KES status check causes log spam in Vault
ianroberts opened this issue
Bug description
I have an installation of kes using Hashicorp Vault as the backing keystore, and every minute I see the following in the Vault logs:
[INFO] http: TLS handshake error from {kes-ip}:{random-port}: EOF
This appears to be inevitable given the way that the once-per-minute status check in internal/vault/vault.go first attempts a simple TCP reachability check (line 150 in 884c3bc) before going on to make a proper TLS connection to fetch the Vault health data. This TCP check does not complete the TLS handshake, which triggers the error message on the server side.
Expected behavior
Since the Status function always follows the TCP check with a proper TLS connection, there seems little value in doing both checks - just the properly handshaken fetch of the health data would be sufficient to also check reachability.
Additional context
This kind of log spam is a known issue for anything that does plain TCP health checks against Vault, e.g. hashicorp/vault#7471
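The behaviour reported above can be reproduced locally with the following added example, which is not KES or Vault code: a Go `net/http/httptest` TLS server stands in for Vault, and the program counts the handshake errors the server logs after a full TLS health fetch and after a bare TCP dial. The names `logCount` and `probe` and the JSON body are constructed for the illustration.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
	"sync/atomic"
	"time"
)

type logCount struct{ n int32 } // counts "TLS handshake error" lines in the server's error log
func (c *logCount) Write(p []byte) (int, error) {
	atomic.AddInt32(&c.n, int32(strings.Count(string(p), "TLS handshake error")))
	return len(p), nil
}

// probe runs both check styles and returns the handshake errors logged after each one.
func probe() (afterTLS, afterTCP int, err error) {
	logged := &logCount{}
	seen := func() int { return int(atomic.LoadInt32(&logged.n)) }
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Write([]byte(`{"initialized":true,"sealed":false}`)) // constructed health body
	}))
	srv.Config.ErrorLog = log.New(logged, "", 0)
	srv.StartTLS()
	defer srv.Close()
	// Style 1: full TLS handshake plus health fetch; success implies reachability.
	resp, err := srv.Client().Get(srv.URL + "/v1/sys/health")
	if err != nil {
		return 0, 0, err
	}
	resp.Body.Close()
	srv.Client().CloseIdleConnections()
	time.Sleep(200 * time.Millisecond) // give the server time to log, if it were going to
	afterTLS = seen()
	// Style 2: bare TCP dial, closed before any ClientHello is sent.
	conn, err := net.Dial("tcp", srv.Listener.Addr().String())
	if err != nil {
		return afterTLS, 0, err
	}
	conn.Close()
	for end := time.Now().Add(2 * time.Second); seen() == afterTLS && time.Now().Before(end); {
		time.Sleep(10 * time.Millisecond)
	}
	return afterTLS, seen(), nil
}

func main() { log.Println(probe()) }
```

The TLS fetch leaves the server log empty, while the bare dial produces one `http: TLS handshake error from ...: EOF` line, the same format as the Vault log entry quoted in the report.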