Vault Helm Deployment: Audit logging
The chart in question is the HashiCorp Vault chart.
Audit Log Persistent Volume (PV)
Note: The audit PV will not be used unless you configure Vault to write to it:
vault audit enable file file_path=<server.auditStorage.mountPath>/vault_audit.log
Log Rotation
A possible way to implement reliable log rotation would be to add a sidecar log rotator such as honestbee/logrotate.
Enabling audit logging to a PV couldn't be easier: simply setting server.auditStorage.enabled to true will generate a PV and mount it on all Vault pods.
Helm Values
server:
  auditStorage:
    enabled: false
    # Size of the PVC created
    size: 10Gi
    # Location where the PVC will be mounted.
    mountPath: "/vault/audit"
    # Name of the storage class to use. If null it will use the
    # configured default Storage Class.
    storageClass: null
    # Access Mode of the storage device being used for the PVC
    accessMode: ReadWriteOnce
    # Annotations to apply to the PVC
    annotations: { }
Problems
- Vault does not handle log rotation
- Has to be configured after vault init
- Potential issues from HA configuration
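
For the first problem above (Vault does not rotate the file itself), here is a size-based rotation function that a sidecar could run in a loop. It is an added example, not code from the original page or from the Vault chart, and it relies on Vault closing and reopening its file audit devices when it receives SIGHUP. The function name, its arguments and its return codes are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page or the Vault Helm chart.
# rotate_audit_log and its arguments are hypothetical names.
#
# Usage: rotate_audit_log LOG MAX_BYTES KEEP [VAULT_PID]
# Returns 0 = rotated, 1 = below threshold, 2 = error.
rotate_audit_log() {
    log=$1; max_bytes=$2; keep=$3; vault_pid=${4:-}

    [ -f "$log" ] || return 2
    size=$(($(wc -c < "$log")))        # arithmetic strips any wc padding
    [ "$size" -ge "$max_bytes" ] || return 1

    # Rename rather than copy-and-truncate: Vault holds the file open, so
    # it keeps appending to the renamed file and no audit entry is lost.
    rotated="$log.$(date -u +%Y%m%dT%H%M%SZ)"
    [ ! -e "$rotated" ] || return 2    # same-second rerun: never overwrite
    mv -- "$log" "$rotated" || return 2

    # SIGHUP makes Vault reopen file_path, which recreates $log. If the
    # signal fails, Vault is still writing to $rotated, so report an error.
    if [ -n "$vault_pid" ]; then
        kill -HUP "$vault_pid" || return 2
    fi

    # Keep the newest $keep rotated files; UTC timestamps sort by age.
    ls -1 "$log".* 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f -- "$old"; done
    return 0
}
```

The sidecar has to mount the same audit volume as the Vault container and be able to see and signal the Vault process, which in Kubernetes means sharing the pod's process namespace.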