hashicorp · miagilepner · May 24, 2024 · May 15, 2024 · May 15, 2024 · May 15, 2024
@@ -11,7 +11,7 @@ The `operator usage` command allows an administrator to retrieve a
 [client count](/vault/docs/concepts/client-count) report
 for the default reporting period, or for a specific time range of months.
 
-The command output will list clients by distinct entities, non-entity tokens,
+The command output will list clients by distinct entities, non-entity tokens, ACME clients,
 secret sync clients, and total active clients for each namespace, and the total
 for the entire cluster. It may indicate that no data is available for the
 requested time range, which may be because the client count reporting is
@@ -30,11 +30,11 @@ $ vault operator usage
 Period start: 2019-11-01T00:00:00Z
 Period end: 2020-10-31T23:59:59Z
 
-Namespace path Distinct entities Non-Entity tokens Secret syncs Active clients
--------------- ----------------- ----------------- ------------ --------------
-[root] 1541 332 40 1913
+Namespace path Distinct entities Non-Entity tokens Secret syncs ACME clients Active clients
+-------------- ----------------- ----------------- ------------ ------------ --------------
+[root] 1541 332 40 60 1973
 
-Total 1541 332 40 1913
+Total 1541 332 40 60 1973
 ```
 
 Retrieve the client counts for a specific month in the past:
@@ -44,11 +44,11 @@ $ vault operator usage -start-time=2020-01 -end-time=2020-01
 Period start: 2020-01-01T00:00:00Z
 Period end: 2020-01-31T23:59:59Z
 
-Namespace path Distinct entities Non-Entity tokens Secret syncs Active clients
--------------- ----------------- ----------------- ------------ --------------
-[root] 934 176 20 1130
+Namespace path Distinct entities Non-Entity tokens Secret syncs ACME clients Active clients
+-------------- ----------------- ----------------- ------------ ------------ --------------
+[root] 934 176 20 30 1160
 
-Total 934 176 20 1130
+Total 934 176 20 30 1160
 ```
 
 ## Usage

@@ -26,17 +26,6 @@ CLIENT_COUNT_PER_CLUSTER = UNIQUE_STANDARD_ENTITIES +
 Vault does not aggregate or de-duplicate clients across clusters, but all logs
 and precomputed reports are included in DR replication.
 
-<Note heading="Certificate entities currently reported as non-entity clients">
-
- Vault currently rolls certificate entities into the non-entity client count
- in the UI and API query requests. For more detailed information on certificate
- entities, use the
- [internal counter endpoint](/vault/api-docs/system/internal-counters) to query
- monthly data for the PKI mount path or export historic data and look for
- `client_type=pki-acme`.
-
-</Note>
-
 ## How Vault tracks clients
 
 Each time a client authenticates, Vault checks whether the corresponding entity

@@ -70,7 +70,7 @@ calculations.
 For example:
 
 - ACME client requests (from the same server or separate servers) for the same
- certificate identifier (a unique combination of CN,DNS, SANS and IP SANS)
+ certificate identifier (a unique combination of CN, DNS, SANS and IP SANS)
  are treated as the same entity.
 - If an ACME client makes a request for `a.test.com`, and subsequently makes a new
  request for `b.test.com` and `*.test.com` then two distinct entities will be created,

@@ -16,14 +16,14 @@ protect against overutilization, and budget for predicted consumption. Manual
 reporting shares the minimum data required to validate license utilization as
 defined in our contracts. The reports consist of mostly computed metrics and
 will never contain Personal Identifiable Information (PII) or other sensitive
-information. 
+information.
 
 Manual license utilization shares the same data as automated license utilization
 but is more time consuming. Unless you are running in an air-gapped environment
 or have another reason to report data manually, we strongly recommend using
 automated reporting instead. If you have disabled automated license reporting,
 you can re-enable it by reversing the opt-out process described in the
-[documentation](/vault/docs/enterprise/license/utilization-reporting#opt-out). 
+[documentation](/vault/docs/enterprise/license/utilization-reporting#opt-out).
 
 If you are considering manual reporting because you’re worried about your data,
 we strongly recommend that you review the [example
@@ -37,7 +37,7 @@ reporting in favor of manual reporting.
 ### Generate a data bundle
 
 Data bundles include collections of JSON snapshots that contain license
-utilization information. 
+utilization information.
 
 1. Login into your [cluster node](/vault/tutorials/cloud/vault-access-cluster).
 1. Run this CLI command to generate a data bundle:
@@ -46,12 +46,12 @@ utilization information.
  $ vault operator utilization
  ```
 
- By default, the bundle will include all historical snapshots. 
+ By default, the bundle will include all historical snapshots.
 
  You can provide context about the conditions under which the report was
  generated and submitted by providing a comment. This optional comment will
  not be included in the license utilization bundle, but will be included in
- the Vault server logs. 
+ the Vault server logs.
 
  **Example:**
 
@@ -63,7 +63,7 @@ utilization information.
  This command will export all the persisted snapshots into a bundle. The
  message “Change Control 654987” will not be included in the bundle but will
  be included in Vault server logs. The `-output` flags specifies the output
- location of the JSON bundle. 
+ location of the JSON bundle.
 
  **Available command flags:**
 
@@ -74,8 +74,8 @@ utilization information.
 
  - `-today-only` `(bool: false)` - To include only today’s snapshot, no
  historical snapshots. If no snapshots were persisted in the last 24 hrs, it
- takes a snapshot and exports it to a bundle. (optional) 
- 
+ takes a snapshot and exports it to a bundle. (optional)
+
  - `-output` `(string: “”)` - Specifies the output path for the bundle.
  Defaults to a time-based generated file name. (optional)
 
@@ -87,18 +87,18 @@ utilization information.
 
  a. If the upload succeeded, the HCP user interface will change the file
  status to **Uploaded** in green.
- 
+
  b. If the upload failed, the file status will say **Failed** in red, and
- will include error information. 
+ will include error information.
 
 If the upload fails make sure you haven’t modified the file signature. If the
-error persists, please contact your account representative. 
+error persists, please contact your account representative.
 
 
 ## Enable manual reporting
 
 Upgrade to a release that supports manual license utilization reporting. These
-releases include: 
+releases include:
 
 - Vault Enterprise 1.16.0 and later
 - Vault Enterprise 1.15.6 and later
@@ -107,15 +107,15 @@ releases include:
 ## Configuration
 
 Administrators can manage disk space for storing snapshots by defining the
-number of days snapshots can be retained. 
+number of days snapshots can be retained.
 
 ```hcl
 reporting {
  snapshot_retention_time = "2400h"
 }
 ```
 
-The default retention period is 400 days. 
+The default retention period is 400 days.
 
 ## Data file content
 
@@ -130,6 +130,11 @@ The default retention period is 400 days.
  "product": "vault",
  "process_id": "01HP5NJS21HN50FY0CBS0SYGCH",
  "metrics": {
+ "clientcount.current_month_estimate.type.acme_client": {
+ "key": "clientcount.current_month_estimate.type.acme_client",
+ "value": 0,
+ "mode": "write"
+ },
  "clientcount.current_month_estimate.type.entity": {
  "key": "clientcount.current_month_estimate.type.entity",
  "value": 20,
@@ -145,6 +150,11 @@ The default retention period is 400 days.
  "value": 0,
  "mode": "write"
  },
+ "clientcount.previous_month_complete.type.acme_client": {
+ "key": "clientcount.previous_month_complete.type.acme_client",
+ "value": 0,
+ "mode": "write"
+ },
  "clientcount.previous_month_complete.type.entity": {
  "key": "clientcount.previous_month_complete.type.entity",
  "value": 0,
@@ -170,4 +180,4 @@ The default retention period is 400 days.
  }
 ```
 
-</CodeBlockConfig>
+</CodeBlockConfig>
@@ -330,6 +330,14 @@ alphabetic order by name.
 
 @include 'telemetry-metrics/vault/identity/num_entities.mdx'
 
+@include 'telemetry-metrics/vault/identity/pki_acme/monthly.mdx'
+
+@include 'telemetry-metrics/vault/identity/pki_acme/reporting_period.mdx'
+
+@include 'telemetry-metrics/vault/identity/secret_sync/monthly.mdx'
+
+@include 'telemetry-metrics/vault/identity/secret_sync/reporting_period.mdx'
+
 @include 'telemetry-metrics/vault/identity/upsert_entity_txn.mdx'
 
 @include 'telemetry-metrics/vault/identity/upsert_group_txn.mdx'

@@ -13,6 +13,9 @@ provided in the Vault UI and API.
 | 1.10 | UI | Displayed clients per auth mount within a namespace
 | 1.11 | API | Supported unique client export for selected billing periods
 | 1.11 | UI | Displayed month over month calculations for client count
+| 1.13 | UI | Combined current month and previous history into one dashboard
+| 1.16 | All | Added synced secrets as a new category in client counting
+| 1.17 | All | Separated PKI ACME certificates as their own category in client counting
 
 The latest GA version of the Vault binary always contains the most updated
 version of the client count computation logic.

@@ -0,0 +1,8 @@
+### vault.identity.pki_acme.active.monthly ((#vault-pkiacme-entity-active-monthly))
+
+Metric type | Value | Description
+----------- | ------- | -----------
+gauge | clients | The number of distinct ACME PKI clients during the past month
+
+Vault reports `vault.identity.pki_acme.active.monthly` at the start of each month
+when client counting is enabled.
@@ -0,0 +1,8 @@
+### vault.identity.pki_acme.active.reporting_period ((#vault-identity-pkiacme-active-reporting_period))
+
+Metric type | Value | Description
+----------- | ------- | -----------
+gauge | clients | The number of distinct ACME PKI clients during the configured reporting period
+
+Vault reports `vault.identity.pki_acme.active.reporting_period` at the start of
+each month when client counting is enabled.