github/client-go
1
0
Fork 0
mirror of https://github.com/kubernetes/client-go.git synced 2025-06-29 00:17:46 +00:00
Code Issues Projects Releases Wiki Activity

kubelet: add certificate rotation error metric

Browse Source 
Kubernetes-commit: 8e50c55e6bf715d9067376a9e7f136ffacb0a3ee
This commit is contained in:
Ryan Phillips 2019-11-05 16:51:40 -06:00 committed by Kubernetes Publisher
parent e9644b2e3e
commit 52589237eb
1 changed files with 38 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
util/certificate/certificate_manager.go
View File

@ -124,6 +124,9 @@ type Config struct {
// allows one to setup monitoring and alerting of unexpected rotation // allows one to setup monitoring and alerting of unexpected rotation
// behavior and track trends in rotation frequency. // behavior and track trends in rotation frequency.
CertificateRotation Histogram CertificateRotation Histogram
// CertifcateRenewFailure will record a metric that keeps track of
// certificate renewal failures.
CertificateRenewFailure Counter
} }
// Store is responsible for getting and updating the current certificate. // Store is responsible for getting and updating the current certificate.
@ -154,6 +157,11 @@ type Histogram interface {
Observe(float64) Observe(float64)
} }
// Counter will wrap a counter with labels
type Counter interface {
Inc()
}
// NoCertKeyError indicates there is no cert/key currently available. // NoCertKeyError indicates there is no cert/key currently available.
type NoCertKeyError string type NoCertKeyError string
@ -179,6 +187,7 @@ type manager struct {
certificateExpiration Gauge certificateExpiration Gauge
certificateRotation Histogram certificateRotation Histogram
certificateRenewFailure Counter
// the following variables must only be accessed under certAccessLock // the following variables must only be accessed under certAccessLock
certAccessLock sync.RWMutex certAccessLock sync.RWMutex
@ -223,6 +232,7 @@ func NewManager(config *Config) (Manager, error) {
forceRotation: forceRotation, forceRotation: forceRotation,
certificateExpiration: config.CertificateExpiration, certificateExpiration: config.CertificateExpiration,
certificateRotation: config.CertificateRotation, certificateRotation: config.CertificateRotation,
certificateRenewFailure: config.CertificateRenewFailure,
now: time.Now, now: time.Now,
} }
@ -404,6 +414,9 @@ func (m *manager) rotateCerts() (bool, error) {
template, csrPEM, keyPEM, privateKey, err := m.generateCSR() template, csrPEM, keyPEM, privateKey, err := m.generateCSR()
if err != nil { if err != nil {
utilruntime.HandleError(fmt.Errorf("Unable to generate a certificate signing request: %v", err)) utilruntime.HandleError(fmt.Errorf("Unable to generate a certificate signing request: %v", err))
if m.certificateRenewFailure != nil {
m.certificateRenewFailure.Inc()
}
return false, nil return false, nil
} }
@ -411,6 +424,9 @@ func (m *manager) rotateCerts() (bool, error) {
client, err := m.getClient() client, err := m.getClient()
if err != nil { if err != nil {
utilruntime.HandleError(fmt.Errorf("Unable to load a client to request certificates: %v", err)) utilruntime.HandleError(fmt.Errorf("Unable to load a client to request certificates: %v", err))
if m.certificateRenewFailure != nil {
m.certificateRenewFailure.Inc()
}
return false, nil return false, nil
} }
@ -419,6 +435,9 @@ func (m *manager) rotateCerts() (bool, error) {
req, err := csr.RequestCertificate(client, csrPEM, "", m.usages, privateKey) req, err := csr.RequestCertificate(client, csrPEM, "", m.usages, privateKey)
if err != nil { if err != nil {
utilruntime.HandleError(fmt.Errorf("Failed while requesting a signed certificate from the master: %v", err)) utilruntime.HandleError(fmt.Errorf("Failed while requesting a signed certificate from the master: %v", err))
if m.certificateRenewFailure != nil {
m.certificateRenewFailure.Inc()
}
return false, m.updateServerError(err) return false, m.updateServerError(err)
} }
@ -433,12 +452,18 @@ func (m *manager) rotateCerts() (bool, error) {
crtPEM, err := csr.WaitForCertificate(ctx, client, req) crtPEM, err := csr.WaitForCertificate(ctx, client, req)
if err != nil { if err != nil {
utilruntime.HandleError(fmt.Errorf("certificate request was not signed: %v", err)) utilruntime.HandleError(fmt.Errorf("certificate request was not signed: %v", err))
if m.certificateRenewFailure != nil {
m.certificateRenewFailure.Inc()
}
return false, nil return false, nil
} }
cert, err := m.certStore.Update(crtPEM, keyPEM) cert, err := m.certStore.Update(crtPEM, keyPEM)
if err != nil { if err != nil {
utilruntime.HandleError(fmt.Errorf("Unable to store the new cert/key pair: %v", err)) utilruntime.HandleError(fmt.Errorf("Unable to store the new cert/key pair: %v", err))
if m.certificateRenewFailure != nil {
m.certificateRenewFailure.Inc()
}
return false, nil return false, nil
} }