From ff6ade73ce450ec53605defb0477d9604c6dba28 Mon Sep 17 00:00:00 2001 From: mmetc <92726601+mmetc@users.noreply.github.com> Date: Tue, 3 Jan 2023 14:45:33 +0100 Subject: [PATCH] docker entrypoint/configuration fixes + refactoring (#1959) --- .dockerignore | 1 + Dockerfile | 84 +++---------------------------- Dockerfile.debian | 90 +++++----------------------------- docker/README.md | 43 +++++++++++----- docker/config.yaml | 2 +- docker/docker_start.sh | 109 +++++++++++++++++++++++++---------------- 6 files changed, 119 insertions(+), 210 deletions(-) diff --git a/.dockerignore b/.dockerignore index 1deda365c..3366a0a82 100644 --- a/.dockerignore +++ b/.dockerignore @@ -1,3 +1,4 @@ # We include .git in the build context because excluding it would break the # "make release" target, which uses git to retrieve the build version and tag. #.git +/tests/ansible diff --git a/Dockerfile b/Dockerfile index 297388c91..f2e11cef6 100644 --- a/Dockerfile +++ b/Dockerfile @@ -4,105 +4,37 @@ ARG GOVERSION=1.19 FROM golang:${GOVERSION}-alpine AS build +RUN go install github.com/mikefarah/yq/v4@v4.30.6 + WORKDIR /go/src/crowdsec COPY . . # wizard.sh requires GNU coreutils RUN apk add --no-cache git gcc libc-dev make bash gettext binutils-gold coreutils && \ + echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" > /etc/machine-id && \ SYSTEM="docker" make clean release && \ cd crowdsec-v* && \ ./wizard.sh --docker-mode && \ - cd - && \ + cd - >/dev/null && \ cscli hub update && \ cscli collections install crowdsecurity/linux && \ cscli parsers install crowdsecurity/whitelists FROM alpine:latest as build-slim -RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community tzdata yq bash && \ +RUN apk add --no-cache --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community tzdata bash && \ mkdir -p /staging/etc/crowdsec && \ mkdir -p /staging/var/lib/crowdsec && \ - mkdir -p /var/lib/crowdsec/data \ - yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml + mkdir -p /var/lib/crowdsec/data +COPY --from=build /go/bin/yq /usr/local/bin/yq COPY --from=build /etc/crowdsec /staging/etc/crowdsec COPY --from=build /usr/local/bin/crowdsec /usr/local/bin/crowdsec COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli COPY --from=build /go/src/crowdsec/docker/docker_start.sh / COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml - -# NOTE: setting default values here would overwrite the ones set in config.yaml -# every time the container is started. We set the default in docker/config.yaml -# and document them in docker/README.md, but keep the variables empty here. - -ENV CONFIG_FILE=/etc/crowdsec/config.yaml -ENV LOCAL_API_URL= -ENV CUSTOM_HOSTNAME=localhost -ENV PLUGIN_DIR= -ENV DISABLE_AGENT=false -ENV DISABLE_LOCAL_API=false -ENV DISABLE_ONLINE_API=false -ENV DSN= -ENV TYPE= -ENV TEST_MODE=false -ENV USE_WAL= - -# register to app.crowdsec.net - -ENV ENROLL_INSTANCE_NAME= -ENV ENROLL_KEY= -ENV ENROLL_TAGS= - -# log verbosity - -ENV LEVEL_TRACE= -ENV LEVEL_DEBUG= -ENV LEVEL_INFO= - -# TLS setup ----------------------------------- # - -ENV AGENT_USERNAME= -ENV AGENT_PASSWORD= - -# TLS setup ----------------------------------- # - -ENV USE_TLS=false -ENV INSECURE_SKIP_VERIFY= - -ENV CACERT_FILE= - -ENV LAPI_CERT_FILE= -ENV LAPI_KEY_FILE= - -ENV CLIENT_CERT_FILE= -ENV CLIENT_KEY_FILE= - -# deprecated in favor of LAPI_* -ENV CERT_FILE= -ENV KEY_FILE= - -# comma-separated list of allowed OU values for TLS bouncer certificates -ENV BOUNCERS_ALLOWED_OU= - -# comma-separated list of allowed OU values for TLS agent certificates -ENV AGENTS_ALLOWED_OU= - -# Install the following hub items --------------# - -ENV COLLECTIONS= -ENV PARSERS= -ENV SCENARIOS= -ENV POSTOVERFLOWS= - -# Uninstall the following hub items ------------# - -ENV DISABLE_COLLECTIONS= -ENV DISABLE_PARSERS= -ENV DISABLE_SCENARIOS= -ENV DISABLE_POSTOVERFLOWS= - -ENV METRICS_PORT= +RUN yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml ENTRYPOINT /bin/bash docker_start.sh diff --git a/Dockerfile.debian b/Dockerfile.debian index 7d1a245b9..74da6c73d 100644 --- a/Dockerfile.debian +++ b/Dockerfile.debian @@ -4,6 +4,8 @@ ARG GOVERSION=1.19 FROM golang:${GOVERSION}-bullseye AS build +RUN go install github.com/mikefarah/yq/v4@v4.30.6 + WORKDIR /go/src/crowdsec COPY . . @@ -14,17 +16,20 @@ ENV DEBCONF_NOWARNINGS="yes" # wizard.sh requires GNU coreutils RUN apt-get update && \ apt-get install -y -q git gcc libc-dev make bash gettext binutils-gold coreutils tzdata && \ - SYSTEM="docker" make release && \ + echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" > /etc/machine-id && \ + SYSTEM="docker" make clean release && \ cd crowdsec-v* && \ ./wizard.sh --docker-mode && \ - cd - && \ + cd - >/dev/null && \ cscli hub update && \ cscli collections install crowdsecurity/linux && \ - cscli parsers install crowdsecurity/whitelists && \ - go install github.com/mikefarah/yq/v4@v4.30.5 + cscli parsers install crowdsecurity/whitelists FROM debian:bullseye-slim as build-slim +ENV DEBIAN_FRONTEND=noninteractive +ENV DEBCONF_NOWARNINGS="yes" + RUN apt-get update && \ apt-get install -y -q --install-recommends --no-install-suggests \ procps \ @@ -35,8 +40,7 @@ RUN apt-get update && \ tzdata && \ mkdir -p /staging/etc/crowdsec && \ mkdir -p /staging/var/lib/crowdsec && \ - mkdir -p /var/lib/crowdsec/data \ - yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml + mkdir -p /var/lib/crowdsec/data COPY --from=build /go/bin/yq /usr/local/bin/yq COPY --from=build /etc/crowdsec /staging/etc/crowdsec @@ -44,79 +48,9 @@ COPY --from=build /usr/local/bin/crowdsec /usr/local/bin/crowdsec COPY --from=build /usr/local/bin/cscli /usr/local/bin/cscli COPY --from=build /go/src/crowdsec/docker/docker_start.sh / COPY --from=build /go/src/crowdsec/docker/config.yaml /staging/etc/crowdsec/config.yaml -RUN yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml +RUN yq -n '.url="http://0.0.0.0:8080"' | install -m 0600 /dev/stdin /staging/etc/crowdsec/local_api_credentials.yaml && \ + yq eval -i ".plugin_config.group = \"nogroup\"" /staging/etc/crowdsec/config.yaml -# NOTE: setting default values here would overwrite the ones set in config.yaml -# every time the container is started. We set the default in docker/config.yaml -# and document them in docker/README.md, but keep the variables empty here. - -ENV CONFIG_FILE=/etc/crowdsec/config.yaml -ENV LOCAL_API_URL= -ENV CUSTOM_HOSTNAME=localhost -ENV PLUGIN_DIR= -ENV DISABLE_AGENT=false -ENV DISABLE_LOCAL_API=false -ENV DISABLE_ONLINE_API=false -ENV DSN= -ENV TYPE= -ENV TEST_MODE=false -ENV USE_WAL= - -# register to app.crowdsec.net - -ENV ENROLL_INSTANCE_NAME= -ENV ENROLL_KEY= -ENV ENROLL_TAGS= - -# log verbosity - -ENV LEVEL_TRACE= -ENV LEVEL_DEBUG= -ENV LEVEL_INFO= - -# TLS setup ----------------------------------- # - -ENV AGENT_USERNAME= -ENV AGENT_PASSWORD= - -# TLS setup ----------------------------------- # - -ENV USE_TLS=false -ENV INSECURE_SKIP_VERIFY= - -ENV CACERT_FILE= - -ENV LAPI_CERT_FILE= -ENV LAPI_KEY_FILE= - -ENV CLIENT_CERT_FILE= -ENV CLIENT_KEY_FILE= - -# deprecated in favor of LAPI_* -ENV CERT_FILE= -ENV KEY_FILE= - -# comma-separated list of allowed OU values for TLS bouncer certificates -ENV BOUNCERS_ALLOWED_OU= - -# comma-separated list of allowed OU values for TLS agent certificates -ENV AGENTS_ALLOWED_OU= - -# Install the following hub items --------------# - -ENV COLLECTIONS= -ENV PARSERS= -ENV SCENARIOS= -ENV POSTOVERFLOWS= - -# Uninstall the following hub items ------------# - -ENV DISABLE_COLLECTIONS= -ENV DISABLE_PARSERS= -ENV DISABLE_SCENARIOS= -ENV DISABLE_POSTOVERFLOWS= - -ENV METRICS_PORT= ENTRYPOINT /bin/bash docker_start.sh diff --git a/docker/README.md b/docker/README.md index 244141ae8..bef24a855 100644 --- a/docker/README.md +++ b/docker/README.md @@ -198,22 +198,33 @@ Using binds rather than named volumes ([complete explanation here](https://docs. # Reference ## Environment Variables +Note for persistent configurations (i.e. bind mount or volumes): when a +variable is set, its value may be written to the appropriate file (usually +config.yaml) each time the container is run. + + | Variable | Default | Description | | ----------------------- | ------------------------- | ----------- | | `CONFIG_FILE` | `/etc/crowdsec/config.yaml` | Configuration file location | -| `DSN` | | Process a single source in time-machine: `-e DSN="file:///var/log/toto.log"` or `-e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h"` or `-e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"` | -| `TYPE` | | [`Labels.type`](https://docs.crowdsec.net/Crowdsec/v1/references/acquisition/) for file in time-machine: `-e TYPE=""` | -| `TEST_MODE` | false | Don't run the service, only test the configuration: `-e TEST_MODE=true` | -| `TZ` | | Set the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to ensure the logs have a local timestamp. | -| `LOCAL_API_URL` | `http://0.0.0.0:8080` | The LAPI URL, you need to change this when `DISABLE_LOCAL_API` is true: `-e LOCAL_API_URL="http://lapi-address:8080"` | | `DISABLE_AGENT` | false | Disable the agent, run a LAPI-only container | | `DISABLE_LOCAL_API` | false | Disable LAPI, run an agent-only container | | `DISABLE_ONLINE_API` | false | Disable online API registration for signal sharing | -| `CUSTOM_HOSTNAME` | localhost | Custom hostname for LAPI registration (with agent and LAPI on the same container) | +| `TEST_MODE` | false | Don't run the service, only test the configuration: `-e TEST_MODE=true` | +| `TZ` | | Set the [timezone](https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) to ensure the logs have a local timestamp. | +| `LOCAL_API_URL` | `http://0.0.0.0:8080` | The LAPI URL, you need to change this when `DISABLE_LOCAL_API` is true: `-e LOCAL_API_URL="http://lapi-address:8080"` | | `PLUGIN_DIR` | `/usr/local/lib/crowdsec/plugins/` | Directory for plugins: `-e PLUGIN_DIR=""` | -| `BOUNCER_KEY_` | | Register a bouncer with the name `` and a key equal to the value of the environment variable. | | `METRICS_PORT` | 6060 | Port to expose Prometheus metrics | +| | | | +| __LAPI__ | | (useless with DISABLE_LOCAL_API) | | `USE_WAL` | false | Enable Write-Ahead Logging with SQLite | +| `CUSTOM_HOSTNAME` | localhost | Name for the local agent (running in the container with LAPI) | +| | | | +| __Agent__ | | (these don't work with DISABLE_AGENT) | +| `TYPE` | | [`Labels.type`](https://docs.crowdsec.net/Crowdsec/v1/references/acquisition/) for file in time-machine: `-e TYPE=""` | +| `DSN` | | Process a single source in time-machine: `-e DSN="file:///var/log/toto.log"` or `-e DSN="cloudwatch:///your/group/path:stream_name?profile=dev&backlog=16h"` or `-e DSN="journalctl://filters=_SYSTEMD_UNIT=ssh.service"` | +| | | | +| __Bouncers__ | | | +| `BOUNCER_KEY_` | | Register a bouncer with the name `` and a key equal to the value of the environment variable. | | | | | | __Console__ | | | | `ENROLL_KEY` | | Enroll key retrieved from [the console](https://app.crowdsec.net/) to enroll the instance. | @@ -224,14 +235,16 @@ Using binds rather than named volumes ([complete explanation here](https://docs. | `AGENT_USERNAME` | | Agent username (to register if is LAPI or to use if it's an agent): `-e AGENT_USERNAME="machine_id"` | | `AGENT_PASSWORD` | | Agent password (to register if is LAPI or to use if it's an agent): `-e AGENT_PASSWORD="machine_password"` | | | | | -| __TLS Auth/encryption | | | -| `USE_TLS` | false | Enable TLS on the LAPI | -| `CACERT_FILE` | | CA certificate bundle (optional) | +| __TLS Encryption__ | | | +| `USE_TLS` | false | Enable TLS encryption (either as a LAPI or agent) | +| `CACERT_FILE` | | CA certificate bundle (for self-signed certificates) | | `INSECURE_SKIP_VERIFY` | | Skip LAPI certificate validation | -| `CLIENT_CERT_FILE` | | Client TLS Certificate path (enables TLS auth) | +| `LAPI_CERT_FILE` | | LAPI TLS Certificate path | +| `LAPI_KEY_FILE` | | LAPI TLS Key path | +| | | | +| __TLS Authentication__ | | (these require USE_TLS=true) | +| `CLIENT_CERT_FILE` | | Client TLS Certificate path (enable TLS authentication) | | `CLIENT_KEY_FILE` | | Client TLS Key path | -| `LAPI_CERT_FILE` | | LAPI TLS Certificate path (required if USE_TLS) | -| `LAPI_KEY_FILE` | | LAPI TLS Key path (required if USE_TLS) | | `AGENTS_ALLOWED_OU` | agent-ou | OU values allowed for agents, separated by comma | | `BOUNCERS_ALLOWED_OU` | bouncer-ou | OU values allowed for bouncers, separated by comma | | | | | @@ -249,6 +262,10 @@ Using binds rather than named volumes ([complete explanation here](https://docs. | `LEVEL_INFO` | false | Force INFO level for the container log | | `LEVEL_DEBUG` | false | Force DEBUG level for the container log | | `LEVEL_TRACE` | false | Force TRACE level (VERY verbose) for the container log | +| | | | +| __Developer options__ | | | +| `CI_TESTING` | false | Used during functional tests | +| `DEBUG` | false | Trace the entrypoint | ## Volumes diff --git a/docker/config.yaml b/docker/config.yaml index 8c62b3cb1..fd3c2a62d 100644 --- a/docker/config.yaml +++ b/docker/config.yaml @@ -41,7 +41,7 @@ api: - 127.0.0.1 - ::1 online_client: # Central API credentials (to push signals and receive bad IPs) - #credentials_path: /etc/crowdsec/online_api_credentials.yaml + #credentials_path: /etc/crowdsec/online_api_credentials.yaml tls: agents_allowed_ou: - agent-ou diff --git a/docker/docker_start.sh b/docker/docker_start.sh index c00b508a7..11833a049 100755 --- a/docker/docker_start.sh +++ b/docker/docker_start.sh @@ -3,14 +3,9 @@ # shellcheck disable=SC2292 # allow [ test ] syntax # shellcheck disable=SC2310 # allow "if function..." syntax with -e -#set -x -#export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' - set -e shopt -s inherit_errexit -#- HELPER FUNCTIONS ----------------# - # match true, TRUE, True, tRuE, etc. istrue() { case "$(echo "$1" | tr '[:upper:]' '[:lower:]')" in @@ -27,6 +22,22 @@ isfalse() { fi } +if istrue "$DEBUG"; then + set -x + export PS4='+(${BASH_SOURCE}:${LINENO}): ${FUNCNAME[0]:+${FUNCNAME[0]}(): }' +fi + +if istrue "$CI_TESTING"; then + echo "githubciXXXXXXXXXXXXXXXXXXXXXXXX" >/etc/machine-id +fi + +#- DEFAULTS -----------------------# + +export CONFIG_FILE="${CONFIG_FILE:=/etc/crowdsec/config.yaml}" +export CUSTOM_HOSTNAME="${CUSTOM_HOSTNAME:=localhost}" + +#- HELPER FUNCTIONS ----------------# + # csv2yaml # generate a yaml list from a comma-separated string of values csv2yaml() { @@ -59,7 +70,18 @@ conf_set() { YAML_FILE="$CONFIG_FILE" fi YAML_CONTENT=$(cat "$YAML_FILE" 2>/dev/null || true) - echo "$YAML_CONTENT" | yq e "$1" | install -m 0600 /dev/stdin "$YAML_FILE" + NEW_CONTENT=$(echo "$YAML_CONTENT" | yq e "$1") + echo "$NEW_CONTENT" | install -m 0600 /dev/stdin "$YAML_FILE" +} + +# conf_set_if(): used to update the configuration +# only if a given variable is provided +# conf_set_if "$VAR" [file_path] +conf_set_if() { + if [ "$1" != "" ]; then + shift + conf_set "$@" + fi } # register_bouncer @@ -135,43 +157,42 @@ fi # regenerate local agent credentials (even if agent is disabled, cscli needs a # connection to the API) cscli machines delete "$CUSTOM_HOSTNAME" 2>/dev/null || true -if isfalse "$DISABLE_LOCAL_API" && isfalse "$USE_TLS"; then - echo "Regenerate local agent credentials" - cscli machines add "$CUSTOM_HOSTNAME" --auto --url "$LOCAL_API_URL" -fi - if isfalse "$DISABLE_LOCAL_API"; then - echo "Check if lapi needs to automatically register an agent" + if isfalse "$USE_TLS" || [ "$CLIENT_CERT_FILE" = "" ]; then + echo "Regenerate local agent credentials" + cscli machines add "$CUSTOM_HOSTNAME" --auto + fi + echo "Check if lapi needs to register an additional agent" # pre-registration is not needed with TLS authentication, but we can have TLS transport with user/pw if [ "$AGENT_USERNAME" != "" ] && [ "$AGENT_PASSWORD" != "" ] ; then # re-register because pw may have been changed - # doing this generates local_api_credentials.yaml from scratch, removing any tls setting - cscli machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD" --url "$LOCAL_API_URL" --force + cscli machines add "$AGENT_USERNAME" --password "$AGENT_PASSWORD" -f /dev/null --force echo "Agent registered to lapi" - elif isfalse "$USE_TLS"; then - echo "TLS is disabled, the AGENT_USERNAME and AGENT_PASSWORD must be set" >&2 fi fi +# ---------------- + lapi_credentials_path=$(conf_get '.api.client.credentials_path') -conf_set 'with(select(strenv(INSECURE_SKIP_VERIFY)!=""); .api.client.insecure_skip_verify = env(INSECURE_SKIP_VERIFY))' +conf_set_if "$LOCAL_API_URL" '.url = strenv(LOCAL_API_URL)' "$lapi_credentials_path" -# we only use the envvars that are actually defined -# in case of persistent configuration -conf_set ' - with(select(strenv(LOCAL_API_URL)!=""); .url = strenv(LOCAL_API_URL)) | - with(select(strenv(AGENT_USERNAME)!=""); .login = strenv(AGENT_USERNAME)) | - with(select(strenv(AGENT_PASSWORD)!=""); .password = strenv(AGENT_PASSWORD)) - ' "$lapi_credentials_path" +if istrue "$DISABLE_LOCAL_API"; then + # we only use the envvars that are actually defined + # in case of persistent configuration + conf_set_if "$AGENT_USERNAME" '.login = strenv(AGENT_USERNAME)' "$lapi_credentials_path" + conf_set_if "$AGENT_PASSWORD" '.password = strenv(AGENT_PASSWORD)' "$lapi_credentials_path" +fi +conf_set_if "$INSECURE_SKIP_VERIFY" '.api.client.insecure_skip_verify = env(INSECURE_SKIP_VERIFY)' + +# agent-only containers still require USE_TLS if istrue "$USE_TLS"; then - conf_set ' - with(select(strenv(CACERT_FILE)!=""); .ca_cert_path = strenv(CACERT_FILE)) | - with(select(strenv(CLIENT_KEY_FILE)!=""); .key_path = strenv(CLIENT_KEY_FILE)) | - with(select(strenv(CLIENT_CERT_FILE)!=""); .cert_path = strenv(CLIENT_CERT_FILE)) - ' "$lapi_credentials_path" + # shellcheck disable=SC2153 + conf_set_if "$CACERT_FILE" '.ca_cert_path = strenv(CACERT_FILE)' "$lapi_credentials_path" + conf_set_if "$CLIENT_KEY_FILE" '.key_path = strenv(CLIENT_KEY_FILE)' "$lapi_credentials_path" + conf_set_if "$CLIENT_CERT_FILE" '.cert_path = strenv(CLIENT_CERT_FILE)' "$lapi_credentials_path" else conf_set ' del(.ca_cert_path) | @@ -180,12 +201,18 @@ else ' "$lapi_credentials_path" fi +if istrue "$DISABLE_ONLINE_API"; then + conf_set 'del(.api.server.online_client)' +fi + # registration to online API for signal push -if isfalse "$DISABLE_ONLINE_API" && [ "$CONFIG_FILE" == "/etc/crowdsec/config.yaml" ] ; then +if isfalse "$DISABLE_ONLINE_API" ; then + CONFIG_DIR=$(conf_get '.config_paths.config_dir') config_exists=$(conf_get '.api.server.online_client | has("credentials_path")') if isfalse "$config_exists"; then - conf_set '.api.server.online_client = {"credentials_path": "/etc/crowdsec/online_api_credentials.yaml"}' - cscli capi register > /etc/crowdsec/online_api_credentials.yaml + export CONFIG_DIR + conf_set '.api.server.online_client = {"credentials_path": strenv(CONFIG_DIR) + "/online_api_credentials.yaml"}' + cscli capi register > "$CONFIG_DIR/online_api_credentials.yaml" echo "Registration to online API done" fi fi @@ -214,22 +241,20 @@ if [ "$GID" != "" ]; then fi fi +# XXX only with LAPI if istrue "$USE_TLS"; then agents_allowed_yaml=$(csv2yaml "$AGENTS_ALLOWED_OU") \ bouncers_allowed_yaml=$(csv2yaml "$BOUNCERS_ALLOWED_OU") \ - conf_set ' - with(select(strenv(CACERT_FILE)!=""); .api.server.tls.ca_cert_path = strenv(CACERT_FILE)) | - with(select(strenv(LAPI_CERT_FILE)!=""); .api.server.tls.cert_file = strenv(LAPI_CERT_FILE)) | - with(select(strenv(LAPI_KEY_FILE)!=""); .api.server.tls.key_file = strenv(LAPI_KEY_FILE)) | - with(select(strenv(BOUNCERS_ALLOWED_OU)!=""); .api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)) | - with(select(strenv(AGENTS_ALLOWED_OU)!=""); .api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)) | - ... comments="" - ' + conf_set_if "$CACERT_FILE" '.api.server.tls.ca_cert_path = strenv(CACERT_FILE)' + conf_set_if "$LAPI_CERT_FILE" '.api.server.tls.cert_file = strenv(LAPI_CERT_FILE)' + conf_set_if "$LAPI_KEY_FILE" '.api.server.tls.key_file = strenv(LAPI_KEY_FILE)' + conf_set_if "$BOUNCERS_ALLOWED_OU" '.api.server.tls.bouncers_allowed_ou = env(bouncers_allowed_yaml)' + conf_set_if "$AGENTS_ALLOWED_OU" '.api.server.tls.agents_allowed_ou = env(agents_allowed_yaml)' else conf_set 'del(.api.server.tls)' fi -conf_set 'with(select(strenv(PLUGIN_DIR)!=""); .config_paths.plugin_dir = strenv(PLUGIN_DIR))' +conf_set_if "$PLUGIN_DIR" '.config_paths.plugin_dir = strenv(PLUGIN_DIR)' ## Install collections, parsers, scenarios & postoverflows cscli hub update @@ -336,7 +361,7 @@ if istrue "$LEVEL_INFO"; then ARGS="$ARGS -info" fi -conf_set 'with(select(strenv(METRICS_PORT)!=""); .prometheus.listen_port=env(METRICS_PORT))' +conf_set_if "$METRICS_PORT" '.prometheus.listen_port=env(METRICS_PORT)' # shellcheck disable=SC2086 exec crowdsec $ARGS