Support prometheus metrics #73
Conversation
cert-manager-prow
bot
added
the
dco-signoff: yes
|
Hi @7ing. Thanks for your PR. I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
cert-manager-prow
bot
added
needs-ok-to-test
|
/ok-to-test |
cert-manager-prow
bot
added
ok-to-test
and removed
needs-ok-to-test
There was a problem hiding this comment.
This looks great, thanks Jing 🙌 the integration and unit tests here make it far easier to review confidently!
My main questions/concerns are around the construction logic in the metrics subpackage, which I think we need to decouple from net.Listener (and allow more flexibility for projects that already have their own prometheus.Registry they'd like to re-use).
metrics/metrics.go
Outdated
| } | ||
|
|
||
| // NewServer registers Prometheus metrics and returns a new Prometheus metrics HTTP server. | ||
| func (m *Metrics) NewServer(ln net.Listener) *http.Server { |
There was a problem hiding this comment.
This isn't called outside of test cases, and I guess that is by design as it is expected that the corresponding implementation should call NewServer on metrics.Metrics to register their Listener.
Could you possibly update the example/ implementation in the root of this repository to demonstrate how to actually add the /metrics endpoint? I also wonder if the Managed should be extended to be able to auto-serve this endpoint in cases where a user doesn't need to provide their own listener (but does want metrics to be served).
There was a problem hiding this comment.
What if we renamed this to Register(*prometheus.Registry) rather than tying the net.Listener logic into the registration?
We can always have/find some kind of csihelpers.Handle(*http.Server, *prometheus.Registry) function elsewhere then, which needn't be opinionated about csi-lib.
There was a problem hiding this comment.
Could you possibly update the example/ implementation in the root of this repository to demonstrate how to actually add the /metrics endpoint?
Yes, it is there. And modified accordingly based on recent changes.
https://github.com/7ing/csi-lib/blob/abf15631238fa809d10d9c206178c414d9495b4f/test/integration/metrics_test.go#L83-L95
There was a problem hiding this comment.
Thanks for the suggestions. I have changed to use a DefaultHandler instead, which could be served as a reference implementation for http handler.
|
@munnerz Thank you for your valuable inputs. Sorry took so long to make the change. But I guess this version addressed most of your concerns. |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
cert-manager-prow
bot
added
size/XXL
test/integration/metrics_test.go
Outdated
|
|
||
| // Should expose that CertificateRequest as ready with expiry and renewal time | ||
| // node="f56fd9f8b" is the hash value of "test-node" defined in driver_testing.go | ||
| expectedOutputTemplate := `# HELP certmanager_csi_certificate_request_expiration_timestamp_seconds The date after which the certificate request expires. Expressed as a Unix Epoch Time. |
There was a problem hiding this comment.
Will certmanager_csi_... be the prefix for the metrics when exposed in https://github.com/cert-manager/csi-driver?
Can we make sure they are all using similar names? Does this happen automatically?
Could you provide an example of before and after for https://github.com/cert-manager/csi-driver with these changes applied?
There was a problem hiding this comment.
Thank you @inteon for your review.
Yes, certmanager_csi_... will be the prefix for the metrics when in the csi-driver. It is part of the definition from:
https://github.com/7ing/csi-lib/blob/b9186bad5b6f9af9bc93dbd28571d2d9219700e6/metrics/metrics.go#L27-L31
We choose this name based on cert-manager.io definition: https://github.com/cert-manager/cert-manager/blob/5e09ef6c0552df0bde64746c735cb1ff324b6261/pkg/metrics/metrics.go#L44
All cert-manager controllers have certmanager_.. prefix.
Our https://github.com/cert-manager/csi-driver does not have any certmanager related metrics. Currently it only serves k8s components metrics, like cpu / mem etc. That's why this PR exist. This test files show the expected output regarding certmanager metrics (besides the k8s metrics upon driver configuration).
|
@7ing We have made some major dependency upgrades in this module. Are you able to rebase your PR, preparing for another round of review? Sorry for the inconvenience and for the delays in review. 😒 |
|
/retest |
|
@erikgb done with rebase |
There was a problem hiding this comment.
This is great stuff! Thanks @7ing! I did my first pass on this PR now, and I think I would prefer using a Prometheus collector to avoid the add/remove metrics for metrics based on API resources. Please take a look and let me know what you think! It's not a blocker, but a pattern we are adopting in cert-manager projects nowadays.
|
Updated the certificate requests' metrics implementation with collector pattern, to align with cert-manager.io project. Basically the collector will periodically scan the certificaterequest sharedinformer (for expiry) and host metadata files (for renewal time), then record the metrics. |
There was a problem hiding this comment.
Pull Request Overview
This PR adds Prometheus metrics support to the CSI library to expose operational metrics about certificate management. The implementation includes metrics for certificate request expiration timestamps, ready status, renewal times, driver issue call counts, and managed volume/certificate counts.
Key changes:
- Added comprehensive metrics collection system with Prometheus integration
- Implemented certificate request collector for tracking certificate lifecycle metrics
- Added metrics tracking to the manager for monitoring issue calls and errors
- Created extensive test coverage for metrics functionality
Reviewed Changes
Copilot reviewed 8 out of 9 changed files in this pull request and generated 2 comments.
Show a summary per file
| File | Description |
|---|---|
| test/util/testutil.go | Exported function to support metrics testing |
| test/integration/metrics_test.go | Added comprehensive integration test for metrics server functionality |
| test/driver/driver_testing.go | Added metrics support to test driver infrastructure |
| metrics/metrics.go | Core metrics implementation with Prometheus registry and HTTP handler |
| metrics/certificaterequest_test.go | Unit tests for certificate request metrics collection |
| metrics/certificaterequest_collector.go | Prometheus collector for certificate request lifecycle metrics |
| manager/manager.go | Integrated metrics tracking into certificate issuance operations |
| go.mod | Added prometheus client dependency |
Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.
|
This looks really great, @7ing! Since the PR is large, I will need some time to review it thoroughly. I've already asked @hjoshi123 for some help in review. I would also appreciate it if @munnerz could take another look. Most maintainers from CyberArk are busy with other stuff right now, so our capacity to review PRs is rather low. |
|
Yes @erikgb. Set myself a reminder to review it today. |
metrics/metrics.go
Outdated
| } | ||
|
|
||
| // New creates a Metrics struct and populates it with prometheus metric types. | ||
| func New(logger *logr.Logger, registry *prometheus.Registry) *Metrics { |
There was a problem hiding this comment.
I do understand the need for the registry to come from the user but shouldnt we call this New function to set up the metrics? Also we need to call this function SetupCertificateRequestCollector too otherwise the collector would never work.. I am a bit confused now.. @erikgb if I understand correctly the proposal was to take the registry as an input right?
There was a problem hiding this comment.
I am also a bit confused now. It would have been interesting to see how this would actually be used in a real application. Are you planning to plug in this new feature into https://github.com/cert-manager/csi-driver, or into some other closed-source Apple csi-driver, @7ing? Maybe this will become clearer if the API metrics, obtained through the collector, are more clearly separated from the "normal" code metrics? 🤔
There was a problem hiding this comment.
Added a sample implementation to simple-csi example. The idea is to support cert-manager/csi-driver project.
Yup, we could make SetupCertificateRequestCollector as part of New function if required.
There was a problem hiding this comment.
In the example, I create the registry and start the metrics server in the same function. It can be separated and provided by the user as input as well. Really depends on how the driver implementation specifies.
@erikgb @hjoshi123 hope this version clarifies your questions.
There was a problem hiding this comment.
Hmm.. I was looking at the example @7ing.. are we saying SetupCertificateRequestCollector this function is optional.. meaning that those metrics are optional to be exposed? Thought being what happens if the user forgets to call the function? I understand the need to not create new registry and handler since that should come from the user but I do feel the collector should be registered if the metrics server is running
There was a problem hiding this comment.
@hjoshi123 I have removed the SetupCertificateRequestCollector function. So user need to call New(*) func to initialize all metrics data.
cert-manager-prow
bot
added
the
needs-rebase
Following metrics added: certmanager_csi_certificate_request_expiration_timestamp_seconds certmanager_csi_certificate_request_ready_status certmanager_csi_certificate_request_renewal_timestamp_seconds certmanager_csi_driver_issue_call_count certmanager_csi_driver_issue_error_count certmanager_csi_managed_certificate_count certmanager_csi_managed_volume_count fixes: cert-manager#60 Signed-off-by: Jing Liu <[email protected]>
fixes: cert-manager#60 Signed-off-by: Jing Liu <[email protected]>
Signed-off-by: Jing Liu <[email protected]>
Signed-off-by: Jing Liu <[email protected]>
Signed-off-by: Jing Liu <[email protected]>
Signed-off-by: Jing Liu <[email protected]>
cert-manager-prow
bot
removed
the
needs-rebase
|
/retest-required |
Signed-off-by: Jing Liu <[email protected]>
certmanager_csi_certificate_request_expiration_timestamp_seconds certmanager_csi_certificate_request_ready_status
certmanager_csi_certificate_request_renewal_timestamp_seconds certmanager_csi_driver_issue_call_count_total
certmanager_csi_driver_issue_error_count_total
certmanager_csi_managed_certificate_count_total
certmanager_csi_managed_volume_count_total
fixes: #60