[ "$GOPATH" ] || export GOPATH="$HOME/go"
go get -u github.com/madrisan/hashicorp-vault-monitor
export PATH="$PATH:$GOPATH/bin"
$GOPATH/bin/hashicorp-vault-monitor -version
Optionally if you want to compile this tool for all the supported operating systems:
make -C $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor bootstrap dev
You'll find the compiled binaries in the folder $GOPATH//src/github.com/madrisan/hashicorp-vault-monitor/pkg/
.
Export the Hashicorp Vault server url in the variable VAULT_ADDR
export VAULT_ADDR='https://myvaultserver.mydomain.com:8200'
If you do not have a running Vault server and you want to test this monitoring tool,
you can run a dockerized version of the latest version
(requires Docker or Podman).
Then run the export VAULT_ADDR ...
command from the terminal output
(replace docker
by podman
if you use the latter and do not have the
podman Docker CLI emulation configured).
docker run -it -p 8200:8200 --cap-add=IPC_LOCK vault:latest
Unable to find image 'vault:latest' locally
latest: Pulling from library/vault
8e3ba11ec2a2: Pull complete
9d3c08966c5f: Pull complete
8c2e0f2bce8e: Pull complete
5752743f26bd: Pull complete
fd7271f646fb: Pull complete
Digest: sha256:85d4e6f0a52ba10d5f1d07c3f06aa64469c209237c04ed3fe1d5728f7c11fba6
Status: Downloaded newer image for vault:latest
==> Vault server configuration:
Api Address: http://0.0.0.0:8200
Cgo: disabled
Cluster Address: https://0.0.0.0:8201
Listener 1: tcp (addr: "0.0.0.0:8200", cluster address: "0.0.0.0:8201", max_request_duration: "999999h0m0s", max_request_size: "33554432", tls: "disabled")
Log Level: info
Mlock: supported: true, enabled: false
Storage: inmem
Version: Vault v0.10.4
Version Sha: e21712a687889de1125e0a12a980420b1a4f72d3
WARNING! dev mode is enabled! In this mode, Vault runs entirely in-memory
and starts unsealed with a single unseal key. The root token is already
authenticated to the CLI, so you can immediately begin using Vault.
You may need to set the following environment variable:
$ export VAULT_ADDR='http://0.0.0.0:8200'
The unseal key and root token are displayed below in case you want to
seal/unseal the Vault or re-authenticate.
Unseal Key: VJCtYcgcsmAUFaT70tZoS4uYliEz6XVbxRvcNvg/hqQ=
Root Token: 39d2c714-6dce-6d96-513f-4cb250bf7fe8
Development mode should NOT be used in production installations!
export VAULT_ADDR='http://0.0.0.0:8200'
We can now create (in a different terminal, if you run the dockerized version of the Vault server) a Vault policy that we'll use later in the examples (you can find the binary vault here):
cat > accessor_lookup_policy.hcl <<__END
path "auth/token/lookup-accessor" {
capabilities = ["update", "sudo", "read", "list"]
}
__END
vault login
# enter the root token (or an admin token with sufficient permissions)
vault policy write accessor-policy accessor_lookup_policy.hcl
and two extra (non-root) tokens:
vault token create -policy=accessor-policy -renewable -period=768h
Key Value
--- -----
token s.iJPhLRp25r9FRwg4vrxfd0I7
token_accessor NzHyqTGPITcSYMiA31goyEXh
token_duration 768h
token_renewable true
token_policies ["default" "accessor-policy"]
identity_policies []
policies ["default" "accessor-policy"]
vault token create -policy=default -renewable -period=768h
Key Value
--- -----
token s.EFI8PMCZF1KInfCj1yyI7Rpy
token_accessor ljXiSqQDdSZBYthO7IsrFMD2
token_duration 768h
token_renewable true
token_policies ["default"]
identity_policies []
policies ["default"]
Note that the policies applied to the tokens are different.
$GOPATH/bin/hashicorp-vault-monitor status \
-address=$VAULT_ADDR
Add the output modifier -output=nagios
if this tool is intented to
be used with the Nagios monitoring.
$GOPATH/bin/hashicorp-vault-monitor status \
-output=nagios -address=$VAULT_ADDR
# default output message
Vault (vault-cluster-50531563) is unsealed
# with the '-output=nagios' switch
vault OK - Vault (vault-cluster-50531563) is unsealed
$GOPATH/bin/hashicorp-vault-monitor hastatus \
-address=$VAULT_ADDR
Add -output=nagios
as above if you monitor Vault with Nagios.
# default output message
Vault HA (vault-cluster-50531563) is enabled, Standby Node (Active Node Address: https://192.168.1.8:8200)
# error message displayed when the HA mode is not enabled
Vault HA (vault-cluster-50531563) is not enabled
# with the '-output=nagios' switch
vault OK - Vault HA (vault-cluster-50531563) is enabled, Standby Node (Active Node Address: https://192.168.1.8:8200)
vault CRITICAL - Vault HA (vault-cluster-50531563) is not enabled
$GOPATH/bin/hashicorp-vault-monitor policies \
-address $VAULT_ADDR -token "39d2c714-6dce-6d96-513f-4cb250bf7fe8" \
root saltstack
Add the flag -output=nagios
if you monitor Vault with Nagios.
$GOPATH/bin/hashicorp-vault-monitor get \
-address $VAULT_ADDR -token "39d2c714-6dce-6d96-513f-4cb250bf7fe8" \
-field foo secret/mysecret
$GOPATH/bin/hashicorp-vault-monitor get \
-address $VAULT_ADDR -token "39d2c714-6dce-6d96-513f-4cb250bf7fe8" \
-field foo secret/data/mysecret
The -output=nagios
switch must be added as usual to make the output compliance with Nagios.
# default output message
found a value for the key foo: 'this-is-a-secret'
# with the '-output=nagios' switch
vault OK - found a value for the key foo: 'this-is-a-secret-for-checking-vault'
$GOPATH/bin/hashicorp-vault-monitor token-lookup \
-address=$VAULT_ADDR -token="s.EFI8PMCZF1KInfCj1yyI7Rpy" \
-warning=120h -critical=72h
The -warning
and -critical
switches are optional and default to 168h (7 days)
and 72h (3 days) respectively.
As usual, add -output=nagios
to get an output compliant with the Nagios specifications.
# default output message
This (renewable) token will expire on Mon, 07 Oct 2019 14:25:06 UTC (4 weeks 3 days 23 hours 55 minutes 35 seconds left)
# with the '-output=nagios' switch
vault OK - This (renewable) token will expire on Mon, 07 Oct 2019 14:25:06 UTC (4 weeks 3 days 23 hours 55 minutes 35 seconds left)
To avoid exposing the tokens in your monitoring setup, you can make use of their associated Token Accessors.
$GOPATH/bin/hashicorp-vault-monitor token-lookup \
-address=$VAULT_ADDR -token="s.iJPhLRp25r9FRwg4vrxfd0I7" \
-token-accessor="ljXiSqQDdSZBYthO7IsrFMD2" \
-warning=120h -critical=72h
The -warning
and -critical
switches are optional and default to 168h (7 days)
and 72h (3 days) respectively, as described above.
Add -output=nagios
to get an output compliant with the Nagios specifications.
Note that you should replace 39d2c7...
with the generated Root token from
your output. The same for the values of the two other tokens used in the examples.
You can omit the -address
and -token
flags by setting the environment
variables VAULT_ADDR
and VAULT_TOKEN
as shown in the following example:
export VAULT_ADDR="http://127.0.0.1:8200"
export VAULT_TOKEN="39d2c714-6dce-6d96-513f-4cb250bf7fe8"
$GOPATH/bin/hashicorp-vault-monitor status
$GOPATH/bin/hashicorp-vault-monitor policies root saltstack
$GOPATH/bin/hashicorp-vault-monitor get -field foo secret/mysecret
$GOPATH/bin/hashicorp-vault-monitor get -field foo secret/data/mysecret
The Root Token can also be used to login to the Vault web interface at the URL
https://myvaultserver.mydomain.com:8200/ui
or, if you're using the dockerized Vault server:
http://127.0.0.1:8200/ui
Some extra actions that may be usefull to project developers.
Just run in the top source folder ($GOPATH/src/github.com/madrisan/hashicorp-vault-monitor
):
make test
Go to the top source folder and enter the command:
make cover
Run the golint
, the official linter for Go source code:
go get -u golang.org/x/lint/golint
# the golint binary is now available in:
# go list -f {{.Target}} golang.org/x/lint/golint
cd $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor
export PATH="$PATH:$GOPATH/bin"
golint -set_exit_status ./... | grep -v ^vendor
Run the GolangCI-Lint
linters aggregator:
go get -u github.com/golangci/golangci-lint/cmd/golangci-lint
cd $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor
export PATH="$PATH:$GOPATH/bin"
golangci-lint run ./...
or just execute (requires hashicorp-vault-monitor
version > 0.8.2):
make -C $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor lint
Run the Go source code static analysis tool vet
to find any common errors.
make -C $GOPATH/src/github.com/madrisan/hashicorp-vault-monitor vet
This command is available with hashicorp-vault-monitor
version > 0.8.2.