Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add secret_name to prometheus metrics #7042

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add secret_name to prometheus metrics #7042

wants to merge 1 commit into from

Conversation

1mamute
Copy link

@1mamute 1mamute commented May 21, 2024

Pull Request Motivation

This PR adds the secret name of the Certificate CRD in the following prometheus metrics:

certmanager_certificate_expiration_timestamp_seconds
certmanager_certificate_renewal_timestamp_seconds
certmanager_certificate_ready_status

This information could be useful for many cases and closes #7040.

Kind

/kind feature

Release Note

Add secret_name labels to "certificate_expiration_timestamp_seconds", "certmanager_certificate_renewal_timestamp_seconds" and "certmanager_certificate_ready_status" metrics

@cert-manager-prow cert-manager-prow bot added kind/feature Categorizes issue or PR as related to a new feature. release-note Denotes a PR that will be considered when it comes time to generate release notes. dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. labels May 21, 2024
@cert-manager-prow
Copy link
Contributor

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign jakexks for approval. For more information see the Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@cert-manager-prow cert-manager-prow bot added area/monitoring Indicates a PR or issue relates to monitoring area/testing Issues relating to testing labels May 21, 2024
@cert-manager-prow
Copy link
Contributor

Hi @1mamute. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@cert-manager-prow cert-manager-prow bot added needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. size/L Denotes a PR that changes 100-499 lines, ignoring generated files. labels May 21, 2024
wallrj
wallrj reviewed May 24, 2024
View reviewed changes
Copy link
Member

@wallrj wallrj left a comment
edited

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks @1mamute

The changes look good, but please explain and give working examples of how you intend to use these extra labels.

You say:

This information could be useful for many cases

Please give some examples.

You say this closes #7040, where the reported problem is:

I want to build a Grafana dashboard using the Prometheus data source to list all ingresses that aren't managed by cert-manager.

But I don't see how these new labels can be used to solve that problem.
Show me the solution in the form of a prometheus query / grafana dashboard using the new labels in this PR.

Thanks.

@wallrj
Copy link
Member

wallrj commented May 24, 2024

/ok-to-test

@cert-manager-prow cert-manager-prow bot added ok-to-test and removed needs-ok-to-test Indicates a PR that requires an org member to verify it is safe to test. labels May 24, 2024
@1mamute
Copy link
Author

1mamute commented May 24, 2024
edited

The issue #7040 was made by me and I decided to open the PR because I saw it was a minor change.

Show me the solution in the form of a prometheus query / grafana dashboard using the new labels in this PR.

We have a scenario where we issue certificates for Ingress TLS termination with an external CA and an internal private CA.
The internal private CA certificate issuing is managed entirely by cert-manager and they don't need monitoring since its all automated. External certificates are generated manually and deployed on K8s as TLS secrets.

I want to create a Grafana table with our external certificates' expiration dates so we have a unified place to visualize them and create alerts.

I queried kube_ingress_tls{} and it gave me the secret_name of all the TLS configured hosts for each ingress.

Then, I wanted to filter out the cert-manager's certificates, since they don't need monitoring and I queried certmanager_certificate_expiration_timestamp_seconds{} to get the certificates managed by cert-manager.

Now, I could use the CRD name to filter out the results of kube_ingress_tls{} using the tls_host label, but I didn't felt confident enough that the CRD name would match exactly the tls_hosts on the kube_ingress_tls{} query.

  • What if the CRD name has dashes instead of dots (example-com instead of example.com)?
  • What if the TLS host is a different DNS subdomain name than of the CRD name (www.example.com instead of example.com)?

If the certmanager_certificate_expiration_timestamp_seconds{} and the other queries had the secret_name label, I could simply filter out each secret_name that exists in both queries, thus eliminating all of the cert-manager's managed ones.

kube_ingress_tls
- on(secret_name) group_left()
  certmanager_certificate_expiration_timestamp_seconds

I think this is more reliable than comparing to the Certificate's CRD name since the secret_name on the ingress would be the same on the cert-manager Certificate CRD.

Sorry, I couldn't think of any other examples besides this scenario I'm in.

Also, the secret_name is a required field in the Certificate CRD. Maybe other people could find it useful to have this information. I guess the only issue would be the additional data sent to Prometheus.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wallrj wallrj wallrj left review comments

Assignees
No one assigned
Labels
area/monitoring Indicates a PR or issue relates to monitoring area/testing Issues relating to testing dco-signoff: yes Indicates that all commits in the pull request have the valid DCO sign-off message. kind/feature Categorizes issue or PR as related to a new feature. ok-to-test release-note Denotes a PR that will be considered when it comes time to generate release notes. size/L Denotes a PR that changes 100-499 lines, ignoring generated files.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Add more certificate information into prometheus metrics
2 participants
@1mamute @wallrj