Hello folks!
I'm trying to scrape Vault metrics via a Prometheus ServiceMonitor. To allow the ServiceMonitor to authenticate with Vault, I generated a token and added it to the ServiceMonitor as bearerTokenSecret, but it looks like the Prometheus operator doesn't work as expected with the bearer token as a secret, since it starts throwing HTTP 400 errors when it tries to scrape the metrics.
As a fix for the above, I used bearerTokenFile instead, following the steps below:
- create a service account without the token.
- create a secret which has the Vault token.
- add the secret to the service account created in step 1.
After that I created the ServiceMonitor with the manifest below; then I started getting 500 errors when Prometheus scraped the metrics, and the Vault logs were showing:
[ERROR] core: failed to lookup acl token: error="failed to look up namespace from the token: no namespace"
apiVersion: v1
kind: ServiceAccount
metadata:
  name: prometheus-vault
  namespace: vault
  labels:
    release: prometheus
automountServiceAccountToken: false
secrets:
  - name: vault-prometheus-token
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  name: vault-servicemonitor
  namespace: vault
  labels:
    release: prometheus
spec:
  selector:
    matchLabels:
      app.kubernetes.io/name: vault
  endpoints:
    - interval: 20s
      path: /v1/sys/metrics
      port: http
      params:
        format:
          - prometheus
      tlsConfig:
        insecureSkipVerify: true
      bearerTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token"
Notes:
- vault version 10.1.2 - helm chart deployment.
- Prometheus version is 2.35.0 - helm chart deployment.
I would truly appreciate your guidance.
Abeer