Export HashiCorp Vault metrics to Prometheus.
Acknowledgements: this is a fork/copy of the code from the deleted GitHub repository https://github.com/grapeshot/vault_exporter as it was in mid-2019, before it was deleted.
Metric | Meaning | Labels |
---|---|---|
vault_up | Was the last query of Vault successful. | |
vault_initialized | Is the Vault initialised (according to this node). | |
vault_sealed | Is the Vault node sealed. | |
vault_standby | Is this Vault node in standby. | |
vault_replication_dr_primary | Is this Vault node a primary disaster recovery replica. | |
vault_replication_dr_secondary | Is this Vault node a secondary disaster recovery replica. | |
vault_replication_performance_primary | Is this Vault node a primary performance replica. | |
vault_replication_performance_secondary | Is this Vault node a secondary performance replica. | |
vault_info | Various info about the Vault node. | version, cluster_name, cluster_id |
Example dashboards and alerts for this exporter are included in the mixin directory, in the form of a jsonnet monitoring mixin. They are designed to be combined with the prometheus-ksonnet package.
To install this mixin, use ksonnet:

```
$ ks registry add vault-exporter https://github.com/app-sre/vault-exporter
$ ks pkg install vault-exporter/vault-mixin
```
Then, to use it, in your main.jsonnet file:

```
local prometheus = (import "prometheus-ksonnet/prometheus-ksonnet.libsonnet");
local vault = (import "vault-mixin/mixin.libsonnet");

prometheus + vault {
  jobs+: {
    vault: "<my vault namespace>/<my value name label>",
  },
}
```
```
$ ./vault-exporter -h
usage: vault-exporter [<flags>]

Flags:
  -h, --help                Show context-sensitive help (also try --help-long and --help-man).
      --web.listen-address=":9410"
                            Address to listen on for web interface and telemetry.
      --web.telemetry-path="/metrics"
                            Path under which to expose metrics.
      --vault-tls-cacert=VAULT-TLS-CACERT
                            The path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate.
      --vault-tls-client-cert=VAULT-TLS-CLIENT-CERT
                            The path to the certificate for Vault communication.
      --vault-tls-client-key=VAULT-TLS-CLIENT-KEY
                            The path to the private key for Vault communication.
      --insecure-ssl        Set SSL to ignore certificate validation.
      --log.level="info"    Only log messages with the given severity or above. Valid levels: [debug, info, warn, error, fatal]
      --log.format="logger:stderr"
                            Set the log target and format. Example: "logger:syslog?appname=bob&local=7" or "logger:stdout?json=true"
      --version             Show application version.
```
Note that environment variables can be overridden by flags.

- `VAULT_ADDR` – Sets the address of Vault in the client. The format of the address should be `<Scheme>://<Host>:<Port>` (defaults to `https://127.0.0.1:8200`)
- `VAULT_CACERT` – CACert is the path to a PEM-encoded CA cert file to use to verify the Vault server SSL certificate (defaults to empty)
- `VAULT_CAPATH` – CAPath is the path to a directory of PEM-encoded CA cert files to verify the Vault server SSL certificate (defaults to empty)
- `VAULT_CLIENT_CERT` – ClientCert is the path to the certificate for Vault communication (defaults to empty)
- `VAULT_CLIENT_KEY` – ClientKey is the path to the private key for Vault communication (defaults to empty)
- `VAULT_CLIENT_TIMEOUT` – Timeout is for setting a custom timeout parameter in the HTTP client (defaults to `0`)
- `VAULT_SKIP_VERIFY` – SkipVerify enables or disables SSL verification (defaults to `false`)
- `VAULT_TLS_SERVER_NAME` – TLSServerName, if set, is used to set the SNI host when connecting via TLS (defaults to empty)
- `VAULT_MAX_RETRIES` – MaxRetries controls the maximum number of times to retry when a 5xx error occurs (defaults to `0`)
- `VAULT_TOKEN` – Token is the access token used by the client
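
Several of the flags and variables above decide whether the exporter actually authenticates the Vault server it sends `VAULT_TOKEN` to. The preflight check below is an added example, not part of vault-exporter: it audits those settings before the exporter is launched. It assumes `VAULT_SKIP_VERIFY` is parsed as a Go boolean; the function name and the `vault.example.internal` host are hypothetical.

```shell
#!/bin/sh
# Added example (not part of vault-exporter): audit the exporter's TLS-related
# settings before launch. Prints one finding per line; returns 1 if any.
audit_vault_exporter_env() {
    findings=0
    note() { printf 'FINDING: %s\n' "$1"; findings=$((findings + 1)); }

    # Certificate validation switched off by flag (arguments are the exporter's).
    for arg in "$@"; do
        case "$arg" in
            --insecure-ssl) note "--insecure-ssl disables certificate validation" ;;
        esac
    done

    # Assumption: the variable is parsed as a Go boolean (1, t, true, ...).
    case "${VAULT_SKIP_VERIFY:-}" in
        1|t|T|true|TRUE|True) note "VAULT_SKIP_VERIFY disables certificate validation" ;;
    esac

    # The default address is https://127.0.0.1:8200; an override must stay on TLS.
    case "${VAULT_ADDR:-https://127.0.0.1:8200}" in
        https://*) ;;
        *) note "VAULT_ADDR is not an https:// URL" ;;
    esac

    # Every file named by the TLS variables has to be readable by this user.
    for var in VAULT_CACERT VAULT_CLIENT_CERT VAULT_CLIENT_KEY; do
        eval "path=\${$var:-}"
        [ -z "$path" ] || [ -r "$path" ] || note "$var file is not readable: $path"
    done

    # A client certificate and its key are only usable as a pair.
    [ "${VAULT_CLIENT_CERT:+set}" = "${VAULT_CLIENT_KEY:+set}" ] ||
        note "VAULT_CLIENT_CERT and VAULT_CLIENT_KEY must be set together"

    # The private key should carry no group/other permission bits.
    if [ -r "${VAULT_CLIENT_KEY:-}" ]; then
        case "$(ls -lL -- "$VAULT_CLIENT_KEY")" in
            ????------*) ;;
            *) note "VAULT_CLIENT_KEY is accessible by group or others" ;;
        esac
    fi

    [ "$findings" -eq 0 ]
}

# Constructed demo: a deliberately weak configuration, isolated in a subshell.
( VAULT_ADDR=http://vault.example.internal:8200; VAULT_SKIP_VERIFY=true
  audit_vault_exporter_env --insecure-ssl ) || true
```

In a wrapper script, call the function with the same arguments that will be passed to `./vault-exporter` and start the exporter only when it returns 0.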