Introduction
Users have reported 307 redirect errors when hitting the "/sys/metrics" endpoint on a Vault standby node while using authenticated metrics.
Understanding Behaviour
When a user is using authenticated metrics in their Vault cluster and performance standby is either disabled or not included in the Vault license, the only node that can respond to a sys/metrics request is the active node of the cluster. Standby nodes cannot serve authenticated read requests, which is expected behavior. All requests hitting the load balancer IP/DNS from standby nodes will end up in a redirection loop.
Recommended Action
- Users will need to enable unauthenticated metrics by setting it to true in their Vault config.
- Alternatively, users can request the performance standby feature in their Vault license, which will allow them to use authenticated metrics; all standby nodes acting as performance standbys will then also be able to respond to "sys/metrics" API calls.
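For the first option, a listener configuration with the setting enabled, as an added example that is not from the original article. The addresses, port and certificate paths are constructed placeholders, and the separate metrics listener is an assumption about how to limit who can reach the unauthenticated endpoint.

```hcl
# Constructed example: addresses, ports and file paths are placeholders.

# Main API listener. unauthenticated_metrics_access defaults to false,
# so /v1/sys/metrics on this listener still requires a token.
listener "tcp" {
  address       = "0.0.0.0:8200"
  tls_cert_file = "/etc/vault/tls/vault.crt"
  tls_key_file  = "/etc/vault/tls/vault.key"
}

# Dedicated listener for the metrics collector. Bind it to an internal
# interface and restrict it at the firewall to the monitoring host:
# anyone who can reach this address can read /v1/sys/metrics without a
# token. All other API paths on this listener still require normal auth.
listener "tcp" {
  address       = "10.0.0.5:8202"
  tls_cert_file = "/etc/vault/tls/vault.crt"
  tls_key_file  = "/etc/vault/tls/vault.key"

  telemetry {
    unauthenticated_metrics_access = true
  }
}
```

The setting is per listener, so it must be present in the configuration of every node, including standbys, whose metrics are collected.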
Reference
https://developer.hashicorp.com/vault/docs/configuration/listener/tcp#unauthenticated_metrics_acc