monitoring: use AppRole token for OpenBao metrics scraping #23

Merged
torjus merged 1 commits from fix-prometheus-openbao-token into master 2026-02-05 22:52:43 +00:00
Owner

Instead of creating a long-lived Vault token in Terraform (which gets
invalidated when Terraform recreates it), monitoring01 now uses its
existing AppRole credentials to fetch a fresh token for Prometheus.

Changes:

  • Add prometheus-metrics policy to monitoring01's AppRole
  • Remove vault_token.prometheus_metrics resource from Terraform
  • Remove openbao-token KV secret from Terraform
  • Add systemd service to fetch AppRole token on boot
  • Add systemd timer to refresh token every 30 minutes

This ensures Prometheus always has a valid token without depending on
Terraform state or manual intervention.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

torjus added 1 commit 2026-02-05 22:52:38 +00:00
monitoring: use AppRole token for OpenBao metrics scraping
All checks were successful
Run nix flake check / flake-check (push) Successful in 2m12s
Run nix flake check / flake-check (pull_request) Successful in 2m19s
e9857afc11
torjus merged commit 1d90dc2181 into master 2026-02-05 22:52:43 +00:00
torjus deleted branch fix-prometheus-openbao-token 2026-02-05 22:52:43 +00:00
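
The token refresh step described in this pull request, as an added example; it is not code from the pull request or from the nixos-servers repository. The function names, the TTL check and the sample response are assumptions made for illustration; the login path and the response fields are those of the AppRole auth method's HTTP API.

```python
import json
import os
import tempfile
import urllib.request

REFRESH_INTERVAL_S = 30 * 60  # timer period stated in the PR description

# Constructed sample of an AppRole login response (token value is made up).
SAMPLE_LOGIN_RESPONSE = {"auth": {"client_token": "s.constructed-example-token",
    "policies": ["default", "prometheus-metrics"], "lease_duration": 3600}}


def approle_login(addr, role_id, secret_id, timeout=10):
    """POST role_id/secret_id to the AppRole login endpoint; return the JSON body."""
    req = urllib.request.Request(
        f"{addr}/v1/auth/approle/login",
        data=json.dumps({"role_id": role_id, "secret_id": secret_id}).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def extract_token(login_response, required_policy="prometheus-metrics"):
    """Return the client token, refusing one that cannot serve the scrape job."""
    auth = login_response.get("auth") or {}
    token = auth.get("client_token")
    if not token:
        raise ValueError("login response carries no client_token")
    if required_policy not in auth.get("policies", []):
        raise ValueError(f"token lacks the {required_policy} policy")
    ttl = auth.get("lease_duration", 0)  # 0 means the token does not expire
    if 0 < ttl <= REFRESH_INTERVAL_S:  # assumed check: TTL must outlive the timer
        raise ValueError(f"token TTL {ttl}s does not outlive the refresh interval")
    return token


def write_token_atomically(path, token):
    """Write to a 0600 temp file in the same directory, then rename over path."""
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".", prefix=".token-")
    try:
        with os.fdopen(fd, "w") as f:  # mkstemp creates the file with mode 0600
            f.write(token)
        os.replace(tmp, path)  # readers see the old or the new token, never a partial one
    except BaseException:
        os.unlink(tmp)
        raise
```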
Reference: torjus/nixos-servers#23