hashicorp / vault-k8s

First-class support for Vault and Kubernetes.
Mozilla Public License 2.0

vault agent export container port for scrape metrics through podmonitor #634

Open Danny5487401 opened 5 months ago

Danny5487401 commented 5 months ago

Is your feature request related to a problem? Please describe.

There is a need to get metrics like vault.agent.auth.failure from the Vault agent sidecar.

Describe the solution you'd like

Expose a port for PodMonitor to scrape metrics.

Describe alternatives you've considered

Add container ports in the k8s YAML.

Additional context

Add any other context or screenshots about the feature request here.

LS80 commented 4 days ago

A PodMonitor requires a port to be defined as a containerPort. You can add that with the existing annotations:

```yaml
vault.hashicorp.com/agent-telemetry-prometheus_retention_time: 2m
vault.hashicorp.com/agent-json-patch: '[{"op": "replace", "path": "/ports", "value": [{"containerPort": 8200, "name": "metrics"}]}]'
```

```yaml
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: my-app
spec:
  jobLabel: app
  selector:
    matchLabels:
      app: my-app
  podMetricsEndpoints:
    - port: metrics
      params:
        format:
          - prometheus
      interval: 1m
      filterRunning: true
```

But Prometheus won't be able to connect as the Vault agent only listens on localhost. You could use a proxy sidecar as mentioned in https://github.com/hashicorp/vault-k8s/issues/331#issuecomment-2407364711.

Ideally we would have a single annotation to add all the required configuration.
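The `agent-json-patch` annotation above is an RFC 6902 patch applied to the injected agent container, and RFC 6902 `replace` is only valid when the target location already exists. The following is an added example for this thread, not code from the issue or from the vault-k8s project: it dry-runs that exact patch value against two constructed container specs (one without a `ports` field, one with) and reports whether the PodMonitor's `port: metrics` would find a matching named containerPort afterwards. The thread does not state whether the injected `vault-agent` container declares ports, so both shapes are checked; the image names are placeholders, and `as_add_operations` is a helper introduced here. It covers only the containerPort half of the problem; the localhost listener issue described in the comment is separate.

```python
"""Dry-run a vault.hashicorp.com/agent-json-patch value against a container spec.

Added example for this thread (not code from the issue or from vault-k8s).
"""
import json

# Patch copied verbatim from the annotation in the comment above.
AGENT_JSON_PATCH = (
    '[{"op": "replace", "path": "/ports", '
    '"value": [{"containerPort": 8200, "name": "metrics"}]}]'
)

# Constructed sample container specs (image names are placeholders). Whether the
# injected vault-agent container declares ports is not stated in the thread, so
# both shapes are checked.
CONTAINER_NO_PORTS = {"name": "vault-agent", "image": "vault:PLACEHOLDER"}
CONTAINER_WITH_PORTS = {
    "name": "vault-agent",
    "image": "vault:PLACEHOLDER",
    "ports": [{"containerPort": 8200, "name": "http"}],
}


class PatchError(Exception):
    """Raised when an operation is invalid for the target document (RFC 6902 section 5)."""


def _tokens(pointer):
    """Split an RFC 6901 JSON pointer into reference tokens, unescaping ~1 and ~0."""
    if not pointer.startswith("/"):
        raise PatchError(f"unsupported pointer {pointer!r}")
    return [t.replace("~1", "/").replace("~0", "~") for t in pointer.split("/")[1:]]


def _walk(node, tokens):
    """Descend along `tokens`; every intermediate node must already exist."""
    for tok in tokens:
        try:
            node = node[int(tok)] if isinstance(node, list) else node[tok]
        except (KeyError, IndexError, ValueError):
            raise PatchError(f"path component {tok!r} does not exist") from None
    return node


def apply_json_patch(doc, patch):
    """Apply add/replace/remove operations and return a patched deep copy of `doc`."""
    doc = json.loads(json.dumps(doc))  # deep copy so the caller's spec is untouched
    for op in patch:
        tokens = _tokens(op["path"])
        parent, key = _walk(doc, tokens[:-1]), tokens[-1]
        kind = op["op"]
        if isinstance(parent, list):
            idx = len(parent) if key == "-" else int(key)
            if kind == "add":
                parent.insert(idx, op["value"])
            elif kind in ("replace", "remove") and idx >= len(parent):
                raise PatchError(f"index {idx} out of range for {kind}")
            elif kind == "replace":
                parent[idx] = op["value"]
            elif kind == "remove":
                del parent[idx]
            else:
                raise PatchError(f"unsupported op {kind!r}")
        elif isinstance(parent, dict):
            if kind == "add":
                parent[key] = op["value"]  # add creates the member or overwrites it
            elif kind in ("replace", "remove") and key not in parent:
                raise PatchError(f"{kind} target {op['path']!r} does not exist")
            elif kind == "replace":
                parent[key] = op["value"]
            elif kind == "remove":
                del parent[key]
            else:
                raise PatchError(f"unsupported op {kind!r}")
        else:
            raise PatchError(f"parent of {op['path']!r} is not a container")
    return doc


def named_ports_after_patch(container, annotation_value):
    """Return the set of containerPort names present once the annotation patch is applied."""
    patched = apply_json_patch(container, json.loads(annotation_value))
    return {p["name"] for p in patched.get("ports", []) if "name" in p}


def podmonitor_port_resolves(container, annotation_value, port_name="metrics"):
    """True if a PodMonitor `port: <port_name>` would match a containerPort on this container.

    A patch that cannot be applied (replace on a missing /ports) yields False.
    """
    try:
        return port_name in named_ports_after_patch(container, annotation_value)
    except PatchError:
        return False


def as_add_operations(annotation_value):
    """Rewrite replace ops to add, which RFC 6902 accepts whether or not the member exists."""
    ops = json.loads(annotation_value)
    return json.dumps([{**op, "op": "add"} if op["op"] == "replace" else op for op in ops])


if __name__ == "__main__":
    for label, c in (("no ports", CONTAINER_NO_PORTS), ("with ports", CONTAINER_WITH_PORTS)):
        print(label, "replace:", podmonitor_port_resolves(c, AGENT_JSON_PATCH),
              "add:", podmonitor_port_resolves(c, as_add_operations(AGENT_JSON_PATCH)))
```

Running the script shows `replace` succeeding only when the container already has a `ports` list, while the `add` variant produces the named `metrics` port in both cases; if the injected agent container turns out to have no ports, `"op": "add"` is the safer spelling of the same annotation.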