I'm trying to get a Kubernetes cluster Zabbix agent (deployed via Helm) reporting in to a non-Kubernetes Zabbix server via a Zabbix Proxy, but I can't find documentation on how to add a PSK to zabbix_values.yaml on the Zabbix agent before installing it.
I found this previous post but it didn't seem to work for me - https://www.zabbix.com/forum/zabbix-...psk-encryption
The error I get looks like this
This is my zabbix_values.yaml file
As per the forum post, I applied the following configmap after installing the Zabbix agent
I'm happy to provide any additional information,
Code:
kubectl -n monitoring logs pods/zabbix-agent-12345
2023/04/20 10:48:48.370604 [101] no active checks on server [my.zabbix.proxy:10051]: connection of type "unencrypted" is not allowed for host "my.kubernetes.host"
2023/04/20 10:49:17.118673 Zabbix Agent 2 stopped. (6.0.16)
Code:
cat zabbix/zabbix_values.yaml
## nameOverride -- Override name of app
nameOverride: ""
## fullnameOverride -- Override the full qualified app name
fullnameOverride: ""
## kubeStateMetricsEnabled -- If true, deploys the kube-state-metrics deployment
kubeStateMetricsEnabled: true
## Service account for Kubernetes API
rbac:
  ## rbac.create Specifies whether the RBAC resources should be created
  create: true
  additionalRulesForClusterRole: []
  ## - apiGroups: [ "" ]
  ##   resources:
  ##     - nodes/proxy
  ##   verbs: [ "get", "list", "watch" ]
serviceAccount:
  ## serviceAccount.create Specifies whether a service account should be created
  create: true
  ## serviceAccount.name The name of the service account to use. If not set name is generated using the fullname template
  name: zabbix-service-account
## **Zabbix proxy** configurations
zabbixProxy:
  ## Enables use of **Zabbix proxy**
  enabled: false
## **Zabbix agent** configurations
zabbixAgent:
  ## Enables use of Zabbix agent
  enabled: true
  resources: {}
  ## requests:
  ##   cpu: 100m
  ##   memory: 54Mi
  ## limits:
  ##   cpu: 100m
  ##   memory: 54Mi
  securityContext: {}
  # fsGroup: 65534
  # runAsGroup: 65534
  # runAsNonRoot: true
  # runAsUser: 65534
  containerSecurityContext: {}
  ## capabilities:
  ##   add:
  ##     - SYS_TIME
  ## Expose the service to the host network
  hostNetwork: true
  # Specify dns configuration options for agent containers e.g ndots
  ## ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  dnsConfig: {}
  # options:
  #   - name: ndots
  #     value: "1"
  ## Share the host process ID namespace
  hostPID: true
  ## If true, agent pods mounts host / at /host/root
  ##
  hostRootFsMount: true
  extraHostVolumeMounts: []
  ## - name: <mountName>
  ##   hostPath: <hostPath>
  ##   mountPath: <mountPath>
  ##   readOnly: true|false
  ##   mountPropagation: None|HostToContainer|Bidirectional
  image:
    ## Zabbix agent Docker image name
    repository: zabbix/zabbix-agent2
    ## Tag of Docker image of Zabbix agent
    tag: alpine-6.0.16
    pullPolicy: IfNotPresent
    ## List of dockerconfig secrets names to use when pulling images
    pullSecrets: []
  env:
    ## Zabbix server host
    - name: ZBX_SERVER_HOST
      value: my.zabbix.proxy
    ## Zabbix server port
    - name: ZBX_SERVER_PORT
      value: 10051
    ## This variable is boolean (true or false) and enables or disables feature of passive checks. By default, value is true
    - name: ZBX_PASSIVE_ALLOW
      value: false
    ## The variable is comma separated list of allowed Zabbix server or proxy hosts for connections to Zabbix agent container.
    - name: ZBX_PASSIVESERVERS
      value: 0.0.0.0/0
    ## This variable is boolean (true or false) and enables or disables feature of active checks
    - name: ZBX_ACTIVE_ALLOW
      value: true
    ## The variable is used to specify debug level, from 0 to 5
    - name: ZBX_DEBUGLEVEL
      value: 3
    ## The variable is used to specify timeout for processing checks. By default, value is 4.
    - name: ZBX_TIMEOUT
      value: 4
    ## List can be extended with other environment variables listed here: https://github.com/zabbix/zabbix-docker/tree/6.0/Dockerfiles/agent2/alpine#other-variables
    ## For example:
    ## The variable is comma separated list of allowed Zabbix server or proxy hosts for connections to Zabbix agent container. You may specify port.
    ## - name: ZBX_ACTIVESERVERS
    ##   value: ''
    ## The variable is list of comma separated loadable Zabbix modules. It works with volume /var/lib/zabbix/modules.
    ## - name: ZBX_LOADMODULE
    ##   value: ''
  ## Node selector for Agent. Only supports Linux.
  nodeSelector:
    kubernetes.io/os: linux
  ## Tolerations configurations
  tolerations:
    - effect: NoSchedule
      key: node-role.kubernetes.io/master
  ## Affinity configurations
  affinity: {}
  serviceAccount:
    ## Specifies whether a ServiceAccount should be created
    create: true
    ## The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the fullname template
    name: zabbix-agent-service-account
    annotations: {}
    imagePullSecrets: []
    automountServiceAccountToken: false
  service:
    type: ClusterIP
    port: 10050
    targetPort: 10050
    nodePort: 10050
    portName: zabbix-agent
    listenOnAllInterfaces: true
    annotations:
      agent.zabbix/monitor: "true"
  rbac:
    ## If true, create & use RBAC resources
    ##
    create: true
    ## If true, create & use Pod Security Policy resources
    ## https://kubernetes.io/docs/concepts/policy/pod-security-policy/
    ## PodSecurityPolicies disabled by default because they are deprecated in Kubernetes 1.21 and will be removed in Kubernetes 1.25.
    ## If you are using PodSecurityPolicies you can enable the previous behaviour by setting `rbac.pspEnabled: true`
    pspEnabled: false
    pspAnnotations: {}
Code:
cat zabbix/zabbix_psk.yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: zabbix-agent-psk-key
  namespace: monitoring
  labels:
    app: zabbix
    controller-revision-hash: 5748f4568b
    name: zabbix-agent
    pod-template-generation: "1"
data:
  zabbix-agent-psk-key: <my_key>
Thanks in advance!
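
As an added example (not part of the original post and not code from the Zabbix chart): a small check that ties the logged rejection to the `env` block of the values file. It assumes the `ZBX_TLSCONNECT`, `ZBX_TLSPSKIDENTITY` and `ZBX_TLSPSKFILE` variables of the zabbix-docker agent2 image; the sample log and env data are constructed from the post, and the function names are hypothetical.

```python
import re

# Constructed sample: the log line quoted in the post, plus a subset of the
# env list from zabbix_values.yaml (no TLS variable is set there).
AGENT_LOG = (
    '2023/04/20 10:48:48.370604 [101] no active checks on server '
    '[my.zabbix.proxy:10051]: connection of type "unencrypted" is not '
    'allowed for host "my.kubernetes.host"\n'
)
VALUES_ENV = [
    {"name": "ZBX_SERVER_HOST", "value": "my.zabbix.proxy"},
    {"name": "ZBX_ACTIVE_ALLOW", "value": True},
]

REJECT_RE = re.compile(
    r'\[(?P<server>[^\]]+)\]: connection of type "(?P<used>[^"]+)" '
    r'is not allowed for host "(?P<host>[^"]+)"'
)
# Assumed env names, taken from the zabbix-docker agent2 image variables.
PSK_VARS = ("ZBX_TLSPSKIDENTITY", "ZBX_TLSPSKFILE")


def rejected_connections(log_text):
    """Return (server, connection type, host) for each refused active check."""
    return [(m["server"], m["used"], m["host"]) for m in REJECT_RE.finditer(log_text)]


def psk_findings(env):
    """List what the env block lacks for an outgoing PSK connection."""
    settings = {e["name"]: str(e.get("value", "")).strip() for e in env}
    findings = []
    mode = settings.get("ZBX_TLSCONNECT") or "unencrypted"  # agent default
    if mode != "psk":
        findings.append(f"ZBX_TLSCONNECT is {mode!r}, expected 'psk'")
    findings += [f"{v} is not set" for v in PSK_VARS if not settings.get(v)]
    return findings


def diagnose(log_text, env):
    """Pair each refused unencrypted connection with the config gaps behind it."""
    gaps = psk_findings(env)
    return [
        {"server": s, "host": h, "used": u, "gaps": gaps}
        for s, u, h in rejected_connections(log_text)
        if u == "unencrypted"
    ]


if __name__ == "__main__":
    for d in diagnose(AGENT_LOG, VALUES_ENV):
        print(d["host"], "->", d["server"], "used", d["used"], d["gaps"])
```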