Vault
Introduction
HashiCorp Vault is a secure data platform that provides secrets management, encryption as a service, and identity-based access. Vault centrally stores, accesses, and distributes dynamic secrets such as tokens, passwords, certificates, and encryption keys. Vault also keeps application data secure with centralized key management and simple APIs for data encryption.
Getting Started
Compatibility
vuSmartMaps supports monitoring Vault metrics through Vault's Prometheus metrics endpoint.
Data Collection Method
vuSmartMaps collects health and performance data for Vault using VuNet's Internal Data Collector.
Prerequisites
Inputs for Configuring Data Source
- Vault Server: The IP address/FQDN of the Vault server. This field is the key that identifies each server you add here.
- Vault's Endpoint: The metrics endpoint of the Vault server, e.g. http://127.0.0.1, https://127.0.0.1, http://127.0.0.1:8200 or https://127.0.0.1:8200
- Authentication Enabled on Vault Server Endpoint?: Whether authentication is required to communicate with the Vault server's metrics endpoint.
- Token: The authentication token for the Vault server.
- Period (in seconds): Time interval for polling data from the Vault server. The period must be between 60 seconds and 3000 seconds.
Firewall Requirement
To collect data from this O11ySource, ensure the following ports are opened:
Source IP | Destination IP | Destination Port | Protocol | Direction |
---|---|---|---|---|
vuSmartMaps IP | Vault Server | 8200* | TCP | Outbound |
*Update the port to match the customer environment before providing the firewall requirements.
Configuring the Target
Health and performance metrics are collected from Vault's Prometheus endpoint. The telemetry endpoint must be enabled on the Vault server so that the /metrics endpoint is reachable from the vuSmartMaps server.
How to enable the telemetry endpoint in the Vault server
Below are the two methods by which the telemetry endpoint can be enabled in the Vault server:
- Using token-based authentication
Below are the instructions to create the client token used to authenticate against the Vault telemetry endpoint:
  - Store the following read-only policy content in a JSON file named read-only-policy.json:
{
  "policy": "path \"secret/*\" { capabilities = [\"read\"] }\npath \"sys/metrics\" { capabilities = [\"read\"] }"
}
  - Upload the read-only policy to Vault using the API call below:
curl --header "X-Vault-Token: <vault_root_token>" --request PUT --data @read-only-policy.json http://<vault_address>:8200/v1/sys/policies/acl/read-only-policy
  - Generate a token with the read-only policy attached:
curl --header "X-Vault-Token: <vault_root_token>" --request POST --data '{"policies": ["read-only-policy"]}' http://<vault_address>:8200/v1/auth/token/create
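The three steps above carried through end to end, as an added example that is not part of the vuSmartMaps documentation or Vault's own tooling. It creates the ACL policy, mints a token that carries only that policy, scrapes /v1/sys/metrics?format=prometheus with it, and parses the response. Assumptions: the Vault address and root token come from the VAULT_ADDR and VAULT_ROOT_TOKEN environment variables, the policy name metrics-read-only is chosen here, and the policy is narrowed to sys/metrics only, because a metrics scrape does not need the secret/* read that the page's policy also grants. The sample metrics text is constructed for offline testing.

```python
"""Added example: token-based access to Vault's Prometheus metrics endpoint (not from the page)."""
import json
import os
import re
from typing import List, Optional, Tuple
import urllib.request

# Assumed policy name and a least-privilege policy body: the scrape only reads sys/metrics.
METRICS_POLICY_NAME = "metrics-read-only"
METRICS_POLICY_HCL = 'path "sys/metrics" { capabilities = ["read"] }'

# Constructed sample of Vault's Prometheus exposition output (not captured from a real server).
SAMPLE_METRICS = """# HELP vault_core_unsealed 1 when the node is unsealed
# TYPE vault_core_unsealed gauge
vault_core_unsealed{cluster="vault-cluster-demo"} 1
# TYPE vault_runtime_alloc_bytes gauge
vault_runtime_alloc_bytes 1.2345e+07
vault_token_count{namespace="root"} 42
"""


def policy_payload(policy_hcl: str = METRICS_POLICY_HCL) -> str:
    """JSON body for PUT /v1/sys/policies/acl/<name>; the 'policy' key carries the HCL as a string."""
    return json.dumps({"policy": policy_hcl})


def token_payload(policy_name: str = METRICS_POLICY_NAME, ttl: str = "768h") -> str:
    """JSON body for POST /v1/auth/token/create; a TTL keeps the collector token from living forever."""
    return json.dumps({"policies": [policy_name], "ttl": ttl, "renewable": True})


def vault_request(addr: str, token: str, method: str, path: str, body: Optional[str] = None) -> bytes:
    """Minimal Vault HTTP client: token in X-Vault-Token, optional JSON body, raw response bytes."""
    data = body.encode() if body is not None else None
    req = urllib.request.Request(f"{addr.rstrip('/')}{path}", method=method, data=data)
    req.add_header("X-Vault-Token", token)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def create_policy(addr: str, root_token: str, name: str = METRICS_POLICY_NAME) -> None:
    """Step 2 of the page: upload the ACL policy (root token needed only for this bootstrap)."""
    vault_request(addr, root_token, "PUT", f"/v1/sys/policies/acl/{name}", policy_payload())


def create_metrics_token(addr: str, root_token: str) -> str:
    """Step 3 of the page: mint a token that carries only the metrics policy."""
    raw = vault_request(addr, root_token, "POST", "/v1/auth/token/create", token_payload())
    return json.loads(raw)["auth"]["client_token"]


# name, optional {labels}, value; a trailing timestamp, if present, is ignored
METRIC_LINE = re.compile(r'^([a-zA-Z_:][a-zA-Z0-9_:]*)(\{[^}]*\})?\s+(\S+)')


def parse_prometheus_text(text: str) -> List[Tuple[str, str, float]]:
    """Parse Prometheus exposition text into (name, labels, value) samples; skips comments and blanks."""
    samples: List[Tuple[str, str, float]] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = METRIC_LINE.match(line)
        if m is None:
            continue  # malformed line: skip rather than abort the whole scrape
        samples.append((m.group(1), m.group(2) or "", float(m.group(3))))
    return samples


def metric_value(samples: List[Tuple[str, str, float]], name: str) -> Optional[float]:
    """First sample value for a metric name, whatever its labels; None if absent."""
    for sample_name, _labels, value in samples:
        if sample_name == name:
            return value
    return None


def scrape_metrics(addr: str, metrics_token: str) -> List[Tuple[str, str, float]]:
    """What the collector does on each period: GET the Prometheus-format metrics with the scoped token."""
    raw = vault_request(addr, metrics_token, "GET", "/v1/sys/metrics?format=prometheus")
    return parse_prometheus_text(raw.decode())


def unsealed(samples: List[Tuple[str, str, float]]) -> bool:
    """vault_core_unsealed is 1 on an unsealed node; a sealed node (e.g. after a restart) must be unsealed first."""
    return metric_value(samples, "vault_core_unsealed") == 1.0


if __name__ == "__main__":
    addr, root = os.environ.get("VAULT_ADDR"), os.environ.get("VAULT_ROOT_TOKEN")
    if addr and root:
        create_policy(addr, root)
        token = create_metrics_token(addr, root)
        live = scrape_metrics(addr, token)
        print(f"{len(live)} samples, unsealed={unsealed(live)}")
    else:
        print(f"offline: {len(parse_prometheus_text(SAMPLE_METRICS))} samples in constructed input")
```

The scoped token, not the root token, is what goes into the Token field of the data source; the root token is only used once to create the policy and the token.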
- Using unauthenticated access
To enable the telemetry endpoint with unauthenticated access, add the configuration below to the Vault configuration file; a restart of the server may be required to apply it. Administrators are recommended to follow the unsealing procedure whenever Vault is restarted.
listener "tcp" {
  address = "0.0.0.0:8200"
  cluster_addr = "0.0.0.0:8201"
  tls_disable = true
  telemetry {
    unauthenticated_metrics_access = "true"
  }
}
Configuration Steps
- Enable the O11ySource.
- Select the Sources tab and press the + button to add a new instance to be monitored.
- Provide the required configurations:
  - Vault Server
  - Vault's Endpoint
  - Authentication Enabled on Vault Server Endpoint?
  - Token
  - Period (in seconds)
- Click Save to close the data source window.
Metrics Collected
Name | Description | Data Type |
---|---|---|
@timestamp | Original timestamp in string format | String |
timestamp | Precise timestamp with milliseconds | DateTime64(3) |
o11ysource_name | Name of the O11ySource, a logical grouping | LowCardinality(String) |
target | Target system or resource | String |
host | Host identifier | String |
tenant_id | Tenant ID associated with the resource | LowCardinality(String) |
bu_id | Business unit ID | LowCardinality(String) |
tags | Additional metadata tags | Map(LowCardinality(String), String) |
name | Name of the event or metric | LowCardinality(String) |
metric_name | Name of the metric being tracked | LowCardinality(String) |
metric_value | Value of the metric | Float64 |
metric_value_diff | Difference in metric value compared to previous | Float64 |
interval | Interval of metric collection (in seconds) | UInt8 |