Sensu Cant Find or Reads Env Variables
Employ secrets management in Sensu
COMMERCIAL FEATURE: Access the Env and VaultProvider secrets provider datatypes in the packaged Sensu Go distribution. For more than information, read Get started with commercial features.
Sensu's secrets management allows you lot to avoid exposing secrets like usernames, passwords, and access keys in your Sensu configuration. In this guide, you'll learn how to use Sensu'south built-in secrets provider, Env, or HashiCorp Vault as your external secrets provider and authenticate without exposing your secrets. Y'all'll fix up your PagerDuty Integration Cardinal as a clandestine, create a PagerDuty handler definition that requires the secret, and configure a pipeline that includes the PagerDuty handler. Your Sensu backend can then execute the pipeline with any cheque.
To follow this guide, you'll need to install the Sensu backend, have at least 1 Sensu agent running, and install and configure sensuctl.
Secrets are configured via secrets resources. A secret resource definition refers to the secrets provider (Env or VaultProvider) and an ID (the named hugger-mugger to fetch from the secrets provider).
This guide only covers the handler use instance, merely you can apply secrets management in handler, mutator, and check execution. When a check configuration references a hugger-mugger, the Sensu backend will only transmit the check's execution requests to agents that are connected via mutually authenticated transport layer security (mTLS)-encrypted WebSockets.
The hugger-mugger included in your Sensu handler will be exposed to Sensu services at runtime as an environment variable. Sensu only exposes secrets to Sensu services like environment variables and automatically redacts secrets from all logs, the API, and the web UI.
The example in this guide uses the PagerDuty Integration Primal as a undercover and a PagerDuty handler definition that requires the secret.
Here'due south how to detect your Integration Key in PagerDuty so you can set it up equally your undercover:
- Log in to your PagerDuty account.
- In the Services drop-downward carte du jour, select Service Directory.
- Enter the name of your Sensu service in the search field.
- Click to select your Sensu service from the list of search results.
- Click the Integrations tab.
- Click the drop-down arrow for the Events API. The Integration Fundamental is listed in the 2d field.
Make a note of your Integration Key — you'll need it to create your backend environs variable or HashiCorp Vault hugger-mugger.
Use Env for secrets management
The Sensu Get commercial distribution includes a built-in secrets provider, Env, that exposes secrets from environment variables on your Sensu backend nodes. The Env secrets provider is automatically created with an empty spec when you lot kickoff your Sensu backend.
Create your backend environment variable
To use the built-in Env secrets provider, y'all will add your secret as a backend surroundings variable.
Showtime, brand sure you have created the files you demand to store backend surround variables.
Then, run the following code, replacing INTEGRATION_KEY with your PagerDuty Integration Key:
echo 'SENSU_PAGERDUTY_KEY=INTEGRATION_KEY' | sudo tee -a /etc/default/sensu-backend echo 'SENSU_PAGERDUTY_KEY=INTEGRATION_KEY' | sudo tee -a /etc/sysconfig/sensu-backend Restart the sensu-backend:
sudo systemctl restart sensu-backend This configures the SENSU_PAGERDUTY_KEY environment variable to your PagerDuty Integration Primal in the context of the sensu-backend process.
Create your Env hugger-mugger
Now you'll apply sensuctl create to create your secret. This code creates a secret named pagerduty_key that refers to the environment variable ID SENSU_PAGERDUTY_KEY. Run:
cat << EOF | sensuctl create --- type: Secret api_version: secrets/v1 metadata: proper name: pagerduty_key spec: id: SENSU_PAGERDUTY_KEY provider: env EOF cat << EOF | sensuctl create { "type": "Secret", "api_version": "secrets/v1", "metadata": { "name": "pagerduty_key" }, "spec": { "id": "SENSU_PAGERDUTY_KEY", "provider": "env" } } EOF You tin deeply pass your PagerDuty Integration Key in Sensu checks, handlers, and mutators by referring to the pagerduty_key secret. Skip to the add together a handler department, where you'll apply your pagerduty_key secret in your handler definition.
Utilise HashiCorp Vault for secrets direction
This section explains how to use HashiCorp Vault equally your external secrets provider to authenticate via the HashiCorp Vault integration's token auth method or TLS certificate auth method.
Notation: You must fix HashiCorp Vault to employ VaultProvider secrets management in production. The examples in this guide employ the Vault dev server, which is useful for learning and experimenting. The Vault dev server gives you lot admission to a preconfigured, running Vault server with in-retention storage that you can use correct abroad. Follow the HashiCorp Learn curriculum when you are set up to set up a production server in Vault.
In addition, this guide uses the Vault KV secrets engine. Using the Vault KV secrets engine with the Vault dev server requires v2 connections. For this reason, in the VaultProvider spec in these examples, the customer version value is v2.
Configure your Vault hallmark method (token or TLS)
If you use HashiCorp Vault equally your external secrets provider, you tin can authenticate via the HashiCorp Vault integration's token or transport layer security (TLS) certificate authentication method.
Vault token authentication
Follow the steps in this section to use HashiCorp Vault as your external secrets provider to authenticate with the HashiCorp Vault integration's token auth method.
Call back your Vault root token
NOTE: The examples in this guide use the Root Token for the the Vault dev server, which gives yous access to a preconfigured, running Vault server with in-memory storage that you can use right away. Follow the HashiCorp Learn curriculum when you are ready to prepare a production server in Vault.
To retrieve your Vault root token:
- Download and install the Vault edition for your operating system.
- Open a terminal window and run
vault server -dev.
The command output includes a Root Token line. Detect this line in your command output and copy the Root Token value. You will use it next to create your Vault secrets provider.
Leave the Vault dev server running. Because you aren't using TLS, you will demand to set VAULT_ADDR=http://127.0.0.1:8200 in your crush environs.
Create your Vault secrets provider
NOTE: In Vault'due south dev server, TLS is not enabled, and then you won't exist able to use certificate-based hallmark.
Use sensuctl create to create your secrets provider, vault. In the lawmaking beneath, supercede <root_token> with the Root Token value for your Vault dev server. And so, run:
cat << EOF | sensuctl create --- blazon: VaultProvider api_version: secrets/v1 metadata: name: vault spec: client: address: http://localhost:8200 token: <root_token> version: v2 tls: null max_retries: ii timeout: 20s rate_limiter: limit: 10 burst: 100 EOF true cat << EOF | sensuctl create { "blazon": "VaultProvider", "api_version": "secrets/v1", "metadata": { "name": "vault" }, "spec": { "customer": { "address": "http://localhost:8200", "token": "<root_token>", "version": "v2", "tls": zip, "max_retries": 2, "timeout": "20s", "rate_limiter": { "limit": ten, "outburst": 100 } } } } EOF To continue, skip ahead to create your Vault secret.
Vault TLS certificate authentication
This section explains how use HashiCorp Vault as your external secrets provider to authenticate with the HashiCorp Vault integration's TLS certificate auth method.
Annotation: You will demand to set HashiCorp Vault in production to use TLS document-based hallmark. In Vault's dev server, TLS is not enabled. Follow the HashiCorp Learn curriculum when you are ready to prepare a production server in Vault.
First, in your Vault, enable and configure document authentication. For example, your Vault might be configured for certificate authentication like this:
vault write auth/cert/certs/sensu-backend \ display_name =sensu-backend \ policies =sensu-backend-policy \ document =@sensu-backend-vault.pem \ ttl = 3600 2nd, configure your VaultProvider in Sensu:
--- blazon : VaultProvider api_version : secrets/v1 metadata : name : vault spec : customer : address : https://vault.case.com: 8200 version : v2 tls : ca_cert : /path/to/your/ca.pem client_cert : /etc/sensu/ssl/sensu-backend-vault.pem client_key : /etc/sensu/ssl/sensu-backend-vault-key.pem cname : sensu-backend.instance.com max_retries : 2 timeout : 20s rate_limiter : limit : 10 burst : 100 { "blazon": "VaultProvider", "api_version": "secrets/v1", "metadata": { "name": "vault" }, "spec": { "client": { "accost": "https://vault.example.com:8200", "version": "v2", "tls": { "ca_cert": "/path/to/your/ca.pem", "client_cert": "/etc/sensu/ssl/sensu-backend-vault.pem", "client_key": "/etc/sensu/ssl/sensu-backend-vault-key.pem", "cname": "sensu-backend.example.com" }, "max_retries": 2, "timeout": "20s", "rate_limiter": { "limit": 10, "burst": 100 } } } } The certificate you specify for tls.client_cert should exist the same certificate you configured in your Vault for document authentication.
Next, create your Vault undercover.
Create your Vault secret
First, remember your PagerDuty Integration Key (the hole-and-corner you will set up in Vault).
Next, open a new terminal and run vault kv put secret/pagerduty fundamental=<integration_key>. Replace <integration_key> with your PagerDuty Integration Key. This writes your secret into Vault.
In this example, the name of the secret is pagerduty. The pagerduty cloak-and-dagger contains a primal, and you specified that the key value is your PagerDuty Integration Key.
Notation: The Vault dev server is preconfigured with the secret keyspace already set upward, so we recommend using the secret/ path for the id value while you are learning and getting started with Vault secrets management.
This example uses the id format for the Vault KV Secrets Engine v1: secret/pagerduty#key. If yous are using the Vault KV Secrets Engine v2, the format is secrets/sensu#pagerduty#cardinal.
Run vault kv become secret/pagerduty to view the secret y'all but set upward.
Employ sensuctl create to create your vault hole-and-corner:
true cat << EOF | sensuctl create --- type: Clandestine api_version: secrets/v1 metadata: proper noun: pagerduty_key spec: id: secret/pagerduty#key provider: vault EOF cat << EOF | sensuctl create { "blazon": "Secret", "api_version": "secrets/v1", "metadata": { "name": "pagerduty_key" }, "spec": { "id": "secret/pagerduty#central", "provider": "vault" } } EOF Now you lot tin deeply laissez passer your PagerDuty Integration Key in the handlers, and mutators past referring to the pagerduty_key surreptitious. In the add a handler section, y'all'll use your pagerduty_key hole-and-corner in your handler definition.
Add a handler
Register the PagerDuty Handler dynamic runtime asset
To begin, register the Sensu PagerDuty Handler dynamic runtime asset with sensuctl asset add:
sensuctl asset add sensu/sensu-pagerduty-handler:ii.2.0 -r pagerduty-handler This example uses the -r (rename) flag to specify a shorter name for the dynamic runtime asset: pagerduty-handler.
Run sensuctl asset list --format yaml to confirm that the dynamic runtime nugget is ready to use.
With this handler, Sensu can trigger and resolve PagerDuty incidents. Nonetheless, you notwithstanding need to add together your secret to the handler spec and so that it requires your backend to request secrets from your secrets provider.
Add together your surreptitious to the handler spec
To create a handler definition that uses your pagerduty_key surreptitious, run:
cat << EOF | sensuctl create --- api_version: core/v2 blazon: Handler metadata: name: pagerduty spec: type: pipe command: pagerduty-handler --token $PD_TOKEN secrets: - name: PD_TOKEN cloak-and-dagger: pagerduty_key runtime_assets: - pagerduty-handler timeout: 10 EOF cat << EOF | sensuctl create { "api_version": "cadre/v2", "blazon": "Handler", "metadata": { "name": "pagerduty" }, "spec": { "type": "pipage", "command": "pagerduty-handler --token $PD_TOKEN", "secrets": [ { "proper noun": "PD_TOKEN", "secret": "pagerduty_key" } ], "runtime_assets": [ "pagerduty-handler" ], "timeout": ten } } EOF Configure a pipeline
Now that your handler is set upward and Sensu tin can create incidents in PagerDuty, y'all can configure a pipeline to start receiving alerts based on the events your checks create. A single pipeline workflow can include one or more filters, 1 mutator, and one handler.
In this case, the pipeline volition include the built-in is_incident event filter and the pagerduty handler you created in the previous step. You tin add this pipeline to whatsoever cheque to receive a PagerDuty alert for every alert (1) or critical (2) consequence the bank check generates, as well as for resolution events.
To create the pipeline, run:
cat << EOF | sensuctl create --- type: Pipeline api_version: core/v2 metadata: proper name: incident_alerts spec: workflows: - proper noun: pagerduty_incidents filters: - proper name: is_incident blazon: EventFilter api_version: core/v2 handler: proper noun: pagerduty type: Handler api_version: core/v2 EOF true cat << EOF | sensuctl create { "type": "Pipeline", "api_version": "core/v2", "metadata": { "name": "incident_alerts" }, "spec": { "workflows": [ { "name": "pagerduty_incidents", "filters": [ { "name": "is_incident", "type": "EventFilter", "api_version": "core/v2" } ], "handler": { "name": "pagerduty", "type": "Handler", "api_version": "cadre/v2" } } ] } } EOF To automate this workflow, include the incident_alerts pipeline in any Sensu check definition in the check's pipelines attribute. When you listing a pipeline in a check definition, all the observability events that the cheque produces will exist processed according to the pipeline's workflows.
Next steps
Add your pipeline to whatsoever bank check to start receiving PagerDuty alerts based on observability consequence data. Read Transport PagerDuty alerts with Sensu for an example that shows how to edit a check definition to add a pipeline.
Read the secrets or secrets providers reference for in-depth secrets management documentation.
Source: https://docs.sensu.io/sensu-go/latest/operations/manage-secrets/secrets-management/
Post a Comment for "Sensu Cant Find or Reads Env Variables"