feat: add istio citadel_server_cert_chain_expiry_timestamp metric (#1…

…7268) * feat: add istio citadel_server_cert_chain_expiry_timestamp metric * update the tests and metadata * update changelog * e2e tests --------- Co-authored-by: Florent Clarret <[email protected]>
DataDog · Mar 27, 2024 · 69a1509 · 69a1509
1 parent 5f6cf17
commit 69a1509
Show file tree

Hide file tree

Showing 6 changed files with 11 additions and 1 deletion.
diff --git a/istio/changelog.d/17268.added b/istio/changelog.d/17268.added
@@ -0,0 +1 @@
+Add the citadel_server_cert_chain_expiry_timestamp metric
diff --git a/istio/datadog_checks/istio/metrics.py b/istio/datadog_checks/istio/metrics.py
@@ -51,6 +51,7 @@
     'citadel_server_csr_count': 'server.csr_count',
     'citadel_server_csr_parsing_err_count': 'server.csr_parsing_err_count',
     'citadel_server_id_extraction_err_count': 'server.id_extraction_err_count',
+    'citadel_server_cert_chain_expiry_timestamp': 'server.cert_chain_expiry_timestamp',
     'citadel_server_success_cert_issuance_count': 'server.success_cert_issuance_count',
     'citadel_server_root_cert_expiry_timestamp': 'server.root_cert_expiry_timestamp',
 }
@@ -379,6 +380,7 @@
     'citadel_server_csr_count': 'citadel.server.csr_count',
     'citadel_server_csr_parsing_err_count': 'citadel.server.csr_parsing_err_count',
     'citadel_server_id_extraction_err_count': 'citadel.server.id_extraction_err_count',
+    'citadel_server_cert_chain_expiry_timestamp': 'citadel.server.cert_chain_expiry_timestamp',
     'citadel_server_success_cert_issuance_count': 'citadel.server.success_cert_issuance_count',
     # These metrics supported Istio 1.5
     'galley_validation_config_update_error': 'galley.validation.config_update_error',

diff --git a/istio/metadata.csv b/istio/metadata.csv
@@ -249,6 +249,7 @@ istio.citadel.process.resident_memory_bytes,gauge,,byte,,[OpenMetrics V1 and V2]
 istio.citadel.process.start_time_seconds,gauge,,second,,[OpenMetrics V1 and V2] Start time of the process since unix epoch in seconds.,0,istio,,
 istio.citadel.process.virtual_memory_bytes,gauge,,byte,,[OpenMetrics V1 and V2] Virtual memory size in bytes.,0,istio,,
 istio.galley.validation.config_update_error,count,,error,,[OpenMetrics V1 and V2] K8s webhook configuration update error,0,istio,,
+istio.citadel.server.cert_chain_expiry_timestamp,gauge,,second,,[OpenMetrics V1 and V2] The unix timestamp (in seconds) when Citadel cert chain will expire. Negative in case of internal error,0,istio,,
 istio.citadel.server.root_cert_expiry_timestamp,gauge,,second,,[OpenMetrics V1 and V2] The unix timestamp (in seconds) when Citadel root cert will expire. Negative in case of internal error,0,istio,,
 istio.galley.validation.failed,count,,,,[OpenMetrics V1 and V2 and Istio v1.5+] Count of resource validation failed,0,istio,,
 istio.pilot.conflict.outbound_listener.http_over_https,gauge,,,,[OpenMetrics V1 and V2 and Istio v1.5+] Number of conflicting HTTP listeners with well known HTTPS ports,0,istio,,

diff --git a/istio/tests/common.py b/istio/tests/common.py
@@ -107,6 +107,7 @@
 
 ISTIOD_METRICS = [
     'istio.citadel.server.root_cert_expiry_timestamp',
+    'istio.citadel.server.cert_chain_expiry_timestamp',
     'istio.galley.endpoint_no_pod',
     'istio.galley.validation.config_update_error',
     'istio.galley.validation.config_update',
@@ -210,6 +211,7 @@
 ]
 
 ISTIOD_V2_METRICS = [
+    'istio.citadel.server.cert_chain_expiry_timestamp',
     'istio.citadel.server.root_cert_expiry_timestamp',
     'istio.galley.endpoint_no_pod',
     'istio.galley.validation.config_update_error.count',

diff --git a/istio/tests/fixtures/1.5/istiod.txt b/istio/tests/fixtures/1.5/istiod.txt
@@ -1,3 +1,6 @@
+# HELP citadel_server_cert_chain_expiry_timestamp The unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired.
+# TYPE citadel_server_cert_chain_expiry_timestamp gauge
+citadel_server_cert_chain_expiry_timestamp 2.310923901e+09
 # HELP citadel_server_root_cert_expiry_timestamp The unix timestamp, in seconds, when Citadel root cert will expire. We set it to negative in case of internal error.
 # TYPE citadel_server_root_cert_expiry_timestamp gauge
 citadel_server_root_cert_expiry_timestamp 1.900963606e+09
@@ -557,4 +560,4 @@ process_virtual_memory_max_bytes -1
 sidecar_injection_requests_total 3
 # HELP sidecar_injection_success_total Total number of successful Side car injection requests.
 # TYPE sidecar_injection_success_total counter
-sidecar_injection_success_total 3
+sidecar_injection_success_total 3
diff --git a/istio/tests/test_e2e.py b/istio/tests/test_e2e.py
@@ -10,6 +10,7 @@
 from .common import ISTIOD_METRICS, ISTIOD_V2_METRICS
 
 INTERMITTENT_METRICS = [
+    'istio.citadel.server.cert_chain_expiry_timestamp',
     'istio.mesh.request.count',
     'istio.pilot.mcp_sink.recv_failures_total',
     'istio.galley.validation.passed',
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Add the citadel_server_cert_chain_expiry_timestamp metric