From cd761dfa0a56ed079cdfa92172bf03f99d5109c4 Mon Sep 17 00:00:00 2001
From: Scott Miller
Date: Thu, 26 Oct 2023 10:07:34 -0500
Subject: [PATCH] Document the seal HA metrics and use labels for seal names (#23837)
* Document the seal HA metrics and use labels for seal names
* changelog
---
 changelog/23837.txt | 3 ++
 vault/seal/seal.go | 22 ++++++-------
 .../telemetry/metrics/core-system.mdx | 32 ++++++++++++-------
 .../vault/core/seal_decrypt.mdx | 11 +++++++
 .../vault/core/seal_encrypt.mdx | 11 +++++++
 .../vault/core/seal_unreachable.mdx | 6 ++++
 6 files changed, 61 insertions(+), 24 deletions(-)
 create mode 100644 changelog/23837.txt
 create mode 100644 website/content/partials/telemetry-metrics/vault/core/seal_decrypt.mdx
 create mode 100644 website/content/partials/telemetry-metrics/vault/core/seal_encrypt.mdx
 create mode 100644 website/content/partials/telemetry-metrics/vault/core/seal_unreachable.mdx
diff --git a/changelog/23837.txt b/changelog/23837.txt
new file mode 100644
index 0000000000..b3e17a00c9
--- /dev/null
+++ b/changelog/23837.txt
@@ -0,0 +1,3 @@
+```release-note:change
+telemetry: Seal wrap encrypt/decrypt metrics now differentiate between seals using a metrics label of seal name rather than separate metric names.
+```
\ No newline at end of file
diff --git a/vault/seal/seal.go b/vault/seal/seal.go
index 472539041b..0caa453053 100644
--- a/vault/seal/seal.go
+++ b/vault/seal/seal.go
@@ -599,18 +599,17 @@ GATHER_RESULTS:
 func (a *access) tryEncrypt(ctx context.Context, sealWrapper *SealWrapper, plaintext []byte, options ...wrapping.Option) (*wrapping.BlobInfo, error) {
 now := time.Now()
 var encryptErr error
+ mLabels := []metrics.Label{{Name: "seal_wrapper_name", Value: sealWrapper.Name}}
+
 defer func(now time.Time) {
- metrics.MeasureSince([]string{"seal", "encrypt", "time"}, now)
- metrics.MeasureSince([]string{"seal", sealWrapper.Name, "encrypt", "time"}, now)
+ metrics.MeasureSinceWithLabels([]string{"seal", "encrypt", "time"}, now, mLabels)
 if encryptErr != nil {
- metrics.IncrCounter([]string{"seal", "encrypt", "error"}, 1)
- metrics.IncrCounter([]string{"seal", sealWrapper.Name, "encrypt", "error"}, 1)
+ metrics.IncrCounterWithLabels([]string{"seal", "encrypt", "error"}, 1, mLabels)
 }
 }(now)
- metrics.IncrCounter([]string{"seal", "encrypt"}, 1)
- metrics.IncrCounter([]string{"seal", sealWrapper.Name, "encrypt"}, 1)
+ metrics.IncrCounterWithLabels([]string{"seal", "encrypt"}, 1, mLabels)
 ciphertext, encryptErr := sealWrapper.Wrapper.Encrypt(ctx, plaintext, options...)
 if encryptErr != nil {
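Review bot: Replacing the unlabelled `seal.encrypt`, `seal.encrypt.time` and `seal.encrypt.error` emissions in tryEncrypt with a single series tagged `seal_wrapper_name` can change the emitted metric name on sinks that have no native label support, and tryDecrypt in the next hunk has the same exposure. As far as I know, statsd-style go-metrics sinks fold label values into the key, so an alert keyed on the bare `seal.encrypt.error` name could stop matching without anything failing loudly; the release note only covers the per-seal names. I would record this next to the label definition, e.g. `// Label-unaware sinks append the seal name to the key; the bare seal.encrypt* names are no longer emitted.`, and repeat it in the upgrade notes so seal-failure alerting is migrated deliberately. tryEncrypt continues past the end of the hunk.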
@@ -744,18 +743,17 @@ GATHER_RESULTS:
 func (a *access) tryDecrypt(ctx context.Context, sealWrapper *SealWrapper, ciphertextByKeyId map[string]*wrapping.BlobInfo, options []wrapping.Option) ([]byte, bool, error) {
 now := time.Now()
 var decryptErr error
+ mLabels := []metrics.Label{{Name: "seal_wrapper_name", Value: sealWrapper.Name}}
+
 defer func(now time.Time) {
- metrics.MeasureSince([]string{"seal", "decrypt", "time"}, now)
- metrics.MeasureSince([]string{"seal", sealWrapper.Name, "decrypt", "time"}, now)
+ metrics.MeasureSinceWithLabels([]string{"seal", "decrypt", "time"}, now, mLabels)
 if decryptErr != nil {
- metrics.IncrCounter([]string{"seal", "decrypt", "error"}, 1)
- metrics.IncrCounter([]string{"seal", sealWrapper.Name, "decrypt", "error"}, 1)
+ metrics.IncrCounterWithLabels([]string{"seal", "decrypt", "error"}, 1, mLabels)
 }
 }(now)
- metrics.IncrCounter([]string{"seal", "decrypt"}, 1)
- metrics.IncrCounter([]string{"seal", sealWrapper.Name, "decrypt"}, 1)
+ metrics.IncrCounterWithLabels([]string{"seal", "decrypt"}, 1, mLabels)
 var pt []byte
diff --git a/website/content/docs/internals/telemetry/metrics/core-system.mdx b/website/content/docs/internals/telemetry/metrics/core-system.mdx
index 90476dd3b7..46508c8051 100644
--- a/website/content/docs/internals/telemetry/metrics/core-system.mdx
+++ b/website/content/docs/internals/telemetry/metrics/core-system.mdx
@@ -42,10 +42,6 @@ Vault instance.
 @include 'telemetry-metrics/vault/core/performance_standby.mdx'
-@include 'telemetry-metrics/vault/core/post_unseal.mdx'
-
-@include 'telemetry-metrics/vault/core/pre_seal.mdx'
-
 @include 'telemetry-metrics/vault/core/replication/dr/primary.mdx'
 @include 'telemetry-metrics/vault/core/replication/dr/secondary.mdx'
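Review bot: The keys emitted in tryDecrypt are `seal.decrypt`, `seal.decrypt.time` and `seal.decrypt.error`, but the partial added by this commit documents `vault.core.seal.decrypt` and `vault.core.seal.decrypt.time` and has no entry for the error counter or the `seal_wrapper_name` label; tryEncrypt and seal_encrypt.mdx show the same gap. Unless a `core` segment is added somewhere outside this hunk, operators building seal-failure alerts from the docs would query names that are never emitted. A short comment above `mLabels` would keep code and docs aligned, e.g. `// Emits seal.decrypt, seal.decrypt.time and seal.decrypt.error, labelled seal_wrapper_name=<seal name>.`, with the doc headings adjusted to match. decryptErr is assigned outside the hunk, so whether the error counter fires on every failure path cannot be confirmed from here.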
@@ -56,16 +52,8 @@ Vault instance.
 @include 'telemetry-metrics/vault/core/replication/write_undo_logs.mdx'
-@include 'telemetry-metrics/vault/core/seal_internal.mdx'
-
-@include 'telemetry-metrics/vault/core/seal_with_request.mdx'
-
 @include 'telemetry-metrics/vault/core/step_down.mdx'
-@include 'telemetry-metrics/vault/core/unseal.mdx'
-
-@include 'telemetry-metrics/vault/core/unsealed.mdx'
-
 ## Barrier metrics
 @include 'telemetry-metrics/vault/barrier/delete.mdx'
@@ -157,3 +145,23 @@ Vault instance.
 @include 'telemetry-metrics/vault/runtime/total_gc_pause_ns.mdx'
 @include 'telemetry-metrics/vault/runtime/total_gc_runs.mdx'
+
+## Seal metrics
+
+@include 'telemetry-metrics/vault/core/post_unseal.mdx'
+
+@include 'telemetry-metrics/vault/core/pre_seal.mdx'
+
+@include 'telemetry-metrics/vault/core/seal_encrypt.mdx'
+
+@include 'telemetry-metrics/vault/core/seal_decrypt.mdx'
+
+@include 'telemetry-metrics/vault/core/seal_internal.mdx'
+
+@include 'telemetry-metrics/vault/core/seal_unreachable.mdx'
+
+@include 'telemetry-metrics/vault/core/seal_with_request.mdx'
+
+@include 'telemetry-metrics/vault/core/unseal.mdx'
+
+@include 'telemetry-metrics/vault/core/unsealed.mdx'
diff --git a/website/content/partials/telemetry-metrics/vault/core/seal_decrypt.mdx b/website/content/partials/telemetry-metrics/vault/core/seal_decrypt.mdx
new file mode 100644
index 0000000000..540c5cad13
--- /dev/null
+++ b/website/content/partials/telemetry-metrics/vault/core/seal_decrypt.mdx
@@ -0,0 +1,11 @@
+### vault.core.seal.decrypt ((#vault-core-seal))
+
+Metric type | Value | Description
+----------- | ------ | -----------
+counter | number | The number of times a seal-wrapped value has been decrypted
+
+### vault.core.seal.decrypt.time ((#vault-core-seal))
+
+Metric type | Value | Description
+----------- | ----- | -----------
+summary | ms | The time taken to seal decrypt a seal-wrapped value.
diff --git a/website/content/partials/telemetry-metrics/vault/core/seal_encrypt.mdx b/website/content/partials/telemetry-metrics/vault/core/seal_encrypt.mdx
new file mode 100644
index 0000000000..f1bdce02d4
--- /dev/null
+++ b/website/content/partials/telemetry-metrics/vault/core/seal_encrypt.mdx
@@ -0,0 +1,11 @@
+### vault.core.seal.encrypt ((#vault-core-seal))
+
+Metric type | Value | Description
+----------- | ------ | -----------
+counter | number | The number of times a seal-wrapped value has been encrypted
+
+### vault.core.seal.encrypt.time ((#vault-core-seal))
+
+Metric type | Value | Description
+----------- | ----- | -----------
+summary | ms | The time taken to seal encrypt a seal-wrapped value.
diff --git a/website/content/partials/telemetry-metrics/vault/core/seal_unreachable.mdx b/website/content/partials/telemetry-metrics/vault/core/seal_unreachable.mdx
new file mode 100644
index 0000000000..20a1f4881c
--- /dev/null
+++ b/website/content/partials/telemetry-metrics/vault/core/seal_unreachable.mdx
@@ -0,0 +1,6 @@
+### vault.core.seal.unreachable.time ((#vault-core-seal))
+
+Metric type | Value | Description
+----------- | ----- | -----------
+summary | ms | The total time a seal has been unreachable by health check.
+