This repo contains instructions that can be used to deploy an example Sensu Go cluster and an example application (NGINX) into Kubernetes for evaluation and/or development purposes (i.e. it has not been hardened for production use cases). It also includes configuration to reuse Nagios-style monitoring checks to monitor the example application using Sensu Go.
NOTE: this guide is a work in progress; see #TODO for more information.
Contents:
Deploy a Sensu staging environment (Kubernetes Statefulset).
Create a Sensu namespace and deploy a Sensu cluster using kubectl:
$ kubectl create namespace sensu-example
namespace/sensu-example created
$ kubectl --namespace sensu-example apply -f kubernetes/
service/nginx created
configmap/nginx-config created
deployment.apps/nginx created
service/sensu-etcd created
service/sensu created
service/sensu-lb created
statefulset.apps/sensu-etcd created
statefulset.apps/sensu-backend created
job.batch/sensu-backend-init created
daemonset.apps/sensu-agent createdVerify your Sensu staging environment.
Obtain the Sensu backend load balancer IP address using kubectl:
$ kubectl get services/sensu-lb --namespace sensu-example
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
sensu-lb LoadBalancer 10.27.248.95 <pending> 8080:31134/TCP,8081:30968/TCP,80:30090/TCP 52sNOTE: the IP address you need is the
EXTERNAL-IPfor thesensu-lbservice (e.g. "123.123.123.123"). If theEXTERNAL-IPis still<pending>, this means your Kubernetes cluster and/or cloud provider are still provisioning the load balancer; just wait a minute or two and try again.
You should be able to visit the Sensu dashboard via the Sensu backend load balance IP address, as obtained above (e.g. http://123.123.123.123).
Sensu does not use a default username and password – cluster administrator access credentials are configured during cluster initialization (see sensu-backend init).
If you have not modified the Kubernetes Batch Job provided in kubernetes/sensu-backend.yaml, the cluster admin username is sensu and the password is sensu.
Download and configure sensuctl.
Please visit https://sensu.io/downloads to download the Sensu CLI (sensuctl) for your workstation.
Once installed, you may configure sensuctl using this IP address you obtained in the previous step.
$ sensuctl configure
? Authentication method: username/password
? Sensu Backend URL: http://123.123.123.123:8080
? Namespace: default
? Preferred output format: tabular
? Username: sensu
? Password: *****To test your sensuctl configuration, run the following command:
$ sensuctl cluster id
sensu cluster id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"BONUS: go visit https://sensu.io/register to register your Sensu deployment and earn cool swag! :tada:
Configure Sensu agent sidecar.
The Kubernetes deployment found in kubernetes/example-nginx-deployment uses an NGINX container as a generic web service deployment with a Sensu Agent sidecar.
Please see kubernetes/example-nginx-deployment.yaml for more information on how to configure a Sensu Agent sidecar.
If you didn't already create the example NGINX deployment, you may do so now:
$ kubectl apply -f kubernetes/example-nginx-deployment.yaml --namespace sensu-example
service/nginx created
configmap/nginx-config created
deployment.extensions/nginx createdConfigure monitoring check w/ Nagios plugins.
Use sensuctl to configure a monitoring check using a Nagios C plugin:
$ sensuctl create -rf sensu/NOTE: the
sensu/monitoring-pluginsasset is a pre-packaged collection of the Nagios C plugins from the https://monitoring-plugins.org project. Please see https://bonsai.sensu.io/assets/sensu/monitoring-plugins for more information. To learn more about Sensu Assets, please visit the Sensu Documentation; to browse publicly available assets, please visit https://bonsai.sensu.io (the Sensu Asset registry).
Now visit your Sensu dashboard to see the results!
The official Sensu Docker images are based on Alpine Linux. If your organization requires all containers to share a standard base image (e.g. RHEL), the following instructions will help you get started building custom Sensu Go agent images.
Review the example Dockerfiles (OPTIONAL).
Both of the provided examples (Dockerfile.el6 and Dockerfile.el7) follow a simple series of installation steps:
centos:6 or centos:7)sensu-agent)Create custom Sensu Docker images (OPTIONAL).
Create a Sensu Agent Docker image FROM centos:6:
$ SENSU_VERSION=6.2.5 && docker build --build-arg "SENSU_VERSION=$SENSU_VERSION" -t sensu-agent:${SENSU_VERSION}-el6 --file Dockerfile.el6 .Create a Sensu Agent Docker image FROM centos:7:
$ SENSU_VERSION=6.2.5 && docker build --build-arg "SENSU_VERSION=$SENSU_VERSION" -t sensu-agent:${SENSU_VERSION}-el7 --file Dockerfile.el7 .Publish custom Sensu Docker images (OPTIONAL).
Publish Docker images to a Container Registry (required for use w/ Kubernetes). Container registries vary in implementation, so you'll need to adjust the following command accordingly. The steps typically involve tagging a Docker image with a domain and/or organization or repository name prefix, and then pushing the image.
Examples:
$ SENSU_VERSION=6.2.5 && docker tag sensu-agent:${SENSU_VERSION}-el6 your-repository.com/sensu-agent:${SENSU_VERSION}-el6
$ SENSU_VERSION=6.2.5 && docker push your-repository.com/sensu-agent:${SENSU_VERSION}-el6
$ SENSU_VERSION=6.2.5 && docker tag sensu-agent:${SENSU_VERSION}-el7 your-repository.com/sensu-agent:${SENSU_VERSION}-el7
$ SENSU_VERSION=6.2.5 && docker push your-repository.com/sensu-agent:${SENSU_VERSION}-el7Update your Sensu sidecar configuration to use your custom images.
To use a custom Docker image as a Sensu Agent sidecar, you'll need to change the container image reference from sensu/sensu (the official Sensu Docker images, hosted on the Docker Hub).
Please consult your container registry documentation on how to proceed.
If you are hosting Sensu Assets behind your firewall, you may see an error like the following. This error generally indicates that the host is using a custom SSL certificate, but the Sensu Agent host (or container in this case) does not have the CA certificate installed in the host system CA trust store.
error getting assets for event: error fetching asset: Get https://artifactory.my-company.com/sensu-assets/check-plugins.tar.gz: x509: certificate signed by unknown authorityThere are a few way to accomplish this in a Kubernetes environment.
You can either pre-install the certificate in a custom Docker image by modifying your Dockerfile (see above), or you can mount the CA certificate file(s) using a Kubernetes Secret or Kubernetes ConfigMap.
Create a Kubernetes ConfigMap from a CA certificate (e.g. .pem file).
$ kubectl create secret generic sensu-asset-server-ca-cert --from-file=path/to/sensu-ca-cert.pemModify the Sensu Agent sidecar config.
Update your Sensu Agent sidecar with the following configuration details:
volumeMounts:
- name: sensu-asset-server-ca-cert
mountPath: /etc/pki/ca-trust/source/anchors/sensu-ca-cert.pem # centos
subPath: sensu-ca-cert.pem
- name: sensu-asset-server-ca-cert
mountPath: /usr/local/share/ca-certificates/sensu-ca-cert.crt # alpine/debian
subPath: sensu-ca-cert.crtOnce installed, you may also need to run a certificate update command to update the CA trust store. This process differs from platform to platform (see below for more information).
NOTE: it may be possible to automate this process using a Docker ENTRYPOINT such as the attached entrypoint.sh (experimental).
Custom CA certificates can be installed on Alpine Linux by adding the certificate file(s) in question to /usr/local/share/ca-certificates/*.crt and running update-ca-certificates (NOTE: this requires the ca-certificates package to be installed, and the certificate files must use the .crt file extension).
Custom CA certificates can be installed on Centos 6/7 by adding the certificate file(s) in question to /etc/pki/ca-trust/source/anchors/ and running update-ca-trust force-enable && update-ca-trust extract (NOTE: this requires the ca-certificates package to be installed).
Custom CA certificates can be installed on Debian Stretch by adding the certificate file(s) in question to /usr/local/share/ca-certificates/*.crt and running update-ca-certificates (NOTE: this requires the ca-certificates package to be installed, and the certificate files must use the .crt file extension).
Configure faster SSD persistent disks for Etcd PersistentVolumeClaims. The following example can be used to enable SSD storage on Google Cloud Platform.
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: faster
provisioner: kubernetes.io/gce-pd
parameters:
type: pd-ssdNOTE: while most Kubernetes clusters offers support for faster SSD storage, storage provider implementations do vary from one Kubernetes distribution to another. Please consult with your Kubernetes administrator or cloud provider regarding availability of SSD storage (and how to enable it).
Add this resource to kubernetes/sensu-backend.yaml or save it to a separate file and then enabled it via kubectl apply -f.
Once enabled, uncomment the sensu-etcd StatefulSet VolumeClaimTemplate.spec.storageClassName field in kubernetes/sensu-backend.yaml.
If you have already deployed your cluster, you may need to stop the cluster and delete the existing PersistentVolumeClaim as follows:
$ kubectl get pvc --namespace sensu-example
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
sensu-etcd-sensu-etcd-0 Bound pvc-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 20Gi RWO standard 30mIf your existing volume claim is not using the SSD storage class, you can delete it as follows:
$ kubectl delete pvc/sensu-etcd-sensu-etcd-0 --namespace sensu-example
persistentvolumeclaim "sensu-etcd-sensu-etcd-0" deletedThis guide is a work in progress. Here are some of the improvements we are planning:
entrypoint.sh (WIP/experimental)