Hello,
I am using the latest version of Sensu 6.4 EE.
Since yesterday I have been trying to marry Sensu with Vault.
Unfortunately without success.
I use a Vault KV v2:
vault kv get monitoring/d03/ttza/prod/00001.01
====== Metadata ======
Key              Value
---              -----
created_time     2021-08-12T15:08:20.997820358Z
deletion_time    n/a
destroyed        false
version          1

====== Data ======
Key         Value
---         -----
name        00001.01
password    TOPSECRET
In Sensu I have configured the following:
---
type: Secret
api_version: secrets/v1
metadata:
  labels:
    sensu.io/workflow: sensu-flow
  name: 00001_password
spec:
  provider: vault
  id: monitoring/d03/ttza/prod#00001.01#password
---
type: VaultProvider
api_version: secrets/v1
metadata:
  labels:
    sensu.io/workflow: sensu-flow
  name: vault
spec:
  client:
    address: https://vault.domain.example:8200
    token: s.12343535345345345345
    version: v2
    tls:
      insecure: true
    max_retries: 2
    timeout: 20s
    rate_limiter:
      limit: 10
      burst: 100
---
type: CheckConfig
api_version: core/v2
metadata:
  annotations:
    fatigue_check/occurrences: "3"
  labels:
    sensu.io/workflow: sensu-flow
  name: sensu-check-client
spec:
  command: echo "$USERNAME $PASSWORD"
  secrets:
  - name: PASSWORD
    secret: 00001_password
  env_vars:
  - USERNAME={{ .labels.username }}
  handlers:
  - opsgenie
  high_flap_threshold: 60
  interval: 120
  low_flap_threshold: 20
  output_metric_format: ""
  proxy_entity_name: check-client
  proxy_requests:
    entity_attributes:
    - entity.entity_class == 'proxy'
    - entity.labels.proxy_type == 'check-client'
    splay: true
    splay_coverage: 90
  publish: true
  round_robin: true
  runtime_assets:
  - sensu-check-client
  stdin: false
  subscriptions:
  - proxy
  timeout: 80
  ttl: 0
The output always looks like this:
00001.01 PASSWORD
So the variable name is used, not the password.
In the logs I also don’t see any attempt or error message.
Also, I don’t see any request from the Vault server.
The Sensu server is set to debug logging.
sensu-backend start --insecure-skip-tls-verify --log-level debug --debug