Vault benchmark is an open source tool that tests the performance of HashiCorp Vault auth methods and secrets engines.
Load testing is an important part of releasing a reliable API or application. It gives organizations the confidence that the infrastructure, applications, and workloads will work well under a defined load. This testing is also important to ensure that self-managed HashiCorp Vault clusters can handle a large number of concurrent requests (sometimes thousands per second) in a real-world scenario, because if Vault goes down, secure access to secrets and encryption as a service go down with it.
This post discusses how the Vault benchmark tool our engineers have built can give operators confidence in the reliability of their secrets management lifecycle.
Vault benchmark is designed to test the performance of Vault authentication methods and secrets engines. Its load-testing capabilities are powered by the HTTP load testing utility Vegeta.
The benefits of benchmarking your Vault workloads include:
Prerequisites for using Vault benchmark include:
To use Vault benchmark, run the vault-benchmark binary along with a benchmark configuration file. Use the file to configure any resources on the Vault instance that are required to perform tests. Before running the binary, set up any infrastructure dependencies, such as a database.
Depending on the configuration, Vault benchmark may put a great deal of stress on the Vault cluster and the underlying infrastructure during testing. Vault benchmark is intended to be run against non-production Vault clusters that are isolated from production systems or any other systems that might negatively impact the end-user experience.
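As an added illustration (not taken from this post), a benchmark configuration file for a throwaway local dev-mode Vault server might look like the following. The address, token, role name and test labels are constructed values, and the key names follow the HCL layout in the project's repository docs as an assumption, so check them against the docs for your release.

```hcl
# config.hcl: added example, not from the original post.
# Run with: vault-benchmark run -config=config.hcl
# Target: an isolated, non-production Vault (here a local dev-mode server).

vault_addr  = "http://127.0.0.1:8200" # constructed: loopback dev server only
vault_token = "root"                  # constructed: dev-mode root token, never a real credential
duration    = "30s"                   # how long the load is applied
cleanup     = true                    # remove the mounts and roles the tests create

# Each test block is: test "<test type>" "<your label>".
# Weights are percentages of total request volume and should sum to 100.

# 50% of requests: AppRole logins against a role created for this run.
test "approle_auth" "approle_logins" {
  weight = 50
  config {
    role {
      role_name = "benchmark-role" # constructed name
      token_ttl = "2m"             # short TTL so issued tokens expire quickly
    }
  }
}

# 50% of requests: KV v2 writes of small static secrets.
test "kvv2_write" "static_secret_writes" {
  weight = 50
  config {
    numkvs = 100 # number of distinct keys to write
    kvsize = 100 # size of each value
  }
}
```

Mixing an auth test with a secrets-engine test in one file is what lets the run approximate a real client pattern (log in, then write) instead of measuring each path in isolation.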
Through load testing, engineering teams may discover aspects of their architecture that are performing well, as well as opportunities for improvement. We recommend using Vault’s production hardening guidelines and reference architecture in addition to load testing to improve and tune overall performance.
You can download the Vault benchmark release binary from our release page. Documentation for Vault benchmark, which includes usage examples and test configurations, can be found in the project’s GitHub repository docs folder.
“[Vault benchmark] makes codifying your regular traffic and benchmarking clusters really easy. Just like you define your infrastructure as code, you define your traffic patterns and stress tests as code.
The tool already supports a comprehensive set of off-backends and secret engines, so you can easily map your standard client interactions and reproduce them in lower environments. This is an invaluable tool to understand how your current configuration and, more importantly, how any future configuration changes could impact cluster performance.” — Mark Billow, SRE, Indeed
For more information about best practices for self-managed Vault Community and Vault Enterprise, visit HashiCorp Developer and check out the full Vault knowledge base. If you’re interested in outsourcing Vault operations and reliability engineering to HashiCorp, try HCP Vault or HCP Vault Secrets, our cloud-managed versions of HashiCorp Vault.