Benchmark Vault performance

27min
|
Vault
Interactive

Operating Vault in an efficient manner to support your use cases requires that you are able to accurately measure its performance. Ideally, you can benchmark and measure performance in environments which resemble production use cases to produce realistic results.

Challenge

You need to measure Vault performance in a meaningful way, and in an environment that also resembles that of your intended use case with respect to compute resources.

The Vault server under test should have the same auth methods and secrets engines enabled, along with example secrets, leases, and token data present to accurately simulate your use cases.

Solution

HashiCorp provides the open source utility vault-benchmark to help you measure Vault performance at a granular level using several of the available auth methods and secrets engines.

You can use vault-benchmark as a command line interface, as a Docker image, or as a Kubernetes workload to match the infrastructure you're using for Vault.

Personas

The end-to-end scenario and hands-on lab described in this tutorial involves one persona.

The persona is a Vault operator with privileged permissions to enable and disable auth methods and secrets engines. All the tasks in the hands-on scenario are performed as this persona.

Prerequisites

You need the following resources to complete the hands-on scenario based on whether you'll use the Vault community edition with CLI, Docker, Kubernetes, or HCP Vault Dedicated.

To complete the hands-on lab using CLI versions of Vault and vault-benchmark, you need the following:

Vault binary installed and in your system PATH.
vault-benchmark binary installed and in your system PATH.

Launch Terminal

This tutorial includes a free interactive command-line lab that lets you follow along on actual cloud infrastructure.

Versions used for this tutorial

This tutorial was last tested 11 Oct 2023 on macOS using the following software versions.

Operating System

$ sw_vers --productVersion
13.6

Vault

$ vault version
Vault v1.15.0 (b4d07277a6c5318bb50d3b94bbd6135dccb4c601), built 2023-09-22T16:53:10Z

vault-benchmark

$ vault-benchmark version
vault-benchmark v0.2.0

Docker server

$ docker version --format '{{.Server.Version}}'
24.0.6

Curl

$ curl --version | head -n 1 | awk '{print $2}'
8.1.2

$ jq --version
jq-1.7

helm

$ helm version --short
v3.13.1+g3547a4b

Minikube

$ minikube version
minikube version: v1.31.2
commit: fd7ecd9c4599bef9f04c0986c4a0187f98a4396e

Lab setup

The setup for this tutorial's hands-on lab is different depending on whether you want to experiment with vault-benchmark in the CLI with a dev mode server, in the CLI with an Vault Dedicated server, in Docker, or in Kubernetes.

Create local hands-on lab home

You can create a temporary directory to hold all the content needed for this hands-on lab and then assign its path to an environment variable for later reference.

Open a terminal, and create the directory /tmp/learn-vault-pgp.
```
$ mkdir /tmp/learn-vault-benchmark
```
Export the hands-on lab directory path as the value to the HC_LEARN_LAB environment variable.
```
$ export HC_LEARN_LAB=/tmp/learn-vault-benchmark
```

Now choose the lab set up workflow that matches the environment you want to use for this hands-on lab.

Run a Vault dev mode server as a background process from your terminal session to follow the self-hosted Vault workflow in this hands-on lab.

Open a terminal and start a Vault dev server with root as the initial root token value.
```
$ vault server \
    -dev \
    -dev-root-token-id root \
    > "$HC_LEARN_LAB"/vault-server.log 2>&1 &
```
The Vault dev server defaults to running at 127.0.0.1:8200. The server logs to the file vault-server.log in the hands-on lab working directory, and gets automatically initialized and unsealed.
Dev mode is not for production
Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database and all contents are lost when the Vault server process is stopped.
Export the environment variable for the vault CLI to address the Vault server.
```
$ export VAULT_ADDR='http://127.0.0.1:8200'
```
Export an environment variable for the vault CLI to authenticate with the Vault server.
```
$ export VAULT_TOKEN=root
```

Check Vault status.

$ vault status

Example output:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.15.0
Build Date      2023-09-22T16:53:10Z
Storage Type    inmem
Cluster Name    vault-cluster-becc609e
Cluster ID      96babf60-d3e2-0ea0-4879-f78763ac595c
HA Enabled      false

The Vault server is ready for you to proceed with the hands-on lab.

Run a Vault dev mode Docker container from your terminal session to follow the Docker workflow in this hands-on lab.

Create a Docker network named learn-vault that all containers in this hands-on lab use.

Create the network.

$ docker network create --attachable --subnet 10.42.74.0/24 learn-vault

Start a Vault dev mode container.

$ docker run \
   --ip 10.42.74.100 \
   --name learn-vault \
   --network learn-vault \
   --cap-add=IPC_LOCK \
   --env 'VAULT_DEV_ROOT_TOKEN_ID=root' \
   --env 'VAULT_DEV_LISTEN_ADDRESS=0.0.0.0:8200' \
   --publish 8200:8200 \
   --detach \
   --rm \
   hashicorp/vault server -dev

Example output:

Unable to find image 'hashicorp/vault:latest' locally
latest: Pulling from hashicorp/vault
7264a8db6415: Already exists
7259d51dea60: Pull complete
9dedc4f6c9a3: Pull complete
204d1f409b38: Pull complete
3880cf4bada0: Pull complete
0e0e3fbb3175: Pull complete
bc314563faa5: Pull complete
Digest: sha256:ccbb5fde9d55b3dc57cf8694dea9c988ba0127b205661b652b5264f8d5901a58
Status: Downloaded newer image for hashicorp/vault:latest
6d13077b2c5d9bdafb4e1882eebed9bed02a96b1ee22b1a2d549b767db8e5572

If you've never used the Vault image before, Docker pulls it for you and then starts a container using the image.

Dev mode is not for production

Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database and all contents are lost when the Vault server process is stopped.

Check Vault status.

$ docker run \
    --cap-add IPC_LOCK \
    --ip 10.42.74.101 \
    --name learn-vault-client \
    --network learn-vault \
    --env 'VAULT_ADDR=http://10.42.74.100:8200' \
    --rm \
    hashicorp/vault status

Example output:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.15.0
Build Date      2023-09-22T16:53:10Z
Storage Type    inmem
Cluster Name    vault-cluster-bcfbdbc6
Cluster ID      a38f6679-03fd-af38-5d7b-a2baad820c35
HA Enabled      false

The Vault dev mode server Docker container is ready for you to proceed with the hands-on lab.

Deploy Vault into Minikube using a Helm chart from your terminal session to follow the Kubernetes workflow in this hands-on lab.

Dive deeper

If you're unfamiliar with this process or would like to dive deeper, review the Vault installation to minikube via Helm with Integrated Storage tutorial.

Start Minikube.

$ minikube start

Example output:

😄  minikube v1.31.2 on Darwin 13.6
✨  Automatically selected the docker driver. Other choices: hyperkit, qemu2, virtualbox, ssh
📌  Using Docker Desktop driver with root privileges
👍  Starting control plane node minikube in cluster minikube
🚜  Pulling base image ...
💾  Downloading Kubernetes v1.27.4 preload ...
   > preloaded-images-k8s-v18-v1...:  393.21 MiB / 393.21 MiB  100.00% 9.37 Mi
   > gcr.io/k8s-minikube/kicbase...:  447.62 MiB / 447.62 MiB  100.00% 9.27 Mi
🔥  Creating docker container (CPUs=2, Memory=4000MB) ...
🐳  Preparing Kubernetes v1.27.4 on Docker 24.0.4 ...
   ▪ Generating certificates and keys ...
   ▪ Booting up control plane ...
   ▪ Configuring RBAC rules ...
🔗  Configuring bridge CNI (Container Networking Interface) ...
🔎  Verifying Kubernetes components...
   ▪ Using image gcr.io/k8s-minikube/storage-provisioner:v5
🌟  Enabled addons: storage-provisioner, default-storageclass
🏄  Done! kubectl is now configured to use "minikube" cluster and "default" namespace by default

Check Minikube status.

$ minikube status

Example output:

minikube
type: Control Plane
host: Running
kubelet: Running
apiserver: Running
kubeconfig: Configured

Add the HashiCorp Helm repository.

$ helm repo add hashicorp https://helm.releases.hashicorp.com

Example output:

"hashicorp" has been added to your repositories

Update all the repositories to ensure helm is aware of the latest versions.

$ helm repo update

Example output:

Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "secrets-store-csi-driver" chart repository
...Successfully got an update from the "hashicorp" chart repository
Update Complete. ⎈Happy Helming!⎈

Install the Vault server Helm chart to start a dev mode server.

$ helm install vault hashicorp/vault \
    --set "server.dev.enabled=true" \
    --set "server.dev.devRootToken=root"

Example output:

NAME: vault
LAST DEPLOYED: Tue Oct 24 15:11:26 2023
NAMESPACE: default
STATUS: deployed
REVISION: 1
NOTES:
Thank you for installing HashiCorp Vault!
...snip...

Dev mode is not for production

Do not run a Vault dev server in production. This approach starts a Vault server with an in-memory database and all contents are lost when the Vault server process is stopped.

Display all the pods within the default namespace.

$ kubectl get pods

Example output:

NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 0/1     Running   0          67s
vault-agent-injector-7655d66c96-t24tk   1/1     Running   0          68s

The Vault dev mode server is running in the pod named vault-0. Check the status as needed, and ensure that both pods have a Running status before continuing.

Check the Vault server status.

$ kubectl exec vault-0 -- vault status

Example output:

Key             Value
---             -----
Seal Type       shamir
Initialized     true
Sealed          false
Total Shares    1
Threshold       1
Version         1.14.0
Build Date      2023-06-19T11:40:23Z
Storage Type    inmem
Cluster Name    vault-cluster-f0037191
Cluster ID      1f788714-7dcc-39f9-65a4-adcf8dc90c15
HA Enabled      false

The Vault dev mode server Docker container is ready for you to proceed with the hands-on lab.

Deploy a Vault Dedicated developer instance to follow the HCP Vault Dedicated workflow in this hands-on lab.

Dive deeper

If you're unfamiliar with this process or would like to dive deeper, review the Create a Vault cluster on HCP tutorial.

Launch the HCP Portal and login.
Click Vault in the left navigation pane.
In the Vault clusters pane, click vault-cluster.
Under Cluster URLs, click Public Cluster URL.
In a terminal, set the VAULT_ADDR environment variable to the copied address.
```
$ export VAULT_ADDR=<Public_Cluster_URL>
```
Return to the Overview page and click Generate token.
Within a few moments, a new token will be generated.
Copy the Admin Token.
Return to the terminal and set the VAULT_TOKEN environment variable.
```
$ export VAULT_TOKEN=<token>
```
Set the VAULT_NAMESPACE environment variable to admin.
```
$ export VAULT_NAMESPACE=admin
```
The admin namespace is the top-level namespace automatically created by HCP Vault. All CLI operations default to use the namespace defined in this environment variable.

Type vault status to verify your connectivity to the Vault cluster.

$ vault status

Key                      Value
---                      -----
Recovery Seal Type       shamir
Initialized              true
Sealed                   false
Total Recovery Shares    1
Threshold                1
Version                  1.9.2+ent
Storage Type             raft
...snipped...

The Vault Dedicated server is ready, you are ready to proceed with the lab.

Now that you've established a working lab, you're ready to explore vault-benchmark and its configuration.

Explore vault-benchmark

Your goal for this section is to explore vault-benchmark using a terminal session. Resources for diving deeper are provided at the section's conclusion.

Check your vault-benchmark version.
```
$ vault-benchmark version
```
Example output:
```
vault-benchmark v0.2.0
```

You can get help to discover available commands.

$ vault-benchmark --help

Example output:

Usage: vault-benchmark <command> [args]

Command list:
   run         Run vault-benchmark test(s)
   review      Review previous test results

This hands-on lab focuses on your use of the run command. Get help for the run command.

$ vault-benchmark run --help

Long example output

Usage: vault-benchmark run [options]

This command will run a vault-benchmark test.

Run a vault-benchmark test with a configuration file:

   $ vault-benchmark run -config=/etc/vault-benchmark/test.hcl

For a full list of examples, please see the documentation.

Command Options:

-annotate=<string>
      Comma-separated name=value pairs include in bench_running prometheus
      metric. Try name 'testname' for dashboard example.

-audit_path=<string>
      Path to file for audit log.

-ca_pem_file=<string>
      Path to PEM encoded CA file to verify external Vault. This can also be
      specified via the VAULT_CACERT environment variable.

-cleanup
      Cleanup benchmark artifacts after run. The default is false.

-cluster_json=<string>
      Path to cluster.json file

-config=<string>
      Path to a vault-benchmark test configuration file.

-debug
      Run vault-benchmark in Debug mode. The default is false.

-disable_http2
      Force HTTP/1.1 The default is false.

-duration=<duration>
      Test Duration. The default is 10s.

-log_level=<string>
      Level to emit logs. Options are: INFO, WARN, DEBUG, TRACE. The default
      is INFO. This can also be specified via the VAULT_BENCHMARK_LOG_LEVEL
      environment variable.

-pprof_interval=<duration>
      Collection interval for vault debug pprof profiling.

-random_mounts
      Use random mount names. The default is true.

-report_mode=<string>
      Reporting Mode. Options are: terse, verbose, json. The default is terse.

-rps=<int>
      Requests per second. Setting to 0 means as fast as possible.

-vault_addr=<string>
      Target Vault API Address. The default is http://127.0.0.1:8200. This can
      also be specified via the VAULT_ADDR environment variable.

-vault_namespace=<string>
      Vault Namespace to create test mounts. This can also be specified via
      the VAULT_NAMESPACE environment variable.

-vault_token=<string>
      Vault Token to be used for test setup. This can also be specified via
      the VAULT_TOKEN environment variable.

-workers=<int>
      Number of workers The default is 10.

Pull the vault-benchmark Docker image.

$ docker pull hashicorp/vault-benchmark

Example output:*

Using default tag: latest
latest: Pulling from hashicorp/vault-benchmark
7264a8db6415: Already exists
33d33aabda2b: Pull complete
8f54a0ca9a8e: Pull complete
Digest: sha256:87ecb39722acd7e465a227b8e274157737281a0243160aca5db0222f447447c5
Status: Downloaded newer image for hashicorp/vault-benchmark:latest
docker.io/hashicorp/vault-benchmark:latest

Check your vault-benchmark version.

$ docker run hashicorp/vault-benchmark vault-benchmark version

Example output:

vault-benchmark v0.2.0

You can get help to discover available commands.

$ docker run hashicorp/vault-benchmark vault-benchmark --help

Example output:

Usage: vault-benchmark <command> [args]

Command list:
   run         Run vault-benchmark test(s)
   review      Review previous test results

This hands-on lab focuses on your use of the run command. Get help for the run command.

$ docker run hashicorp/vault-benchmark vault-benchmark run --help

Long example output

Usage: vault-benchmark run [options]

This command will run a vault-benchmark test.

Run a vault-benchmark test with a configuration file:

   $ vault-benchmark run -config=/etc/vault-benchmark/test.hcl

For a full list of examples, please see the documentation.

Command Options:

-annotate=<string>
      Comma-separated name=value pairs include in bench_running prometheus
      metric. Try name 'testname' for dashboard example.

-audit_path=<string>
      Path to file for audit log.

-ca_pem_file=<string>
      Path to PEM encoded CA file to verify external Vault. This can also be
      specified via the VAULT_CACERT environment variable.

-cleanup
      Cleanup benchmark artifacts after run. The default is false.

-cluster_json=<string>
      Path to cluster.json file

-config=<string>
      Path to a vault-benchmark test configuration file.

-debug
      Run vault-benchmark in Debug mode. The default is false.

-disable_http2
      Force HTTP/1.1 The default is false.

-duration=<duration>
      Test Duration. The default is 10s.

-log_level=<string>
      Level to emit logs. Options are: INFO, WARN, DEBUG, TRACE. The default
      is INFO. This can also be specified via the VAULT_BENCHMARK_LOG_LEVEL
      environment variable.

-pprof_interval=<duration>
      Collection interval for vault debug pprof profiling.

-random_mounts
      Use random mount names. The default is true.

-report_mode=<string>
      Reporting Mode. Options are: terse, verbose, json. The default is terse.

-rps=<int>
      Requests per second. Setting to 0 means as fast as possible.

-vault_addr=<string>
      Target Vault API Address. The default is http://127.0.0.1:8200. This can
      also be specified via the VAULT_ADDR environment variable.

-vault_namespace=<string>
      Vault Namespace to create test mounts. This can also be specified via
      the VAULT_NAMESPACE environment variable.

-vault_token=<string>
      Vault Token to be used for test setup. This can also be specified via
      the VAULT_TOKEN environment variable.

-workers=<int>
      Number of workers The default is 10.

You can explore the vault-benchmark documentation to learn more about configuring it.

The available tests documentation describes all of the available tests and their configuration. You can use this information to configure a vault-benchmark Kubernetes job.

You'll use an example benchmark configuration that includes the Kubernetes auth method; the Kubernetes auth benchmark documentation covers all of the available parameters, caveats, and a usage example for this benchmark.

All benchmark tests are documented in a similar way.

Check your vault-benchmark version.
```
$ vault-benchmark version
```
Example output:
```
vault-benchmark v0.2.0
```

You can get help to discover available commands.

$ vault-benchmark --help

Example output:

Usage: vault-benchmark <command> [args]

Command list:
   run         Run vault-benchmark test(s)
   review      Review previous test results

This hands-on lab focuses on your use of the run command. Get help for the run command.

$ vault-benchmark run --help

Long example output

Usage: vault-benchmark run [options]

This command will run a vault-benchmark test.

Run a vault-benchmark test with a configuration file:

   $ vault-benchmark run -config=/etc/vault-benchmark/test.hcl

For a full list of examples, please see the documentation.

Command Options:

-annotate=<string>
      Comma-separated name=value pairs include in bench_running prometheus
      metric. Try name 'testname' for dashboard example.

-audit_path=<string>
      Path to file for audit log.

-ca_pem_file=<string>
      Path to PEM encoded CA file to verify external Vault. This can also be
      specified via the VAULT_CACERT environment variable.

-cleanup
      Cleanup benchmark artifacts after run. The default is false.

-cluster_json=<string>
      Path to cluster.json file

-config=<string>
      Path to a vault-benchmark test configuration file.

-debug
      Run vault-benchmark in Debug mode. The default is false.

-disable_http2
      Force HTTP/1.1 The default is false.

-duration=<duration>
      Test Duration. The default is 10s.

-log_level=<string>
      Level to emit logs. Options are: INFO, WARN, DEBUG, TRACE. The default
      is INFO. This can also be specified via the VAULT_BENCHMARK_LOG_LEVEL
      environment variable.

-pprof_interval=<duration>
      Collection interval for vault debug pprof profiling.

-random_mounts
      Use random mount names. The default is true.

-report_mode=<string>
      Reporting Mode. Options are: terse, verbose, json. The default is terse.

-rps=<int>
      Requests per second. Setting to 0 means as fast as possible.

-vault_addr=<string>
      Target Vault API Address. The default is http://127.0.0.1:8200. This can
      also be specified via the VAULT_ADDR environment variable.

-vault_namespace=<string>
      Vault Namespace to create test mounts. This can also be specified via
      the VAULT_NAMESPACE environment variable.

-vault_token=<string>
      Vault Token to be used for test setup. This can also be specified via
      the VAULT_TOKEN environment variable.

-workers=<int>
      Number of workers The default is 10.

Configure benchmark

Your goal for this section is to configure vault-benchmark for a basic benchmark run.

Vault Benchmark is configured with a HashiCorp Configuration Language (HCL) file. You can use the example configuration shown in the Usage documentation in this hands-on lab.

Here is the entire example configuration file.

vault-benchmark-config.hcl

1 2 3 4 5 6 7 8 9 1011121314151617181920212223vault_addr = "http://127.0.0.1:8200"
vault_token = "root"
vault_namespace="root"
duration = "30s"
cleanup = true

test "approle_auth" "approle_logins" {
  weight = 50
  config {
    role {
      role_name = "benchmark-role"
      token_ttl="2m"
    }
  }
}

test "kvv2_write" "static_secret_writes" {
  weight = 50
  config {
    numkvs = 100
    kvsize = 100
  }
}

Lines 1-5 are global parameters:

vault_addr: the full URL plus port for the Vault server to benchmark.
vault_token: the literal token value for a token with capabilities to enable and manage secrets engines and auth methods. In this hands-on lab, the initial root token value is used, but you should not use a root token in production this way.
vault_namespace: the name of the Enterprise namespace to use for the benchmark.
duration: number of seconds to run the benchmark.
cleanup: whether to remove all resources created by the benchmark run.

Benchmark in production not recommended

You should benchmark Vault servers dedicated to the purpose, but not production servers. The benchmark can adversely affect performance of the server, and does not make guarantees about cleanup of artifacts created during the benchmark run.

Lines 7-15 and 17-23 represent the 2 tests making up this benchmark configuration. This test configuration runs two different tests, an approle_auth test and a kvv2_write test, with the percentage of requests split evenly between the two.

The first test beginning at line 7, is for AppRole auth method logins. Note that the first parameter is weight. You can think of this as a percentage of the entire workload. This means that the benchmark performs AppRole logins 50% of the time throughout the entire run.

You can configure a test in its config stanza. In this test, role_name specifies the auth method role name benchmark-role. Each token Vault issues after an AppRole login with the benchmark-role is configured with a token_ttl value of 2 minutes to specify the token's time-to-live (TTL). You can learn more about available parameters in the AppRole auth method benchmark documentation.

The second test beginning at line 17, is for Key/Value version 2 secrets engine writes. This test takes the remaining 50% of benchmark operations with its weight setting. It also uses numkvs to specify that 100 key/value secrets be written, and kvsize to limit each value to 100 bytes. Available parameters are documented in the KV v1 and KV v2 secret benchmark documentation

You can learn more about all the tests in the vault-benchmark test documentation.

Now that you've reviewed the example configuration, you need to change it a bit to function with the Vault cluster you're using.

In the lab setup section, you set the VAULT_ADDR and VAULT_TOKEN (and VAULT_NAMESPACE for Vault Dedicated) environment variables for communicating to your Vault cluster.

Values from environment variables override anything specified in the vault-benchmark configuration file.

With this in mind, you can set the vault_addr, vault_token, and vault_namespace values to an empty string. Their values come from the environment variables you set.

root namespace by default

If you're using a Vault cluster that is not in HCP, you might recall that you did not export a VAULT_NAMESPACE environment variable during your lab setup.

vault-benchmark uses the root namespace by default when there is no value set in the configuration file. Specifying it is unnecessary unless you're using HCP Vault Dedicated or a Vault Enterprise cluster with a namespace that is not root.

These steps apply equally to self-hosted, Docker and Vault Dedicated.

Return to your terminal session and write the configuration file to /tmp/learn-vault-benchmark/vault-benchmark-config.hcl.

$ cat > "$HC_LEARN_LAB"/vault-benchmark-config.hcl << EOF
vault_addr = ""
vault_token = ""
vault_namespace=""
duration = "30s"
cleanup = true

test "approle_auth" "approle_logins" {
weight = 50
config {
   role {
      role_name = "benchmark-role"
      token_ttl="2m"
   }
}
}

test "kvv2_write" "static_secret_writes" {
weight = 50
config {
   numkvs = 100
   kvsize = 100
}
}
EOF

You've configured vault-benchmark for 2 tests, and they're now ready for you to run them.

You can configure vault-benchmark for Kubernetes as a job file. Here is the complete example from the vault-benchmark repository.

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-benchmark

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-benchmark-configmap
data:
  k8s.hcl: |
    # Basic Benchmark config options
    vault_addr = "http://vault:8200"
    vault_token = "root"
    duration = "10s"
    report_mode = "terse"
    random_mounts = true
    cleanup = true

    test "kube_auth" "kube_auth_test1" {
      weight = 100
      config {
        auth {
          kubernetes_host = "https://kubernetes.default.svc"
        }
        role {
          name = "vault-benchmark-role"
          bound_service_account_names = ["vault-benchmark"]
          bound_service_account_namespaces = ["*"]
          token_max_ttl = "24h"
          token_ttl = "1h"
        }
      }
    }

---
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-benchmark
spec:
  backoffLimit: 0
  template:
    metadata:
      name: vault-benchmark
      labels:
        app: vault-benchmark
    spec:
      containers:
      - name: vault-benchmark
        image: hashicorp/vault-benchmark:latest
        imagePullPolicy: IfNotPresent
        command: ["vault-benchmark"]
        args: [
          "run",
          "-config=/config/k8s.hcl",
        ]
        volumeMounts:
        - name: benchmark-config
          mountPath: "/config"
          readOnly: true
      restartPolicy: Never
      serviceAccountName: vault-benchmark
      volumes:
      - name: benchmark-config
        configMap:
          name: vault-benchmark-configmap

This benchmark has one test named kube_auth_test1, that performs Kubernetes auth method logins.

You'll work with an edited version that changes the following settings.

Benchmark duration is increased to 30s.
Adds a second test of KV v2 secret writes.
Sets each test's weight to 50.

Create the job file /tmp/learn-vault-benchmark/vault-benchmark-job.yaml, paste the following updated configuration into it, and save it.

# Copyright (c) HashiCorp, Inc.
# SPDX-License-Identifier: MPL-2.0

---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: vault-benchmark

---
apiVersion: v1
kind: ConfigMap
metadata:
  name: vault-benchmark-configmap
data:
  k8s.hcl: |
    # Basic Benchmark config options
    vault_addr = "http://vault:8200"
    vault_token = "root"
    duration = "30s"
    report_mode = "terse"
    random_mounts = true
    cleanup = true

    test "kube_auth" "kube_auth_test1" {
      weight = 50
      config {
        auth {
          kubernetes_host = "https://kubernetes.default.svc"
        }
        role {
          name = "vault-benchmark-role"
          bound_service_account_names = ["vault-benchmark"]
          bound_service_account_namespaces = ["*"]
          token_max_ttl = "24h"
          token_ttl = "1h"
        }
      }
    }
    test "kvv2_write" "static_secret_writes" {
      weight = 50
      config {
        numkvs = 100
        kvsize = 100
      }
    }

---
apiVersion: batch/v1
kind: Job
metadata:
  name: vault-benchmark
spec:
  backoffLimit: 0
  template:
    metadata:
      name: vault-benchmark
      labels:
        app: vault-benchmark
    spec:
      containers:
      - name: vault-benchmark
        image: hashicorp/vault-benchmark:latest
        imagePullPolicy: IfNotPresent
        command: ["vault-benchmark"]
        args: [
          "run",
          "-config=/config/k8s.hcl",
        ]
        volumeMounts:
        - name: benchmark-config
          mountPath: "/config"
          readOnly: true
      restartPolicy: Never
      serviceAccountName: vault-benchmark
      volumes:
      - name: benchmark-config
        configMap:
          name: vault-benchmark-configmap

You're now ready to run the benchmark.

Run benchmark

Your goal for this section is to run vault-benchmark with the configuration that you just created.

Run the benchmark.

$ vault-benchmark run \
    -config="$HC_LEARN_LAB"/vault-benchmark-config.hcl

Example output:

2023-10-19T12:59:08.675-0400 [INFO]  vault-benchmark: setting up targets
2023-10-19T12:59:10.814-0400 [INFO]  vault-benchmark: starting benchmarks: duration=30s
2023-10-19T12:59:40.817-0400 [INFO]  vault-benchmark: cleaning up targets
2023-10-19T13:00:05.371-0400 [INFO]  vault-benchmark: benchmark complete
Target: http://127.0.0.1:8200
op                    count  rate         throughput   mean        95th%       99th%       successRatio
approle_logins        98537  3284.650546  3284.468629  1.683084ms  3.559447ms  6.001427ms  100.00%
static_secret_writes  98507  3283.561593  3283.438647  1.3473ms    2.940248ms  5.218769ms  100.00%

Run the benchmark.

$ docker run \
    --volume="$HC_LEARN_LAB":/vault/config \
    --ip 10.42.74.200 \
    --name learn-vault-benchmark \
    --network learn-vault \
    --env 'VAULT_TOKEN=root' \
    --env 'VAULT_ADDR=http://10.42.74.100:8200' \
    --rm \
    hashicorp/vault-benchmark vault-benchmark run -config=/vault/config/vault-benchmark-config.hcl

Example output:

2023-10-24T15:59:10.538Z [INFO]  vault-benchmark: setting up targets
2023-10-24T15:59:12.656Z [INFO]  vault-benchmark: starting benchmarks: duration=30s
2023-10-24T15:59:42.658Z [INFO]  vault-benchmark: cleaning up targets
2023-10-24T16:00:05.197Z [INFO]  vault-benchmark: benchmark complete
Target: http://10.42.74.100:8200
op                    count  rate         throughput   mean        95th%       99th%        successRatio
approle_logins        59367  1978.899034  1978.802035  2.733019ms  7.34808ms   13.220348ms  100.00%
static_secret_writes  59617  1987.300917  1987.183731  2.295889ms  6.376367ms  11.80409ms   100.00%

Run the benchmark.

$ kubectl apply -f "$HC_LEARN_LAB"/vault-benchmark-job.yaml

Get the pods.

$ kubectl get pods
NAME                                    READY   STATUS    RESTARTS   AGE
vault-0                                 1/1     Running   0          12m
vault-agent-injector-7655d66c96-7vfcx   1/1     Running   0          12m
vault-benchmark-ghjlq                   1/1     Running   0          7s

The benchmark is running in the vault-benchmark-ghjlq pod.

Examine the results by following the logs.

$ kubectl logs --follow vault-benchmark-ghjlq

2023-10-24T19:35:28.014Z [INFO]  vault-benchmark: setting up targets
2023-10-24T19:35:28.022Z [INFO]  vault-benchmark: starting benchmarks: duration=30s
2023-10-24T19:35:58.029Z [INFO]  vault-benchmark: cleaning up targets
2023-10-24T19:36:04.845Z [INFO]  vault-benchmark: benchmark complete
Target: http://vault:8200
op               count  rate        throughput  mean         95th%        99th%        successRatio
kube_auth_test1  16727  557.518870  557.445898  17.831411ms  64.166976ms  78.134265ms  100.00%

Run the benchmark.

$ vault-benchmark run \
    -config="$HC_LEARN_LAB"/vault-benchmark-config.hcl

Example output:

2023-10-27T14:55:09.297-0400 [INFO]  vault-benchmark: setting up targets
2023-10-27T14:55:23.300-0400 [INFO]  vault-benchmark: starting benchmarks: duration=30s
2023-10-27T14:55:53.433-0400 [INFO]  vault-benchmark: cleaning up targets
2023-10-27T14:56:20.724-0400 [INFO]  vault-benchmark: benchmark complete
Target: https://brian-benchmark-public-vault-2564be7d.3cf3a186.z1.hashicorp.cloud:8200
op                    count  rate       throughput  mean          95th%         99th%         successRatio
approle_logins        1262   42.100297  29.789826   121.145474ms  150.242326ms  184.722952ms  71.08%
static_secret_writes  1284   42.773201  30.732352   115.303956ms  140.230583ms  164.517774ms  72.12%

Review the output

The benchmark output is tabular by default. This example is from the self-hosted dev mode server, but the output will be similar for Vault in any environment.

123456782023-10-19T12:59:08.675-0400 [INFO]  vault-benchmark: setting up targets
2023-10-19T12:59:10.814-0400 [INFO]  vault-benchmark: starting benchmarks: duration=30s
2023-10-19T12:59:40.817-0400 [INFO]  vault-benchmark: cleaning up targets
2023-10-19T13:00:05.371-0400 [INFO]  vault-benchmark: benchmark complete
Target: http://127.0.0.1:8200
op                    count  rate         throughput   mean        95th%       99th%       successRatio
approle_logins        98537  3284.650546  3284.468629  1.683084ms  3.559447ms  6.001427ms  100.00%
static_secret_writes  98507  3283.561593  3283.438647  1.3473ms    2.940248ms  5.218769ms  100.00%

The first 4 lines are log outputs from vault-benchmark which describe its current actions.

The 5th line shows the benchmark target URL, and the 6th line represents headings for the metric data.

The data metrics are as follows for the last 2 lines, which represent each of the 2 benchmark tests you configured.

op: the test name.
count: the number of tests completed during the benchmark duration.
rate: the true operations per second rate of all tests of this type.
throughput: the operations per second rate of all successful tests of this type.
mean: the mean time in milliseconds per operation.
95th%: the 95th percentile time in milliseconds per operation.
99th%: the 99th percentile time in milliseconds per operation.
successRatio: the percentage of successful tests of this type. When tests are not successful, you should consult the Vault operational and audit logs for details on the unsuccessful tests.

Tip

You can also output the benchmark results as JSON with the -report_mode=json flag.

Cleanup

Follow the steps for the environment you used in the hands-on lab to clean up.

Stop the Vault dev mode server.
```
$ pkill vault
```
Remove the hands on lab directory.
```
$ rm -rf "$HC_LEARN_LAB"
```
Unset environment variables.
```
$ unset VAULT_ADDR VAULT_TOKEN
```
Remove cached Vault token.
```
$ rm -f ~/.vault-token
```

Stop the Vault dev mode container; Docker will automatically remove the container.
```
$ docker stop learn-vault
```
Remove the Docker network.
```
$ docker network rm learn-vault
```
Remove the hands on lab directory.
```
$ rm -rf "$HC_LEARN_LAB"
```
Unset environment variables.
```
$ unset VAULT_ADDR VAULT_TOKEN
```

Delete the benchmark job.

$ kubectl delete jobs/vault-benchmark

Example output:

job.batch "vault-benchmark" deleted

Uninstall the Vault server Helm chart to stop and remove the Vault pods.
```
$ helm uninstall vault
```
Example output:
```
release "vault" uninstalled
```

Delete Minikube instance to stop it.

$ minikube delete
🔥  Deleting "minikube" in docker ...
🔥  Deleting container "minikube" ...
🔥  Removing /Users/brian/.minikube/machines/minikube ...
💀  Removed all traces of the "minikube" cluster.

Remove the hands on lab directory.
```
$ rm -rf "$HC_LEARN_LAB"
```
Unset environment variables.
```
$ unset VAULT_ADDR VAULT_TOKEN
```

If you do not need your Vault Dedicated or HashiCorp Virtual Network resources any longer, access the HCP portal and delete the Vault cluster and HVN.
Remove the hands on lab directory.
```
$ rm -rf "$HC_LEARN_LAB"
```
Unset environment variables.
```
$ unset VAULT_ADDR VAULT_TOKEN
```

Next steps

You learned the basics around the Vault Benchmark tool, including how to configure and run a benchmark. You also learned about the default benchmark output, and available documentation resources for Vault Benchmark.

To dive deeper into Vault performance, consider reviewing the performance tuning and production hardening tutorials.

Help and reference

HCP Vault configuration with Terraform

Next Collection

Policies