Vault cache implementations

Dear all

Could you please tell me what cache will be instroduced by this config parameter “disable_cache:false” at Vault? Does this cache config is related to the Vault Cache Agent?

As I understand there is also a cache which can be configured for the Transit secret engine.

Are three any other cache implementation available at Vault (Im using v. 1.7)?

Thank you for your feedback
Cheers

Hello!

The disable_cache configuration item is part of the Vault Server configuration. This cache system is different from Vault Agent Caching, which works on the client-side to cache responses containing newly created tokens and leased secrets.

It is important to note that setting disable_cache: true within the Vault Server Configuration will very significantly impact Vault Server performance.

Hi @michaelkosir

Thank you for your feedback!
Since the Transit secret engine has its own cache. Will read operations will be cached be Vault Server or Transit secret engine cache?

You can set a custom caching strategy for the Transit engine only if caching is enabled at the global level. It appears that the Transit engine checks the disable_cache server configuration item during setup/initialization.

Setting disable_cache: true means the Vault server won’t use caching, and neither will the Transit engine.

Hi @michaelkosir

Thank you for your explanation!
It there a way to monitor cache entries or cache size at Vault?

If you are collecting Vault telemetry data, there are a few metrics related to caching.

Telemetry is configured through the Vault Server configuration. You will need an upstream system that will receive the data published by Vault (statsd, dogstatsd, prometheus, etc). Additionally, you will likely want a visualization tool to explore and monitor the metrics (Kibana, Datadog, Grafana, etc).

Review the guide on Vault Observability - Monitoring at Scale. For your case, specifically the section around Telemetry.

Thank you very much @michaelkosir .
It s exactly what I was looking for.