_ALLOWED_OU= - -# comma-separated list of allowed OU values for TLS agent certificates -ENV AGENTS_ALLOWED_OU= - -# Install the following hub items --------------# - -ENV COLLECTIONS= -ENV PARSERS= -ENV SCENARIOS= -ENV POSTOVERFLOWS= - -# Uninstall the following hub items ------------# - -ENV DISABLE_COLLECTIONS= -ENV DISABLE_PARSERS= -ENV DISABLE_SCENARIOS= -ENV DISABLE_POSTOVERFLOWS= - -ENV METRICS_PORT= +RUN yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml ENTRYPOINT /bin/bash docker_start.sh diff --git a/Dockerfile.debian b/Dockerfile.debian index 7d1a245b9..ebae4d376 100644 --- a/Dockerfile.debian +++ b/Dockerfile.debian @@ -14,17 +14,21 @@ ENV DEBCONF_NOWARNINGS="yes" # wizard.sh requires GNU coreutils RUN apt-get update && \ apt-get install -y -q git gcc libc-dev make bash gettext binutils-gold coreutils tzdata && \ - SYSTEM="docker" make release && \ + echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" > /etc/machine-id && \ + SYSTEM="docker" make clean release && \ cd crowdsec-v* && \ ./wizard.sh --docker-mode && \ - cd - && \ + cd - >/dev/null && \ cscli hub update && \ cscli collections install crowdsecurity/linux && \ cscli parsers install crowdsecurity/whitelists && \ - go install github.com/mikefarah/yq/v4@v4.30.5 + go install github.com/mikefarah/yq/v4@v4.30.6 FROM debian:bullseye-slim as build-slim +ENV DEBIAN_FRONTEND=noninteractive +ENV DEBCONF_NOWARNINGS="yes" + RUN apt-get update && \ apt-get install -y -q --install-recommends --no-install-suggests \ procps \ @@ -35,8 +39,7 @@ RUN apt-get update && \ tzdata && \ mkdir -p /staging/etc/crowdsec && \ mkdir -p /staging/var/lib/crowdsec && \ - mkdir -p /var/lib/crowdsec/data \ - yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml + mkdir -p /var/lib/crowdsec/data COPY --from=build /go/bin/yq /usr/local/bin/yq COPY --from=build /etc/crowdsec /staging/etc/crowdsec @@ -44,79 +47,9 @@ COPY --from=build /usr/local/bin/crowdsec /usr/local/bin/crowdsec COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli COPY --from=build /go/src/crowdsec/docker/docker_start.sh / COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml -RUN yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml +RUN yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml && \ + yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml -# NOTE: setting default values here would overwrite the ones set in config.yaml -# every time the container is started. We set the default in docker/config.yaml -# and document them in docker/README.md, but keep the variables empty here. - -ENV CONFIG_FILE=/etc/crowdsec/config.yaml -ENV LOCAL_API_URL= -ENV CUSTOM_HOSTNAME=localhost -ENV PLUGIN_DIR= -ENV DISABLE_AGENT=false -ENV DISABLE_LOCAL_API=false -ENV DISABLE_ONLINE_API=false -ENV DSN= -ENV TYPE= -ENV TEST_MODE=false -ENV USE_WAL= - -# register to app.crowdsec.net - -ENV ENROLL_INSTANCE_NAME= -ENV ENROLL_KEY= -ENV ENROLL_TAGS= - -# log verbosity - -ENV LEVEL_TRACE= -ENV LEVEL_DEBUG= -ENV LEVEL_INFO= - -# TLS setup ----------------------------------- # - -ENV AGENT_USERNAME= -ENV AGENT_PASSWORD= - -# TLS setup ----------------------------------- # - -ENV USE_TLS=false -ENV INSECURE_SKIP_VERIFY= - -ENV CACERT_FILE= - -ENV LAPI_CERT_FILE= -ENV LAPI_KEY_FILE= - -ENV CLIENT_CERT_FILE= -ENV CLIENT_KEY_FILE= - -# deprecated in favor of LAPI_* -ENV CERT_FILE= -ENV KEY_FILE= - -# comma-separated list of allowed OU values for TLS bouncer certificates -ENV BOUNCERS_ALLOWED_OU= - -# comma-separated list of allowed OU values for TLS agent certificates -ENV AGENTS_ALLOWED_OU= - -# Install the following hub items --------------# - -ENV COLLECTIONS= -ENV PARSERS= -ENV SCENARIOS= -ENV POSTOVERFLOWS= - -# Uninstall the following hub items ------------# - -ENV DISABLE_COLLECTIONS= -ENV DISABLE_PARSERS= -ENV DISABLE_SCENARIOS= -ENV DISABLE_POSTOVERFLOWS= - -ENV METRICS_PORT= ENTRYPOINT /bin/bash docker_start.sh diff --git a/docker/README.md b/docker/README.md index 495dca2d9..e4520982b 100644 --- a/docker/README.md +++ b/docker/README.md @@ -179,7 +179,7 @@ To use environment variables, they should be in the format `BOUNCER_KEY_=< To use Docker secrets, the secret should be named `bouncer_key_` with a content of ``. e.g. `bouncer_key_nginx` with content `mysecretkey12345`. -A bouncer key can be any string but we recommend an alphanumeric value for consistency with the crowdsec-generated keys and to avoid problems with escaping special characters. +A bouncer key can be any string but we recommend an alphanumeric value for consistency with the keys generated by crowdsec and to avoid problems with escaping special characters. With TLS authentication: @@ -198,22 +198,33 @@ Using binds rather than named volumes ([complete explanation here](https://docs. # Reference ## Environment Variables +Note for persistent configurations (i.e. bind mount or volumes): when a +variable is set, its value may be written to the appropriate file (usually +config.yaml) each time the container is run. + + | Variable | Default | Description | | ----------------------- | ------------------------- | ----------- | | `CONFIG_FILE` | `/etc/crowdsec/config.yaml` | Configuration file location | -| `DSN` | | Process a single source in time-machine: `-e DSN="file:///var/log/toto.log"` or `-e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h"` or `-e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"` | -| `TYPE` | | [`Labels.type`](https://docs.crowdsec.net/Crowdsec/v1/references/acquisition/) for file in time-machine: `-e TYPE=""` | -| `TEST_MODE` | false | Don't run the service, only test the configuration: `-e TEST_MODE=true` | -| `TZ` | | Set the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to ensure the logs have a local timestamp. | -| `LOCAL_API_URL` | `http://0.0.0.0:8080` | The LAPI URL, you need to change this when `DISABLE_LOCAL_API` is true: `-e LOCAL_API_URL="http://lapi-address:8080"` | | `DISABLE_AGENT` | false | Disable the agent, run a LAPI-only container | | `DISABLE_LOCAL_API` | false | Disable LAPI, run an agent-only container | | `DISABLE_ONLINE_API` | false | Disable online API registration for signal sharing | -| `CUSTOM_HOSTNAME` | localhost | Custom hostname for LAPI registration (with agent and LAPI on the same container) | +| `TEST_MODE` | false | Don't run the service, only test the configuration: `-e TEST_MODE=true` | +| `TZ` | | Set the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to ensure the logs have a local timestamp. | +| `LOCAL_API_URL` | `http://0.0.0.0:8080` | The LAPI URL, you need to change this when `DISABLE_LOCAL_API` is true: `-e LOCAL_API_URL="http://lapi-address:8080"` | | `PLUGIN_DIR` | `/usr/local/lib/crowdsec/plugins/` | Directory for plugins: `-e PLUGIN_DIR=""` | -| `BOUNCER_KEY_` | | Register a bouncer with the name `` and a key equal to the value of the environment variable. | | `METRICS_PORT` | 6060 | Port to expose Prometheus metrics | +| | | | +| __LAPI__ | | (useless with DISABLE_LOCAL_API) | | `USE_WAL` | false | Enable Write-Ahead Logging with SQLite | +| `CUSTOM_HOSTNAME` | localhost | Name for the local agent (running in the container with LAPI) | +| | | | +| __Agent__ | | (these don't work with DISABLE_AGENT) | +| `TYPE` | | [`Labels.type`](https://docs.crowdsec.net/Crowdsec/v1/references/acquisition/) for file in time-machine: `-e TYPE=""` | +| `DSN` | | Process a single source in time-machine: `-e DSN="file:///var/log/toto.log"` or `-e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h"` or `-e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"` | +| | | | +| __Bouncers__ | | | +| `BOUNCER_KEY_` | | Register a bouncer with the name `` and a key equal to the value of the environment variable. | | | | | | __Console__ | | | | `ENROLL_KEY` | | Enroll key retrieved from [the console](https://app.crowdsec.net/) to enroll the instance. | @@ -224,14 +235,16 @@ Using binds rather than named volumes ([complete explanation here](https://docs. | `AGENT_USERNAME` | | Agent username (to register if is LAPI or to use if it's an agent): `-e AGENT_USERNAME="machine_id"` | | `AGENT_PASSWORD` | | Agent password (to register if is LAPI or to use if it's an agent): `-e AGENT_PASSWORD="machine_password"` | | | | | -| __TLS Auth/encryption | | | -| `USE_TLS` | false | Enable TLS on the LAPI | -| `CACERT_FILE` | | CA certificate bundle (optional) | +| __TLS Encryption__ | | | +| `USE_TLS` | false | Enable TLS encryption (either as a LAPI or agent) | +| `CACERT_FILE` | | CA certificate bundle (for self-signed certificates) | | `INSECURE_SKIP_VERIFY` | | Skip LAPI certificate validation | -| `CLIENT_CERT_FILE` | | Client TLS Certificate path (enables TLS auth) | +| `LAPI_CERT_FILE` | | LAPI TLS Certificate path | +| `LAPI_KEY_FILE` | | LAPI TLS Key path | +| | | | +| __TLS Authentication__ | | (these require USE_TLS=true) | +| `CLIENT_CERT_FILE` | | Client TLS Certificate path (enable TLS authentication) | | `CLIENT_KEY_FILE` | | Client TLS Key path | -| `LAPI_CERT_FILE` | | LAPI TLS Certificate path (required if USE_TLS) | -| `LAPI_KEY_FILE` | | LAPI TLS Key path (required if USE_TLS) | | `AGENTS_ALLOWED_OU` | agent-ou | OU values allowed for agents, separated by comma | | `BOUNCERS_ALLOWED_OU` | bouncer-ou | OU values allowed for bouncers, separated by comma | | | | | @@ -249,6 +262,10 @@ Using binds rather than named volumes ([complete explanation here](https://docs. | `LEVEL_INFO` | false | Force INFO level for the container log | | `LEVEL_DEBUG` | false | Force DEBUG level for the container log | | `LEVEL_TRACE` | false | Force TRACE level (VERY verbose) for the container log | +| | | | +| __Developer options__ | | | +| `CI_TESTING` | false | Used during functional tests | +| `DEBUG` | false | Trace the entrypoint | ## Volumes diff --git a/docker/config.yaml b/docker/config.yaml index 2e5426969..2be3e8bb1 100644 --- a/docker/config.yaml +++ b/docker/config.yaml @@ -16,8 +16,8 @@ crowdsec_service: acquisition_path: /etc/crowdsec/acquis.yaml parser_routines: 1 plugin_config: - user: nobody - group: nobody + user: nobody + group: nobody cscli: output: human db_config: @@ -40,7 +40,7 @@ api: - 127.0.0.1 - ::1 online_client: # Central API credentials (to push signals and receive bad IPs) - #credentials_path: /etc/crowdsec/online_api_credentials.yaml + #credentials_path: /etc/crowdsec/online_api_credentials.yaml tls: agents_allowed_ou: - agent-ou diff --git a/docker/docker_start.sh b/docker/docker_start.sh index c00b508a7..11833a049 100755 --- a/docker/docker_start.sh +++ b/docker/docker_start.sh @@ -3,14 +3,9 @@ # shellcheck disable=SC2292 # allow [ test ] syntax # shellcheck disable=SC2310 # allow "if function..." syntax with -e -#set -x -#export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' - set -e shopt -s inherit_errexit -#- HELPER FUNCTIONS ----------------# - # match true, TRUE, True, tRuE, etc. istrue() { case "$(echo "$1" | tr '[:upper:]' '[:lower:]')" in @@ -27,6 +22,22 @@ isfalse() { fi } +if istrue "$DEBUG"; then + set -x + export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' +fi + +if istrue "$CI_TESTING"; then + echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" >/etc/machine-id +fi + +#- DEFAULTS -----------------------# + +export CONFIG_FILE="${CONFIG_FILE:=/etc/crowdsec/config.yaml}" +export CUSTOM_HOSTNAME="${CUSTOM_HOSTNAME:=localhost}" + +#- HELPER FUNCTIONS ----------------# + # csv2yaml # generate a yaml list from a comma-separated string of values csv2yaml() { @@ -59,7 +70,18 @@ conf_set() { YAML_FILE="$CONFIG_FILE" fi YAML_CONTENT=$(cat "$YAML_FILE" 2>/dev/null || true) - echo "$YAML_CONTENT" | yq e "$1" | install -m 0600 /dev/stdin "$YAML_FILE" + NEW_CONTENT=$(echo "$YAML_CONTENT" | yq e "$1") + echo "$NEW_CONTENT" | install -m 0600 /dev/stdin "$YAML_FILE" +} + +# conf_set_if(): used to update the configuration +# only if a given variable is provided +# conf_set_if "$VAR" [file_path] +conf_set_if() { + if [ "$1" != "" ]; then + shift + conf_set "$@" + fi } # register_bouncer @@ -135,43 +157,42 @@ fi # regenerate local agent credentials (even if agent is disabled, cscli needs a # connection to the API) cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true -if isfalse "$DISABLE_LOCAL_API" && isfalse "$USE_TLS"; then - echo "Regenerate local agent credentials" - cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL" -fi - if isfalse "$DISABLE_LOCAL_API"; then - echo "Check if lapi needs to automatically register an agent" + if isfalse "$USE_TLS" || [ "$CLIENT_CERT_FILE" = "" ]; then + echo "Regenerate local agent credentials" + cscli machines add "$CUSTOM_HOSTNAME" --auto + fi + echo "Check if lapi needs to register an additional agent" # pre-registration is not needed with TLS authentication, but we can have TLS transport with user/pw if [ "$AGENT_USERNAME" != "" ] && [ "$AGENT_PASSWORD" != "" ] ; then # re-register because pw may have been changed - # doing this generates local_api_credentials.yaml from scratch, removing any tls setting - cscli machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD" --url "$LOCAL_API_URL" --force + cscli machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD" -f /dev/null --force echo "Agent registered to lapi" - elif isfalse "$USE_TLS"; then - echo "TLS is disabled, the AGENT_USERNAME and AGENT_PASSWORD must be set" >&2 fi fi +# ---------------- + lapi_credentials_path=$(conf_get '.api.client.credentials_path') -conf_set 'with(select(strenv(INSECURE_SKIP_VERIFY)!=""); .api.client.insecure_skip_verify = env(INSECURE_SKIP_VERIFY))' +conf_set_if "$LOCAL_API_URL" '.url = strenv(LOCAL_API_URL)' "$lapi_credentials_path" -# we only use the envvars that are actually defined -# in case of persistent configuration -conf_set ' - with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) | - with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) | - with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD)) - ' "$lapi_credentials_path" +if istrue "$DISABLE_LOCAL_API"; then + # we only use the envvars that are actually defined + # in case of persistent configuration + conf_set_if "$AGENT_USERNAME" '.login = strenv(AGENT_USERNAME)' "$lapi_credentials_path" + conf_set_if "$AGENT_PASSWORD" '.password = strenv(AGENT_PASSWORD)' "$lapi_credentials_path" +fi +conf_set_if "$INSECURE_SKIP_VERIFY" '.api.client.insecure_skip_verify = env(INSECURE_SKIP_VERIFY)' + +# agent-only containers still require USE_TLS if istrue "$USE_TLS"; then - conf_set ' - with(select(strenv(CACERT_FILE)!=""); .ca_cert_path = strenv(CACERT_FILE)) | - with(select(strenv(CLIENT_KEY_FILE)!=""); .key_path = strenv(CLIENT_KEY_FILE)) | - with(select(strenv(CLIENT_CERT_FILE)!=""); .cert_path = strenv(CLIENT_CERT_FILE)) - ' "$lapi_credentials_path" + # shellcheck disable=SC2153 + conf_set_if "$CACERT_FILE" '.ca_cert_path = strenv(CACERT_FILE)' "$lapi_credentials_path" + conf_set_if "$CLIENT_KEY_FILE" '.key_path = strenv(CLIENT_KEY_FILE)' "$lapi_credentials_path" + conf_set_if "$CLIENT_CERT_FILE" '.cert_path = strenv(CLIENT_CERT_FILE)' "$lapi_credentials_path" else conf_set ' del(.ca_cert_path) | @@ -180,12 +201,18 @@ else ' "$lapi_credentials_path" fi +if istrue "$DISABLE_ONLINE_API"; then + conf_set 'del(.api.server.online_client)' +fi + # registration to online API for signal push -if isfalse "$DISABLE_ONLINE_API" && [ "$CONFIG_FILE" == "/etc/crowdsec/config.yaml" ] ; then +if isfalse "$DISABLE_ONLINE_API" ; then + CONFIG_DIR=$(conf_get '.config_paths.config_dir') config_exists=$(conf_get '.api.server.online_client | has("credentials_path")') if isfalse "$config_exists"; then - conf_set '.api.server.online_client = {"credentials_path": "/etc/crowdsec/online_api_credentials.yaml"}' - cscli capi register > /etc/crowdsec/online_api_credentials.yaml + export CONFIG_DIR + conf_set '.api.server.online_client = {"credentials_path": strenv(CONFIG_DIR) + "/online_api_credentials.yaml"}' + cscli capi register > "$CONFIG_DIR/online_api_credentials.yaml" echo "Registration to online API done" fi fi @@ -214,22 +241,20 @@ if [ "$GID" != "" ]; then fi fi +# XXX only with LAPI if istrue "$USE_TLS"; then agents_allowed_yaml=$(csv2yaml "$AGENTS_ALLOWED_OU") \ bouncers_allowed_yaml=$(csv2yaml "$BOUNCERS_ALLOWED_OU") \ - conf_set ' - with(select(strenv(CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(CACERT_FILE)) | - with(select(strenv(LAPI_CERT_FILE)!=""); .api.server.tls.cert_file = strenv(LAPI_CERT_FILE)) | - with(select(strenv(LAPI_KEY_FILE)!=""); .api.server.tls.key_file = strenv(LAPI_KEY_FILE)) | - with(select(strenv(BOUNCERS_ALLOWED_OU)!=""); .api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)) | - with(select(strenv(AGENTS_ALLOWED_OU)!=""); .api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)) | - ... comments="" - ' + conf_set_if "$CACERT_FILE" '.api.server.tls.ca_cert_path = strenv(CACERT_FILE)' + conf_set_if "$LAPI_CERT_FILE" '.api.server.tls.cert_file = strenv(LAPI_CERT_FILE)' + conf_set_if "$LAPI_KEY_FILE" '.api.server.tls.key_file = strenv(LAPI_KEY_FILE)' + conf_set_if "$BOUNCERS_ALLOWED_OU" '.api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)' + conf_set_if "$AGENTS_ALLOWED_OU" '.api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)' else conf_set 'del(.api.server.tls)' fi -conf_set 'with(select(strenv(PLUGIN_DIR)!=""); .config_paths.plugin_dir = strenv(PLUGIN_DIR))' +conf_set_if "$PLUGIN_DIR" '.config_paths.plugin_dir = strenv(PLUGIN_DIR)' ## Install collections, parsers, scenarios & postoverflows cscli hub update @@ -336,7 +361,7 @@ if istrue "$LEVEL_INFO"; then ARGS="$ARGS -info" fi -conf_set 'with(select(strenv(METRICS_PORT)!=""); .prometheus.listen_port=env(METRICS_PORT))' +conf_set_if "$METRICS_PORT" '.prometheus.listen_port=env(METRICS_PORT)' # shellcheck disable=SC2086 exec crowdsec $ARGS