
release-24.3.1-rc: security: bugfix, ensure cert expiry metrics reflect reloaded certs#136227

Merged
angles-n-daemons merged 1 commit intocockroachdb:release-24.3.1-rcfrom
angles-n-daemons:backport24.3.1-rc-135596
Dec 2, 2024

Conversation

@angles-n-daemons
Contributor

Backport 1/1 commits from #135596.

/cc @cockroachdb/release


security: bugfix, ensure cert expiry metrics reflect reloaded certs

The PR #130110 added certificate TTL metrics alongside our existing expiration metrics. Prior to that change, the certificate metrics values were updated on each metrics load. Afterwards, new metrics objects were created for each load of certificates.

This created a bug in that the new expiration values would not be found in any of the system exhaust (metrics scrape or tsdb) because the registered metrics objects were the ones created on startup.

This new change instead allows the metrics to close the whole CertificateManager object, so that they only need to be created once, and therefore the initial registration of metrics reflects persistently valid values.

Release note (bug fix): security.certificate.* metrics will now be updated if a node loads new certificates while running.

Epic: none
Fixes: #135093

Release justification: Fixes a bug in the certificate metrics.

The PR cockroachdb#130110 added certificate TTL metrics alongside our existing
expiration metrics. Prior to that change, the certificate metrics values
were updated on each metrics load. Afterwards, new metrics objects were
created for each load of certificates.

This created a bug in that the new expiration values would not be
found in any of the system exhaust (metrics scrape or tsdb) because the
registered metrics objects were the ones created on startup.

This new change instead allows the metrics to close the whole
CertificateManager object, so that they only need to be created once, and
therefore the initial registration of metrics reflects persistently
valid values.

Release note (bug fix): security.certificate.* metrics will now be
updated if a node loads new certificates while running.
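The stale-pointer bug and the fix the PR describes, reduced to a self-contained model (an added example, not CockroachDB's code): a registry records gauge pointers once at startup, so a manager that recreates its gauges on every certificate load leaves the registered gauge reporting the startup value, while a manager that owns one gauge for its lifetime and updates it in place keeps scrapes current. Gauge, buggyManager, fixedManager, scrapeAfterReload, the metric name and the expiry timestamps are all constructed for the illustration.

```go
package main

import "time"

// Gauge stands in for a registered metric: a scrape reports whatever object
// the registry holds a pointer to, not whatever the manager holds now.
type Gauge struct{ v int64 }

func (g *Gauge) Update(v int64) { g.v = v }
func (g *Gauge) Value() int64  { return g.v }

// buggyManager recreates its gauge on every certificate load (the behaviour
// the PR describes), orphaning the gauge that was registered at startup.
type buggyManager struct{ expiration *Gauge }

func (m *buggyManager) loadCerts(expires time.Time) {
	m.expiration = &Gauge{} // fresh object; the registry never sees it
	m.expiration.Update(expires.Unix())
}

// fixedManager owns one gauge for its lifetime and updates it in place, so
// the pointer registered at startup always reflects the latest load.
type fixedManager struct{ expiration *Gauge }

func (m *fixedManager) loadCerts(expires time.Time) { m.expiration.Update(expires.Unix()) }

// Constructed expiry timestamps: the startup cert and a renewed, reloaded cert.
var (
	startExpiry    = time.Date(2024, 12, 1, 0, 0, 0, 0, time.UTC)
	reloadedExpiry = startExpiry.AddDate(1, 0, 0)
)

const metricName = "security.certificate.expiration.example" // constructed name

// scrapeAfterReload registers the startup gauge in a plain pointer map, reloads a renewed cert, then scrapes.
func scrapeAfterReload(fixed bool) int64 {
	registry := map[string]*Gauge{}
	if fixed {
		m := &fixedManager{expiration: &Gauge{}}
		m.loadCerts(startExpiry)
		registry[metricName] = m.expiration
		m.loadCerts(reloadedExpiry)
	} else {
		m := &buggyManager{}
		m.loadCerts(startExpiry)
		registry[metricName] = m.expiration
		m.loadCerts(reloadedExpiry)
	}
	return registry[metricName].Value()
}
```

With the buggy manager the scraped expiry never moves past the startup certificate, which is exactly what an alert on `security.certificate.*` would miss after a rotation.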
@angles-n-daemons angles-n-daemons requested a review from a team November 26, 2024 17:33
@angles-n-daemons angles-n-daemons requested a review from a team as a code owner November 26, 2024 17:33
@blathers-crl

blathers-crl bot commented Nov 26, 2024

Thanks for opening a backport.

Please check the backport criteria before merging:

  • Backports should only be created for serious issues or test-only changes.
  • Backports should not break backwards-compatibility.
  • Backports should change as little code as possible.
  • Backports should not change on-disk formats or node communication protocols.
  • Backports should not add new functionality (except as defined here).
  • Backports must not add, edit, or otherwise modify cluster versions; or add version gates.
  • All backports must be reviewed by the owning areas TL. For more information as to how that review should be conducted, please consult the backport policy.

If your backport adds new functionality, please ensure that the following additional criteria are satisfied:

  • There is a high priority need for the functionality that cannot wait until the next release and is difficult to address in another way.
  • The new functionality is additive-only and only runs for clusters which have specifically “opted in” to it (e.g. by a cluster setting).
  • New code is protected by a conditional check that is trivial to verify and ensures that it only runs for opt-in clusters. State changes must be further protected such that nodes running old binaries will not be negatively impacted by the new state (with a mixed version test added).
  • The PM and TL on the team that owns the changed code have signed off that the change obeys the above rules.
  • Your backport must be accompanied by a post to the appropriate Slack channel (#db-backports-point-releases or #db-backports-XX-X-release) for awareness and discussion.

Also, please add a brief release justification to the body of your PR to justify this
backport.

@blathers-crl blathers-crl bot added the backport label Nov 26, 2024
@cockroach-teamcity
Member

This change is Reviewable

@angles-n-daemons angles-n-daemons merged commit 0bed88d into cockroachdb:release-24.3.1-rc Dec 2, 2024

Labels: backport, T-observability, v24.3.1
