This repo contains instructions that can be used to deploy an example Sensu Go cluster and an example application (NGINX) into Kubernetes for evaluation and/or development purposes (i.e. it has not been hardened for production use cases). It also includes configuration to reuse Nagios-style monitoring checks to monitor the example application using Sensu Go.
NOTE: this guide is a work in progress; see #TODO for more information.
Contents:
- Deploy Sensu
- Monitor Kubernetes workloads using a Sensu Agent sidecar
- Customization and troubleshooting
-
Deploy a Sensu staging environment (Kubernetes Statefulset).
Create a Sensu namespace and deploy a Sensu cluster using
kubectl
:$ kubectl create namespace sensu-example namespace/sensu-example created $ kubectl --namespace sensu-example apply -f kubernetes/ service/nginx created configmap/nginx-config created deployment.apps/nginx created service/sensu-etcd created service/sensu created service/sensu-lb created statefulset.apps/sensu-etcd created statefulset.apps/sensu-backend created job.batch/sensu-backend-init created daemonset.apps/sensu-agent created
-
Verify your Sensu staging environment.
Obtain the Sensu backend load balancer IP address using
kubectl
:$ kubectl get services/sensu-lb --namespace sensu-example NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE sensu-lb LoadBalancer 10.27.248.95 <pending> 8080:31134/TCP,8081:30968/TCP,80:30090/TCP 52s
NOTE: the IP address you need is the
EXTERNAL-IP
for thesensu-lb
service (e.g. "123.123.123.123"). If theEXTERNAL-IP
is still<pending>
, this means your Kubernetes cluster and/or cloud provider are still provisioning the load balancer; just wait a minute or two and try again.You should be able to visit the Sensu dashboard via the Sensu backend load balance IP address, as obtained above (e.g. http://123.123.123.123). Sensu does not use a default username and password – cluster administrator access credentials are configured during cluster initialization (see
sensu-backend init
). If you have not modified the Kubernetes Batch Job provided inkubernetes/sensu-backend.yaml
, the cluster admin username issensu
and the password issensu
. -
Download and configure
sensuctl
.Please visit https://sensu.io/downloads to download the Sensu CLI (
sensuctl
) for your workstation.Once installed, you may configure
sensuctl
using this IP address you obtained in the previous step.$ sensuctl configure ? Authentication method: username/password ? Sensu Backend URL: http://123.123.123.123:8080 ? Namespace: default ? Preferred output format: tabular ? Username: sensu ? Password: *****
To test your
sensuctl
configuration, run the following command:$ sensuctl cluster id sensu cluster id: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
BONUS: go visit https://sensu.io/register to register your Sensu deployment and earn cool swag! 🎉
-
Configure Sensu agent sidecar.
The Kubernetes deployment found in
kubernetes/example-nginx-deployment
uses an NGINX container as a generic web service deployment with a Sensu Agent sidecar.Please see
kubernetes/example-nginx-deployment.yaml
for more information on how to configure a Sensu Agent sidecar.If you didn't already create the example NGINX deployment, you may do so now:
$ kubectl apply -f kubernetes/example-nginx-deployment.yaml --namespace sensu-example service/nginx created configmap/nginx-config created deployment.extensions/nginx created
-
Configure monitoring check w/ Nagios plugins.
Use
sensuctl
to configure a monitoring check using a Nagios C plugin:$ sensuctl create -rf sensu/
NOTE: the
sensu/monitoring-plugins
asset is a pre-packaged collection of the Nagios C plugins from the https://monitoring-plugins.org project. Please see https://bonsai.sensu.io/assets/sensu/monitoring-plugins for more information. To learn more about Sensu Assets, please visit the Sensu Documentation; to browse publicly available assets, please visit https://bonsai.sensu.io (the Sensu Asset registry).Now visit your Sensu dashboard to see the results!
The official Sensu Docker images are based on Alpine Linux. If your organization requires all containers to share a standard base image (e.g. RHEL), the following instructions will help you get started building custom Sensu Go agent images.
-
Review the example Dockerfiles (OPTIONAL).
Both of the provided examples (
Dockerfile.el6
andDockerfile.el7
) follow a simple series of installation steps:- build from a trusted base image (e.g.
centos:6
orcentos:7
) - download an official Sensu Go binary archive (see https://sensu.io/downloads for more info)
- extract the Sensu binaries (including
sensu-agent
) - delete the Sensu binary archive
- build from a trusted base image (e.g.
-
Create custom Sensu Docker images (OPTIONAL).
Create a Sensu Agent Docker image
FROM centos:6
:$ SENSU_VERSION=6.2.5 && docker build --build-arg "SENSU_VERSION=$SENSU_VERSION" -t sensu-agent:${SENSU_VERSION}-el6 --file Dockerfile.el6 .
Create a Sensu Agent Docker image
FROM centos:7
:$ SENSU_VERSION=6.2.5 && docker build --build-arg "SENSU_VERSION=$SENSU_VERSION" -t sensu-agent:${SENSU_VERSION}-el7 --file Dockerfile.el7 .
-
Publish custom Sensu Docker images (OPTIONAL).
Publish Docker images to a Container Registry (required for use w/ Kubernetes). Container registries vary in implementation, so you'll need to adjust the following command accordingly. The steps typically involve tagging a Docker image with a domain and/or organization or repository name prefix, and then pushing the image.
Examples:
$ SENSU_VERSION=6.2.5 && docker tag sensu-agent:${SENSU_VERSION}-el6 your-repository.com/sensu-agent:${SENSU_VERSION}-el6 $ SENSU_VERSION=6.2.5 && docker push your-repository.com/sensu-agent:${SENSU_VERSION}-el6 $ SENSU_VERSION=6.2.5 && docker tag sensu-agent:${SENSU_VERSION}-el7 your-repository.com/sensu-agent:${SENSU_VERSION}-el7 $ SENSU_VERSION=6.2.5 && docker push your-repository.com/sensu-agent:${SENSU_VERSION}-el7
-
Update your Sensu sidecar configuration to use your custom images.
To use a custom Docker image as a Sensu Agent sidecar, you'll need to change the container image reference from
sensu/sensu
(the official Sensu Docker images, hosted on the Docker Hub). Please consult your container registry documentation on how to proceed.
If you are hosting Sensu Assets behind your firewall, you may see an error like the following. This error generally indicates that the host is using a custom SSL certificate, but the Sensu Agent host (or container in this case) does not have the CA certificate installed in the host system CA trust store.
error getting assets for event: error fetching asset: Get https://artifactory.my-company.com/sensu-assets/check-plugins.tar.gz: x509: certificate signed by unknown authority
There are a few way to accomplish this in a Kubernetes environment.
You can either pre-install the certificate in a custom Docker image by modifying your Dockerfile
(see above), or you can mount the CA certificate file(s) using a Kubernetes Secret or Kubernetes ConfigMap.
-
Create a Kubernetes ConfigMap from a CA certificate (e.g. .pem file).
$ kubectl create secret generic sensu-asset-server-ca-cert --from-file=path/to/sensu-ca-cert.pem
-
Modify the Sensu Agent sidecar config.
Update your Sensu Agent sidecar with the following configuration details:
volumeMounts: - name: sensu-asset-server-ca-cert mountPath: /etc/pki/ca-trust/source/anchors/sensu-ca-cert.pem # centos subPath: sensu-ca-cert.pem - name: sensu-asset-server-ca-cert mountPath: /usr/local/share/ca-certificates/sensu-ca-cert.crt # alpine/debian subPath: sensu-ca-cert.crt
Once installed, you may also need to run a certificate update command to update the CA trust store. This process differs from platform to platform (see below for more information).
NOTE: it may be possible to automate this process using a Docker ENTRYPOINT such as the attached entrypoint.sh
(experimental).
Custom CA certificates can be installed on Alpine Linux by adding the certificate file(s) in question to /usr/local/share/ca-certificates/*.crt
and running update-ca-certificates
(NOTE: this requires the ca-certificates
package to be installed, and the certificate files must use the .crt
file extension).
Custom CA certificates can be installed on Centos 6/7 by adding the certificate file(s) in question to /etc/pki/ca-trust/source/anchors/
and running update-ca-trust force-enable && update-ca-trust extract
(NOTE: this requires the ca-certificates
package to be installed).
Custom CA certificates can be installed on Debian Stretch by adding the certificate file(s) in question to /usr/local/share/ca-certificates/*.crt
and running update-ca-certificates
(NOTE: this requires the ca-certificates
package to be installed, and the certificate files must use the .crt
file extension).
Configure faster SSD persistent disks for Etcd PersistentVolumeClaims. The following example can be used to enable SSD storage on Google Cloud Platform.
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: faster
provisioner: kubernetes.io/gce-pd
parameters:
type: pd-ssd
NOTE: while most Kubernetes clusters offers support for faster SSD storage, storage provider implementations do vary from one Kubernetes distribution to another. Please consult with your Kubernetes administrator or cloud provider regarding availability of SSD storage (and how to enable it).
Add this resource to kubernetes/sensu-backend.yaml
or save it to a separate file and then enabled it via kubectl apply -f
.
Once enabled, uncomment the sensu-etcd
StatefulSet VolumeClaimTemplate.spec.storageClassName
field in kubernetes/sensu-backend.yaml
.
If you have already deployed your cluster, you may need to stop the cluster and delete the existing PersistentVolumeClaim as follows:
$ kubectl get pvc --namespace sensu-example
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
sensu-etcd-sensu-etcd-0 Bound pvc-xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx 20Gi RWO standard 30m
If your existing volume claim is not using the SSD storage class, you can delete it as follows:
$ kubectl delete pvc/sensu-etcd-sensu-etcd-0 --namespace sensu-example
persistentvolumeclaim "sensu-etcd-sensu-etcd-0" deleted
This guide is a work in progress. Here are some of the improvements we are planning:
- Add Hashicorp Vault (dev-mode) for secrets management
- Add instructions for packaging Nagios Perl scripts/plugins as Sensu Assets
- Add instructions for packaging Nagios Python scripts/plugins as Sensu Assets
- Add instructions for hosting/mirroring Sensu Assets using NGINX
- Add instructions for configuring your first Sensu Handler (e.g. PagerDuty)
- Add instructions for install custom CA certificates (volume mount Kubernetes Secret);
see
entrypoint.sh
(WIP/experimental)