torjus/nixos-servers
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

monitoring: use AppRole token for OpenBao metrics scraping
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m12s
Details
Run nix flake check / flake-check (pull_request) Successful in 2m19s
Details

Browse Source 
Instead of creating a long-lived Vault token in Terraform (which gets
invalidated when Terraform recreates it), monitoring01 now uses its
existing AppRole credentials to fetch a fresh token for Prometheus.

Changes:
- Add prometheus-metrics policy to monitoring01's AppRole
- Remove vault_token.prometheus_metrics resource from Terraform
- Remove openbao-token KV secret from Terraform
- Add systemd service to fetch AppRole token on boot
- Add systemd timer to refresh token every 30 minutes

This ensures Prometheus always has a valid token without depending on
Terraform state or manual intervention.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
This commit is contained in:
Torjus Håkestad
2026-02-05 23:51:11 +01:00
parent 88e9036cb4
commit e9857afc11
4 changed files with 74 additions and 31 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
terraform/vault/secrets.tf
View File

@@ -92,13 +92,6 @@ locals {
auto_generate = false
data = { token = var.actions_token_1 }
}
# Prometheus OpenBao token for scraping metrics
# Token is created by vault_token.prometheus_metrics in policies.tf
"hosts/monitoring01/openbao-token" = {
auto_generate = false
data = { token = vault_token.prometheus_metrics.client_token }
}
}
}