Comments (19)
The tricky bit which took me a while to work out is that the unauthenticated_metrics_access needs to be within your listener config e.g.
listener "tcp" {
  telemetry {
    unauthenticated_metrics_access = "true"
  }
}
telemetry {
  prometheus_retention_time = "30s",
  disable_hostname = true
}
from vault-helm.
The tricky bit which took me a while to work out is that the unauthenticated_metrics_access needs to be within your listener config e.g.
listener "tcp" {
  telemetry {
    unauthenticated_metrics_access = "true"
  }
}
telemetry {
  prometheus_retention_time = "30s",
  disable_hostname = true
}
Thanks, basically this is the answer: create a separate section for every telemetry. I had wasted almost 5 hours fixing this issue, thanks.
from vault-helm.
I have translated the prom config to a PodMonitor:
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: vault
  namespace: secops
  labels:
    app.kubernetes.io/instance: vault
    app.kubernetes.io/managed-by: fluxcd
    app.kubernetes.io/name: vault
spec:
  namespaceSelector:
    matchNames:
      - secops
  selector:
    matchLabels:
      app.kubernetes.io/instance: vault
      app.kubernetes.io/name: vault
      vault-active: "true"
  podMetricsEndpoints:
    - path: /v1/sys/metrics
      params:
        format: ["prometheus"]
      port: http
      relabelings:
        - action: keep
          sourceLabels: ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_port_number"]
          regex: secops;8200
Make sure your namespace matches when you copy it ;)
from vault-helm.
Since this post helped with the undocumented telemetry settings, I wanted to share this:
I deployed the Prometheus Helm Chart
Add the following to https://github.com/prometheus-community/helm-charts/blob/main/charts/kube-prometheus-stack/values.yaml
This automatically imports the endpoints and sets them as targets in Prometheus.
prometheus:
  prometheusSpec:
    additionalScrapeConfigs:
      - job_name: 'vault'
        metrics_path: '/v1/sys/metrics'
        params:
          format: ['prometheus']
        scheme: https
        tls_config:
          ca_file: '/etc/prometheus/secrets/my-secret/ca.crt'
          insecure_skip_verify: true
        kubernetes_sd_configs:
          - role: endpoints
        relabel_configs:
          - source_labels:
              [
                __meta_kubernetes_namespace,
                __meta_kubernetes_pod_container_port_number,
              ]
            action: keep
            regex: vault;8200
from vault-helm.
@june07 The restart is not related to Vault; it is default Kubernetes behaviour not to restart pods when a ConfigMap or Secret changes (the new data is loaded into the container, but most applications read their config only at startup). To bypass this limitation, have a look at https://github.com/stakater/Reloader.
from vault-helm.
$ git branch
- master
from vault-helm.
while I can get JSON-format metrics using curl -X GET "http://localhost:8236/v1/sys/metrics" -H "X-Vault-Token: <root_token>"
from vault-helm.
Hi @zhangzheyu2simple, I wasn't able to reproduce this bug with your given values file; the telemetry stanza appears correct for enabling prometheus. Since the json format metrics were accessible, it sounds like the config from your helm values isn't making it into the ConfigMap.
I'd suggest double-checking which values are being used in the deployment (helm get values vault), and also checking the deployed config map. If you run kubectl describe configmap vault-config, that should contain the telemetry stanza with the prometheus_retention_time setting.
from vault-helm.
#215 should help you get up and running with Prometheus a little more easily.
from vault-helm.
Thanks @cablespaghetti, we'll take a look.
Closing this issue for now, let us know if you run into further issues @zhangzheyu2simple.
from vault-helm.
Hello,
I think that your issue is connected to the fact that you are running Vault in HA with 3 instances.
Accordingly to the docs:
"The /v1/sys/metrics endpoint is only accessible on active nodes and automatically disabled on standby nodes. You can enable the /v1/sys/metrics endpoint on standby nodes by enabling unauthenticated metrics access."
https://www.vaultproject.io/docs/configuration/telemetry#prometheus
Your issue would probably be solved by adding unauthenticated_metrics_access = true to your telemetry stanza - it worked for me when deployed HA with 3 Vault instances. When running 1 Vault instance, the directive is not needed.
Really hope that this will help with your issue, cheers!
from vault-helm.
@tvoran We're seeing a similar behaviour - thought not to open a new issue since this one is quite recently closed.
chart: hashicorp/vault
version: 0.6.0
The relevant bits from the values.yaml:
ha:
  enabled: true
  replicas: 3
  config: |
    ui = true
    log_format = "json"
    listener "tcp" {
      tls_disable = 1
      address = "[::]:8200"
      cluster_address = "[::]:8201"
    }
    telemetry {
      unauthenticated_metrics_access = true
      prometheus_retention_time = "24h"
      disable_hostname = true
    }
    storage "consul" {
      path = "vault"
      address = "vault-consul-server.vault.svc.cluster.local:8500"
    }
I've checked the configmap and container and the configuration made it ok there:
/ $ cat /tmp/storageconfig.hcl
...
telemetry {
  unauthenticated_metrics_access = true
  prometheus_retention_time = "24h"
  disable_hostname = true
}
...
ps axf
...
9 vault 0:02 vault server -config=/tmp/storageconfig.hcl
...
However, when trying to scrape with prometheus we get 400 Bad Request
curl http://10.4.80.34:8200/v1/sys/metrics?format=prometheus
prometheus is not enabled
from vault-helm.
@one1zero1one can you try `curl -X GET 'http://$YOUR_VAULT_INSTANCE/v1/sys/metrics?format=prometheus' -H "X-Vault-Token:$YOUR_TOKEN"`? Ditch the 8200 in curl.
from vault-helm.
@cablespaghetti yeah, the docs are a little bit misleading in this case.
As described here, the unauthenticated_metrics_access telemetry directive has to be declared within the listener, just like you did:
https://www.vaultproject.io/docs/configuration/listener/tcp#configuring-unauthenticated-metrics-access
But, when looking for the telemetry configuration docs for Prometheus, you are also instructed to use a telemetry stanza - just not embedded into the listener config. Confusing, should be unified in my opinion.
from vault-helm.
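The placement rule the two comments above describe (the HA values file whose top-level telemetry stanza carried unauthenticated_metrics_access and answered "prometheus is not enabled", and the explanation that Vault only reads that directive inside the listener) can be checked before a helm upgrade rather than after a pod restart. What follows is an added example written for this page; it is not code from vault-helm or Vault. It uses a small purpose-built parser for the subset of HCL that Vault server configs use, and the two sample configs are constructed, modelled on the ones posted in this thread.

```python
"""Lint where Vault's Prometheus telemetry settings sit in an HCL server config.

Vault reads prometheus_retention_time from the top-level telemetry stanza but
unauthenticated_metrics_access only from a telemetry block nested in listener "tcp".
Purpose-built parser for the HCL subset Vault configs use (labelled blocks, key = value
lines, full-line comments), not general HCL.  Example for this page, not Vault/vault-helm code.
"""
import re

# One token per quoted string, brace, '=', ',' or newline; anything else is a bare word.
_TOKEN_RE = re.compile(r'"[^"]*"|[{}=,\n]|[^\s{}=,"]+')
_COMMENT_RE = re.compile(r"(?m)^[ \t]*(#|//).*$")


def parse_hcl(text):
    """Return {"attrs": {key: value}, "blocks": [(name, labels, child), ...]}."""
    toks = _TOKEN_RE.findall(_COMMENT_RE.sub("", text))
    pos = 0

    def parse_body():
        nonlocal pos
        node = {"attrs": {}, "blocks": []}
        while pos < len(toks):
            tok = toks[pos]
            pos += 1
            if tok in ("\n", ","):
                continue
            if tok == "}":
                return node
            labels = []  # e.g. the "tcp" in listener "tcp"
            while pos < len(toks) and toks[pos].startswith('"'):
                labels.append(toks[pos][1:-1])
                pos += 1
            if pos + 1 < len(toks) and toks[pos] == "=":
                node["attrs"][tok] = toks[pos + 1].strip('"')  # "true" and true compare equal
                pos += 2
            elif pos < len(toks) and toks[pos] == "{":
                pos += 1
                node["blocks"].append((tok, labels, parse_body()))
            else:
                raise ValueError(f"malformed config near {tok!r}")
        return node

    return parse_body()


def _blocks(node, name, label=None):
    """Bodies of the child blocks called `name` (optionally carrying `label`)."""
    return [body for n, labels, body in node["blocks"]
            if n == name and (label is None or label in labels)]


def check_prometheus_config(text):
    """Return findings for misplaced settings; an empty list means Vault will honour them."""
    cfg = parse_hcl(text)
    findings = []
    top = _blocks(cfg, "telemetry")
    if not any("prometheus_retention_time" in t["attrs"] for t in top):
        findings.append("top-level telemetry stanza lacks prometheus_retention_time, "
                        "so the Prometheus format is not enabled")
    if any("unauthenticated_metrics_access" in t["attrs"] for t in top):
        findings.append("unauthenticated_metrics_access sits in the top-level telemetry "
                        'stanza; Vault only reads it from listener "tcp" { telemetry { ... } }')
    listeners = _blocks(cfg, "listener", "tcp")
    if not listeners:
        findings.append('no listener "tcp" stanza found')
    # This publishes /v1/sys/metrics to anyone who can reach the listener: restrict the port.
    unauth = any(t["attrs"].get("unauthenticated_metrics_access") == "true"
                 for lst in listeners for t in _blocks(lst, "telemetry"))
    if not unauth:
        findings.append("no listener enables unauthenticated_metrics_access; token-less "
                        "scrapes fail and, in HA, standby nodes do not serve /v1/sys/metrics")
    return findings


# Constructed sample configs modelled on the ones posted in this thread.
CORRECT_CONFIG = """
listener "tcp" {
  address = "[::]:8200"
  telemetry {
    unauthenticated_metrics_access = "true"
  }
}
telemetry {
  prometheus_retention_time = "30s"
}
"""

MISPLACED_CONFIG = """
listener "tcp" {
  address = "[::]:8200"
}
telemetry {
  unauthenticated_metrics_access = true
  prometheus_retention_time = "24h"
}
"""

if __name__ == "__main__":
    print(check_prometheus_config(MISPLACED_CONFIG))
```

Feed it the string under `config:` in your values.yaml, or the data of the deployed vault-config ConfigMap. An empty result only means the stanzas are laid out the way that worked in this thread; it does not replace a real scrape, so still curl /v1/sys/metrics?format=prometheus after the restart the later comments say is needed.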
@cablespaghetti thanks, that solved it.
/ # curl http://10.4.80.40:8200/v1/sys/metrics?format=prometheus
# HELP go_gc_duration_seconds A summary of the pause duration of garbage collection
...
@damianfedeczko thanks - but didn't get a chance to try it as my colleague ran the new config faster than I could check - but I would assume would have worked to use the service and token. Issue was that we aimed for unauthenticated scrape from the get go.
+1 for ultimately having the telemetry stanza unified to avoid confusion.
from vault-helm.
@one1zero1one cool, no worries - @cablespaghetti answer nailed it
from vault-helm.
the above solution works. After adding the above configuration, if you are running vault on Prometheus you will have to restart the pods.
from vault-helm.
Heads up for anyone else to come across this... a restart is needed for the settings to take effect. Simple reload was not sufficient. Maybe someone more familiar with the code base can confirm as well.
Was trying to avoid needing to unlock vault again. Ah well.
from vault-helm.
The tricky bit which took me a while to work out is that the unauthenticated_metrics_access needs to be within your listener config e.g.
listener "tcp" {
  telemetry {
    unauthenticated_metrics_access = "true"
  }
}
telemetry {
  prometheus_retention_time = "30s",
  disable_hostname = true
}
That worked for me, tks!
from vault-helm.