[VAULT-2776] Add prefix_filter option to Vault #12025
Conversation
| case '-': | ||
| telemetryBlockedPrefixes = append(telemetryBlockedPrefixes, rule[1:]) | ||
| default: | ||
| log.Printf("Filter rule must begin with either '+' or '-': %q", rule) |
There was a problem hiding this comment.
We never use the stdlib log in Vault. I would add an error return value to this func instead.
There was a problem hiding this comment.
Ah yeah I wasn't sure if I should use log here. I think the only reason I didn't do error return, is cause the equivalent consul code logs out a warning when the filter is improperly formatted versus failing https://github.com/hashicorp/consul/blob/main/agent/config/builder.go#L652, so I was looking to maintain that pattern. Maybe opts.UI.Warn would make sense https://github.com/hashicorp/vault/blob/main/internalshared/configutil/telemetry.go#L371 ?
| @@ -51,6 +51,17 @@ The following options are available on all telemetry configurations. | |||
| - `add_lease_metrics_namespace_labels` `(bool: false)` - If this value is set to true, then `vault.expire.leases.by_expiration` | |||
| will break down expiring leases by both time and namespace. This parameter is disabled by default because enabling it can lead | |||
| to a large-cardinality metric. | |||
| - `filter_default` - This controls whether to allow metrics that have not been specified by the filter. | |||
There was a problem hiding this comment.
Please add (bool: true) to describe this param.
|
|
||
| allowedPrefixes, blockedPrefixes := parsePrefixFilter(prefixFilters) | ||
|
|
||
| assert.Equal(t, len(allowedPrefixes), 1) |
There was a problem hiding this comment.
You can say assert.Len to check the length with testify.
There was a problem hiding this comment.
I ended up just doing an assert.Equal against an expected array, while refactoring the test
6a28af2
|
I know Consul doesn't treat a config error here as a failure and will start up with warnings, but I would prefer we were stricter. I think it's a bad UX to ignore config errors. Also, could you add fixture-based test(s) like we do for most other config parsing code? Look under |
Roger, i would concur with that tbh, will change it to error out.
Will do! |
|
|
|
||
| allowedPrefixes, blockedPrefixes, err := parsePrefixFilter(tc.inputFilters) | ||
|
|
||
| if err != nil { |
There was a problem hiding this comment.
It's fine with the cases you have now, but I consider it best practice when you have an expected error field in your test case type to do something like
if err != nil { compare with expected error }
else { assert expected error empty}
There was a problem hiding this comment.
ah that makes sense! added that here 6c2ad99
.gitignore
Outdated
| @@ -48,7 +48,7 @@ Vagrantfile | |||
| # Configs | |||
| *.hcl | |||
| !command/agent/config/test-fixtures/*.hcl | |||
| !command/server/test-fixtures/*.hcl | |||
| !command/server/test-fixtures/*/*.hcl | |||
There was a problem hiding this comment.
Should this be **/*.hcl instead of */*.hcl?
* [VAULT-2776] Add prefix_filter support to vault * [VAULT-2776] Add filter_default config, update docs * [VAULT-2776] Add changelog file * [VAULT-2776] Update telemetry tests and error handling * [VAULT-2776] Add test fixtures, update test * [VAULT-2776] Update gitignore hcl filter
prefix_filteroption to the telemetry configs, that can explicitly allow or block certain metric prefixes.filter_defaultoption to the telemetry configs, which is required in conjunction with the config above, to decide whether all metrics are allowed or denied by default. This is currently always true, but users may want to control this in their vault config along withprefix_filter.Note that this attempts to maintain parity with this config in consul https://www.consul.io/docs/agent/options#telemetry-prefix_filter
Also, the logic for parsing the prefixFilter config is pretty much lifted from here https://github.com/hashicorp/consul/blob/main/agent/config/builder.go#L640-L654
Related GH issue: #3792