Update to 2023-01-12 00:02

roles/vault/defaults/main.yml

@@ -78,6 +78,10 @@ vault_base_conf:
       # Default is False which means you can reach vault both directly or through your reverse proxy
       x_forwarded_for_reject_not_present: False
 
+      telemetry:
+        # Allow unauthenticated access to /v1/sys/metrics
+        unauthenticated_metrics_access: True
+
   # URL of the API to advertise
   api_addr: https://{{ inventory_hostname }}:{{ vault_services.api.port }}
   # URL of the inter-node communication endpoint to advertise
@@ -115,6 +119,7 @@ vault_base_conf:
   telemetry:
     prometheus_retention_time: 1h
     disable_hostname: True
+    enable_hostname_label: True
 
 # You can add additional paramters in vault_extra_conf (or vault_host_conf)
 # they will be merged into the vault_base_conf before rendering

roles/vault/templates/vault.hcl.j2

@@ -18,6 +18,11 @@ listener "tcp" {
   x_forwarded_for_authorized_addrs = "{{ listener.x_forwarded_for_authorized_addrs | join(',') }}"
   x_forwarded_for_reject_not_present = {{ listener.x_forwarded_for_reject_not_present | ternary('true', 'false') }}
 {% endif %}
+{% if listener.telemetry.unauthenticated_metrics_access %}
+  telemetry {
+    unauthenticated_metrics_access = true
+  }
+{% endif %}
 }
 {% endfor %}
 
@@ -62,7 +67,7 @@ telemetry {
 {% for key in ['prometheus_retention_time'] %}
   {{ key }} = "{{ vault_conf.telemetry[key] }}"
 {% endfor %}
-{% for key in ['disable_hostname'] %}
+{% for key in ['disable_hostname', 'enable_hostname_label'] %}
   {{ key }} = {{ vault_conf.telemetry[key] | ternary('true', 'false') }}
 {% endfor %}
 }