The OpenTelemetry Collector, when configured with a Prometheus receiver, provides an integration with Hashicorp Vault to scrape Prometheus metrics. The Collector uses the Prometheus Receiver to fetch metrics from the configured path in the Hashicorp Vault configuration file. From there, the metrics are processed and exported to Lightstep Observability.
To complete the integration, you will:
- Configure Hashicorp Vault to use the Prometheus exporter.
- Configure the Collector to use the Hashicorp Vault endpoint as a scrape target for the Prometheus receiver.
- Enable the integration by adding it to a pipeline.
Prerequisites
You’ve configured the Collector to export metric data to Lightstep Observability.
Configure Hashicorp Vault reporting
You need to configure Hashicorp Vault to enable Prometheus and then define Prometheus ACL policy.
-
To enable Prometheus metrics in Hashicorp Vault, you need to set
prometheus_retention_time
to a non-zero value.
In the/vault/config/server.hcl
file, add the following:1 2 3 4 5 6
... telemetry { disable_hostname = true prometheus_retention_time = "12h" }
-
Define the Prometheus ACL policy.
Prometheus requires a Vault token with sufficient permissions to successfully consume metrics from the endpoint.
In the/vault/config/policies/prometheus-metrics.hcl
file, add the following:1 2 3 4 5
... path "/sys/metrics" { capabilities = ["read"] }
For more details about using Hashicorp Vault with the Prometheus exporter, see the official Hashicorp Vault documentation.
Configure the Collector receiver
In the Collector configuration file, configure the Prometheus receiver to use the Hashicorp Vault Prometheus endpoint as a scrape target.
1
2
3
4
5
6
7
8
9
10
11
12
13
receivers:
prometheus:
config:
scrape_configs:
- job_name: 'vault'
scrape_inteval: 10s
scrape_timeout: 20s
metrics_path: '/v1/sys/metrics'
params:
format: ['prometheus']
static_configs:
- targets: ['localhost:8280]
The OpenTelemetry repo’s README provides additional details about Prometheus receiver configuration.
More details about the Prometheus scrape configuration can be found here.
Enable the Collector receiver
Once the Hashicorp Vault receiver is configured, enable it by adding it to one or more pipelines as described in the Collector configuration documentation.
Validate metrics are reporting to Lightstep
You can validate that metrics are reporting to Lightstep on the Metrics details page in Project settings.
-
In Lightstep, click Project settings > Metric details.
-
Search for Hashicorp Vault metric names.
See the Hashicorp Vault for a complete list of emitted metrics.
-
If needed, click on the metric to edit the description and how the units are displayed in Lightstep.
Create a dashboard for the metrics
Use the Lightstep Terraform Provider to create a dashboard for the metrics.
Additional resources
For a more complete example that’s ready to run, see the Hashicorp Vault integration in Lightstep OpenTelemetry Examples.