Github Action for Sensu flow resource management pattern.
This github action will allow you to manage Sensu resources for a namespaces by making use of sensuctl prune and create commands. The sensu prune command is scope by the action's matching_label, matching_condition, and managed_resourcessettings. Please see the sensuctl command documentation for information.
In order to use this action, you'll need to define a Sensu user and associated role based access control.
This action uses a special directory structure, mapping subdirectory names to Sensu namespaces to process. By default the directory processed is namespaces/ but this can be overridden in the action configuration. If this directory exists, each sub directory will be processed as separate Sensu namespace. Example directory structure:
namespaces
└── test-namespace
├── checks
│ ├── check-cpu.yaml
│ ├── check-http.yaml
│ ├── false.yaml
│ └── true.yaml
├── filters
│ └── fatigue-check.yaml
├── handlers
│ └── alert
│ ├── aws-sns.yaml
│ ├── pushover.yaml
│ └── set.yaml
└── mutators
└── check-status.yaml
Using this example, this action would process the test-namespace, pruning the namespace resources according to matching_label, matching_condition, and managed_resourcessettings
If the namespaces.yaml file exists in the working directory (normally the top level of your repository) then this action will be used to create sensu namespaces before attempting to process the namespaces directory.
The Sensu backend url
The Sensu user to auth
The Sensu user password
description: "optional arguments to pass to sensuctl configure"
description: 'Optional Custom CA pem string. Use this if you want to encode the CA pem as a github secret'
description: 'Optional Custom CA file location, this will override sensu_ca_string if used'
description: "Optional directory to process default: 'namespaces' "
description: "Optional YAML file containing Sensu namespace resources to create"
description: "Option Sensu label selector, default: 'sensu.io/workflow'"
description: "Option Sensu label matching condition, default: '== sensu_flow'"
description: 'Optional comma seperated list of managed resources, default: "checks,handlers,filters,mutators,assets,secrets/v1.Secret,roles,role-bindings"'
description: 'Optional boolean argument to to disable sanity checks default: false'
jobs:
sensuflow:
runs-on: ubuntu-latest
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- name: Checkout
uses: actions/checkout@v2
- name: Sensuflow with optional settings
uses: jspaleta/sensuflow-action@v0.0.1
with:
sensu_backend_url: ${{ secrets.SENSU_BACKEND_URL }}
sensu_user: ${{ secrets.SENSU_USER }}
sensu_password: ${{ secrets.SENSU_PASSWORD }}
namespaces_dir: namespaces
matching_label: "sensu.io/workflow"
matching_condition: "== sensu_flow"
Here is an example of an expansive Sensu RBAC policy and user definition configured to use this action with default settings. You may want to use a more restrictive RBAC policy to meet your requirements.
---
type: ClusterRole
api_version: core/v2
metadata:
name: sensu_flow
spec:
rules:
- resources:
- namespaces
- roles
- rolebindings
- assets
- handlers
- checks
- filters
- mutators
- secrets
verbs:
- get
- list
- create
- update
- delete
---
type: ClusterRoleBinding
api_version: core/v2
metadata:
name: sensu_flow
spec:
role_ref:
type: ClusterRole
name: sensu_flow
subjects:
- type: Group
name: sensu_flow
---
type: User
api_version: core/v2
metadata:
name: sensu_flow
spec:
disabled: false
username: sensu_flow
groups:
- sensu_flow
If you would like to adapt this for other CI/CD, the sensuflow.sh script from this repository should all you need. The script should be self-documenting with regard to needed executable dependancies and information concerning environment variables used.
