Closed wbollock closed 5 hours ago
Right now the legacy cert/crl path is used to fetch the CRL for a PKI secrets engine, but this only accounts for the CRL of the default issuer of the secrets engine. The engine can have multiple issuers all with active CRLs.
https://github.com/aarnaud/vault-pki-exporter/blob/ec2a1b795c80df8db647fd6751d641f719836ee1/pkg/vault-mon/pki.go#L111-L133
It would be better to iterate over all issuers in a secrets engine and use the newer /pki/issuer/:issuer_ref/crl path. The new metric might look like:
x509_crl_length{source="pki/", issuer="<some-issuer-unique-id>"}
Making an issue for discussion, but I think I can pick this up eventually.
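A sketch of the per-issuer collection proposed in this issue, added here as an example; it is not code from vault-pki-exporter. The `fetch` callback, the issuer IDs and the sample CRLs are constructed stand-ins for the per-issuer CRL request, and treating `x509_crl_length` as the number of revoked entries is an assumption.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// sampleCRL returns a constructed, signed DER CRL with n revoked serials (demo data).
func sampleCRL(n int) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	issuer := &x509.Certificate{Subject: pkix.Name{CommonName: "constructed issuer"},
		KeyUsage: x509.KeyUsageCRLSign, SubjectKeyId: []byte{1, 2, 3, 4}}
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.Add(time.Hour)}
	for i := 1; i <= n; i++ {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates,
			pkix.RevokedCertificate{SerialNumber: big.NewInt(int64(i)), RevocationTime: now})
	}
	return x509.CreateRevocationList(rand.Reader, tmpl, issuer, key)
}
// crlLengthMetrics emits one sample per issuer. fetch is a hypothetical stand-in for
// a GET on the per-issuer CRL path; length is assumed to be the revoked-entry count.
func crlLengthMetrics(source string, issuers []string, fetch func(string) ([]byte, error)) ([]string, error) {
	var out []string
	for _, id := range issuers {
		der, err := fetch(id)
		if err != nil {
			return nil, fmt.Errorf("fetch CRL for issuer %s: %w", id, err)
		}
		rl, err := x509.ParseRevocationList(der)
		if err != nil {
			return nil, fmt.Errorf("parse CRL for issuer %s: %w", id, err)
		}
		out = append(out, fmt.Sprintf("x509_crl_length{source=%q, issuer=%q} %d", source, id, len(rl.RevokedCertificates)))
	}
	return out, nil
}
func main() {
	sizes := map[string]int{"issuer-a": 2, "issuer-b": 0} // constructed issuer IDs
	fetch := func(id string) ([]byte, error) { return sampleCRL(sizes[id]) }
	fmt.Println(crlLengthMetrics("pki/", []string{"issuer-a", "issuer-b"}, fetch))
}
```

Fetch and parse errors carry the issuer ID, so a broken CRL on one issuer is not mistaken for an empty one.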