Hello, not sure this is the right section, but I am having some trouble understanding how (well, if) Zabbix handles the transfer of macro values to the proxies. For example:
I have a proxy with no access to the server's DB, monitoring an asset via its API. I can set a macro of type secret on the host and it will be saved in the server's DB and be passed to the proxy for the check, won't it?
Now, I've set up HashiCorp Vault, tested it and it works, but if the asset is monitored by a proxy this works only for some templates and not for all. I have a VMware host that doesn't get the password from Vault and an IBM Storwize template that uses an external bash script that is working fine with the password saved in the vault (it uses SSH, which does not have a cache; I am guessing there's an SSH agent configured, but I cannot check at the moment and it's unlikely). Both share the same Zabbix proxy.
At the same time, I have another VMware cluster monitored by another proxy, which I did not configure to access Vault, and it's working with the Vault secret.
Reading the docs (better, RE-reading the docs to see what I did wrong), I understand that proxies should also be configured to access the vault, but this is not necessary for other types of secrets. Why?
Is it really necessary for the proxy to be able to reach the vault? Is it because the server passes just the string representing the secret's path?