refactor certificate monitor emits

Azure · Sep 18, 2023 · 0ba7aee · 0ba7aee
1 parent ba1b099
commit 0ba7aee
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 61 deletions.
diff --git a/pkg/monitor/cluster/certificateexpirationstatuses.go b/pkg/monitor/cluster/certificateexpirationstatuses.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/x509"
 	"fmt"
-	"math"
 	"strings"
 	"time"
 
@@ -31,17 +30,20 @@ const (
 	ingressName                     = "default"
 )
 
+// report NotAfter dates for Ingress and API (on managed domains), and Geneva (always)
 func (mon *Monitor) emitCertificateExpirationStatuses(ctx context.Context) error {
-	// report NotAfter dates for Ingress and API (on managed domains), and Geneva (always)
-	var certs []*x509.Certificate
-
 	mdsdCert, err := mon.getCertificate(ctx, operator.Namespace, operator.SecretName, genevalogging.GenevaCertName)
 	if kerrors.IsNotFound(err) {
 		mon.emitGauge(secretMissingMetricName, int64(1), secretMissingMetric(operator.Namespace, operator.SecretName))
 	} else if err != nil {
 		return err
 	} else {
-		certs = append(certs, mdsdCert)
+		daysUntilExpiration := time.Until(mdsdCert.NotAfter) / (24 * time.Hour)
+		mon.emitGauge(certificateExpirationMetricName, int64(daysUntilExpiration), map[string]string{
+			"subject":   mdsdCert.Subject.CommonName,
+			"name":      operator.SecretName,
+			"namespace": operator.Namespace,
+		})
 	}
 
 	if dns.IsManagedDomain(mon.oc.Properties.ClusterProfile.Domain) {
@@ -63,19 +65,16 @@ func (mon *Monitor) emitCertificateExpirationStatuses(ctx context.Context) error
 			} else if err != nil {
 				return err
 			} else {
-				certs = append(certs, certificate)
+				daysUntilExpiration := time.Until(certificate.NotAfter) / (24 * time.Hour)
+				mon.emitGauge(certificateExpirationMetricName, int64(daysUntilExpiration), map[string]string{
+					"subject":   certificate.Subject.CommonName,
+					"name":      secretName,
+					"namespace": operator.Namespace,
+				})
 			}
 		}
 	}
 
-	for _, cert := range certs {
-		daysUntilExpiration := time.Until(cert.NotAfter) / (24 * time.Hour)
-		mon.emitGauge(certificateExpirationMetricName, 1, map[string]string{
-			"subject":             cert.Subject.CommonName,
-			"expirationDate":      cert.NotAfter.UTC().Format(time.RFC3339),
-			"daysUntilExpiration": fmt.Sprintf("%d", daysUntilExpiration),
-		})
-	}
 	return nil
 }
 
@@ -118,35 +117,21 @@ func (mon *Monitor) emitEtcdCertificateExpiry(ctx context.Context) error {
 		return err
 	}
 
-	certNearExpiry := false
-	minDaysUntilExpiration := math.MaxInt
 	for _, secret := range secretList.Items {
 		if strings.Contains(secret.ObjectMeta.Name, "etcd-peer") || strings.Contains(secret.ObjectMeta.Name, "etcd-serving") {
 			_, certs, err := pem.Parse(secret.Data[corev1.TLSCertKey])
 			if err != nil {
 				return err
 			}
 			if utilcert.IsLessThanMinimumDuration(certs[0], utilcert.DefaultMinDurationPercent) {
-				certNearExpiry = true
-				minDaysUntilExpiration = min(utilcert.DaysUntilExpiration(certs[0]), minDaysUntilExpiration)
+				mon.emitGauge(certificateExpirationMetricName, int64(utilcert.DaysUntilExpiration(certs[0])), map[string]string{
+					"namespace": "openshift-etcd",
+					"name":      secret.GetObjectMeta().GetName(),
+					"subject":   certs[0].Subject.CommonName,
+				})
 			}
 		}
 	}
 
-	if certNearExpiry {
-		mon.emitGauge("certificate.expirationdate", 1, map[string]string{
-			"daysUntilExpiration": fmt.Sprintf("%d", minDaysUntilExpiration),
-			"namespace":           "openshift-etcd",
-			"name":                "openshift-etcd-certificate",
-		})
-	}
-
 	return nil
 }
-
-func min(a, b int) int {
-	if a < b {
-		return a
-	}
-	return b
-}
diff --git a/pkg/monitor/cluster/certificateexpirationstatuses_test.go b/pkg/monitor/cluster/certificateexpirationstatuses_test.go
@@ -4,7 +4,6 @@ import (
 	"context"
 	"crypto/x509"
 	"encoding/pem"
-	"fmt"
 	"testing"
 	"time"
 
@@ -21,7 +20,6 @@ import (
 	"github.com/Azure/ARO-RP/pkg/api"
 	mock_metrics "github.com/Azure/ARO-RP/pkg/util/mocks/metrics"
 	utiltls "github.com/Azure/ARO-RP/pkg/util/tls"
-	"github.com/Azure/ARO-RP/pkg/util/uuid"
 	utilerror "github.com/Azure/ARO-RP/test/util/error"
 )
 
@@ -38,8 +36,9 @@ const (
 
 func TestEmitCertificateExpirationStatuses(t *testing.T) {
 	expiration := time.Now().Add(time.Hour * 24 * 5)
-	expirationString := expiration.UTC().Format(time.RFC3339)
-	clusterID := uuid.DefaultGenerator.Generate()
+	daysUntilExpiration := 4
+	//expirationString := expiration.UTC().Format(time.RFC3339)
+	clusterID := "00000000-0000-0000-0000-000000000000"
 
 	for _, tt := range []struct {
 		name            string
@@ -55,9 +54,9 @@ func TestEmitCertificateExpirationStatuses(t *testing.T) {
 			certsPresent: []certInfo{{"cluster", "geneva.certificate"}},
 			wantExpirations: []map[string]string{
 				{
-					"subject":             "geneva.certificate",
-					"expirationDate":      expirationString,
-					"daysUntilExpiration": "4",
+					"subject":   "geneva.certificate",
+					"name":      "cluster",
+					"namespace": "openshift-azure-operator",
 				},
 			},
 		},
@@ -71,19 +70,19 @@ func TestEmitCertificateExpirationStatuses(t *testing.T) {
 			},
 			wantExpirations: []map[string]string{
 				{
-					"subject":             "geneva.certificate",
-					"expirationDate":      expirationString,
-					"daysUntilExpiration": "4",
+					"subject":   "geneva.certificate",
+					"name":      "cluster",
+					"namespace": "openshift-azure-operator",
 				},
 				{
-					"subject":             "contoso.aroapp.io",
-					"expirationDate":      expirationString,
-					"daysUntilExpiration": "4",
+					"subject":   "contoso.aroapp.io",
+					"name":      clusterID + "-ingress",
+					"namespace": "openshift-azure-operator",
 				},
 				{
-					"subject":             "api.contoso.aroapp.io",
-					"expirationDate":      expirationString,
-					"daysUntilExpiration": "4",
+					"subject":   "api.contoso.aroapp.io",
+					"name":      clusterID + "-apiserver",
+					"namespace": "openshift-azure-operator",
 				},
 			},
 		},
@@ -106,14 +105,14 @@ func TestEmitCertificateExpirationStatuses(t *testing.T) {
 			},
 			wantExpirations: []map[string]string{
 				{
-					"subject":             "geneva.certificate",
-					"expirationDate":      expirationString,
-					"daysUntilExpiration": "4",
+					"subject":   "geneva.certificate",
+					"name":      "cluster",
+					"namespace": "openshift-azure-operator",
 				},
 				{
-					"subject":             "contoso.aroapp.io",
-					"expirationDate":      expirationString,
-					"daysUntilExpiration": "4",
+					"subject":   "contoso.aroapp.io",
+					"name":      clusterID + "-ingress",
+					"namespace": "openshift-azure-operator",
 				},
 			},
 			wantWarning: []map[string]string{
@@ -139,7 +138,7 @@ func TestEmitCertificateExpirationStatuses(t *testing.T) {
 				m.EXPECT().EmitGauge(secretMissingMetricName, int64(1), w)
 			}
 			for _, g := range tt.wantExpirations {
-				m.EXPECT().EmitGauge(certificateExpirationMetricName, int64(1), g)
+				m.EXPECT().EmitGauge(certificateExpirationMetricName, int64(daysUntilExpiration), g)
 			}
 
 			mon := buildMonitor(m, tt.domain, clusterID, secrets...)
@@ -293,12 +292,11 @@ func TestEtcdCertificateExpiry(t *testing.T) {
 				m:         m,
 			}
 
-			m.EXPECT().EmitGauge("certificate.expirationdate", int64(1), map[string]string{
-				"daysUntilExpiration": fmt.Sprintf("%d", tt.minDaysUntilExpiration),
-				"namespace":           "openshift-etcd",
-				"name":                "openshift-etcd-certificate",
+			m.EXPECT().EmitGauge(certificateExpirationMetricName, int64(tt.minDaysUntilExpiration), map[string]string{
+				"namespace": "openshift-etcd",
+				"name":      "etcd-peer-master-0",
+				"subject":   "etcd-cert",
 			})
-
 			err = mon.emitEtcdCertificateExpiry(ctx)
 			if err != nil {
 				t.Fatal(err)