Creating Global ENV Secrets

We attempted to remove the metadata tag for namespaces. However, that didn’t solve the issue. We are looking for something similar to the global tag “--all-namespaces.”

The Reference Article: Use secrets management in Sensu - Sensu Docs

For example, we have ~30 namespaces that all rely on the same PagerDuty API key. However, the namespace is a required field for env secret creation. This requires us to make a new secret and handler for each namespace.

Sensu version 6.2.5, Cluster Setup with ENV secrets.

I currently don’t see a GitHub issue for this particular issue.


Hey,

I think I’m missing part of this conversation. You refer to an unsolved issue, but it’s not clear what you are referring to.

Are you looking for a feature in sensuctl that will allow you to use sensuctl create and populate all namespaces if the namespace metadata in the resource file is blank?

Yes, that’s correct. If there was an option for sensuctl create to apply to all namespaces, that would help with this and adding assets.

Real quick, you can do this sort of thing with a small shell script.

Bash shell example:
Let’s say I want to create a secret called test_secret using the env secrets provider, referencing the backend envvar SECRET_TEST_TOKEN.

I’d create a resource definition test_secret.yml like this:

type: Secret
api_version: secrets/v1
metadata:
  name: test_secret
spec:
  id: SECRET_TEST_TOKEN
  provider: env

No namespace defined in the file.

I can individually call sensuctl create -f test_secret.yml --namespace <whatever> for each namespace, or I can use a small shell for loop using sensuctl and jq to do it for all namespaces.

First let’s get all the namespaces with jq:

namespaces=$(sensuctl namespace list --format json | jq -r '.[].name')

Note: the -r option (raw output) to jq is critical in this situation; you usually need it if you want to use jq output to drive any sort of scripted action.

Now loop over namespaces:

for name in $namespaces; do sensuctl create -f test_secret.yml --namespace "$name"; done

Assuming you have sensuctl configured with full cluster admin access, that should propagate the secret in all namespaces.

Hopefully this helps.
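
A more defensive form of the loop in the post above, as an added example that is not part of the original thread or Sensu's own tooling: it refuses a resource file that sets its own namespace (sensuctl gives a namespace in the definition precedence over --namespace), keeps going when one namespace fails, and reports which ones were missed. The function names and the SENSUCTL override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread). SENSUCTL is a hypothetical override
# so the command can be pointed at a wrapper or a stub.
SENSUCTL="${SENSUCTL:-sensuctl}"

# Heuristic for YAML files like test_secret.yml: true if any indented
# "namespace: <value>" line is present. A namespace in the definition wins
# over --namespace, so the loop would write to one namespace every time.
has_pinned_namespace() {
  grep -Eq '^[[:space:]]+namespace:[[:space:]]*[^[:space:]]' "$1"
}

# Reads namespace names on stdin, one per line, and applies FILE to each.
# Prints "ok <ns>" or "FAILED <ns>"; returns 0 only if every create
# succeeded, 1 if any failed, 2 if FILE was refused or unreadable.
apply_to_namespaces() {
  atn_file="$1"
  atn_failed=0
  if [ ! -r "$atn_file" ]; then
    echo "refusing $atn_file: not readable" >&2
    return 2
  fi
  if has_pinned_namespace "$atn_file"; then
    echo "refusing $atn_file: it sets its own namespace" >&2
    return 2
  fi
  while IFS= read -r atn_ns || [ -n "$atn_ns" ]; do
    [ -n "$atn_ns" ] || continue
    # </dev/null keeps sensuctl from consuming the namespace list on stdin.
    if "$SENSUCTL" create -f "$atn_file" --namespace "$atn_ns" </dev/null; then
      echo "ok $atn_ns"
    else
      echo "FAILED $atn_ns"
      atn_failed=1
    fi
  done
  return "$atn_failed"
}

# Against a live backend (needs jq and a sensuctl session with cluster-wide rights):
#   sensuctl namespace list --format json | jq -r '.[].name' \
#     | apply_to_namespaces test_secret.yml
```
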

Thank you, that certainly helps. However, just for others that run into similar issues, they’ll need to put quotes around ".[].name".

Weird, worked for me locally in my terminal shell just now.

Also, you may be interested in this…

This is a reference implementation for a way to make it possible to manage Sensu resources from CI/CD. The idea being, making it possible to manage resources in namespaces using git-based CI/CD workflows.

We have a GitHub Action reference integration up and available now, but the underlying script logic should be usable in other CI/CD platforms with a little work.

https://github.com/marketplace/actions/SensuFlow

We are currently using Sensu Flow as well. In version 4.0, the pruning ability isn’t working due to an issue parsing the INPUT_MATCHING_CONDITION. However, it looks like your most recent commit fixed that issue. Any indication when the new version of flow will be released?

Working on it.
I expect an 0.5 release today or tomorrow.
I think if you set the matching condition explicitly in your GitHub Action or env, it works… it’s just that the default fallback value doesn’t work as intended in 0.4.