I’m running a Vault 1.13.1 in HA mode (3 replicas) with internal Raft storage in a Kubernetes cluster. Vault is installed via vault-helm as a sub chart with some extensions (mainly snapshot / backup related resources) and managed by a GitOps Controller (Argo CD). Prometheus Operator in the form of a kube-prometheus-stack is present in the cluster. Vault is configured to allow unauthenticated access to its metrics API. However, Prometheus shows the target vault-active as ‘down’:
server returned HTTP status 403 Forbidden
The relevant portions of the Vault Chart values look like this:
global:
  tlsDisable: true
  serverTelemetry:
    prometheusOperator: true
server:
  ha:
    enabled: true
    replicas: 3
    config: >
      disable_mlock: true
      ui = true
      listener "tcp" {
        tls_disable = true
        address = "[::]:8200"
        cluster_address = "[::]:8201"
        telemetry {
          unauthenticated_metrics_access = true
        }
      }
      telemetry {
        prometheus_retention_time = "24h"
        disable_hostname = true
      }
serverTelemetry:
  serviceMonitor:
    enabled: true
Does anyone have a clue why Vault reports HTTP 403 when accessing /v1/sys/metrics?
Any hints appreciated, thanks in advance.