Merge pull request #131 from gardener/expire-metrics
Add metrics for certificate expiration date
MartinWeindel authored Jun 13, 2023
2 parents 608fe14 + 1efddde commit 6f6d92e
Showing 4 changed files with 47 additions and 10 deletions.
19 changes: 10 additions & 9 deletions README.md
Expand Up @@ -888,15 +888,16 @@ Metrics are exposed for Prometheus if the command line option `--server-port-htt
The endpoint URL is `http://<pod-ip>:<port>/metrics`.
Besides the default Go metrics, the following cert-management specific metrics are provided:

| Name | Labels | Description |
| -------------------------------------------- | -------------------- | ---------------------------------------------- |
| cert_management_acme_account_registrations | uri, email, issuer | ACME account registrations |
| cert_management_acme_orders | issuer, success, dns_challenges, renew | Number of ACME orders |
| cert_management_cert_entries | issuer, issuertype | Total number of certificate objects per issuer |
| cert_management_acme_active_dns_challenges | issuer | Currently active number of ACME DNS challenges |
| cert_management_overdue_renewal_certificates | - | Number of certificate objects with certificate's renewal overdue |
| cert_management_revoked_certificates | - | Number of certificate objects with revoked certificate |
| cert_management_secrets | classification | Number of certificate secrets per classification (only updated on startup and every 24h on GC of secrets). Currently there are three classifications: `total` = total number of certificate secrets on the source cluster, `revoked` = number of revoked certificate secrets, `backup`= number of backups of certificate secrets (every certificate has a backup secret in the `kube-system` namespace to allow revocation even if it is not used anymore) |
| Name | Labels | Description |
|----------------------------------------------|----------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
| cert_management_acme_account_registrations | uri, email, issuer | ACME account registrations |
| cert_management_acme_orders | issuer, success, dns_challenges, renew | Number of ACME orders |
| cert_management_cert_entries | issuer, issuertype | Total number of certificate objects per issuer |
| cert_management_cert_object_expire | namespace, name | Expire date as Unix time (the number of seconds elapsed since January 1, 1970 UTC) |
| cert_management_acme_active_dns_challenges | issuer | Currently active number of ACME DNS challenges |
| cert_management_overdue_renewal_certificates | - | Number of certificate objects with certificate's renewal overdue |
| cert_management_revoked_certificates | - | Number of certificate objects with revoked certificate |
| cert_management_secrets | classification | Number of certificate secrets per classification (only updated on startup and every 24h on GC of secrets). Currently there are three classifications: `total` = total number of certificate secrets on the source cluster, `revoked` = number of revoked certificate secrets, `backup`= number of backups of certificate secrets (every certificate has a backup secret in the `kube-system` namespace to allow revocation even if it is not used anymore) |


## Troubleshooting
2 changes: 1 addition & 1 deletion build/Dockerfile
Expand Up @@ -3,7 +3,7 @@
# SPDX-License-Identifier: Apache-2.0

############# builder #############
FROM golang:1.20.4 AS builder
FROM golang:1.20.5 AS builder

WORKDIR /build
COPY . .
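--- a/pkg/cert/metrics/metrics.go
+++ b/pkg/cert/metrics/metrics.go
@@ -20,6 +20,7 @@ func init() {
 prometheus.MustRegister(ACMETotalOrders)
 prometheus.MustRegister(ACMEActiveDNSChallenges)
 prometheus.MustRegister(CertEntries)
+prometheus.MustRegister(CertObjectExpire)
 prometheus.MustRegister(OverdueCertificates)
 prometheus.MustRegister(RevokedCertificates)
 prometheus.MustRegister(CertificateSecrets)
@@ -64,6 +65,15 @@ var (
 []string{"issuertype", "issuer"},
 )
 
+// CertObjectExpire is the cert_management_cert_entries_expire gauge.
+CertObjectExpire = prometheus.NewGaugeVec(
+prometheus.GaugeOpts{
+Name: "cert_management_cert_object_expire",
+Help: "Expire date as Unix time (the number of seconds elapsed since January 1, 1970 UTC) for each certificate object",
+},
+[]string{"namespace", "name"},
+)
+
 // OverdueCertificates is the cert_management_overdue_renewal_certificates gauge.
 OverdueCertificates = prometheus.NewGauge(
 prometheus.GaugeOpts{
@@ -138,3 +148,13 @@ func ReportRevokedCerts(count int) {
 func ReportCertificateSecrets(classification string, count int) {
 CertificateSecrets.WithLabelValues(classification).Set(float64(count))
 }
+
+// ReportCertObjectExpire sets a CertObjectExpire gauge entry.
+func ReportCertObjectExpire(namespace, name string, unixSeconds int64) {
+CertObjectExpire.WithLabelValues(namespace, name).Set(float64(unixSeconds))
+}
+
+// DeleteObjectEntriesExpire deletes a CertObjectExpire gauge entry.
+func DeleteObjectEntriesExpire(namespace, name string) {
+CertObjectExpire.DeleteLabelValues(namespace, name)
+}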
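Review bot: The doc comment on the new gauge names a metric that does not exist — it says `cert_management_cert_entries_expire` while the registered Name is `cert_management_cert_object_expire`; it should read `// CertObjectExpire is the cert_management_cert_object_expire gauge.`. The two helper names in the last hunk are also inconsistent with each other and with the variable they act on: `ReportCertObjectExpire` vs `DeleteObjectEntriesExpire`; `DeleteCertObjectExpire` would match, with the current name kept as a deprecated alias if anything outside this diff already calls it. Unlike the other gauges in this file, this one is keyed by `namespace, name`, so it produces one time series per Certificate object and only shrinks when the delete helper runs; a sentence in the Help string or the README row saying so would let operators account for the cardinality.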
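--- a/pkg/controller/issuer/core/support.go
+++ b/pkg/controller/issuer/core/support.go
@@ -389,6 +389,7 @@ func updateTypeStatus(mod *resources.ModificationState, status **runtime.RawExte
 func (s *Support) AddCertificate(cert *api.Certificate) {
 certObjName, issuerKey := s.calcAssocObjectNames(cert)
 s.state.AddCertAssoc(issuerKey, certObjName)
+s.reportCertificateExpires(cert.Namespace, cert.Name, cert.Status.ExpirationDate)
 s.reportCertificateMetrics(issuerKey)
 }
 
@@ -397,6 +398,7 @@ func (s *Support) RemoveCertificate(certObjName resources.ObjectName) {
 s.state.RemoveCertAssoc(certObjName)
 s.ClearCertRenewalOverdue(certObjName)
 s.ClearCertRevoked(certObjName)
+s.reportCertificateExpiresRemoved(certObjName.Namespace(), certObjName.Name())
 s.reportAllCertificateMetrics()
 }
 
@@ -411,6 +413,20 @@ func (s *Support) reportAllCertificateMetrics() {
 }
 }
 
+func (s *Support) reportCertificateExpires(namespace, name string, expires *string) {
+var seconds int64 = 0
+if expires != nil {
+if expireTime, err := time.Parse(time.RFC3339, *expires); err == nil {
+seconds = expireTime.Unix()
+}
+}
+metrics.ReportCertObjectExpire(namespace, name, seconds)
+}
+
+func (s *Support) reportCertificateExpiresRemoved(namespace, name string) {
+metrics.DeleteObjectEntriesExpire(namespace, name)
+}
+
 func (s *Support) calcAssocObjectNames(cert *api.Certificate) (resources.ObjectName, utils.IssuerKey) {
 certObjName := newObjectName(cert.Namespace, cert.Name)
 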
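Review bot: In `reportCertificateExpires` a nil `Status.ExpirationDate` and a value that fails `time.Parse` are both reported as `0`, i.e. an expiry of 1970-01-01, which is indistinguishable from a long-expired certificate and will trip any "expires within N days" alert on every certificate that has no expiration date yet, while the parse error itself is dropped. Presumably a certificate in that state should simply have no series: delete the label pair instead of setting the gauge, so the absence of the series says "unknown" rather than "expired"; if `0` is meant as a deliberate sentinel, the README row for `cert_management_cert_object_expire` should state that. `var seconds int64 = 0` would also be written `var seconds int64` in idiomatic Go, though the rewrite below removes the variable. A suggested body follows; `reportCertificateExpiresRemoved` and the two call sites are unchanged.

```go
func (s *Support) reportCertificateExpires(namespace, name string, expires *string) {
	if expires == nil {
		// no expiration date known yet: drop the series rather than reporting epoch 0
		metrics.DeleteObjectEntriesExpire(namespace, name)
		return
	}
	expireTime, err := time.Parse(time.RFC3339, *expires)
	if err != nil {
		// unparsable status value: treat as unknown, same as a missing date
		metrics.DeleteObjectEntriesExpire(namespace, name)
		return
	}
	metrics.ReportCertObjectExpire(namespace, name, expireTime.Unix())
}
```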
