New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[VAULT-2776] Add prefix_filter option to Vault #12025
Conversation
case '-': | ||
telemetryBlockedPrefixes = append(telemetryBlockedPrefixes, rule[1:]) | ||
default: | ||
log.Printf("Filter rule must begin with either '+' or '-': %q", rule) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We never use the stdlib log
in Vault. I would add an error
return value to this func instead.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah yeah I wasn't sure if I should use log
here. I think the only reason I didn't do error return, is cause the equivalent consul code logs out a warning when the filter is improperly formatted versus failing https://github.com/hashicorp/consul/blob/main/agent/config/builder.go#L652, so I was looking to maintain that pattern. Maybe opts.UI.Warn
would make sense https://github.com/hashicorp/vault/blob/main/internalshared/configutil/telemetry.go#L371 ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@@ -51,6 +51,17 @@ The following options are available on all telemetry configurations. | |||
- `add_lease_metrics_namespace_labels` `(bool: false)` - If this value is set to true, then `vault.expire.leases.by_expiration` | |||
will break down expiring leases by both time and namespace. This parameter is disabled by default because enabling it can lead | |||
to a large-cardinality metric. | |||
- `filter_default` - This controls whether to allow metrics that have not been specified by the filter. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add (bool: true)
to describe this param.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
|
||
allowedPrefixes, blockedPrefixes := parsePrefixFilter(prefixFilters) | ||
|
||
assert.Equal(t, len(allowedPrefixes), 1) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You can say assert.Len
to check the length with testify.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I ended up just doing an assert.Equal
against an expected array, while refactoring the test
6a28af2
I know Consul doesn't treat a config error here as a failure and will start up with warnings, but I would prefer we were stricter. I think it's a bad UX to ignore config errors. Also, could you add fixture-based test(s) like we do for most other config parsing code? Look under |
Roger, i would concur with that tbh, will change it to error out.
Will do! |
|
|
||
allowedPrefixes, blockedPrefixes, err := parsePrefixFilter(tc.inputFilters) | ||
|
||
if err != nil { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's fine with the cases you have now, but I consider it best practice when you have an expected error field in your test case type to do something like
if err != nil { compare with expected error }
else { assert expected error empty}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
ah that makes sense! added that here 6c2ad99
.gitignore
Outdated
@@ -48,7 +48,7 @@ Vagrantfile | |||
# Configs | |||
*.hcl | |||
!command/agent/config/test-fixtures/*.hcl | |||
!command/server/test-fixtures/*.hcl | |||
!command/server/test-fixtures/*/*.hcl |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should this be **/*.hcl
instead of */*.hcl
?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
it should! beae728
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, possibly modulo the .gitignore change.
* [VAULT-2776] Add prefix_filter support to vault * [VAULT-2776] Add filter_default config, update docs * [VAULT-2776] Add changelog file * [VAULT-2776] Update telemetry tests and error handling * [VAULT-2776] Add test fixtures, update test * [VAULT-2776] Update gitignore hcl filter
prefix_filter
option to the telemetry configs, that can explicitly allow or block certain metric prefixes.filter_default
option to the telemetry configs, which is required in conjunction with the config above, to decide whether all metrics are allowed or denied by default. This is currently always true, but users may want to control this in their vault config along withprefix_filter
.Note that this attempts to maintain parity with this config in consul https://www.consul.io/docs/agent/options#telemetry-prefix_filter
Also, the logic for parsing the prefixFilter config is pretty much lifted from here https://github.com/hashicorp/consul/blob/main/agent/config/builder.go#L640-L654
Related GH issue: #3792