feat(healthchecks): introduce healtchecks and simple metrics

.github/workflows/goreleaser.yml

@@ -9,7 +9,7 @@ on:
 permissions:
   contents: write
   packages: write
-  id-token: write 
+  id-token: write
 
 jobs:
   goreleaser:
@@ -27,7 +27,7 @@ jobs:
         with:
           go-version: '1.22.6'
           cache: false
-          
+
       - uses: sigstore/cosign-installer@v3.6.0
       - uses: anchore/sbom-action/download-syft@v0.17.2
       -
@@ -63,7 +63,7 @@ jobs:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           COSIGN_PASSWORD: ${{ secrets.COSIGN_PASSWORD }}
 
-      - 
+      -
         name: Docker Hub Description
         uses: peter-evans/dockerhub-description@v4
         if: startsWith(github.ref, 'refs/tags/v')

Makefile

@@ -31,6 +31,38 @@ setup-vault: ## setup a local vault dev server with transit engine + key
 setup-registry: ## setup a local docker registry for pulling in kind
 	./scripts/local-registry.sh
 
+.PHONY: setup-prometheus
+setup-prometheus: ## setup prometheus locally
+	docker run \
+		--rm \
+		-v "${PWD}/assets/prometheus.yml:/etc/prometheus/prometheus.yml" \
+		--name prometheus \
+		-p 9090:9090 \
+		prom/prometheus:latest
+
+.PHONY: gen-load
+gen-load: ## generate load on KMS plugin
+	while true; do \
+		go run cmd/v2_client/main.go $(shell openssl rand -base64 12);\
+	done;
+
+.PHONY: gen-secrets
+gen-secrets: ## generate secrets on KMS plugin
+	while true; do \
+		kubectl create secret generic $(shell openssl rand -base64 12) -n default --from-literal=$(shell openssl rand -base64 12)=$(shell openssl rand -base64 12);\
+	done;
+
+.PHONY: setup-grafana
+setup-grafana: ## setup grafana locally
+	docker run \
+		--rm \
+		-v "${PWD}/assets/grafana_datasource.yml:/etc/grafana/provisioning/datasources/grafana_datasource.yml" \
+		-v "${PWD}/assets/grafana_dashboard.yml:/etc/grafana/provisioning/dashboards/grafana_dashboard.yml" \
+		-v "${PWD}/assets/dashboard.json:/var/lib/grafana/dashboards/dashboard.json" \
+		--name grafana \
+		-p 3000:3000 \
+		grafana/grafana:latest
+
 .PHONY: setup-kind
 setup-kind: ## setup kind cluster with encrpytion provider configured
 	kind delete cluster --name=kms || true

README.md

@@ -17,7 +17,7 @@ Since the key used for encrypting secrets is not stored in Kubernetes, an attack
 
 `vault-kubernetes-kms` is supposed to run as a static pod on every control plane node or on  that node where the `kube-apiserver` will run.
 
-The plugin creates a Unix-Socket and receive encryption requests through that socket from the `kube-apiserver`. The plugin will then use the specified Vault transit encryption key to encrypt the data and send it back to the `kube-apiserver`, who will then store the encrypted response in `etcd`.
+`vault-kubernetes-kms` will start a UNIX domain socket and listens for encryption requests from the `kube-apiserver`. The plugin will then use the specified Vault transit encryption key to encrypt the data and send it back to the `kube-apiserver`, who will then store the encrypted response in `etcd`.
 
 To do so, you will have to enable Data at Rest encryption, by configuring the `kube-apiserver` to use a `EncryptionConfiguration` (See [https://falcosuessgott.github.io/vault-kubernetes-kms/configuration/](https://falcosuessgott.github.io/vault-kubernetes-kms/configuration/) for more details).
 

assets/dashboard.json

@@ -0,0 +1,202 @@
+{
+  "annotations": {
+    "list": [
+      {
+        "builtIn": 1,
+        "datasource": {
+          "type": "grafana",
+          "uid": "-- Grafana --"
+        },
+        "enable": true,
+        "hide": true,
+        "iconColor": "rgba(0, 211, 255, 1)",
+        "name": "Annotations & Alerts",
+        "type": "dashboard"
+      }
+    ]
+  },
+  "editable": true,
+  "fiscalYearStartMonth": 0,
+  "graphTooltip": 0,
+  "links": [],
+  "panels": [
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "description": "Test ",
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "mappings": [],
+          "min": -46,
+          "thresholds": {
+            "mode": "absolute",
+            "steps": [
+              {
+                "color": "green",
+                "value": null
+              },
+              {
+                "color": "red",
+                "value": 80
+              }
+            ]
+          },
+          "unit": "none"
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 0,
+        "y": 0
+      },
+      "id": 4,
+      "options": {
+        "minVizHeight": 75,
+        "minVizWidth": 75,
+        "orientation": "auto",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "showThresholdLabels": false,
+        "showThresholdMarkers": true,
+        "sizing": "auto"
+      },
+      "pluginVersion": "11.1.4",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "editorMode": "code",
+          "exemplar": false,
+          "expr": "vault_kubernetes_kms_vault_requests_total",
+          "instant": true,
+          "legendFormat": "__auto",
+          "range": false,
+          "refId": "A"
+        }
+      ],
+      "title": "vault_kubernetes_kms_vault_requests_total",
+      "transparent": true,
+      "type": "gauge"
+    },
+    {
+      "datasource": {
+        "type": "prometheus",
+        "uid": "PBFA97CFB590B2093"
+      },
+      "fieldConfig": {
+        "defaults": {
+          "color": {
+            "mode": "palette-classic"
+          },
+          "custom": {
+            "hideFrom": {
+              "legend": false,
+              "tooltip": false,
+              "viz": false
+            }
+          },
+          "mappings": []
+        },
+        "overrides": []
+      },
+      "gridPos": {
+        "h": 8,
+        "w": 12,
+        "x": 12,
+        "y": 0
+      },
+      "id": 3,
+      "options": {
+        "displayLabels": [
+          "value",
+          "name"
+        ],
+        "legend": {
+          "displayMode": "list",
+          "placement": "bottom",
+          "showLegend": true
+        },
+        "pieType": "pie",
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ],
+          "fields": "",
+          "values": false
+        },
+        "tooltip": {
+          "mode": "single",
+          "sort": "none"
+        }
+      },
+      "pluginVersion": "11.1.4",
+      "targets": [
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "disableTextWrap": false,
+          "editorMode": "code",
+          "expr": "vault_kubernetes_kms_encryption_operations_total",
+          "format": "time_series",
+          "fullMetaSearch": false,
+          "includeNullMetadata": true,
+          "instant": false,
+          "legendFormat": "encryption_operations",
+          "range": true,
+          "refId": "vault_kubernetes_kms_encryption_operations_total",
+          "useBackend": false
+        },
+        {
+          "datasource": {
+            "type": "prometheus",
+            "uid": "PBFA97CFB590B2093"
+          },
+          "disableTextWrap": false,
+          "editorMode": "code",
+          "expr": "vault_kubernetes_kms_decryption_operations_total",
+          "fullMetaSearch": false,
+          "hide": false,
+          "includeNullMetadata": false,
+          "instant": false,
+          "legendFormat": "decryption_operations",
+          "range": true,
+          "refId": "vault_kubernetes_kms_decryption_operations_total",
+          "useBackend": false
+        }
+      ],
+      "title": "vault_kubernetes_kms_encryption_operations_total",
+      "type": "piechart"
+    }
+  ],
+  "schemaVersion": 39,
+  "tags": [],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-6h",
+    "to": "now"
+  },
+  "timepicker": {},
+  "timezone": "browser",
+  "title": "vault-kubernetes-kms",
+  "uid": "ddvn6anc8ldkwa",
+  "version": 1,
+  "weekStart": ""
+}

assets/grafana_dashboard.yml

@@ -0,0 +1,12 @@
+apiVersion: 1
+
+providers:
+  - name: 'vault_kubernetes_kms'
+    orgId: 1
+    type: file
+    disableDeletion: false
+    updateIntervalSeconds: 10
+    allowUiUpdates: false
+    options:
+      path: /var/lib/grafana/dashboards
+      foldersFromFilesStructure: true

assets/grafana_datasource.yml

@@ -0,0 +1,8 @@
+apiVersion: 1
+
+datasources:
+  - name: Prometheus
+    type: prometheus
+    access: proxy
+    orgId: 1
+    url: http://host.docker.internal:9090

assets/prometheus.yml

@@ -0,0 +1,8 @@
+global:
+  scrape_interval: 5s
+
+scrape_configs:
+  - job_name: vault-kubernetes-kms
+    metrics_path: /metrics
+    static_configs:
+      - targets: ['host.docker.internal:8080']

assets/vault-kubernetes-kms.yml

@@ -19,6 +19,14 @@ spec:
         # mount /opt/kms host directory
         - name: kms
           mountPath: /opt/kms
+      livenessProbe:
+        httpGet:
+          path: /healthz
+          port: 8080
+      readinessProbe:
+        httpGet:
+          path: /livez
+          port: 8080
       resources:
         requests:
           cpu: 100m