Sensu Go token expansion and redaction

I have two entity definitions (that actually point to the same entity): one with redacted labels and one without. Against both entities, I’m running two almost identical checks that use the redacted labels in the command. For each almost identical check, I implemented two versions: one using ‘index .labels “ldap.password”’ and the other using “labels.ldap.password”.

All the checks that run against the entity where the labels are not redacted succeed. All the checks that run against the entity where the labels are redacted fail. Is there an issue with using a redacted label in the command line? If not, can you help me figure out what I’m doing wrong?

I’m running Sensu Go 5.17.2 backend server and agent.

alex.yml

type: Entity
api_version: core/v2
sensu_agent_version: 1.0.0
metadata:
  labels:
    hardware: "synology"
    ldap_server:  "true"
    ldap_password: "3vr52000"
    ldap_port: "389"
    ldap_user: "'uid=root,cn=users,dc=alexandria,dc=cyberbears,dc=net'"
    ldap_base: "'dc=alexandria,dc=cyberbears,dc=net'"
    snmp_password: "public"
  name: alex.cyberbears.net
  namespace: default
spec:
  deregister: false
  deregistration: {}
  entity_class: proxy
  last_seen: 0
  redact: 
  system:
    network:
      interfaces: null

alexandria.yml

type: Entity
api_version: core/v2
sensu_agent_version: 1.0.0
metadata:
  labels:
    hardware: "synology"
    ldap_server:  "true"
    ldap_password: "3vr52000"
    ldap_port: "389"
    ldap_user: "'uid=root,cn=users,dc=alexandria,dc=cyberbears,dc=net'"
    ldap_base: "'dc=alexandria,dc=cyberbears,dc=net'"
    snmp_password: "public"
  name: alexandria.cyberbears.net
  namespace: default
spec:
  deregister: false
  deregistration: {}
  entity_class: proxy
  last_seen: 0
  redact: 
  - snmp_password
  - ldap_password
  system:
    network:
      interfaces: null

Entity Differences

diff alex.yml alexandria.yml 
13c13
<   name: alex.cyberbears.net
---
>   name: alexandria.cyberbears.net
20a21,22
>   - snmp_password
>   - ldap_password

ldap_server1.yml

type: CheckConfig
api_version: core/v2
metadata:
  name: ldap_server1
  namespace: default
spec:
  command: check_ldap -H {{ .name }}  -b {{ index .labels "ldap_base" }} -D {{ index .labels "ldap_user" }} -3 -P {{ index .labels "ldap_password" }} -p  {{ index .labels "ldap_port" | default 389 }}
  interval: 10
  proxy_requests:
    entity_attributes:
    - entity.entity_class == 'proxy'
    - entity.labels.ldap_server == 'true'
  publish: true
  subscriptions:
  - sensu-proxy
  runtime_assets:
  - base_nagios_plugins

ldap_server2.yml

type: CheckConfig
api_version: core/v2
metadata:
  name: ldap_server2
  namespace: default
spec:
  command: check_ldap -H {{ .name }}  -b {{ index .labels "ldap_base" }} -D {{ index .labels "ldap_user" }} -3 -P {{ .labels.ldap_password  }} -p  {{ index .labels "ldap_port" | default 389 }}
  interval: 10
  proxy_requests:
    entity_attributes:
    - entity.entity_class == 'proxy'
    - entity.labels.ldap_server == 'true'
  publish: true
  subscriptions:
  - sensu-proxy
  runtime_assets:
  - base_nagios_plugins

synology_status1.yml

type: CheckConfig
api_version: core/v2
metadata:
  name: synology_status1
  namespace: default
spec:
  command: check_snmp_synology -2 {{ .labels.snmp_password }} -h {{ .name }} -v
  interval: 10
  proxy_requests:
    entity_attributes:
    - entity.entity_class == 'proxy'
    - entity.labels.hardware == 'synology'
  publish: true
  subscriptions:
  - sensu-proxy
  runtime_assets:
  - synology_plugins

synology_status2.yml

type: CheckConfig
api_version: core/v2
metadata:
  name: synology_status2
  namespace: default
spec:
  command: check_snmp_synology -2 {{ index .labels "snmp_password" }} -h {{ .name }} -v
  interval: 10
  proxy_requests:
    entity_attributes:
    - entity.entity_class == 'proxy'
    - entity.labels.hardware == 'synology'
  publish: true
  subscriptions:
  - sensu-proxy
  runtime_assets:
  - synology_plugins

I found this on sensu’s github; the posting is kind of old. Have there been any updates?
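To make the behaviour asked about above concrete, here is an added Go example (not code from the original post or from the Sensu project) that performs token substitution over the ldap_server1 command with Go's text/template, first against an entity with plain labels and then against a copy in which the redact-listed labels have been replaced. It assumes that redaction replaces a value with a fixed marker before the entity is handed to the check (the marker text `REDACTED`, the `Entity` type, the `Redacted`/`Render` helpers and the `default` template function are all assumptions of this example; Sensu ships its own), and the label values are constructed placeholders rather than the ones on the page.

```go
package main

import (
	"bytes"
	"fmt"
	"text/template"
)

// Entity models only the parts of a Sensu entity the page's checks touch:
// the name, the labels and the redact list. It is a stand-in, not Sensu's type.
type Entity struct {
	Name   string
	Labels map[string]string
	Redact []string
}

// RedactedMarker is the placeholder this example assumes replaces redacted
// label values once an entity has been redacted.
const RedactedMarker = "REDACTED"

// LDAPCommand is the ldap_server1 command from the page, verbatim.
const LDAPCommand = `check_ldap -H {{ .name }}  -b {{ index .labels "ldap_base" }} -D {{ index .labels "ldap_user" }} -3 -P {{ index .labels "ldap_password" }} -p  {{ index .labels "ldap_port" | default 389 }}`

// SampleEntity builds a constructed entity with the same label names and
// redact list as alexandria.yml; the values are placeholders, not the page's.
func SampleEntity() Entity {
	return Entity{
		Name: "alexandria.example.net",
		Labels: map[string]string{
			"hardware":      "synology",
			"ldap_server":   "true",
			"ldap_password": "example-password",
			"ldap_port":     "389",
			"ldap_user":     "'uid=root,cn=users,dc=example,dc=net'",
			"ldap_base":     "'dc=example,dc=net'",
			"snmp_password": "example-community",
		},
		Redact: []string{"snmp_password", "ldap_password"},
	}
}

// Redacted returns a copy of e in which every label named in e.Redact carries
// RedactedMarker. This models the assumption that redaction happens before the
// entity reaches the check, so the template never sees the real value.
func Redacted(e Entity) Entity {
	out := Entity{Name: e.Name, Labels: make(map[string]string, len(e.Labels)), Redact: e.Redact}
	for k, v := range e.Labels {
		out.Labels[k] = v
	}
	for _, k := range e.Redact {
		if _, ok := out.Labels[k]; ok {
			out.Labels[k] = RedactedMarker
		}
	}
	return out
}

// Render substitutes tokens in command with text/template, exposing .name and
// .labels the way the page's check commands reference them. A minimal
// `default` function is registered because the command pipes through one.
func Render(command string, e Entity) (string, error) {
	funcs := template.FuncMap{
		// `x | default d` calls default(d, x): fall back to d when x is unset.
		"default": func(def, val interface{}) interface{} {
			if val == nil || val == "" {
				return def
			}
			return val
		},
	}
	tmpl, err := template.New("command").Funcs(funcs).Parse(command)
	if err != nil {
		return "", err
	}
	data := map[string]interface{}{"name": e.Name, "labels": e.Labels}
	var buf bytes.Buffer
	if err := tmpl.Execute(&buf, data); err != nil {
		return "", err
	}
	return buf.String(), nil
}

func main() {
	e := SampleEntity()
	for _, variant := range []struct {
		label  string
		entity Entity
	}{{"plain labels", e}, {"redacted labels", Redacted(e)}} {
		cmd, err := Render(LDAPCommand, variant.entity)
		if err != nil {
			fmt.Println(variant.label, "error:", err)
			continue
		}
		fmt.Printf("%-16s %s\n", variant.label+":", cmd)
	}
}
```

Under these assumptions the plain entity renders `-P example-password`, while the redacted copy renders `-P REDACTED`: the substitution itself succeeds in both cases, but the command built from the redacted entity carries the marker instead of a credential, which is the failure the question describes. Both `index .labels "ldap_password"` and `.labels.ldap_password` resolve the same map key, so switching between them cannot change the outcome.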

Hi @KendallChenoweth,

We released secrets management (guide & reference docs) in 5.17 which solves this exact problem. Using token substitution & redaction with proxy entities is simply not possible with the current architecture.

Thanks
