2018-07-07 17:46:18 +00:00
|
|
|
/*
|
|
|
|
|
Copyright 2018 The Kubernetes Authors.
|
|
|
|
|
|
|
|
|
|
Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
|
you may not use this file except in compliance with the License.
|
|
|
|
|
You may obtain a copy of the License at
|
|
|
|
|
|
|
|
|
|
http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
|
|
|
|
|
|
Unless required by applicable law or agreed to in writing, software
|
|
|
|
|
distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
|
See the License for the specific language governing permissions and
|
|
|
|
|
limitations under the License.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
package metric
|
|
|
|
|
|
2018-12-04 19:59:54 +00:00
|
|
|
import (
|
|
|
|
|
"k8s.io/apimachinery/pkg/util/sets"
|
|
|
|
|
"k8s.io/ingress-nginx/internal/ingress"
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// NewDummyCollector returns a dummy metric collector
|
|
|
|
|
func NewDummyCollector() Collector {
|
|
|
|
|
return &DummyCollector{}
|
|
|
|
|
}
|
2018-07-07 17:46:18 +00:00
|
|
|
|
|
|
|
|
// DummyCollector dummy implementation for mocks in tests
|
|
|
|
|
type DummyCollector struct{}
|
|
|
|
|
|
|
|
|
|
// ConfigSuccess ...
|
|
|
|
|
func (dc DummyCollector) ConfigSuccess(uint64, bool) {}
|
|
|
|
|
|
2021-11-02 17:54:34 +00:00
|
|
|
// SetAdmissionMetrics ...
|
|
|
|
|
func (dc DummyCollector) SetAdmissionMetrics(float64, float64, float64, float64, float64, float64) {}
|
|
|
|
|
|
2018-07-07 17:46:18 +00:00
|
|
|
// IncReloadCount ...
|
|
|
|
|
func (dc DummyCollector) IncReloadCount() {}
|
|
|
|
|
|
|
|
|
|
// IncReloadErrorCount ...
|
|
|
|
|
func (dc DummyCollector) IncReloadErrorCount() {}
|
|
|
|
|
|
2019-02-21 19:45:21 +00:00
|
|
|
// IncCheckCount ...
|
|
|
|
|
func (dc DummyCollector) IncCheckCount(string, string) {}
|
|
|
|
|
|
|
|
|
|
// IncCheckErrorCount ...
|
|
|
|
|
func (dc DummyCollector) IncCheckErrorCount(string, string) {}
|
|
|
|
|
|
2018-07-07 17:46:18 +00:00
|
|
|
// RemoveMetrics ...
|
Add a certificate info metric (#8253)
When the ingress controller loads certificates (new ones or following a
secret update), it performs a series of check to ensure its validity.
In our systems, we detected a case where, when the secret object is
compromised, for example when the certificate does not match the secret
key, different pods of the ingress controller are serving a different
version of the certificate.
This behaviour is due to the cache mechanism of the ingress controller,
keeping the last known certificate in case of corruption. When this
happens, old ingress-controller pods will keep serving the old one,
while new pods, by failing to load the corrupted certificates, would
use the default certificate, causing invalid certificates for its
clients.
This generates a random error on the client side, depending on the
actual pod instance it reaches.
In order to allow detecting occurences of those situations, add a metric
to expose, for all ingress controlller pods, detailed informations of
the currently loaded certificate.
This will, for example, allow setting an alert when there is a
certificate discrepency across all ingress controller pods using a query
similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)`
This also allows to catch other exceptions loading certificates (failing
to load the certificate from the k8s API, ...
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
2022-02-24 15:08:32 +00:00
|
|
|
func (dc DummyCollector) RemoveMetrics(ingresses, endpoints, certificates []string) {}
|
2018-07-07 17:46:18 +00:00
|
|
|
|
|
|
|
|
// Start ...
|
2021-11-02 17:54:34 +00:00
|
|
|
func (dc DummyCollector) Start(admissionStatus string) {}
|
2018-07-07 17:46:18 +00:00
|
|
|
|
|
|
|
|
// Stop ...
|
2021-11-02 17:54:34 +00:00
|
|
|
func (dc DummyCollector) Stop(admissionStatus string) {}
|
2018-07-07 17:46:18 +00:00
|
|
|
|
Add a certificate info metric (#8253)
When the ingress controller loads certificates (new ones or following a
secret update), it performs a series of check to ensure its validity.
In our systems, we detected a case where, when the secret object is
compromised, for example when the certificate does not match the secret
key, different pods of the ingress controller are serving a different
version of the certificate.
This behaviour is due to the cache mechanism of the ingress controller,
keeping the last known certificate in case of corruption. When this
happens, old ingress-controller pods will keep serving the old one,
while new pods, by failing to load the corrupted certificates, would
use the default certificate, causing invalid certificates for its
clients.
This generates a random error on the client side, depending on the
actual pod instance it reaches.
In order to allow detecting occurences of those situations, add a metric
to expose, for all ingress controlller pods, detailed informations of
the currently loaded certificate.
This will, for example, allow setting an alert when there is a
certificate discrepency across all ingress controller pods using a query
similar to `sum(nginx_ingress_controller_ssl_certificate_info{host="name.tld"})by(serial_number)`
This also allows to catch other exceptions loading certificates (failing
to load the certificate from the k8s API, ...
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
Co-authored-by: Daniel Ricart <danielricart@users.noreply.github.com>
2022-02-24 15:08:32 +00:00
|
|
|
// SetSSLInfo ...
|
|
|
|
|
func (dc DummyCollector) SetSSLInfo([]*ingress.Server) {}
|
|
|
|
|
|
2018-07-07 17:46:18 +00:00
|
|
|
// SetSSLExpireTime ...
|
|
|
|
|
func (dc DummyCollector) SetSSLExpireTime([]*ingress.Server) {}
|
2018-12-04 19:59:54 +00:00
|
|
|
|
|
|
|
|
// SetHosts ...
|
|
|
|
|
func (dc DummyCollector) SetHosts(hosts sets.String) {}
|
2019-03-10 22:12:33 +00:00
|
|
|
|
|
|
|
|
// OnStartedLeading indicates the pod is not the current leader
|
|
|
|
|
func (dc DummyCollector) OnStartedLeading(electionID string) {}
|
|
|
|
|
|
|
|
|
|
// OnStoppedLeading indicates the pod is not the current leader
|
|
|
|
|
func (dc DummyCollector) OnStoppedLeading(electionID string) {}
|