sensu / sensu-go-chef

Chef Library Cookbook for Sensu Go
https://sensu.io
MIT License

Sensu Go 6.x Agent Entity Management #106

Open calebhailey opened 3 years ago

calebhailey commented 3 years ago

In Sensu Go 6.0 the source of truth for a Sensu Agent's entity moved from the agent.yaml file to the API. Initial Agent entity configuration is still provided via agent.yaml, but subsequent updates to existing Agent Entities must be made via the Entities API.

See here for reference:

kovukono commented 3 years ago

This has been addressed in the README in this commit: https://github.com/sensu/sensu-go-chef/pull/98/commits/46e94620d5cc98b3845fcfdd7f0e302627b68a66

Functionally, this already exists. Is there somewhere else that you would have this noted?

webframp commented 3 years ago

Did some local testing and it seems like this can already be covered by the sensu_entity resource. What's a bit unclear is that if someone has used the agent resource to do initial configuration they would need to switch to the entity resource for day 2 management of a resource.

It seems like that user experience could be improved.

In theory this could be handled by using the load_current_value and converge_if_changed methods of the custom resource DSL so that current values for agent properties are derived from the API and not node local yaml files on subsequent chef-client converges. Then the converge_if_changed method will result in node updates if api values differ for the specified properties. How this could impact the initial converge still would need to be tested.

kovukono commented 3 years ago

Yes, if someone creates an entity with sensu_agent in Sensu 6, it requires any and all updates be done via sensu_entity. It will ignore any changes to annotations, labels, redactions, and subscriptions in the agent.yml, even if the service is restarted. The only way to get Sensu to acknowledge the entity's update from agent.yml is to delete the entity and have it reregister itself.

We're also seeing in 6.0.0 that if sensu_entity is created before the sensu-agent service on the machine is able to reach out to the backend, this will break the entity and require deletion from the etcd db (fixed in 6.0.1).

We need sensu_agent to install the package and start the service, but we need sensu_entity to manage the update of any properties for the entity. We could theoretically get sensu_agent to also handle the API updates, though it would need to make sure that it's only for relevant sensu_entity items, not something like keepalive or ports or log-level.
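The split discussed in this thread (agent.yml for node-local settings, the API for entity properties, compared in the style of load_current_value and converge_if_changed) can be sketched in plain Ruby. This is an added example, not code from sensu-go-chef or from any commenter; the function names, the `redact` key, the flattened hash shapes, and the choice to skip API updates until the entity exists are all assumptions.

```ruby
# Added illustration, not sensu-go-chef code. Hash shapes are assumptions.

# Properties the thread says Sensu Go 6 ignores in agent.yml once the
# entity exists ('redact' is the assumed key for "redactions").
API_MANAGED = %w[annotations labels redact subscriptions].freeze

# Split a desired agent config into API-managed and node-local settings.
def partition_agent_config(desired)
  api, local = desired.partition { |key, _| API_MANAGED.include?(key) }
  { api: api.to_h, local: local.to_h }
end

# Normalise values so ordering alone never triggers a converge.
def normalise(value)
  case value
  when Array then value.map(&:to_s).uniq.sort
  when Hash  then value.map { |k, v| [k.to_s, v.to_s] }.sort.to_h
  else value
  end
end

# Same idea as load_current_value + converge_if_changed: return only the
# API-managed properties whose desired value differs from the API's view.
# current_entity is nil until the agent has registered; in that case
# nothing is sent, so agent.yml seeds the entity on first registration.
def entity_changes(desired, current_entity)
  return {} if current_entity.nil?
  partition_agent_config(desired)[:api].each_with_object({}) do |(key, want), diff|
    diff[key] = want unless normalise(want) == normalise(current_entity[key])
  end
end

# Constructed sample data: desired config from the node, and the entity
# as read back from the API (already flattened to the same keys).
DESIRED = {
  'subscriptions' => %w[linux web],
  'labels' => { 'team' => 'ops' },
  'log-level' => 'warn',
  'keepalive-interval' => 20
}.freeze
CURRENT = {
  'subscriptions' => %w[web linux],
  'labels' => { 'team' => 'dev' }
}.freeze

puts entity_changes(DESIRED, CURRENT).inspect
```

Settings such as log-level and keepalive-interval stay in the `:local` half and never reach the API call, which is the restriction raised in the last comment.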