open-consul/agent/consul/leader_metrics.go

package consul

import (
	"context"
	"crypto/x509"
	"errors"
	"fmt"
	"strings"
	"time"

	"github.com/armon/go-metrics"
	"github.com/armon/go-metrics/prometheus"
	"github.com/hashicorp/go-hclog"

	"github.com/hashicorp/consul/agent/connect"
	"github.com/hashicorp/consul/agent/connect/ca"
	"github.com/hashicorp/consul/logging"
	"github.com/hashicorp/consul/tlsutil"
)

var metricsKeyMeshRootCAExpiry = []string{"mesh", "active-root-ca", "expiry"}
var metricsKeyMeshActiveSigningCAExpiry = []string{"mesh", "active-signing-ca", "expiry"}

var CertExpirationGauges = []prometheus.GaugeDefinition{
	{
		Name: metricsKeyMeshRootCAExpiry,
		Help: "Seconds until the service mesh root certificate expires. Updated every hour",
	},
	{
		Name: metricsKeyMeshActiveSigningCAExpiry,
		Help: "Seconds until the service mesh signing certificate expires. Updated every hour",
	},
	{
		Name: metricsKeyAgentTLSCertExpiry,
		Help: "Seconds until the agent tls certificate expires. Updated every hour",
	},
}

func rootCAExpiryMonitor(s *Server) CertExpirationMonitor {
	return CertExpirationMonitor{
		Key: metricsKeyMeshRootCAExpiry,
		Labels: []metrics.Label{
			{Name: "datacenter", Value: s.config.Datacenter},
		},
		Logger: s.logger.Named(logging.Connect),
		Query: func() (time.Duration, error) {
			return getRootCAExpiry(s)
		},
	}
}

func getRootCAExpiry(s *Server) (time.Duration, error) {
	state := s.fsm.State()
	_, root, err := state.CARootActive(nil)
	switch {
	case err != nil:
		return 0, fmt.Errorf("failed to retrieve root CA: %w", err)
	case root == nil:
		return 0, fmt.Errorf("no active root CA")
	}

	return time.Until(root.NotAfter), nil
}

func signingCAExpiryMonitor(s *Server) CertExpirationMonitor {
	isPrimary := s.config.Datacenter == s.config.PrimaryDatacenter
	if isPrimary {
		return CertExpirationMonitor{
			Key: metricsKeyMeshActiveSigningCAExpiry,
			Labels: []metrics.Label{
				{Name: "datacenter", Value: s.config.Datacenter},
			},
			Logger: s.logger.Named(logging.Connect),
			Query: func() (time.Duration, error) {
				provider, _ := s.caManager.getCAProvider()

				if _, ok := provider.(ca.PrimaryUsesIntermediate); ok {
					return getActiveIntermediateExpiry(s)
				}
				return getRootCAExpiry(s)
			},
		}
	}

	return CertExpirationMonitor{
		Key: metricsKeyMeshActiveSigningCAExpiry,
		Labels: []metrics.Label{
			{Name: "datacenter", Value: s.config.Datacenter},
		},
		Logger: s.logger.Named(logging.Connect),
		Query: func() (time.Duration, error) {
			return getActiveIntermediateExpiry(s)
		},
	}
}

func getActiveIntermediateExpiry(s *Server) (time.Duration, error) {
	state := s.fsm.State()
	_, root, err := state.CARootActive(nil)
	if err != nil {
		return 0, err
	}

	// the CA used in a secondary DC is the active intermediate,
	// which is the last in the IntermediateCerts stack
	if len(root.IntermediateCerts) == 0 {
		return 0, errors.New("no intermediate available")
	}
	cert, err := connect.ParseCert(root.IntermediateCerts[len(root.IntermediateCerts)-1])
	if err != nil {
		return 0, err
	}
	return time.Until(cert.NotAfter), nil
}

type CertExpirationMonitor struct {
	Key    []string
	Labels []metrics.Label
	Logger hclog.Logger
	// Query is called at each interval. It should return the duration until the
	// certificate expires, or an error if the query failed.
	Query func() (time.Duration, error)
}

const certExpirationMonitorInterval = time.Hour

func (m CertExpirationMonitor) Monitor(ctx context.Context) error {
	ticker := time.NewTicker(certExpirationMonitorInterval)
	defer ticker.Stop()

	logger := m.Logger.With("metric", strings.Join(m.Key, "."))

	for {
		select {
		case <-ctx.Done():
			return nil
		case <-ticker.C:
			d, err := m.Query()
			if err != nil {
				logger.Warn("failed to emit certificate expiry metric", "error", err)
				continue
			}

			if d < 24*time.Hour {
				logger.Warn("certificate will expire soon",
					"time_to_expiry", d, "expiration", time.Now().Add(d))
			}

			expiry := d / time.Second
			metrics.SetGaugeWithLabels(m.Key, float32(expiry), m.Labels)
		}
	}
}

var metricsKeyAgentTLSCertExpiry = []string{"agent", "tls", "cert", "expiry"}

// AgentTLSCertExpirationMonitor returns a CertExpirationMonitor which will
// monitor the expiration of the certificate used for agent TLS.
func AgentTLSCertExpirationMonitor(c *tlsutil.Configurator, logger hclog.Logger, dc string) CertExpirationMonitor {
	return CertExpirationMonitor{
		Key: metricsKeyAgentTLSCertExpiry,
		Labels: []metrics.Label{
			{Name: "node", Value: c.Base().NodeName},
			{Name: "datacenter", Value: dc},
		},
		Logger: logger,
		Query: func() (time.Duration, error) {
			raw := c.Cert()
			if raw == nil {
				return 0, fmt.Errorf("tls not enabled")
			}

			cert, err := x509.ParseCertificate(raw.Certificate[0])
			if err != nil {
				return 0, fmt.Errorf("failed to parse agent tls cert: %w", err)
			}
			return time.Until(cert.NotAfter), nil
		},
	}
}
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`package consul`

			`import (`
			`"context"`
telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00			`"crypto/x509"`
Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`"errors"`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`"fmt"`
telemetry: fix a couple bugs in cert expiry metrics 1. do not emit the metric if Query fails 2. properly check for PrimaryUsersIntermediate, the logic was inverted Also improve the logging by including the metric name in the log message 2021-08-04 17:26:36 +00:00			`"strings"`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`"time"`

			`"github.com/armon/go-metrics"`
			`"github.com/armon/go-metrics/prometheus"`
Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`"github.com/hashicorp/go-hclog"`
telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00
			`"github.com/hashicorp/consul/agent/connect"`
			`"github.com/hashicorp/consul/agent/connect/ca"`
			`"github.com/hashicorp/consul/logging"`
			`"github.com/hashicorp/consul/tlsutil"`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`)`

Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`var metricsKeyMeshRootCAExpiry = []string{"mesh", "active-root-ca", "expiry"}`
			`var metricsKeyMeshActiveSigningCAExpiry = []string{"mesh", "active-signing-ca", "expiry"}`

connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`var CertExpirationGauges = []prometheus.GaugeDefinition{`
			`{`
			`Name: metricsKeyMeshRootCAExpiry,`
Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`Help: "Seconds until the service mesh root certificate expires. Updated every hour",`
			`},`
			`{`
			`Name: metricsKeyMeshActiveSigningCAExpiry,`
			`Help: "Seconds until the service mesh signing certificate expires. Updated every hour",`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`},`
telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00			`{`
			`Name: metricsKeyAgentTLSCertExpiry,`
			`Help: "Seconds until the agent tls certificate expires. Updated every hour",`
			`},`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`}`

telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00			`func rootCAExpiryMonitor(s *Server) CertExpirationMonitor {`
			`return CertExpirationMonitor{`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`Key: metricsKeyMeshRootCAExpiry,`
			`Labels: []metrics.Label{`
			`{Name: "datacenter", Value: s.config.Datacenter},`
			`},`
			`Logger: s.logger.Named(logging.Connect),`
			`Query: func() (time.Duration, error) {`
Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`return getRootCAExpiry(s)`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`},`
			`}`
			`}`

Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`func getRootCAExpiry(s *Server) (time.Duration, error) {`
			`state := s.fsm.State()`
			`_, root, err := state.CARootActive(nil)`
			`switch {`
			`case err != nil:`
			`return 0, fmt.Errorf("failed to retrieve root CA: %w", err)`
			`case root == nil:`
			`return 0, fmt.Errorf("no active root CA")`
			`}`

			`return time.Until(root.NotAfter), nil`
			`}`

telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00			`func signingCAExpiryMonitor(s *Server) CertExpirationMonitor {`
Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`isPrimary := s.config.Datacenter == s.config.PrimaryDatacenter`
			`if isPrimary {`
telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00			`return CertExpirationMonitor{`
Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`Key: metricsKeyMeshActiveSigningCAExpiry,`
			`Labels: []metrics.Label{`
			`{Name: "datacenter", Value: s.config.Datacenter},`
			`},`
			`Logger: s.logger.Named(logging.Connect),`
			`Query: func() (time.Duration, error) {`
			`provider, _ := s.caManager.getCAProvider()`

telemetry: fix a couple bugs in cert expiry metrics 1. do not emit the metric if Query fails 2. properly check for PrimaryUsersIntermediate, the logic was inverted Also improve the logging by including the metric name in the log message 2021-08-04 17:26:36 +00:00			`if _, ok := provider.(ca.PrimaryUsesIntermediate); ok {`
Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`return getActiveIntermediateExpiry(s)`
			`}`
			`return getRootCAExpiry(s)`
			`},`
			`}`
telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00			`}`

			`return CertExpirationMonitor{`
			`Key: metricsKeyMeshActiveSigningCAExpiry,`
			`Labels: []metrics.Label{`
			`{Name: "datacenter", Value: s.config.Datacenter},`
			`},`
			`Logger: s.logger.Named(logging.Connect),`
			`Query: func() (time.Duration, error) {`
			`return getActiveIntermediateExpiry(s)`
			`},`
Add ca certificate metrics (#10504) * add intermediate ca metric routine * add Gauge config for intermediate cert * Stop metrics routine when stopping leader * add changelog entry * updage changelog Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> * use variables instead of a map * go imports sort * Add metrics for primary and secondary ca * start metrics routine in the right DC * add telemetry documentation * update docs * extract expiry fetching in a func * merge metrics for primary and secondary into signing ca metric Co-authored-by: Daniel Nephin <dnephin@hashicorp.com> 2021-07-07 13:41:01 +00:00			`}`
			`}`

			`func getActiveIntermediateExpiry(s *Server) (time.Duration, error) {`
			`state := s.fsm.State()`
			`_, root, err := state.CARootActive(nil)`
			`if err != nil {`
			`return 0, err`
			`}`

			`// the CA used in a secondary DC is the active intermediate,`
			`// which is the last in the IntermediateCerts stack`
			`if len(root.IntermediateCerts) == 0 {`
			`return 0, errors.New("no intermediate available")`
			`}`
			`cert, err := connect.ParseCert(root.IntermediateCerts[len(root.IntermediateCerts)-1])`
			`if err != nil {`
			`return 0, err`
			`}`
			`return time.Until(cert.NotAfter), nil`
			`}`

telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00			`type CertExpirationMonitor struct {`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`Key []string`
			`Labels []metrics.Label`
			`Logger hclog.Logger`
			`// Query is called at each interval. It should return the duration until the`
			`// certificate expires, or an error if the query failed.`
			`Query func() (time.Duration, error)`
			`}`

			`const certExpirationMonitorInterval = time.Hour`

telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00			`func (m CertExpirationMonitor) Monitor(ctx context.Context) error {`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`ticker := time.NewTicker(certExpirationMonitorInterval)`
			`defer ticker.Stop()`

telemetry: fix a couple bugs in cert expiry metrics 1. do not emit the metric if Query fails 2. properly check for PrimaryUsersIntermediate, the logic was inverted Also improve the logging by including the metric name in the log message 2021-08-04 17:26:36 +00:00			`logger := m.Logger.With("metric", strings.Join(m.Key, "."))`

connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`for {`
			`select {`
			`case <-ctx.Done():`
			`return nil`
			`case <-ticker.C:`
			`d, err := m.Query()`
			`if err != nil {`
telemetry: fix a couple bugs in cert expiry metrics 1. do not emit the metric if Query fails 2. properly check for PrimaryUsersIntermediate, the logic was inverted Also improve the logging by including the metric name in the log message 2021-08-04 17:26:36 +00:00			`logger.Warn("failed to emit certificate expiry metric", "error", err)`
			`continue`
connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`}`
telemetry: add log message when certs are about to expire 2021-08-04 18:18:59 +00:00
			`if d < 24*time.Hour {`
			`logger.Warn("certificate will expire soon",`
			`"time_to_expiry", d, "expiration", time.Now().Add(d))`
			`}`

connect: emit a metric for the number of seconds until root CA expiration 2021-03-24 21:40:10 +00:00			`expiry := d / time.Second`
			`metrics.SetGaugeWithLabels(m.Key, float32(expiry), m.Labels)`
			`}`
			`}`
			`}`
telemetry: add a metric for agent TLS cert expiry 2021-08-04 17:05:10 +00:00
			`var metricsKeyAgentTLSCertExpiry = []string{"agent", "tls", "cert", "expiry"}`

			`// AgentTLSCertExpirationMonitor returns a CertExpirationMonitor which will`
			`// monitor the expiration of the certificate used for agent TLS.`
			`func AgentTLSCertExpirationMonitor(c *tlsutil.Configurator, logger hclog.Logger, dc string) CertExpirationMonitor {`
			`return CertExpirationMonitor{`
			`Key: metricsKeyAgentTLSCertExpiry,`
			`Labels: []metrics.Label{`
			`{Name: "node", Value: c.Base().NodeName},`
			`{Name: "datacenter", Value: dc},`
			`},`
			`Logger: logger,`
			`Query: func() (time.Duration, error) {`
			`raw := c.Cert()`
			`if raw == nil {`
			`return 0, fmt.Errorf("tls not enabled")`
			`}`

			`cert, err := x509.ParseCertificate(raw.Certificate[0])`
			`if err != nil {`
			`return 0, fmt.Errorf("failed to parse agent tls cert: %w", err)`
			`}`
			`return time.Until(cert.NotAfter), nil`
			`},`
			`}`
			`}`