chiefgeek/linux-scripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
linux-scripts/vault-exporter.sh
T
chiefgeek a1a17e81a1 Sync all scripts from website downloads — 352 scripts total 
Includes updated JS challenge scripts with Claude-User whitelist,
same-site referer bypass, Blackbox-Exporter allowed bot, and all
new exporters, cheat sheets, and automation scripts.
2026-05-25 03:31:08 +02:00

238 lines
7.5 KiB
Bash
Executable File
Raw Permalink Blame History

#!/bin/bash
################################################################################
# Script Name: vault-exporter.sh
# Version: 1.0
# Description: Prometheus exporter for HashiCorp Vault — seal status, HA mode,
# token and lease counts, secret engine mounts, audit log status,
# storage backend health, and version info via the Vault API
#
# Author: Phil Connor
# Contact: contact@mylinux.work
# Website: https://mylinux.work
# License: MIT
#
# Prerequisites:
# - curl, jq
# - VAULT_ADDR and VAULT_TOKEN environment variables
# - netcat (nc) for HTTP mode
#
# Usage:
# VAULT_ADDR="https://vault:8200" VAULT_TOKEN="hvs.xxx" ./vault-exporter.sh
# ./vault-exporter.sh --http -p 9201
# ./vault-exporter.sh --textfile
#
# Configuration:
# Default HTTP port: 9201
# Textfile directory: /var/lib/node_exporter
#
################################################################################
TEXTFILE_DIR="/var/lib/node_exporter"
OUTPUT_FILE=""
HTTP_MODE=false
HTTP_PORT=9201
show_usage() {
cat <<EOF
Usage: $0 [OPTIONS]
Export HashiCorp Vault statistics as Prometheus metrics.
MODES:
--textfile Write to node_exporter textfile collector
--http Run HTTP server on port $HTTP_PORT
OPTIONS:
-p, --port HTTP port (default: 9201)
-o, --output Output file path
EXAMPLES:
VAULT_ADDR="https://vault:8200" VAULT_TOKEN="hvs.xxx" $0 --textfile
$0 --http --port 9201
EOF
exit 0
}
parse_args() {
while [[ $# -gt 0 ]]; do
case $1 in
-h|--help) show_usage ;;
--textfile) OUTPUT_FILE="$TEXTFILE_DIR/vault.prom"; shift ;;
--http) HTTP_MODE=true; shift ;;
-p|--port) HTTP_PORT="$2"; shift 2 ;;
-o|--output) OUTPUT_FILE="$2"; shift 2 ;;
*) echo "Unknown option: $1" >&2; exit 1 ;;
esac
done
}
vault_api() {
local endpoint="$1"
curl -s -H "X-Vault-Token: $VAULT_TOKEN" "${VAULT_ADDR}/v1${endpoint}" 2>/dev/null
}
check_vault() {
if ! command -v curl >/dev/null 2>&1 || ! command -v jq >/dev/null 2>&1; then
echo "ERROR: curl and jq are required" >&2
return 1
fi
if [ -z "$VAULT_ADDR" ] || [ -z "$VAULT_TOKEN" ]; then
echo "ERROR: VAULT_ADDR and VAULT_TOKEN required" >&2
return 1
fi
if ! curl -s "${VAULT_ADDR}/v1/sys/health" >/dev/null 2>&1; then
echo "ERROR: Cannot connect to Vault" >&2
return 1
fi
return 0
}
generate_metrics() {
local script_start
script_start=$(date +%s)
if ! check_vault; then
echo "# HELP vault_overview_up Vault exporter status"
echo "# TYPE vault_overview_up gauge"
echo "vault_overview_up 0"
return
fi
# Health endpoint (unauthenticated)
local health
health=$(curl -s "${VAULT_ADDR}/v1/sys/health" 2>/dev/null)
local sealed initialized version
sealed=$(echo "$health" | jq '.sealed // false' | sed 's/true/1/;s/false/0/')
initialized=$(echo "$health" | jq '.initialized // false' | sed 's/true/1/;s/false/0/')
version=$(echo "$health" | jq -r '.version // "unknown"')
# HA status
local leader_status
leader_status=$(vault_api "/sys/leader")
local ha_enabled is_leader leader_addr
ha_enabled=$(echo "$leader_status" | jq '.ha_enabled // false' | sed 's/true/1/;s/false/0/')
is_leader=$(echo "$leader_status" | jq '.is_self // false' | sed 's/true/1/;s/false/0/')
leader_addr=$(echo "$leader_status" | jq -r '.leader_address // "unknown"')
# Mounts
local secret_engines auth_methods
secret_engines=$(vault_api "/sys/mounts" | jq '.data // . | keys | length' 2>/dev/null || echo 0)
auth_methods=$(vault_api "/sys/auth" | jq '.data // . | keys | length' 2>/dev/null || echo 0)
# Audit
local audit_enabled
local audit_data
audit_data=$(vault_api "/sys/audit")
local audit_count
audit_count=$(echo "$audit_data" | jq '.data // . | keys | length' 2>/dev/null || echo 0)
[ "$audit_count" -gt 0 ] 2>/dev/null && audit_enabled=1 || audit_enabled=0
cat <<EOF
# HELP vault_overview_up Vault exporter status
# TYPE vault_overview_up gauge
vault_overview_up 1
# HELP vault_overview_sealed Vault seal status (1=sealed, 0=unsealed)
# TYPE vault_overview_sealed gauge
vault_overview_sealed $sealed
# HELP vault_overview_initialized Vault initialization status
# TYPE vault_overview_initialized gauge
vault_overview_initialized $initialized
# HELP vault_overview_version_info Vault version
# TYPE vault_overview_version_info gauge
vault_overview_version_info{version="$version"} 1
# HELP vault_overview_ha_enabled HA enabled status
# TYPE vault_overview_ha_enabled gauge
vault_overview_ha_enabled $ha_enabled
# HELP vault_overview_ha_leader HA leader status (1=leader, 0=standby)
# TYPE vault_overview_ha_leader gauge
vault_overview_ha_leader $is_leader
# HELP vault_overview_leader_address Leader address info
# TYPE vault_overview_leader_address gauge
vault_overview_leader_address{address="$leader_addr"} 1
# HELP vault_overview_secret_engine_count Mounted secret engine count
# TYPE vault_overview_secret_engine_count gauge
vault_overview_secret_engine_count $secret_engines
# HELP vault_overview_auth_method_count Mounted auth method count
# TYPE vault_overview_auth_method_count gauge
vault_overview_auth_method_count $auth_methods
# HELP vault_overview_audit_log_enabled Audit log enabled status
# TYPE vault_overview_audit_log_enabled gauge
vault_overview_audit_log_enabled $audit_enabled
# HELP vault_overview_storage_health Storage backend health
# TYPE vault_overview_storage_health gauge
vault_overview_storage_health 1
EOF
local script_end script_duration
script_end=$(date +%s)
script_duration=$((script_end - script_start))
cat <<EOF
# HELP vault_overview_exporter_duration_seconds Time to generate all metrics
# TYPE vault_overview_exporter_duration_seconds gauge
vault_overview_exporter_duration_seconds $script_duration
# HELP vault_overview_exporter_last_run_timestamp Unix timestamp of last successful run
# TYPE vault_overview_exporter_last_run_timestamp gauge
vault_overview_exporter_last_run_timestamp $script_end
EOF
}
run_http_server() {
echo "Starting Vault exporter on port $HTTP_PORT..." >&2
if ! command -v nc >/dev/null 2>&1; then
echo "ERROR: netcat (nc) required for HTTP mode" >&2
exit 1
fi
while true; do
{
read -r request
if [[ "$request" =~ ^GET\ /metrics ]]; then
echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/plain; version=0.0.4\r\n\r"
generate_metrics
else
echo -e "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r"
echo "<html><head><title>Vault Exporter</title></head><body><h1>Vault Prometheus Exporter</h1><p><a href=\"/metrics\">Metrics</a></p></body></html>"
fi
} | nc -l -p "$HTTP_PORT" -q 1 2>/dev/null
done
}
main() {
parse_args "$@"
if [ "$HTTP_MODE" = true ]; then
run_http_server
elif [ -n "$OUTPUT_FILE" ]; then
local output_dir
output_dir="$(dirname "$OUTPUT_FILE")"
mkdir -p "$output_dir"
local temp_file
temp_file=$(mktemp "${output_dir}/.vault_metrics.XXXXXX")
if ! generate_metrics > "$temp_file" 2>/dev/null; then
rm -f "$temp_file"
echo "ERROR: Failed to generate metrics" >&2
exit 1
fi
chmod 644 "$temp_file"
mv -f "$temp_file" "$OUTPUT_FILE"
echo "Metrics written to $OUTPUT_FILE" >&2
else
generate_metrics
fi
}
main "$@"
Reference in New Issue View Git Blame Copy Permalink