Ingest Vault Metrics Configuration with OpenTelemetry (Otel) and Apica Ascent
This document outlines the steps to configure an OpenTelemetry (Otel) Collector to scrape Vault metrics and ingest them into Apica Ascent.
Prerequisites
Ensure the following are available:
Vault installed in the cluster
OpenTelemetry Helm chart repository added
Apica Ascent credentials (URL and token)
Steps
Create new OpenTelemetry Collector configuration as a DaemonSet.
Step 1: Add Helm Repositories
helm repo add prometheus-community https://prometheus-community.github.io/helm-charts
helm repo update
helm repo add open-telemetry https://open-telemetry.github.io/opentelemetry-helm-charts
helm repo update
Step 2: Create Namespace for OpenTelemetry
kubectl create namespace otel
Step 3: Apply Service Account and RBAC
kubectl apply -f 1-apica-svc-rbac.yaml -notel
Step 4: Install OpenTelemetry Operator
helm install opentelemetry-operator open-telemetry/opentelemetry-operator \
--set "manager.collectorImage.repository=logiqai/opentelemetry-collector-k8s" \
--set "manager.collectorImage.tag=v1-0.105.0" \
--set "admissionWebhooks.certManager.enabled=false" \
--set "admissionWebhooks.autoGenerateCert.enabled=true" \
-notel --debug
Step 5: Update Configuration Values in 2-apica-otel-config.yaml
Before creating the ConfigMap, update the following values:
APICA_URL: Host URL of the Ascent to ingest the metrics
APICA_TOKEN: Replace with the ingest token of Ascent (Settings > Account > Copy Ingest Token)
RUNTIME: Add the runtime identifier
CUSTOMER: Add the customer identifier
Apply the updated configuration:
kubectl apply -f 2-apica-otel-config.yaml -notel
Step 6: Deploy OpenTelemetry Collector as DaemonSet
kubectl apply -f 3-apica-otel-collector-operator-daemon.yaml -notel
Step 7: Verify Vault Metrics
Check the logs to ensure Vault metrics are being scraped:
kubectl logs pod/<pod-name> -notel | grep 'Name'
Update the existing OpenTelemetry Collector configuration.
Edit the OpenTelemetryCollector resource:
kubectl edit OpenTelemetryCollector/apica-otel-collector -notel
Add New Receiver for Vault Metrics
receivers:
prometheus:
config:
scrape_configs:
- job_name: vault-metrics-collector
metrics_path: /v1/sys/metrics
scrape_interval: 60s
static_configs:
- targets:
- vault.vault.svc.cluster.local:8200 # Verify the Vault service endpoint
Add Exporter for Metrics
exporters:
otlphttp/apicametrics:
compression: gzip
disable_keep_alives: true
encoding: proto
metrics_endpoint: "${APICA_URL}/v1/metrics"
headers:
Authorization: "Bearer ${APICA_TOKEN}"
tls:
insecure: false
insecure_skip_verify: true
Add processors
processors:
attributes/apica_labels:
actions:
- action: insert
key: runtime
value: ${RUNTIME} # Replace with runtime identifier
- action: insert
key: customer
value: ${CUSTOMER} # Replace with customer identifier
Update Service Pipeline
If a metrics pipeline already exists, update the exporters, processors, and receivers as needed:
service:
pipelines:
metrics:
exporters:
- otlphttp/apicametrics
- debug
processors:
- memory_limiter
- batch
- resourcedetection/system
- transform/metrics
- attributes/apica_labels
receivers:
- prometheus
Notes
Replace placeholders (${APICA_URL}, ${APICA_TOKEN}, ${RUNTIME}, ${CUSTOMER}) with actual values before applying the configurations.
Ensure the Vault service endpoint is reachable at vault.vault.svc.cluster.local:8200.
Use the logs to verify the scraping process and troubleshoot if necessary.
