Certificate Status Monitor Refactor #4103
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ArrisLee
requested review from
jewzaam,
bennerv,
hawkowl,
rogbas,
petrkotas,
jharrington22,
cblecker,
cadenmarchese,
UlrichSchlueter,
SudoBrendan,
yjst2012,
jaitaiwan,
anshulvermapatel,
hlipsig,
tiguelu,
mociarain,
kimorris27,
tsatam,
bitoku,
fahlmant and
sankur-codes
as code owners
ArrisLee
added
skippy
|
/azp run ci |
|
Azure Pipelines successfully started running 1 pipeline(s). |
ArrisLee
changed the base branch from
master
to
yjst2012/hotfix-dns-renaming
ArrisLee
changed the base branch from
yjst2012/hotfix-dns-renaming
to
master
ArrisLee
force-pushed
the
arris/refactor/certstatusmon
branch
from
f2966e1 to
0453877
Compare
ArrisLee
force-pushed
the
arris/refactor/certstatusmon
branch
from
2b0a9f9 to
796738b
Compare
edisonLcardenas
approved these changes
Mar 3, 2025
kimorris27
requested changes
Mar 4, 2025
| mon.emitGauge(secretMissingMetricName, 1, secretMissingMetric(operator.Namespace, operator.SecretName)) | ||
| return nil | ||
| } | ||
| return fmt.Errorf("emitting MDSD certificate expiration metrics: %w", err) |
There was a problem hiding this comment.
IMO there's not a lot of value in "customizing" the error messages throughout these functions by wrapping the underlying err in a new call to fmt.Errorf. We can seek an opinion from another reviewer too.
Or do you have some experiences from on call that led you to make these types of changes?
| } | ||
|
|
||
| if ic.Spec.DefaultCertificate == nil { | ||
| return fmt.Errorf("ingresscontroller spec invalid, unable to get default certificate name") | ||
| return fmt.Errorf("ingress controller spec invalid, default certificate name not found") |
There was a problem hiding this comment.
For clarity when visually parsing logs:
Suggested change
| return fmt.Errorf("ingress controller spec invalid, default certificate name not found") | |
| return fmt.Errorf("error: ingress controller spec invalid, default certificate name not found") |
| if err != nil { | ||
| return err | ||
| // Log the error and continue processing other secrets. | ||
| mon.log.Printf("warning: parsing certificate in secret %q: %v", secretName, err) |
There was a problem hiding this comment.
Using Warningf will ensure the log level is set in the way I assume you want it:
Suggested change
| mon.log.Printf("warning: parsing certificate in secret %q: %v", secretName, err) | |
| mon.log.Warningf("error parsing certificate in secret %q: %v", secretName, err) |
| continue | ||
| } | ||
| if len(certs) == 0 { | ||
| mon.log.Printf("warning: no certificates found in secret %q", secretName) |
There was a problem hiding this comment.
Suggested change
| mon.log.Printf("warning: no certificates found in secret %q", secretName) | |
| mon.log.Warningf("no certificates found in secret %q", secretName) |
| } | ||
| certData, ok := secret.Data[secretKey] | ||
| if !ok { | ||
| return nil, fmt.Errorf("secret %q in namespace %q does not contain key %q", secretName, secretNamespace, secretKey) |
There was a problem hiding this comment.
Suggested change
| return nil, fmt.Errorf("secret %q in namespace %q does not contain key %q", secretName, secretNamespace, secretKey) | |
| return nil, fmt.Errorf(error: "secret %q in namespace %q does not contain key %q", secretName, secretNamespace, secretKey) |
Comment on lines
+77
to
+83
| // Build a set of secret names to process, avoid duplicate processing. | ||
| secretNames := map[string]struct{}{ | ||
| ingressSecretName: {}, | ||
| } | ||
| // Also process the API Server certificate variant if it differs. | ||
| apiserverSecretName := strings.Replace(ingressSecretName, "-ingress", "-apiserver", 1) | ||
| secretNames[apiserverSecretName] = struct{}{} |
There was a problem hiding this comment.
Aren't the names of the two secrets always different? In what situation would the previous code have processed duplicates?
Comment on lines
+115
to
147
| secretList, err := mon.cli.CoreV1().Secrets(etcdNamespace).List(ctx, metav1.ListOptions{ | ||
| FieldSelector: fmt.Sprintf("type=%s", corev1.SecretTypeTLS), | ||
| }) | ||
| if err != nil { | ||
| return err | ||
| return fmt.Errorf("listing secrets in %q: %w", etcdNamespace, err) | ||
| } | ||
|
|
||
| for _, secret := range secretList.Items { | ||
| // Parse secrets with name containing "etcd-peer", "etcd-serving", "etcd-serving-metrics" | ||
| if strings.Contains(secret.ObjectMeta.Name, "etcd-peer") || strings.Contains(secret.ObjectMeta.Name, "etcd-serving") { | ||
| _, certs, err := pem.Parse(secret.Data[corev1.TLSCertKey]) | ||
| secretName := secret.ObjectMeta.Name | ||
| // Only process secrets with names indicating ETCD certificates. | ||
| if strings.Contains(secretName, "etcd-peer") || strings.Contains(secretName, "etcd-serving") { | ||
| certData, ok := secret.Data[corev1.TLSCertKey] | ||
| if !ok { | ||
| mon.emitGauge(secretMissingMetricName, 1, secretMissingMetric(etcdNamespace, secretName)) | ||
| continue | ||
| } | ||
| _, certs, err := pem.Parse(certData) | ||
| if err != nil { | ||
| return err | ||
| // Log the error and continue processing other secrets. | ||
| mon.log.Printf("warning: parsing certificate in secret %q: %v", secretName, err) | ||
| continue | ||
| } | ||
| if len(certs) == 0 { | ||
| mon.log.Printf("warning: no certificates found in secret %q", secretName) | ||
| continue | ||
| } | ||
| mon.emitGauge(certificateExpirationMetricName, int64(utilcert.DaysUntilExpiration(certs[0])), map[string]string{ | ||
| "namespace": "openshift-etcd", | ||
| "name": secret.GetObjectMeta().GetName(), | ||
| "namespace": etcdNamespace, | ||
| "name": secretName, | ||
| "subject": certs[0].Subject.CommonName, | ||
| }) | ||
| } | ||
| } |
There was a problem hiding this comment.
Instead of listing the Secrets and then iterating over them and calling mon.emitGauge yourself, why not rework this to leverage the new utility function you added (processCertificate)?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Which issue this PR addresses:
https://issues.redhat.com/browse/ARO-13644
What this PR does / why we need it:
Test plan for issue: