Changed Kubelet client and serving cert TTL/Expiry certs to use gaugefunc for calculating time remaining.

Kubernetes-commit: aba0b315269dab469694af7fca879438a7f87e41
2025-09-16 15:18:24 +00:00 · 2019-12-03 16:01:56 -08:00
parent bc9b51d240
commit 41735bf478
6 changed files with 45 additions and 79 deletions
--- a/plugin/pkg/client/auth/exec/exec.go
+++ b/plugin/pkg/client/auth/exec/exec.go
@@ -262,7 +262,6 @@ func (a *Authenticator) cert() (*tls.Certificate, error) {
 func (a *Authenticator) getCreds() (*credentials, error) {
 	a.mu.Lock()
 	defer a.mu.Unlock()
-	defer expirationMetrics.report(time.Now)

 	if a.cachedCreds != nil && !a.credsExpired() {
 		return a.cachedCreds, nil
--- a/plugin/pkg/client/auth/exec/metrics.go
+++ b/plugin/pkg/client/auth/exec/metrics.go
@@ -24,20 +24,25 @@ import (
 )

 type certificateExpirationTracker struct {
-	mu       sync.RWMutex
-	m        map[*Authenticator]time.Time
-	earliest time.Time
+	mu        sync.RWMutex
+	m         map[*Authenticator]time.Time
+	metricSet func(*time.Time)
 }

-var expirationMetrics = &certificateExpirationTracker{m: map[*Authenticator]time.Time{}}
+var expirationMetrics = &certificateExpirationTracker{
+	m: map[*Authenticator]time.Time{},
+	metricSet: func(e *time.Time) {
+		metrics.ClientCertExpiry.Set(e)
+	},
+}

-// set stores the given expiration time and updates the updates earliest.
+// set stores the given expiration time and updates the updates the certificate
+// expiry metric to the earliest expiration time.
 func (c *certificateExpirationTracker) set(a *Authenticator, t time.Time) {
 	c.mu.Lock()
 	defer c.mu.Unlock()
 	c.m[a] = t

-	// update earliest
 	earliest := time.Time{}
 	for _, t := range c.m {
 		if t.IsZero() {
@@ -47,18 +52,9 @@ func (c *certificateExpirationTracker) set(a *Authenticator, t time.Time) {
 			earliest = t
 		}
 	}
-	c.earliest = earliest
-}
-
-// report reports the ttl to the earliest reported expiration time.
-// If no Authenticators have reported a certificate expiration, this reports nil.
-func (c *certificateExpirationTracker) report(now func() time.Time) {
-	c.mu.RLock()
-	defer c.mu.RUnlock()
-	if c.earliest.IsZero() {
-		metrics.ClientCertTTL.Set(nil)
+	if earliest.IsZero() {
+		c.metricSet(nil)
 	} else {
-		ttl := c.earliest.Sub(now())
-		metrics.ClientCertTTL.Set(&ttl)
+		c.metricSet(&earliest)
 	}
 }
--- a/plugin/pkg/client/auth/exec/metrics_test.go
+++ b/plugin/pkg/client/auth/exec/metrics_test.go
@@ -19,36 +19,27 @@ package exec
 import (
 	"testing"
 	"time"
-
-	"k8s.io/client-go/tools/metrics"
 )

-type mockTTLGauge struct {
-	v *time.Duration
+type mockExpiryGauge struct {
+	v *time.Time
 }

-func (m *mockTTLGauge) Set(d *time.Duration) {
-	m.v = d
+func (m *mockExpiryGauge) Set(t *time.Time) {
+	m.v = t
 }

-func ptr(d time.Duration) *time.Duration {
-	return &d
+func ptr(t time.Time) *time.Time {
+	return &t
 }

 func TestCertificateExpirationTracker(t *testing.T) {
 	now := time.Now()
-	nowFn := func() time.Time { return now }
-	mockMetric := &mockTTLGauge{}
-	realMetric := metrics.ClientCertTTL
-	metrics.ClientCertTTL = mockMetric
-	defer func() {
-		metrics.ClientCertTTL = realMetric
-	}()
+	mockMetric := &mockExpiryGauge{}

-	tracker := &certificateExpirationTracker{m: map[*Authenticator]time.Time{}}
-	tracker.report(nowFn)
-	if mockMetric.v != nil {
-		t.Error("empty tracker should record nil value")
+	tracker := &certificateExpirationTracker{
+		m:         map[*Authenticator]time.Time{},
+		metricSet: mockMetric.Set,
 	}

 	firstAuthenticator := &Authenticator{}
@@ -57,31 +48,31 @@ func TestCertificateExpirationTracker(t *testing.T) {
 		desc string
 		auth *Authenticator
 		time time.Time
-		want *time.Duration
+		want *time.Time
 	}{
 		{
 			desc: "ttl for one authenticator",
 			auth: firstAuthenticator,
 			time: now.Add(time.Minute * 10),
-			want: ptr(time.Minute * 10),
+			want: ptr(now.Add(time.Minute * 10)),
 		},
 		{
 			desc: "second authenticator shorter ttl",
 			auth: secondAuthenticator,
 			time: now.Add(time.Minute * 5),
-			want: ptr(time.Minute * 5),
+			want: ptr(now.Add(time.Minute * 5)),
 		},
 		{
 			desc: "update shorter to be longer",
 			auth: secondAuthenticator,
 			time: now.Add(time.Minute * 15),
-			want: ptr(time.Minute * 10),
+			want: ptr(now.Add(time.Minute * 10)),
 		},
 		{
 			desc: "update shorter to be zero time",
 			auth: firstAuthenticator,
 			time: time.Time{},
-			want: ptr(time.Minute * 15),
+			want: ptr(now.Add(time.Minute * 15)),
 		},
 		{
 			desc: "update last to be zero time records nil",
@@ -93,13 +84,12 @@ func TestCertificateExpirationTracker(t *testing.T) {
 		// Must run in series as the tests build off each other.
 		t.Run(tc.desc, func(t *testing.T) {
 			tracker.set(tc.auth, tc.time)
-			tracker.report(nowFn)
 			if mockMetric.v != nil && tc.want != nil {
-				if mockMetric.v.Seconds() != tc.want.Seconds() {
-					t.Errorf("got: %v; want: %v", mockMetric.v, tc.want)
+				if !mockMetric.v.Equal(*tc.want) {
+					t.Errorf("got: %s; want: %s", mockMetric.v, tc.want)
 				}
 			} else if mockMetric.v != tc.want {
-				t.Errorf("got: %v; want: %v", mockMetric.v, tc.want)
+				t.Errorf("got: %s; want: %s", mockMetric.v, tc.want)
 			}
 		})
 	}