New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[VAULT-2776] Add prefix_filter option to Vault #12025
Changes from 3 commits
7305528
6447939
73d3e97
6a28af2
6c2ad99
beae728
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
```release-note:improvement | ||
core: Add `prefix_filter` to telemetry config | ||
``` |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,19 @@ | ||
package configutil | ||
|
||
import ( | ||
"testing" | ||
|
||
"github.com/stretchr/testify/assert" | ||
) | ||
|
||
func TestParsePrefixFilters(t *testing.T) { | ||
prefixFilters := []string{"", "+vault.abc", "-vault.abc", "vault.abc"} | ||
|
||
allowedPrefixes, blockedPrefixes := parsePrefixFilter(prefixFilters) | ||
|
||
assert.Equal(t, len(allowedPrefixes), 1) | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. You can say There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I ended up just doing an |
||
assert.Equal(t, allowedPrefixes[0], prefixFilters[1][1:]) | ||
|
||
assert.Equal(t, len(blockedPrefixes), 1) | ||
assert.Equal(t, blockedPrefixes[0], prefixFilters[2][1:]) | ||
} |
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -51,6 +51,17 @@ The following options are available on all telemetry configurations. | |
- `add_lease_metrics_namespace_labels` `(bool: false)` - If this value is set to true, then `vault.expire.leases.by_expiration` | ||
will break down expiring leases by both time and namespace. This parameter is disabled by default because enabling it can lead | ||
to a large-cardinality metric. | ||
- `filter_default` - This controls whether to allow metrics that have not been specified by the filter. | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. Please add There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. |
||
Defaults to `true`, which will allow all metrics when no filters are provided. | ||
When set to `false` with no filters, no metrics will be sent. | ||
- `prefix_filter` `(string array: [])` - This is a list of filter rules to apply for allowing/blocking metrics by | ||
prefix in the following format: | ||
```json | ||
["+vault.token", "-vault.expire", "+vault.expire.num_leases"] | ||
``` | ||
A leading "**+**" will enable any metrics with the given prefix, and a leading "**-**" will block them. | ||
If there is overlap between two rules, the more specific rule will take precedence. Blocking will take priority if the same prefix is listed multiple times. | ||
|
||
|
||
### `statsite` | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
We never use the stdlib
log
in Vault. I would add anerror
return value to this func instead.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah yeah I wasn't sure if I should use
log
here. I think the only reason I didn't do error return, is cause the equivalent consul code logs out a warning when the filter is improperly formatted versus failing https://github.com/hashicorp/consul/blob/main/agent/config/builder.go#L652, so I was looking to maintain that pattern. Maybeopts.UI.Warn
would make sense https://github.com/hashicorp/vault/blob/main/internalshared/configutil/telemetry.go#L371 ?There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
6a28af2