Add telemetry and logging around expired certificates #9891

Closed
preetapan opened this issue Mar 17, 2021 · 9 comments · Fixed by #10770
Labels
theme/reliability type/enhancement Proposed improvement or new feature

Comments

@preetapan
Contributor

Consul has knowledge about various certificates (the agent certificates for TLS communication across clients/servers, Connect CA certificates).

Currently, we don't emit warnings when certificates are about to expire. It's helpful for operators to know about this so that they can set up alerts within their monitoring systems. We could also emit warning logs with the name/type of certificate and how much time is left that trigger based on a window.

This issue captures both needs (logs and adding metrics to the v1/metrics endpoint with seconds remaining for expiration). Can be split into multiple issues as needed.

@jsosulska jsosulska added the type/enhancement Proposed improvement or new feature label Mar 17, 2021
@ashwinkupatkar

Hi @preetapan,

Any tentative timeline when this feature will be rolled out?

@dnephin
Contributor

dnephin commented Mar 24, 2021

Hi @ashwinkupatkar, thank you for your interest in this issue! Hopefully we can get a metric into the next release.

I've opened a PR for one possible option in #9924. Would this work for your use case? If not, could you share more about what you would like to see?

Thank you!

@ashwinkupatkar

Hi @dnephin,

Thanks for taking a look.

Yes, this is one of the metrics that is needed. Apart from this metric, we also need metrics for the Consul server certificate and Consul client certificate expiration data.

@ashwinkupatkar

Hello @dnephin,

Just wanted to follow up on this feature. Any idea in which version this would be launched?

@ashwinkupatkar

Hi @dnephin, any clue... when this feature would be available? Thanks

@dnephin
Contributor

dnephin commented May 13, 2021

Hi @ashwinkupatkar, I learned there were a few more certs that should be tracked, and I haven't had a chance to finish adding the metrics. It won't be for 1.10, so at the earliest 1.11.

@ashwinkupatkar

Hi @dnephin, I see the change has been merged to master. So should I expect it in GA of 1.10.0?
Thanks

@dnephin
Contributor

dnephin commented Aug 4, 2021

For anyone watching this issue, the following PRs add new metrics:

And #10770 adds logging when a cert is about to expire in the next 24h.

I believe this covers all the cases, but if there is something missing please do comment here.

@dnephin
Contributor

dnephin commented Aug 5, 2021

@ashwinkupatkar sorry I did not respond to your question. These will all be released in Consul 1.11.
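
The check requested in this issue (seconds remaining until expiry, plus a warning once a certificate falls inside a window such as the 24h mentioned above), as an added example that is not part of the thread and not Consul's implementation. The function names `expiryStatus` and `constructedCert`, the certificate names, and the printed field names are hypothetical; the certificates are throwaway self-signed ones built inline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// expiryStatus returns seconds until cert.NotAfter (negative once expired)
// and whether that falls inside the warning window, e.g. 24h.
func expiryStatus(cert *x509.Certificate, now time.Time, window time.Duration) (float64, bool) {
	remaining := cert.NotAfter.Sub(now)
	return remaining.Seconds(), remaining <= window
}

// constructedCert builds a self-signed sample certificate (constructed input).
func constructedCert(cn string, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    notAfter.Add(-72 * time.Hour),
		NotAfter:     notAfter,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now()
	for cn, ttl := range map[string]time.Duration{"agent-tls": 6 * time.Hour, "connect-root": 48 * time.Hour} {
		cert, err := constructedCert(cn, now.Add(ttl))
		if err != nil {
			panic(err)
		}
		secs, warn := expiryStatus(cert, now, 24*time.Hour)
		fmt.Printf("cert=%s seconds_remaining=%.0f warn=%t\n", cert.Subject.CommonName, secs, warn)
	}
}
```

An already expired certificate yields a negative value and still triggers the warning, which lets an alert rule key on either the sign or the window.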
