add vault.agent.authenticated metric

fix metric name
hashicorp · May 9, 2024 · d1e0696 · d1e0696
1 parent 842dff8
commit d1e0696
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 0 deletions.
diff --git a/changelog/26570.txt b/changelog/26570.txt
@@ -0,0 +1,3 @@
+```release-note:improvement
+agent: Add metric (vault.agent.authenticated) that is set to 1 when vault agent has a valid token and zero if it does not.
+```
diff --git a/command/agentproxyshared/auth/auth.go b/command/agentproxyshared/auth/auth.go
@@ -144,12 +144,18 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 	backoffCfg := newAutoAuthBackoff(ah.minBackoff, ah.maxBackoff, ah.exitOnError)
 
 	ah.logger.Info("starting auth handler")
+
+	// Set unauthenticated when starting up
+	metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
+
 	defer func() {
 		am.Shutdown()
 		close(ah.OutputCh)
 		close(ah.TemplateTokenCh)
 		close(ah.ExecTokenCh)
 		ah.logger.Info("auth handler stopped")
+		// Set unauthenticated when shutting down
+		metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 	}()
 
 	credCh := am.NewCreds()
@@ -216,6 +222,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("error creating client for authentication call", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -243,6 +251,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("could not look up token", "err", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -263,6 +273,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("error getting path or data from method", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -276,6 +288,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("error creating client for wrapped call", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -314,6 +327,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("error authenticating", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -329,6 +344,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if secret.WrapInfo == nil {
 				ah.logger.Error("authentication returned nil wrap info", "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -338,6 +355,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if secret.WrapInfo.Token == "" {
 				ah.logger.Error("authentication returned empty wrapped client token", "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -348,6 +367,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 			if err != nil {
 				ah.logger.Error("failed to encode wrapinfo", "error", err, "backoff", backoffCfg)
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+				// Set unauthenticated when authentication fails
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 				if backoffSleep(ctx, backoffCfg) {
 					continue
@@ -387,6 +408,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if secret == nil || secret.Data == nil {
 					ah.logger.Error("token file validation failed, token may be invalid", "backoff", backoffCfg)
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 					if backoffSleep(ctx, backoffCfg) {
 						continue
@@ -397,6 +420,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if !ok || token == "" {
 					ah.logger.Error("token file validation returned empty client token", "backoff", backoffCfg)
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 					if backoffSleep(ctx, backoffCfg) {
 						continue
@@ -413,6 +438,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 					Renewable:     renewable,
 				}
 				ah.logger.Info("authentication successful, sending token to sinks")
+
 				ah.OutputCh <- token
 				if ah.enableTemplateTokenCh {
 					ah.TemplateTokenCh <- token
@@ -429,6 +455,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if secret == nil || secret.Auth == nil {
 					ah.logger.Error("authentication returned nil auth info", "backoff", backoffCfg)
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 					if backoffSleep(ctx, backoffCfg) {
 						continue
@@ -438,6 +466,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				if secret.Auth.ClientToken == "" {
 					ah.logger.Error("authentication returned empty client token", "backoff", backoffCfg)
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 					if backoffSleep(ctx, backoffCfg) {
 						continue
@@ -470,6 +500,8 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 		if err != nil {
 			ah.logger.Error("error creating lifetime watcher", "error", err, "backoff", backoffCfg)
 			metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+			// Set unauthenticated when authentication fails
+			metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 
 			if backoffSleep(ctx, backoffCfg) {
 				continue
@@ -478,6 +510,7 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 		}
 
 		metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "success"}, 1)
+		metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 1)
 		// We don't want to trigger the renewal process for tokens with
 		// unlimited TTL, such as the root token.
 		if leaseDuration == 0 && isTokenFileMethod {
@@ -499,12 +532,16 @@ func (ah *AuthHandler) Run(ctx context.Context, am AuthMethod) error {
 				ah.logger.Info("lifetime watcher done channel triggered")
 				if err != nil {
 					metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "failure"}, 1)
+					// Set unauthenticated when authentication fails
+					metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 0)
 					ah.logger.Error("error renewing token", "error", err)
 				}
 				break LifetimeWatcherLoop
 
 			case <-watcher.RenewCh():
 				metrics.IncrCounter([]string{ah.metricsSignifier, "auth", "success"}, 1)
+				// Set authenticated when authentication succeeds
+				metrics.SetGauge([]string{ah.metricsSignifier, "authenticated"}, 1)
 				ah.logger.Info("renewed auth token")
 
 			case <-credCh:

diff --git a/website/content/docs/agent-and-proxy/agent/index.mdx b/website/content/docs/agent-and-proxy/agent/index.mdx
@@ -288,6 +288,8 @@ runtime metrics about its performance, the auto-auth and the cache status:
 
 | Metric                           | Description                                          | Type    |
 | -------------------------------- | ---------------------------------------------------- | ------- |
+| `vault.agent.authenticated`      | Current authentication status (1 - has valid token,  | gauge   |
+|                                  | 0 - no valid token)                                  |         |
 | `vault.agent.auth.failure`       | Number of authentication failures                    | counter |
 | `vault.agent.auth.success`       | Number of authentication successes                   | counter |
 | `vault.agent.proxy.success`      | Number of requests successfully proxied              | counter |