
Telemetry

The SCION CA setup is based on HashiCorp Vault and a vaultca service provided by Anapaya. Both processes expose telemetry in the form of Prometheus metrics. The following subsections describe the exposed metrics as well as how to set up the monitoring stack for the SCION CA.

Metrics

Vault instances configured by Anapaya expose two categories of Prometheus metrics:

  • Built-in metrics as defined by HashiCorp Vault

    For a list of all the metrics exposed by HashiCorp Vault, please refer to the official documentation. Metrics of high importance are the seal status of the Vault instance and the number of existing mount points. At the time of writing, the metric names for these features are vault.core.unsealed and vault.core.mount_table.num_entries.

  • Anapaya-defined metrics that relate to the SCION CA operations of the host

    To ensure that the Vault instances are operating correctly as SCION CAs, Anapaya has defined some additional metrics that are exposed:

vaultca metrics

| Metric | Description | Labels | Type |
|---|---|---|---|
| vaultca_build_info | vaultca build information | version | gauge |
| vaultca_certificate_matching_distinguished_name | Indicates that the distinguished name in the certificate contains the expected value for this engine. | isd_as, type, dn | gauge |
| vaultca_certificate_not_after_time | The NotAfter time of the last certificate that was successfully updated in vault | isd_as, type | gauge |
| vaultca_certificate_not_before_time | The NotBefore time of the last certificate that was successfully updated in vault | isd_as, type | gauge |
| vaultca_instance_id | The instance identifier of the last CA certificate that was successfully updated in vault. This is the number of the instance in the CommonName of the CA certificate. E.g., for a CA certificate with CommonName 'Anapaya CA - GEN I 2021.42', the instance identifier is 42. If the CA certificate does not have an instance identifier in the CommonName, the value is set to -1. | isd_as, type | gauge |
| vaultca_latest_trc_base_version | The base version of the latest TRC stored in the secret engine for the given ISD. | isd_as | gauge |
| vaultca_latest_trc_contains_root_certificate | Indicates if the current root certificate is included in the latest TRC. | isd_as | gauge |
| vaultca_latest_trc_not_after_time | The NotAfter time of the latest TRC stored in the secret engine for the given ISD. | isd_as | gauge |
| vaultca_latest_trc_not_before_time | The NotBefore time of the latest TRC stored in the secret engine for the given ISD. | isd_as | gauge |
| vaultca_latest_trc_serial_version | The serial version of the latest TRC stored in the secret engine for the given ISD. | isd_as | gauge |
| vaultca_update_task_enabled | Indicates if the periodic vaultca update task is enabled. | None | gauge |
| vaultca_update_task_errors_total | The number of failed runs of the periodic vaultca update task. | None | counter |
| vaultca_update_task_successes_total | The number of successful runs of the periodic vaultca update task. | None | counter |

Setting up monitoring for vault instances

The monitoring of the Anapaya CA stack is based on Prometheus, Grafana, Loki and AlertManager. They are all open-source tools with abundant online documentation and support.

The correct functionality of the stack requires:

  1. The management interface of the target vault instances must be reachable from the monitoring host.

  2. The firewall must allow HTTP(S) connections to the monitoring port(s) of the vault instances.

The following sections describe the steps required to set up the monitoring in more detail.

Enabling Telemetry on the Vault instance

If you are enabling telemetry in an instance of Vault, ensure that the Vault configuration (usually stored in /etc/vault.d/vault.hcl) contains the section:

telemetry {
  # retention time of metrics: only metrics updated less than 1m ago are exposed
  prometheus_retention_time = "1m"
  disable_hostname = true
}

Setting up monitoring stack

To set up the monitoring stack, follow the instructions under Set up a monitoring host.

Configure alert rules

It is recommended to install the alert rules provided by Anapaya for the SCION CA product on your Prometheus instance. The alert rules can be found under the name anapaya-alerts-scion-ca in Anapaya's Cloudsmith repository. To download them, use the following command:

The link below requires an access token to download the package; set the $ACCESS_TOKEN placeholder in the command accordingly.

curl -O https://dl.cloudsmith.io/$ACCESS_TOKEN/anapaya/stable/raw/names/anapaya-alerts-scion-ca/versions/<version>/anapaya-alerts-scion-ca-<version>.yml
Note: If you do not have an access token, contact the Anapaya customer success team.

To install the alert rules on the Prometheus instance follow the official instructions on adding an alert rule file to your Prometheus configuration.
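The metrics table above and the alert-rules section both turn on the same question: what do the vaultca and Vault gauges say about the health of the CA right now? The following added example (not Anapaya's code, and not the packaged anapaya-alerts-scion-ca rules) parses a constructed Prometheus text-format scrape and applies the checks a defender would typically alert on, with the equivalent PromQL expression noted beside each one. The label values (isd_as, type, dn), the timestamps and the alert names are all constructed for illustration; the only real interface assumed is Vault's `/v1/sys/metrics?format=prometheus` endpoint used by `fetch_metrics()`, which needs a live instance and is not called by the offline checks.

```python
"""Evaluate SCION CA health from Vault/vaultca Prometheus exposition text (added example)."""
import re
import urllib.request  # used only by fetch_metrics(); the checks below run offline

# One exposition line: metric name, optional {labels}, numeric value.
_LINE_RE = re.compile(r'^([A-Za-z_:][A-Za-z0-9_:]*)(\{[^}]*\})?\s+(\S+)')
_LABEL_RE = re.compile(r'([A-Za-z_][A-Za-z0-9_]*)="((?:[^"\\]|\\.)*)"')

DAY = 86400
NOW = 1_700_000_000  # fixed "current time" so the constructed sample is reproducible

# Constructed scrape output; label values and timestamps are illustrative, not captured.
SAMPLE_SCRAPE = """\
# HELP vault_core_unsealed 1 while the Vault instance is unsealed
vault_core_unsealed 1
vault_core_mount_table_num_entries 3
vaultca_build_info{version="x.y.z"} 1
vaultca_certificate_matching_distinguished_name{isd_as="1-ff00:0:110",type="ca",dn="CN=Example CA"} 1
vaultca_certificate_matching_distinguished_name{isd_as="1-ff00:0:110",type="as",dn="CN=Example AS"} 0
vaultca_certificate_not_after_time{isd_as="1-ff00:0:110",type="ca"} 1701728000
vaultca_certificate_not_after_time{isd_as="1-ff00:0:110",type="as"} 1725920000
vaultca_instance_id{isd_as="1-ff00:0:110",type="ca"} 42
vaultca_latest_trc_contains_root_certificate{isd_as="1"} 1
vaultca_latest_trc_not_after_time{isd_as="1"} 1731456000
vaultca_update_task_enabled 1
vaultca_update_task_errors_total 0
vaultca_update_task_successes_total 12
"""


def parse_exposition(text):
    """Return a list of (name, labels, value) samples from Prometheus text-format metrics."""
    samples = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE_RE.match(line)
        if not m:
            continue  # skip a malformed line instead of discarding the whole scrape
        labels = dict(_LABEL_RE.findall(m.group(2) or ""))
        samples.append((m.group(1), labels, float(m.group(3))))
    return samples


def fetch_metrics(vault_addr, token=None):
    """Scrape Vault's Prometheus endpoint (requires a reachable instance; token unless the
    listener allows unauthenticated metrics access)."""
    req = urllib.request.Request(vault_addr.rstrip("/") + "/v1/sys/metrics?format=prometheus")
    if token:
        req.add_header("X-Vault-Token", token)
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read().decode()


def evaluate(samples, now, expiry_warn_days=30):
    """Apply CA health checks; the comment above each gives the equivalent PromQL alert expression."""
    findings = []
    for name, labels, value in samples:
        # vault_core_unsealed == 0
        if name == "vault_core_unsealed" and value == 0:
            findings.append(("VaultSealed", labels, "instance is sealed"))
        # vaultca_certificate_matching_distinguished_name == 0
        elif name == "vaultca_certificate_matching_distinguished_name" and value == 0:
            findings.append(("CertificateDistinguishedNameMismatch", labels,
                             "DN does not contain the expected value"))
        # (vaultca_certificate_not_after_time - time()) < 30 * 24 * 3600
        elif name == "vaultca_certificate_not_after_time":
            days_left = (value - now) / DAY
            if days_left < expiry_warn_days:
                findings.append(("CertificateExpiringSoon", labels, f"expires in {days_left:.1f} days"))
        # (vaultca_latest_trc_not_after_time - time()) < 30 * 24 * 3600
        elif name == "vaultca_latest_trc_not_after_time":
            days_left = (value - now) / DAY
            if days_left < expiry_warn_days:
                findings.append(("TRCExpiringSoon", labels, f"latest TRC expires in {days_left:.1f} days"))
        # vaultca_latest_trc_contains_root_certificate == 0
        elif name == "vaultca_latest_trc_contains_root_certificate" and value == 0:
            findings.append(("RootCertificateNotInTRC", labels, "current root certificate missing from latest TRC"))
        # vaultca_instance_id == -1
        elif name == "vaultca_instance_id" and value == -1:
            findings.append(("CACertificateWithoutInstanceId", labels, "CommonName carries no instance identifier"))
        # vaultca_update_task_enabled == 0
        elif name == "vaultca_update_task_enabled" and value == 0:
            findings.append(("UpdateTaskDisabled", labels, "periodic vaultca update task is disabled"))
        # increase(vaultca_update_task_errors_total[1h]) > 0 in PromQL; a single scrape only
        # shows the lifetime count, so any non-zero value is flagged here.
        elif name == "vaultca_update_task_errors_total" and value > 0:
            findings.append(("UpdateTaskErrors", labels, f"{int(value)} failed update runs"))
    return findings


if __name__ == "__main__":
    for alert, labels, detail in evaluate(parse_exposition(SAMPLE_SCRAPE), NOW):
        print(f"{alert} {labels}: {detail}")
```

Run against the constructed sample, the evaluation reports a DN mismatch for the `as` engine and a CA certificate expiring in 20 days; everything else is healthy. In a real deployment the PromQL forms in the comments are what belong in an alert rule file, since Prometheus evaluates them continuously and handles counters with `increase()` rather than a one-off lifetime comparison.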

Configure dashboards

It is recommended to install the dashboards provided by Anapaya for the SCION CA product on your Grafana instance. The dashboards can be found under the name anapaya-dashboards-scion-ca in Anapaya's Cloudsmith repository. To download them, use the following command:

The link below requires an access token to download the package; set the $ACCESS_TOKEN placeholder in the command accordingly.

curl -1sLf -O 'https://dl.cloudsmith.io/$ACCESS_TOKEN/anapaya/stable/raw/names/anapaya-dashboards-scion-ca/versions/<version>/anapaya-dashboards-scion-ca-<version>.zip'
Note: If you do not have an access token, contact the Anapaya customer success team.

To import a JSON dashboard into Grafana, follow the official instructions.