Etcd replicators
COMMERCIAL FEATURE: Access the etcd-replicators datatype in the packaged Sensu Go distribution. For more information, see the getting started guide.
NOTE: etcd-replicators is a datatype in the federation API, which is only accessible for users who have a cluster role that permits access to replication resources.
etcd-replicators allows you to manage RBAC resources in one place and mirror the changes to follower clusters. The API sets up etcd mirrors for one-way key replication.
The etcd-replicators datatype will not use a namespace because it applies cluster-wide. Therefore, only cluster role RBAC bindings will apply to it.
Create a replicator
You can use sensuctl create or the Sensu web UI to create replicators.
When you create or update a replicator, an entry is added to the store and a new replicator process will spin up. The replicator process watches the keyspace of the resource to be replicated and replicates all keys to the specified cluster in a last-write-wins fashion.
When the cluster starts up, each sensu-backend scans the stored replicator definitions and starts a replicator process for each replicator definition. Source clusters with multiple sensu-backends will cause redundant writes to occur. This is harmless but should be taken into account when designing a replicated system.
Delete a replicator
When you delete a replicator, the replicator will issue delete events to the remote cluster for all of the keys in its prefix. It will not issue a delete of the entire key prefix (just in case the prefix is shared by keys that are local to the remote cluster).
Rather than altering an existing replicator’s connection details, delete and recreate the replicator with the new connection details.
Replicator configuration
A replicator is an etcd key space replicator: it holds the configuration for forwarding a set of keys from one etcd cluster to another. Replicators are configured by specifying the remote cluster's URL, its TLS details, and a resource type.
etcd-replicators specification
Top-level attributes

| type | |
|---|---|
| description | Top-level attribute that specifies the sensuctl create resource type. This attribute should be EtcdReplicator. |
| required | true |
| type | String |
| example | type: EtcdReplicator |

| api_version | |
|---|---|
| description | Top-level attribute that specifies the Sensu API version of the etcd-replicators API. Always federation/v1. |
| required | true |
| type | String |
| example | api_version: federation/v1 |

| metadata | |
|---|---|
| description | Top-level scope that contains the replicator name. Namespace is not supported in the metadata because EtcdReplicators are cluster-wide resources. |
| required | true |
| type | Map of key-value pairs |
| example | (YAML below) |

```yaml
metadata:
  name: my_replicator
```

| spec | |
|---|---|
| description | Top-level map that includes the replicator spec attributes. |
| required | true |
| type | Map of key-value pairs |
| example | (YAML below) |

```yaml
spec:
  ca_cert: /path/to/ssl/trusted-certificate-authorities.pem
  cert: /path/to/ssl/cert.pem
  key: /path/to/ssl/key.pem
  insecure: false
  url: http://127.0.0.1:2379
  api_version: core/v2
  resource: Role
  replication_interval_seconds: 30
```

| name | |
|---|---|
| description | The replicator name used internally by Sensu. |
| required | true |
| type | String |
| example | name: my_replicator |
Spec attributes

| ca_cert | |
|---|---|
| description | Path to the PEM-format CA certificate to use for TLS client authentication. |
| required | true if insecure: false (the default configuration). If insecure: true, ca_cert is not required. |
| type | String |
| example | ca_cert: /path/to/trusted-certificate-authorities.pem |

| cert | |
|---|---|
| description | Path to the PEM-format certificate to use for TLS client authentication. |
| required | true if insecure: false (the default configuration). If insecure: true, cert is not required. |
| type | String |
| example | cert: /path/to/ssl/cert.pem |

| key | |
|---|---|
| description | Path to the PEM-format key file associated with the cert to use for TLS client authentication. |
| required | true if insecure: false (the default configuration). If insecure: true, key is not required. |
| type | String |
| example | key: /path/to/ssl/key.pem |

| insecure | |
|---|---|
| description | true to disable transport security. Otherwise, false. Default is false. NOTE: Disable transport security with care. |
| required | false |
| type | String |
| example | insecure: false |

| url | |
|---|---|
| description | Destination cluster URL. To specify more than one, separate them with commas. |
| required | true |
| type | String |
| example | url: http://127.0.0.1:2379 |

| api_version | |
|---|---|
| description | Sensu API version of the resource to replicate. Default is core/v2. |
| required | false |
| type | String |
| example | api_version: core/v2 |

| resource | |
|---|---|
| description | Name of the resource to replicate. |
| required | true |
| type | String |
| example | resource: Role |

| namespace | |
|---|---|
| description | Namespace to constrain replication to. If you do not include namespace, all namespaces for a given resource are replicated. |
| required | false |
| type | String |
| example | |

| replication_interval_seconds | |
|---|---|
| description | Interval, in seconds, at which the resource is replicated. Default is 30. |
| required | false |
| type | String |
| example | replication_interval_seconds: 30 |
Example etcd-replicators resources
If you replicate the following four examples for Role, RoleBinding, ClusterRole, and ClusterRoleBinding resources, you can expect a full replication of RBAC policy.
NOTE: If you do not specify a namespace when you create a replicator, all namespaces for a given resource are replicated.
Example Role resource

```yaml
api_version: federation/v1
type: EtcdReplicator
metadata:
  name: role_replicator
spec:
  ca_cert: /path/to/ssl/trusted-certificate-authorities.pem
  cert: /path/to/ssl/cert.pem
  key: /path/to/ssl/key.pem
  insecure: false
  url: http://127.0.0.1:2379
  api_version: core/v2
  resource: Role
  replication_interval_seconds: 30
```

```json
{
  "api_version": "federation/v1",
  "type": "EtcdReplicator",
  "metadata": {
    "name": "role_replicator"
  },
  "spec": {
    "ca_cert": "/path/to/ssl/trusted-certificate-authorities.pem",
    "cert": "/path/to/ssl/cert.pem",
    "key": "/path/to/ssl/key.pem",
    "insecure": false,
    "url": "http://127.0.0.1:2379",
    "api_version": "core/v2",
    "resource": "Role",
    "replication_interval_seconds": 30
  }
}
```
Example RoleBinding resource

```yaml
api_version: federation/v1
type: EtcdReplicator
metadata:
  name: rolebinding_replicator
spec:
  ca_cert: /path/to/ssl/trusted-certificate-authorities.pem
  cert: /path/to/ssl/cert.pem
  key: /path/to/ssl/key.pem
  insecure: false
  url: http://127.0.0.1:2379
  api_version: core/v2
  resource: RoleBinding
  replication_interval_seconds: 30
```

```json
{
  "api_version": "federation/v1",
  "type": "EtcdReplicator",
  "metadata": {
    "name": "rolebinding_replicator"
  },
  "spec": {
    "ca_cert": "/path/to/ssl/trusted-certificate-authorities.pem",
    "cert": "/path/to/ssl/cert.pem",
    "key": "/path/to/ssl/key.pem",
    "insecure": false,
    "url": "http://127.0.0.1:2379",
    "api_version": "core/v2",
    "resource": "RoleBinding",
    "replication_interval_seconds": 30
  }
}
```
Example ClusterRole resource

```yaml
api_version: federation/v1
type: EtcdReplicator
metadata:
  name: clusterrole_replicator
spec:
  ca_cert: /path/to/ssl/trusted-certificate-authorities.pem
  cert: /path/to/ssl/cert.pem
  key: /path/to/ssl/key.pem
  insecure: false
  url: http://127.0.0.1:2379
  api_version: core/v2
  resource: ClusterRole
  replication_interval_seconds: 30
```

```json
{
  "api_version": "federation/v1",
  "type": "EtcdReplicator",
  "metadata": {
    "name": "clusterrole_replicator"
  },
  "spec": {
    "ca_cert": "/path/to/ssl/trusted-certificate-authorities.pem",
    "cert": "/path/to/ssl/cert.pem",
    "key": "/path/to/ssl/key.pem",
    "insecure": false,
    "url": "http://127.0.0.1:2379",
    "api_version": "core/v2",
    "resource": "ClusterRole",
    "replication_interval_seconds": 30
  }
}
```
Example ClusterRoleBinding resource

```yaml
api_version: federation/v1
type: EtcdReplicator
metadata:
  name: clusterrolebinding_replicator
spec:
  ca_cert: /path/to/ssl/trusted-certificate-authorities.pem
  cert: /path/to/ssl/cert.pem
  key: /path/to/ssl/key.pem
  insecure: false
  url: http://127.0.0.1:2379
  api_version: core/v2
  resource: ClusterRoleBinding
  replication_interval_seconds: 30
```

```json
{
  "api_version": "federation/v1",
  "type": "EtcdReplicator",
  "metadata": {
    "name": "clusterrolebinding_replicator"
  },
  "spec": {
    "ca_cert": "/path/to/ssl/trusted-certificate-authorities.pem",
    "cert": "/path/to/ssl/cert.pem",
    "key": "/path/to/ssl/key.pem",
    "insecure": false,
    "url": "http://127.0.0.1:2379",
    "api_version": "core/v2",
    "resource": "ClusterRoleBinding",
    "replication_interval_seconds": 30
  }
}
```
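As an added example that is not part of the Sensu project or this page, the Python below lints a parsed EtcdReplicator definition against the attribute rules described above (required attributes, the TLS client files that the default insecure: false makes mandatory, the unsupported metadata namespace, and the all-namespaces default) and builds the four RBAC replicators shown above from one shared connection spec. It works on a dict, so it accepts the JSON form here or YAML parsed by any YAML library; the function names and the constructed sample are assumptions, not Sensu's API.

```python
import json

RBAC_RESOURCES = ("Role", "RoleBinding", "ClusterRole", "ClusterRoleBinding")
TLS_FILES = ("ca_cert", "cert", "key")


def lint_replicator(doc):
    """Return (errors, warnings) for one parsed EtcdReplicator definition."""
    errors, warnings = [], []
    if doc.get("type") != "EtcdReplicator":
        errors.append("type must be EtcdReplicator")
    if doc.get("api_version") != "federation/v1":
        errors.append("api_version must be federation/v1")
    meta, spec = doc.get("metadata") or {}, doc.get("spec") or {}
    if not meta.get("name"):
        errors.append("metadata.name is required")
    if "namespace" in meta:  # cluster-wide resource: no namespace in metadata
        errors.append("metadata.namespace is not supported on EtcdReplicator")
    for key in ("url", "resource"):
        if not spec.get(key):
            errors.append("spec.%s is required" % key)
    if spec.get("insecure", False):
        warnings.append("insecure: true disables transport security to %s" % spec.get("url"))
    else:  # the default insecure: false makes all three TLS client files mandatory
        for key in TLS_FILES:
            if not spec.get(key):
                errors.append("spec.%s is required when insecure is false" % key)
    if "namespace" not in spec:  # page: omitting namespace replicates every namespace
        warnings.append("no spec.namespace: every namespace of %s is replicated" % spec.get("resource"))
    interval = spec.get("replication_interval_seconds", 30)
    if isinstance(interval, bool) or not isinstance(interval, int) or interval <= 0:
        errors.append("replication_interval_seconds must be a positive integer")
    return errors, warnings


def rbac_replicators(connection):
    """Build the four definitions (one shared connection spec) that replicate full RBAC policy."""
    return [{"api_version": "federation/v1", "type": "EtcdReplicator",
             "metadata": {"name": resource.lower() + "_replicator"},
             "spec": dict(connection, api_version="core/v2", resource=resource)}
            for resource in RBAC_RESOURCES]


# Constructed sample (not from the page): a definition a reviewer should query.
SAMPLE = json.loads('{"api_version": "federation/v1", "type": "EtcdReplicator",'
                    ' "metadata": {"name": "role_replicator"}, "spec": {"insecure": true,'
                    ' "url": "http://127.0.0.1:2379", "resource": "Role"}}')
```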