Etcd replicators

Create a replicator
Delete a replicator
Replicator configuration
etcd-replicators specification
Example etcd-replicators resources

COMMERCIAL FEATURE: Access the etcd-replicators datatype in the packaged Sensu Go distribution. For more information, see the getting started guide.

NOTE: etcd-replicators is a datatype in the federation API, which is only accessible for users who have a cluster role that permits access to replication resources.

etcd-replicators allows you to manage RBAC resources in one place and mirror the changes to follower clusters. The API sets up etcd mirrors for one-way key replication.

The etcd-replicators datatype will not use a namespace because it applies cluster-wide. Therefore, only cluster role RBAC bindings will apply to it.

Create a replicator

You can use sensuctl create or the Sensu web UI to create replicators.

When you create or update a replicator, an entry is added to the store and a new replicator process will spin up. The replicator process watches the keyspace of the resource to be replicated and replicates all keys to the specified cluster in a last-write-wins fashion.

When the cluster starts up, each sensu-backend scans the stored replicator definitions and starts a replicator process for each replicator definition. Source clusters with multiple sensu-backends will cause redundant writes to occur. This is harmless but should be taken into account when designing a replicated system.

Delete a replicator

When you delete a replicator, the replicator will issue delete events to the remote cluster for all of the keys in its prefix. It will not issue a delete of the entire key prefix (just in case the prefix is shared by keys that are local to the remote cluster).

Rather than altering an existing replicator’s connection details, delete and recreate the replicator with the new connection details.

Replicator configuration

Replicator is an etcd key space replicator. It contains configuration for forwarding a set of keys from one etcd cluster to another. Replicators are configured by specifying the TLS details of the remote cluster, its URL, and a resource type.

etcd-replicators specification

Top-level attributes

type
description	Top-level attribute that specifies the `sensuctl create` resource type. This attribute should be `EtcdReplicator.`
required	true
type	String
example	`type: EtcdReplicator`

api_version
description	Top-level attribute that specifies the Sensu API version of the etcd-replicators API. Always `federation/v1`.
required	true
type	String
example	`api_version: federation/v1`

metadata
description	Top-level scope that contains the replicator `name`. Namespace is not supported in the metadata because EtcdReplicators are cluster-wide resources.
required	true
type	Map of key-value pairs
example	`metadata: name: my_replicator`

spec
description	Top-level map that includes the replicator spec attributes.
required	true
type	Map of key-value pairs
example	`spec: ca_cert: /path/to/ssl/trusted-certificate-authorities.pem cert: /path/to/ssl/cert.pem key: /path/to/ssl/key.pem insecure: false url: http://127.0.0.1:2379 api_version: core/v2 resource: Role replication_interval_seconds: 30`

Metadata attributes

name
description	The replicator name used internally by Sensu.
required	true
type	String
example	`name: my_replicator`

Spec attributes

ca_cert
description	Path to an the PEM-format CA certificate to use for TLS client authentication.
required	true if `insecure: false` (which is the default configuration). If `insecure: true`, `ca_cert` is not required.
type	String
example	`ca_cert: /path/to/trusted-certificate-authorities.pem`

cert
description	Path to the PEM-format certificate to use for TLS client authentication.
required	true if `insecure: false` (which is the default configuration). If `insecure: true`, `cert` is not required.
type	String
example	`cert: /path/to/ssl/cert.pem`

key
description	Path to the PEM-format key file associated with the `cert` to use for TLS client authentication.
required	true if `insecure: false` (which is the default configuration). If `insecure: true`, `key` is not required.
type	String
example	`key: /path/to/ssl/key.pem`

insecure
description	`true` to disable transport security. Otherwise, `false`. Default is `false`. NOTE: Disable transport security with care.
required	false
type	String
example	`insecure: false`

url
description	Destination cluster URL. If specifying more than one, use a comma to separate.
required	true
type	String
example	`url: http://127.0.0.1:2379`

api_version
description	Sensu API version of the resource to replicate. Default is `core/v2`.
required	false
type	String
example	`api_version: core/v2`

resource
description	Name of the resource to replicate.
required	true
type	String
example	`resource: Role`

namespace
description	Namespace to constrain replication to. If you do not include `namespace`, all namespaces for a given resource are replicated.
required	false
type	String
example	`namespace: default`

replication_interval_seconds
description	The interval at which the resource will be replicated. In seconds. Default is 30.
required	false
type	String
example	`replication_interval_seconds: 30`

Example etcd-replicators resources

If you replicate the following four examples for Role, RoleBinding, ClusterRole, and ClusterRoleBinding resources, you can expect a full replication of RBAC policy.

NOTE: If you do not specify a namespace when you create a replicator, all namespaces for a given resource are replicated.

Example `Role` resource

api_version: federation/v1
type: EtcdReplicator
metadata:
  name: role_replicator
spec:
  ca_cert: /path/to/ssl/trusted-certificate-authorities.pem
  cert: /path/to/ssl/cert.pem
  key: /path/to/ssl/key.pem
  insecure: false
  url: http://127.0.0.1:2379
  api_version: core/v2
  resource: Role
  replication_interval_seconds: 30

{
  "api_version": "federation/v1",
  "type": "EtcdReplicator",
  "metadata": {
    "name": "role_replicator"
  },
  "spec": {
    "ca_cert": "/path/to/ssl/trusted-certificate-authorities.pem",
    "cert": "/path/to/ssl/cert.pem",
    "key": "/path/to/ssl/key.pem",
    "insecure": false,
    "url": "http://127.0.0.1:2379",
    "api_version": "core/v2",
    "resource": "Role",
    "replication_interval_seconds": 30
  }
}

Example `RoleBinding` resource

api_version: federation/v1
type: EtcdReplicator
metadata:
  name: rolebinding_replicator
spec:
  ca_cert: /path/to/ssl/trusted-certificate-authorities.pem
  cert: /path/to/ssl/cert.pem
  key: /path/to/ssl/key.pem
  insecure: false
  url: http://127.0.0.1:2379
  api_version: core/v2
  resource: RoleBinding
  replication_interval_seconds: 30

{
  "api_version": "federation/v1",
  "type": "EtcdReplicator",
  "metadata": {
    "name": "rolebinding_replicator"
  },
  "spec": {
    "ca_cert": "/path/to/ssl/trusted-certificate-authorities.pem",
    "cert": "/path/to/ssl/cert.pem",
    "key": "/path/to/ssl/key.pem",
    "insecure": false,
    "url": "http://127.0.0.1:2379",
    "api_version": "core/v2",
    "resource": "RoleBinding",
    "replication_interval_seconds": 30
  }
}

Example `ClusterRole` resource

api_version: federation/v1
type: EtcdReplicator
metadata:
  name: clusterrole_replicator
spec:
  ca_cert: /path/to/ssl/trusted-certificate-authorities.pem
  cert: /path/to/ssl/cert.pem
  key: /path/to/ssl/key.pem
  insecure: false
  url: http://127.0.0.1:2379
  api_version: core/v2
  resource: ClusterRole
  replication_interval_seconds: 30

{
  "api_version": "federation/v1",
  "type": "EtcdReplicator",
  "metadata": {
    "name": "clusterrole_replicator"
  },
  "spec": {
    "ca_cert": "/path/to/ssl/trusted-certificate-authorities.pem",
    "cert": "/path/to/ssl/cert.pem",
    "key": "/path/to/ssl/key.pem",
    "insecure": false,
    "url": "http://127.0.0.1:2379",
    "api_version": "core/v2",
    "resource": "ClusterRole",
    "replication_interval_seconds": 30
  }
}

Example `ClusterRoleBinding` resource

api_version: federation/v1
type: EtcdReplicator
metadata:
  name: clusterrolebinding_replicator
spec:
  ca_cert: /path/to/ssl/trusted-certificate-authorities.pem
  cert: /path/to/ssl/cert.pem
  key: /path/to/ssl/key.pem
  insecure: false
  url: http://127.0.0.1:2379
  api_version: core/v2
  resource: Role
  replication_interval_seconds: 30

{
  "api_version": "federation/v1",
  "type": "EtcdReplicator",
  "metadata": {
    "name": "clusterrolebinding_replicator"
  },
  "spec": {
    "ca_cert": "/path/to/ssl/trusted-certificate-authorities.pem",
    "cert": "/path/to/ssl/cert.pem",
    "key": "/path/to/ssl/key.pem",
    "insecure": false,
    "url": "http://127.0.0.1:2379",
    "api_version": "core/v2",
    "resource": "ClusterRoleBinding",
    "replication_interval_seconds": 30
  }
}

About Sensu

The Sensu monitoring event pipeline empowers businesses to automate their monitoring workflows and gain deep visibility into their multi-cloud infrastructure, from Kubernetes to bare metal. Companies like Sony, Box.com, and Activision rely on Sensu to help deliver value faster, at scale.

Get In Touch

Our team is here to help. Contact us here or give us a call at 1-855-99-SENSU.

Join Our Community

Become a member of the Sensu community and get access to the community Slack channel and our weekly newsletter containing updates about Sensu.