Observability
Cerbos is designed from the ground up to be cloud native and has first-class support for observability via OpenTelemetry metrics and distributed traces.
Metrics
By default, Cerbos exposes a metrics endpoint at /_cerbos/metrics
that can be scraped by Prometheus or other metrics scrapers that support the Prometheus metrics format. This endpoint can be disabled by setting server.metricsEnabled
configuration value to false
(see Server block).
Cerbos also has support for OpenTelemetry protocol (OTLP) push metrics. It can be configured using OpenTelemetry environment variables. The following environment variables are supported.
Environment variable | Description |
---|---|
|
Address of the OTLP metrics receiver (for example: |
|
Skip validating the TLS certificate of the endpoint |
|
Path to the certificate to use for validating the server’s TLS credentials. |
|
Path to the client certificate to use for mTLS |
|
Path to the client key to use for mTLS |
|
OTLP protocol. Supported values are |
|
The export interval in milliseconds. Defaults to 60000. |
|
Timeout for exporting the data in milliseconds. Defaults to 30000. |
|
Set to |
Refer to https://opentelemetry.io/docs/specs/otel/protocol/exporter/ for more information about exporter configuration through environment variables. Note that the OpenTelemetry Go SDK used by Cerbos might not have full support for some of the environment variables listed on the OpenTelemetry specification.
OTEL_METRICS_EXPORTER and OTEL_EXPORTER_OTLP_METRICS_ENDPOINT are the only required environment variables to enable OTLP metrics.
|
Traces
Cerbos supports distributed tracing to provide insights into application performance and request lifecycle. Traces from Cerbos can be exported to any compatible collector that supports the OpenTelemetry protocol (OTLP).
Trace configuration should be done using OpenTelemetry environment variables. The following environment variables are supported.
If you are upgrading from a Cerbos version older than 0.33.0, refer to migration instructions for information about mapping file-based configuration to environment variables. |
Environment variable | Description |
---|---|
|
Service name reported in the traces. Defaults to |
|
Trace sampler. Defaults to
|
|
Set the sampling ratio when |
|
Address of the OTLP collector (for example: |
|
Skip validating the TLS certificate of the endpoint |
|
Path to the certificate to use for validating the server’s TLS credentials. |
|
Path to the client certificate to use for mTLS |
|
Path to the client key to use for mTLS |
|
OTLP protocol. Supported values are |
Refer to https://opentelemetry.io/docs/specs/otel/protocol/exporter/ for more information about exporter configuration through environment variables. Note that the OpenTelemetry Go SDK used by Cerbos might not have full support for some of the environment variables listed on the OpenTelemetry specification.
OTEL_EXPORTER_OTLP_TRACES_ENDPOINT is the only required environment variable to enable OTLP trace exports.
|