Check and manage the health and availability of Cyral sidecar clusters and instances.
Click the Sidecars tab to display a list of sidecars.
In the main Sidecars list, each row provides a summary of a sidecar cluster:
- The leftmost column provides a registration/health summary indicator icon. This icon shows:
  - Sidecar is registered, and all its instances are fully healthy.
  - Sidecar is registered, but not all sidecar instances are fully healthy. Some sidecar services may be down.
  - Sidecar has been registered, but none of its instances are fully healthy, or the sidecar is not reachable now.
  - Metrics cannot be found for this sidecar. This status might indicate that someone has created the sidecar in the Cyral UI but has not deployed the sidecar, or that the Cyral control plane's sidecar monitoring service is not operating.
- Name is the name you gave to this sidecar cluster.
- Tags are tags that you or your deployment framework have applied to identify this sidecar cluster.
- Platform is the cloud platform that hosts this sidecar cluster.
- Active Instances shows how many sidecar instances in this sidecar cluster are active and able to serve requests.
- Data Repositories shows how many data repositories this sidecar cluster protects. Click on the row and then click Data Repositories to list them.
- Passthrough shows a checkmark if this sidecar cluster is running in passthrough mode, meaning that it allows all requests to be served without policy enforcement, logging, or other Cyral services.
Usually a Cyral sidecar runs as an autoscaling cluster on your cloud platform. After you've checked the sidecar cluster status, you can check the status of individual sidecar instances in the sidecar cluster.
To check the status of individual sidecar instances in the sidecar cluster, click Sidecars, click the name of your sidecar, and click Instances. For each instance, the UI shows:
- Health: A sidecar instance is fully operational when all of its services are healthy.
  - green: All of this instance's services are healthy
  - yellow: Some but not all of this instance's services are healthy
  - red: None of this instance's services are healthy
- Instance ID: Number that identifies this sidecar instance
- Sidecar version: Cyral version number of this sidecar instance
- Age: Time since this sidecar was deployed or upgraded
How to check and manage Cyral sidecar services for your repositories.
Cyral sidecars can be run in passthrough mode to help troubleshoot performance problems, or better onboard new applications before turning on analysis.
In passthrough mode, the sidecar acts as a layer-4 load balancer and forwards all requests through to the repositories assigned to it. In passthrough mode, the Cyral sidecar provides:
- no SSO authentication; instead, data users must use their native repository credentials to connect through the sidecar.
- no policy enforcement
- no logging or alerting
Note: Don't confuse passthrough mode with turning off all sidecar services for a repository. See Turn sidecar coverage on or off for a repository.
To place a sidecar in passthrough mode, navigate to Sidecars, click your sidecar's name, and click Edit. In the Edit Sidecar window, click the Passthrough checkbox. Click Save.
To check whether a sidecar is running in passthrough mode, click the Sidecars tab in the Cyral control plane UI and find your sidecar in the list. The Passthrough column shows a checkmark if the sidecar is running in passthrough mode.
To provide a stable address on the network where users can always reach their repositories, add an endpoint alias address for the sidecar.
Important: Adding an endpoint alias requires that you first set up this alias in your network routing service using a CNAME or A record, as explained in Add a CNAME or A record for the sidecar.
Once your network routing service has been set up to route the alias you intend to use, you can add the Endpoint Alias in Cyral as follows:
- Navigate to Sidecars, click your sidecar's name, and click Edit.
- In the Edit Sidecar window, click the Endpoint Alias checkbox.
- In the field that appears, type the alias. This must be a valid domain name that can be routed on your network, such as db-acess.example.com. This address will resolve to the sidecar load balancer address, giving your data users access to the repositories protected by the sidecar.
- Click Save.
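A pre-check for the alias requirement above, as an added example that is not part of the Cyral documentation: it confirms that the alias is a valid host name and that every address it resolves to belongs to the sidecar load balancer. The load balancer name `sidecar-lb.example.net`, the sample DNS data and all function names are constructed for illustration.

```python
import re
import socket

# RFC 1123 label: letters, digits, hyphens; no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

def is_valid_hostname(name):
    name = name.rstrip(".")
    if not name or len(name) > 253 or "." not in name:
        return False
    return all(_LABEL.match(label) for label in name.split("."))

def resolve_ips(host, resolver=socket.getaddrinfo):
    """Return the set of IP addresses for host (empty set if it does not resolve)."""
    try:
        return {info[4][0] for info in resolver(host, None)}
    except socket.gaierror:
        return set()

def check_alias(alias, lb_host, resolver=socket.getaddrinfo):
    """Classify the alias: ok, invalid-name, unresolved, lb-unresolved or mismatch."""
    if not is_valid_hostname(alias):
        return "invalid-name"
    alias_ips = resolve_ips(alias, resolver)
    if not alias_ips:
        return "unresolved"      # the CNAME or A record has not been created yet
    lb_ips = resolve_ips(lb_host, resolver)
    if not lb_ips:
        return "lb-unresolved"
    # Any alias address outside the load balancer's set would send users
    # somewhere other than the sidecar, so require a subset.
    return "ok" if alias_ips <= lb_ips else "mismatch"

# Constructed sample DNS data so the example runs offline.
SAMPLE_DNS = {
    "sidecar-lb.example.net": ["192.0.2.10", "192.0.2.11"],
    "db-acess.example.com": ["192.0.2.10"],
    "stale.example.com": ["198.51.100.7"],
}

def sample_resolver(host, port):
    if host not in SAMPLE_DNS:
        raise socket.gaierror("name not known")
    return [(socket.AF_INET, socket.SOCK_STREAM, 6, "", (ip, 0))
            for ip in SAMPLE_DNS[host]]

if __name__ == "__main__":
    for name in ("db-acess.example.com", "stale.example.com", "missing.example.com"):
        print(name, check_alias(name, "sidecar-lb.example.net", sample_resolver))
```

Omit the `resolver` argument to query real DNS. A load balancer that rotates its addresses can produce a transient `mismatch`, so repeat the check before treating it as a routing error.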
To add a tag that will help you identify a sidecar, follow these steps:
- Click Sidecars in the Cyral control plane UI, click your sidecar's name, and click Edit.
- In the Edit Sidecar window, type each tag in the Add Tags field and press enter to save it.
- Click Save.
You can turn on and turn off the sidecar's coverage for a repository. Once a sidecar's coverage is turned off for a repository, the sidecar stops accepting connections on the sidecar endpoint port assigned to the repository. This means that the sidecar will not see requests and as a result will not handle authentication or authorization for the repository. (Keep in mind that another sidecar might be providing coverage for the repository.)
Note: Don't confuse turning off coverage with passthrough mode. See Passthrough mode.
To turn a sidecar's coverage on or off for a given repository, follow these steps:
- Navigate to Sidecars, click your sidecar's name, click Data Repositories, and find your repository in the list.
- In the Status column, toggle the switch to the right for coverage, or to the left for no coverage.
To check whether a repository is being protected by a sidecar, follow these steps:
- In the Cyral management console, click Data Repos and click the name of your repository in the list. In the SIDECARS section, note the name of the sidecar through which users connect. (There may be more than one sidecar for the repository.)
- Click Sidecars in the menu on the left. Find the sidecar whose name you just noted, using the Search tool if needed. Check the following:
  - A green checkmark icon should appear on the left. If any other icon is shown here, click the name of the sidecar and click the Instances tab to investigate.
  - The status should be shown as Active. If any other status is shown here, click the name of the sidecar and click Edit. Passthrough mode may have been enabled. See Passthrough mode.
- Check whether sidecar coverage is on:
  - Click the name of your sidecar. The Sidecar Details page appears.
  - In the Data Repositories tab, find your repository in the list.
  - Make sure the Status toggle on the right is in the ON position (toggled to the right). If it's not, someone may have disabled sidecar coverage for this repository. See Turn sidecar coverage on or off for a repository.
- Check that you've turned on all the desired services in your sidecar's configuration settings.
Communications between the Cyral control plane and sidecar are secured using a client secret, which has an associated client ID. Cyral automatically creates each sidecar's initial client ID and client secret when you create the sidecar's deployment template.
When you deploy a new sidecar, you'll see its Client ID and Client Secret specified in the parameters of the deployment template.
Once a sidecar is deployed and running, you can replace its client secret at any time. This is typically called rotating the sidecar credentials. Follow these steps:
- In the Cyral control plane UI, click Sidecars, click the name of your sidecar, and click Sidecar registration.
- Click the + sign to generate a new client ID and client secret.
- The generated values appear in the pop-up window. Use the copy buttons to copy the values so that you can paste them into your secrets manager.
  Important! You will see the client secret only once, so be sure to keep this window open until you've copied it. If you do lose your newly created secret, you can create another new one by following this process again. If you create a client secret but don't wish to use it, click the delete button to remove it.
- Open your secrets manager, such as AWS Secrets Manager or HashiCorp Vault. Find the secret record for the sidecar and edit it, pasting the new client ID and client secret values. Below, we show an example of doing this in AWS.
Once the sidecar has connected to the Cyral control plane with its new client ID and secret, the old client ID row will disappear from the Sidecar Registration tab in Cyral, and the new, active client ID will remain visible in the tab as long as its secret is active.
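The secrets-manager step of the rotation above can also be scripted. The following is an added example, not Cyral's own code: it performs a read-modify-write against AWS Secrets Manager that changes only the two credential fields and keeps everything else in the record. The field names `clientId` and `clientSecret` and the function names are assumptions; match the keys to your own secret record.

```python
import json

# Assumed key names inside the sidecar's secret record (not taken from the page).
ID_KEY = "clientId"
SECRET_KEY = "clientSecret"

def merge_credentials(current_json, client_id, client_secret):
    """Return the secret record as JSON with only the credential fields replaced."""
    if not client_id or not client_secret:
        raise ValueError("client ID and client secret must both be non-empty")
    record = json.loads(current_json)
    if not isinstance(record, dict):
        raise ValueError("secret record is not a JSON object")
    record[ID_KEY] = client_id
    record[SECRET_KEY] = client_secret
    return json.dumps(record)

def rotate(sm_client, secret_name, client_id, client_secret):
    """Write the new credentials and return the new secret version ID.

    sm_client is a boto3 Secrets Manager client, for example
    boto3.client("secretsmanager"); secret_name is the sidecar's secret record.
    """
    current = sm_client.get_secret_value(SecretId=secret_name)["SecretString"]
    updated = merge_credentials(current, client_id, client_secret)
    response = sm_client.put_secret_value(SecretId=secret_name,
                                          SecretString=updated)
    # Read the record back and compare the client ID only; the secret itself
    # is never printed or logged.
    stored = json.loads(
        sm_client.get_secret_value(SecretId=secret_name)["SecretString"])
    if stored.get(ID_KEY) != client_id:
        raise RuntimeError("secret store still holds the old client ID")
    return response["VersionId"]
```

Pass the values copied from the Sidecar registration pop-up through a prompt such as `getpass.getpass()` rather than command-line arguments, so the client secret does not end up in shell history.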
Follow these steps to delete a sidecar:
- If the sidecar you're planning to delete is currently protecting repositories, move those repositories to a new sidecar if you wish to continue Cyral services for the repositories. See Unassign a repository from a sidecar.
- Remove the sidecar from the Cyral control plane inventory. Navigate to Sidecars, click your sidecar's name, and click Edit. In the Edit Sidecar window, click Delete, and click to confirm the deletion.
- Deprovision and delete the sidecar cluster and its instances using the commands provided by your cloud platform. See Uninstall a sidecar.
© Copyright 2021 Cyral Inc. All rights reserved.