Vault With Prometheus

Vault Reference Documentation

• HashiCorp Vault Telemetry
• HashiCorp Vault Agent Annotations
• HashiCorp Vault Kubernetes Auth Method

Overview

Prometheus scraping of Vault uses the following:

• Vault Kubernetes Authentication Method
• The auth method is bound to a k8s service account
• The auth method is bound to a k8s namespace
• Vault ACL Policy Defined
• Vault Sidecar Injection
• Prometheus Configuration

Known issues:

• Big Bang Development Environment Upgrade Issues

Vault Kubernetes Authentication Method

The Kubernetes Authentication Method can be create using Vault’s web interface or by the vault cli.

See HashiCorp Vault Kubernetes Auth Method for more details

An example for Big Bang can be found in the initialization script configmap-for-vault-init.yaml .

This script creates an Auth Method called prometheus and binds the Auth Method to the monitoring-monitoring-kube-prometheus service account and monitoring namespace

Vault ACL Policy Defined

Vault exposes Prometheus metrics at the /sys/metrics url.

Since Prometheus needs read ability, we create the policy with this:

path "/sys/metrics" {
capabilities = ["read"]
}

Vault Sidecar Injection

Using a k8s MutatingWebhookConfiguration (vault-vault-agent-injector-cfg), Vault will add a sidecar to annotated pods.

See HashiCorp Vault Agent Annotations for details

The Big Bang prometheus pod is annotated with the following valules:

vault.hashicorp.com/agent-inject: "true"
vault.hashicorp.com/agent-init-first: "true"
vault.hashicorp.com/agent-inject-token: "true"
vault.hashicorp.com/role: "prometheus"

With these settings, the Vault sidecar will mount the Vault token assigned to the kubernetes/prometheus role inside the pod at /vault/secrets/token .

Mounting the token inside the pod allows the Prometheus configuration to pass the token when it scrapes data from Vault.

Prometheus Configuration

Prometheus is configured using a ServiceMonitor to scrape the metrics from Vault. We define the endpoint and location of the mounted token file to use for authentication.

(see monitoring/chart/templates/bigbang/vault-servicemonitor.yaml)

endpoints:
  - port: http
    path: /v1/sys/metrics
    bearerTokenFile: /vault/secrets/token
    scheme: http
    params:
      format: ["prometheus"]

Big Bang Development Environment Upgrade Issues

These only apply to development and testing environments which are using the Big Bang default settings

1. Earlier versions set the service account name to prometheus – it should be monitoring-monitoring-kube-prometheus
2. Fix: Using the Vault web interface, replace prometheus with monitoring-monitoring-kube-prometheus under the settings kubernetes/prometheus auth Bound service account names
3. Permission denied trying to re-authenticate after upgrade
4. see here for possible, related issue after-upgrading-to-kubernetes-1-21-kubernetes-authentication-request-to-vault-fails-with-permission-denied
5. Fix: Re-save the Access/Authentication Methods/kubernetes/Configuration/Configure settings

---

Last update: 2022-09-20 by evan.rush