feat: Add comprehensive Prometheus metrics support #397

Open
opened 2026-04-05 21:08:14 +02:00 by MrUnknownDE · 0 comments

Originally created by @rossigee on 8/20/2025

Summary

This PR adds comprehensive Prometheus metrics support to Vaultwarden, providing observability into application performance, database health, authentication patterns, and business metrics.

Key Features

  • Optional metrics endpoint at /metrics (disabled by default)
  • Token-based authentication with support for plain text and Argon2 hashed tokens
  • Comprehensive metric categories: HTTP, database, authentication, business, and system metrics
  • Secure by default: Feature must be explicitly enabled and compiled with --features enable_metrics
  • Production-ready: Path normalization prevents metric explosion, proper error handling

Metrics Categories

  • HTTP Metrics: Request rates, response times, status codes by endpoint
  • Database Metrics: Connection pool utilization, query performance
  • Authentication Metrics: Login attempts, session counts by method and status
  • Business Metrics: User counts, vault items by type, organization data
  • System Metrics: Uptime, build information, version details

Security Considerations

  • Disabled by default - requires explicit ENABLE_METRICS=true
  • Token authentication prevents unauthorized access
  • Path normalization prevents high cardinality issues
  • Network isolation recommended for production

Documentation

  • Complete configuration guide in METRICS.md
  • Comprehensive monitoring setup in MONITORING.md
  • Prometheus/Grafana examples and alerting rules
  • Security best practices and troubleshooting

Test Plan

  • Metrics compilation with feature flag
  • Authentication (no token, valid token, invalid token)
  • Metric format validation (Prometheus format)
  • All metric categories populated correctly
  • Path normalization working
  • Docker build with metrics feature
  • Security token hashing (Argon2)

Breaking Changes

None - this is an optional feature that's disabled by default.

Files Added/Modified

  • New: src/api/metrics.rs - Metrics endpoint implementation
  • New: METRICS.md - Configuration and usage guide
  • New: MONITORING.md - Complete monitoring setup guide
  • New: examples/metrics-config.env - Configuration examples
  • New: scripts/test-metrics.sh - Testing script
  • Modified: Cargo.toml - Added optional prometheus dependency
  • Modified: README.md - Added metrics feature documentation
  • Modified: docker/Dockerfile.debian - Support for extra features in build

Reference: github/vaultwarden#397
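
The PR description says path normalization keeps the per-endpoint HTTP metrics from exploding in cardinality. The following added example (not code from the PR or from Vaultwarden) shows one way such a normalizer can work: variable path segments are collapsed before the path is used as a label value. The function names, the `MAX_SEGMENTS` cap, the placeholder strings and the sample paths are all assumptions made for illustration.

```rust
use std::collections::HashSet;

const MAX_SEGMENTS: usize = 6; // assumed cap on labelled path depth

// True for the canonical 8-4-4-4-12 hex UUID form.
fn is_uuid(seg: &str) -> bool {
    let b = seg.as_bytes();
    b.len() == 36
        && b.iter().enumerate().all(|(i, c)| match i {
            8 | 13 | 18 | 23 => *c == b'-',
            _ => c.is_ascii_hexdigit(),
        })
}

/// Collapse a request path into a low-cardinality label value.
fn normalize_path(raw: &str) -> String {
    // Query strings and fragments never belong in a label.
    let path = raw.split(|c| c == '?' || c == '#').next().unwrap_or("");
    let mut out = String::new();
    for (i, seg) in path.split('/').filter(|s| !s.is_empty()).enumerate() {
        if i == MAX_SEGMENTS {
            out.push_str("/{rest}"); // bound the depth of what gets labelled
            break;
        }
        out.push('/');
        let plain = seg.len() <= 32
            && seg.bytes().all(|b| b.is_ascii_alphanumeric() || b"-_.".contains(&b));
        if is_uuid(seg) {
            out.push_str("{id}");
        } else if seg.bytes().all(|b| b.is_ascii_digit()) {
            out.push_str("{num}");
        } else if plain {
            out.push_str(seg);
        } else {
            out.push_str("{other}"); // encoded, overlong or odd segments
        }
    }
    if out.is_empty() {
        out.push('/');
    }
    out
}

/// Number of distinct label values a batch of request paths would create.
fn distinct_labels(paths: &[&str]) -> usize {
    paths.iter().map(|p| normalize_path(p)).collect::<HashSet<_>>().len()
}

fn main() {
    // Constructed sample paths, not taken from Vaultwarden's route table.
    let sample = ["/api/ciphers/3fa85f64-5717-4562-b3fc-2c963f66afa6?x=1", "/attachments/12345"];
    for p in sample.iter() { println!("{} -> {}", p, normalize_path(p)); }
}
```

Normalizing segments does not bound arbitrary plain-text paths that match no route; labelling by the matched route template, or collapsing unmatched requests into a single label, closes that gap.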