pkg/registry: rename pod logs metrics

The pod_logs subsystem was inadvertently made redundant in the following kube-apiserver metrics: - kube_apiserver_pod_logs_pods_logs_backend_tls_failure_total - kube_apiserver_pod_logs_pods_logs_insecure_backend_total To safely rename them, it is required to deprecate them in 1.27 whilst introducing the new metrics replacing them. Signed-off-by: Damien Grisonnet <dgrisonn@redhat.com>
2025-07-20 10:20:51 +00:00 · 2022-12-14 23:40:21 +01:00 · 2022-12-14 23:40:21 +01:00 · 1efa1a65ee
commit 1efa1a65ee
parent c7d47e4c94
3 changed files with 51 additions and 9 deletions
--- a/pkg/registry/core/pod/rest/log.go
+++ b/pkg/registry/core/pod/rest/log.go
@ -94,13 +94,14 @@ func (r *LogREST) Get(ctx context.Context, name string, opts runtime.Object) (ru
 		return nil, err
 	}
 	return &genericrest.LocationStreamer{
-		Location:                    location,
-		Transport:                   transport,
-		ContentType:                 "text/plain",
-		Flush:                       logOpts.Follow,
-		ResponseChecker:             genericrest.NewGenericHttpResponseChecker(api.Resource("pods/log"), name),
-		RedirectChecker:             genericrest.PreventRedirects,
-		TLSVerificationErrorCounter: podLogsTLSFailure,
+		Location:                              location,
+		Transport:                             transport,
+		ContentType:                           "text/plain",
+		Flush:                                 logOpts.Follow,
+		ResponseChecker:                       genericrest.NewGenericHttpResponseChecker(api.Resource("pods/log"), name),
+		RedirectChecker:                       genericrest.PreventRedirects,
+		TLSVerificationErrorCounter:           podLogsTLSFailure,
+		DeprecatedTLSVerificationErrorCounter: deprecatedPodLogsTLSFailure,
 	}, nil
 }

@ -116,6 +117,13 @@ func countSkipTLSMetric(insecureSkipTLSVerifyBackend bool) {
 		return
 	}
 	counter.Inc()
+
+	deprecatedCounter, err := deprecatedPodLogsUsage.GetMetricWithLabelValues(usageType)
+	if err != nil {
+		utilruntime.HandleError(err)
+		return
+	}
+	deprecatedCounter.Inc()
 }

 // NewGetOptions creates a new options object
--- a/pkg/registry/core/pod/rest/metrics.go
+++ b/pkg/registry/core/pod/rest/metrics.go
@ -37,23 +37,48 @@ var (
 		&metrics.CounterOpts{
 			Namespace:      namespace,
 			Subsystem:      subsystem,
-			Name:           "pods_logs_insecure_backend_total",
+			Name:           "insecure_backend_total",
 			Help:           "Total number of requests for pods/logs sliced by usage type: enforce_tls, skip_tls_allowed, skip_tls_denied",
 			StabilityLevel: metrics.ALPHA,
 		},
 		[]string{"usage"},
 	)

+	// deprecatedPodLogsUsage counts and categorizes how the insecure backend skip TLS option is used and allowed.
+	deprecatedPodLogsUsage = metrics.NewCounterVec(
+		&metrics.CounterOpts{
+			Namespace:         namespace,
+			Subsystem:         subsystem,
+			Name:              "pods_logs_insecure_backend_total",
+			Help:              "Total number of requests for pods/logs sliced by usage type: enforce_tls, skip_tls_allowed, skip_tls_denied",
+			StabilityLevel:    metrics.ALPHA,
+			DeprecatedVersion: "1.27.0",
+		},
+		[]string{"usage"},
+	)
+
 	// podLogsTLSFailure counts how many attempts to get pod logs fail on tls verification
 	podLogsTLSFailure = metrics.NewCounter(
 		&metrics.CounterOpts{
 			Namespace:      namespace,
 			Subsystem:      subsystem,
-			Name:           "pods_logs_backend_tls_failure_total",
+			Name:           "backend_tls_failure_total",
 			Help:           "Total number of requests for pods/logs that failed due to kubelet server TLS verification",
 			StabilityLevel: metrics.ALPHA,
 		},
 	)
+
+	// deprecatedPodLogsTLSFailure counts how many attempts to get pod logs fail on tls verification
+	deprecatedPodLogsTLSFailure = metrics.NewCounter(
+		&metrics.CounterOpts{
+			Namespace:         namespace,
+			Subsystem:         subsystem,
+			Name:              "pods_logs_backend_tls_failure_total",
+			Help:              "Total number of requests for pods/logs that failed due to kubelet server TLS verification",
+			StabilityLevel:    metrics.ALPHA,
+			DeprecatedVersion: "1.27.0",
+		},
+	)
 )

 var registerMetricsOnce sync.Once
@ -62,5 +87,7 @@ func registerMetrics() {
 	registerMetricsOnce.Do(func() {
 		legacyregistry.MustRegister(podLogsUsage)
 		legacyregistry.MustRegister(podLogsTLSFailure)
+		legacyregistry.MustRegister(deprecatedPodLogsUsage)
+		legacyregistry.MustRegister(deprecatedPodLogsTLSFailure)
 	})
 }
--- a/staging/src/k8s.io/apiserver/pkg/registry/generic/rest/streamer.go
+++ b/staging/src/k8s.io/apiserver/pkg/registry/generic/rest/streamer.go
@ -46,6 +46,10 @@ type LocationStreamer struct {
 	// TLSVerificationErrorCounter is an optional value that will Inc every time a TLS error is encountered.  This can
 	// be wired a single prometheus counter instance to get counts overall.
 	TLSVerificationErrorCounter CounterMetric
+	// DeprecatedTLSVerificationErrorCounter is a temporary field used to rename
+	// the kube_apiserver_pod_logs_pods_logs_backend_tls_failure_total metric
+	// with a one release deprecation period in 1.27.0.
+	DeprecatedTLSVerificationErrorCounter CounterMetric
 }

 // a LocationStreamer must implement a rest.ResourceStreamer
@ -87,6 +91,9 @@ func (s *LocationStreamer) InputStream(ctx context.Context, apiVersion, acceptHe
 		// TODO prefer segregate TLS errors more reliably, but we do want to increment a count
 		if strings.Contains(err.Error(), "x509:") && s.TLSVerificationErrorCounter != nil {
 			s.TLSVerificationErrorCounter.Inc()
+			if s.DeprecatedTLSVerificationErrorCounter != nil {
+				s.DeprecatedTLSVerificationErrorCounter.Inc()
+			}
 		}
 		return nil, false, "", err
 	}