In order to determine the health and current state of your systems, monitoring by its very nature requires access to internal and external services. Traditionally, users have had to get creative in terms of how they expose sensitive information (secrets, like access credentials) to their monitoring tool; operators typically would leverage local environment variables or give up entirely by putting secrets in the monitoring configuration. But, by putting secrets into your configuration, you’re giving your visibility tool too much visibility, making the wrong data visible to too many eyes.
As an operator and frequent conference speaker, I’ve encountered this far too many times myself: I’d do a demo on stage, and quickly (as in immediately after the demo) have to rotate my secrets to prevent others from using those freshly exposed secrets. This had another negative consequence: the fact that my configs contained unique-to-me secrets meant it was hard for others to follow along in the demo and later reuse my examples.
Today, we’re happy to announce the release of secrets management in Sensu Go, which eliminates the need to expose secrets in your Sensu configuration. When a Sensu resource definition requires a secret (like a username or password), Sensu will be able to fetch that info from one or more external secrets providers and provide it to the Sensu component (e.g., a Sensu check) via temporary environment variables.
By leveraging secrets management, you’re able to move secrets out of your Sensu config, giving you the ability to safely, easily, and confidently share your Sensu configurations with your fellow Sensu users. Now, when I give a public demo, my configurations will use secrets management, so my fellow operators can easily follow along and reuse my configs — they simply have to choose a secrets provider and create the Sensu secrets resources referenced in the demo with a simple:
sensuctl create -f secrets.yml
Alternatively, they can create a YAML file containing each secrets resource and use the command above to load it into their Sensu cluster.
How it works
As of Sensu Go 5.17 (download it here if you haven’t already), there’s a new configuration resource known as secrets, which gives you access to two secrets providers (with more coming soon): the system environment and HashiCorp Vault. You’ll configure a secrets provider for a particular namespace; once you’re done, you can create one or more Sensu secrets resources that reference secrets managed by that provider. For example, you could create a Sensu secret called database_username that points to a specific HashiCorp Vault secret key. From there, you’d reference that Sensu secret in other resource configurations, like an event handler, and Sensu would fetch that secret — on demand — and provide it to the handler at execution through an environment variable. To keep things even more secure, the Sensu backend will automatically handle leases on sensitive information, such as HashiCorp Vault secrets. Sensu will only cache a secret for the amount of time dictated by Vault. Note that this only applies to Vault: environment variables are persistent, so there’s no cache for the environment provider — it’s simply a local lookup. It also requires that you keep the environment variables consistent across every Sensu backend.
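As an added example (not from the original post), here are the resource definitions the section describes, written against Sensu's secrets/v1 API: a Vault provider, one secret backed by Vault, one backed by the built-in env provider, and a check that consumes both. The Vault address, token, KV path, variable names and check command are placeholders.

```yaml
# 1. A Vault secrets provider. The Vault token is the one value that still
#    reaches the backend out of band; it is never written into shared configs.
---
type: VaultProvider
api_version: secrets/v1
metadata:
  name: vault
spec:
  client:
    address: https://vault.example.internal:8200   # placeholder
    token: VAULT_TOKEN_PLACEHOLDER                   # never commit a real token
    version: v1                                      # Vault KV engine version
# 2. A Sensu secret pointing at a Vault KV key, written as path#key.
---
type: Secret
api_version: secrets/v1
metadata:
  name: database_password
  namespace: default
spec:
  id: secret/database#password
  provider: vault
# 3. A secret backed by the built-in "env" provider: the backend reads DB_USER
#    from its own environment, so it must be set identically on every backend.
---
type: Secret
api_version: secrets/v1
metadata:
  name: database_username
  namespace: default
spec:
  id: DB_USER
  provider: env
# 4. A check that consumes both. Sensu exposes each secret as an environment
#    variable named by "name" only for the duration of the check execution.
---
type: CheckConfig
api_version: core/v2
metadata:
  name: postgres-health
  namespace: default
spec:
  command: check-postgres.sh --user "$DB_USER" --password "$DB_PASS"
  interval: 60
  subscriptions: [postgres]
  secrets:
  - name: DB_USER
    secret: database_username
  - name: DB_PASS
    secret: database_password
```

Because the check definition carries only references, the file can be committed and shared as-is; a reader who loads it with sensuctl supplies their own Vault and environment values.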
Try it out!
Secrets management is only available in our commercial distribution, which is free to use up to 100 entities. Head over to our downloads page to download the latest version of Sensu, and check out our reference documentation to try it out for yourself.
We’re so excited about this feature, not just because it means a more secure Sensu — the Vault and environment providers mean anyone can use secrets management within Sensu, which enables a free flow of configuration sharing within our community, so folks can learn even more from one another. And, whenever we create Sensu documentation or demos, we’ll be certain to use secrets management so those solutions can be reused, too. Our ultimate goal is to empower operators through sharing — with secrets management, our community can freely share their configs and solutions with other operators, so we can all learn from and support each other.
We’d love for you to share your solutions (or questions!) around secrets management in our Community Forum.