Add metrics #158
Add metrics #158
Conversation
jetstack-bot
added
the
dco-signoff: yes
jetstack-bot
added
size/XL
docs/tasks/metrics.md
Outdated
|
|
||
| ### kube_oidc_proxy_http_client_requests | ||
| counter - {http status code, path, remote address} | ||
| The number of requests for incoming requests. |
There was a problem hiding this comment.
| The number of requests for incoming requests. | |
| The number of incoming requests. |
docs/tasks/metrics.md
Outdated
|
|
||
| ### kube_oidc_proxy_http_server_requests | ||
| counter - {http status code, path, remote address} | ||
| The requests for outgoing server requests. |
There was a problem hiding this comment.
| The requests for outgoing server requests. | |
| The number of outgoing server requests. |
cmd/app/options/app.go
Outdated
| "Adress to serving metrics on at the /metrics path. An empty address will "+ | ||
| "disable serving metrics.") |
There was a problem hiding this comment.
Worth mentioning that this can't conflict with the other addresses here?
There was a problem hiding this comment.
Also the readiness probe is exposed as a port, but this is a full address. I think that makes sense despite the inconsistency.
cmd/app/run.go
Outdated
| return err | ||
| } | ||
| } else { | ||
| klog.Info("metrics listen address empty, disabling serving") |
There was a problem hiding this comment.
| klog.Info("metrics listen address empty, disabling serving") | |
| klog.Info("metrics listen address empty, disabling serving metrics") |
pkg/proxy/handlers.go
Outdated
| http.Error(rw, "Impersonation requests are disabled when using kube-oidc-proxy", http.StatusForbidden) | ||
| return | ||
|
|
||
| // No name given or available in oidc request | ||
| case errNoName: | ||
| klog.V(2).Infof("no name available in oidc info %s", r.RemoteAddr) | ||
| statusCode = http.StatusForbidden | ||
| klog.V(2).Infof("no name available in oidc info %s", remoteAddr) | ||
| http.Error(rw, "Username claim not available in OIDC Issuer response", http.StatusForbidden) |
There was a problem hiding this comment.
| http.Error(rw, "Username claim not available in OIDC Issuer response", http.StatusForbidden) | |
| http.Error(rw, "Username claim not available in OIDC Issuer response", statusCode) |
pkg/proxy/handlers.go
Outdated
| http.Error(rw, "Username claim not available in OIDC Issuer response", http.StatusForbidden) | ||
| return | ||
|
|
||
| // No impersonation configuration found in context | ||
| case errNoImpersonationConfig: | ||
| klog.Errorf("if you are seeing this, there is likely a bug in the proxy (%s): %s", r.RemoteAddr, err) | ||
| statusCode = http.StatusInternalServerError | ||
| klog.Errorf("if you are seeing this, there is likely a bug in the proxy (%s): %s", remoteAddr, err) | ||
| http.Error(rw, "", http.StatusInternalServerError) |
There was a problem hiding this comment.
| http.Error(rw, "", http.StatusInternalServerError) | |
| http.Error(rw, "", statusCode) |
pkg/proxy/handlers.go
Outdated
| http.Error(rw, "", http.StatusInternalServerError) | ||
| return | ||
|
|
||
| // Server or unknown error | ||
| default: | ||
| klog.Errorf("unknown error (%s): %s", r.RemoteAddr, err) | ||
| statusCode = http.StatusInternalServerError | ||
| klog.Errorf("unknown error (%s): %s", remoteAddr, err) | ||
| http.Error(rw, "", http.StatusInternalServerError) |
There was a problem hiding this comment.
| http.Error(rw, "", http.StatusInternalServerError) | |
| http.Error(rw, "", statusCode) |
| var statusCode int | ||
| if resp != nil { | ||
| statusCode = resp.StatusCode | ||
| } |
There was a problem hiding this comment.
So we will report statusCode as nil if there was an error in round-tripping? What will the client see in that case?
There was a problem hiding this comment.
The client will see the error code that comes from the error handler if the there is an error.
If the response is nil then we have to report the status code as 0.
I actually made a mistake here that if there is an error, then we will be observing a client call twice (once here, and again in the error handler). I have now wrapped the client observation in an err != nil. The server still need to be observed here regardless.
There was a problem hiding this comment.
Is there some wrapper we could make the observation for both the error case (with the real error code) and the success case? I guess we lose access to some of the labels if we do that?
There was a problem hiding this comment.
Yeah exactly, the error handler code path isn't in most requests so we can't invoke it there, and indeed we loose some info.
| @@ -0,0 +1,218 @@ | |||
| // Copyright Jetstack Ltd. See LICENSE for details. | |||
| package metrics | |||
There was a problem hiding this comment.
How is the prom client testing support? Is it possible to write tests that check that samples were recorded with certain labels set?
There was a problem hiding this comment.
It is, but it is a bit of a string matching exercise. Happy to stick something in if you are keen...
https://github.com/jetstack/cert-manager/blob/master/pkg/metrics/certificates_test.go
There was a problem hiding this comment.
I don't think it's critical, but I always prefer tests if they aren't too onerous.
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
buckets for request duration Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: JoshVanL The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
Signed-off-by: JoshVanL <vleeuwenjoshua@gmail.com>
| @@ -43,6 +44,10 @@ func (k *KubeOIDCProxyOptions) AddFlags(fs *pflag.FlagSet) *KubeOIDCProxyOptions | |||
| fs.IntVarP(&k.ReadinessProbePort, "readiness-probe-port", "P", 8080, | |||
| "Port to expose readiness probe.") | |||
|
|
|||
| fs.StringVar(&k.MetricsListenAddress, "metrics-serving-address", "0.0.0.0:80", | |||
| "Address to serve metrics on at the /metrics path. An empty address will "+ | |||
| "disable serving metrics. Cannot use the same address as proxy or probe.") | |||
There was a problem hiding this comment.
Is it possible to explicitly set --metrics-serving-address="" without it being defaulted to 0.0.0.0:80?
| return err | ||
| } | ||
| hooks.AddPreShutdownHook("Readiness Probe", readinessHandler.Shutdown) |
There was a problem hiding this comment.
nit: are spaces in hook names okay/normal?
| @@ -74,6 +82,9 @@ spec: | |||
| {{- range $key, $value := .Values.extraArgs -}} | |||
| - "--{{ $key }}={{ $value -}}" | |||
| {{ end }} | |||
| {{- if and .Values.metrics.enabled }} | |||
There was a problem hiding this comment.
What this and for? Should it be if .Values.metrics.enabled?
| @@ -74,6 +82,9 @@ spec: | |||
| {{- range $key, $value := .Values.extraArgs -}} | |||
| - "--{{ $key }}={{ $value -}}" | |||
| {{ end }} | |||
| {{- if and .Values.metrics.enabled }} | |||
| - "--metrics-serving-address={{ .Values.metrics.address }}:{{ .Values.metrics.port }}" | |||
| {{ end }} | |||
There was a problem hiding this comment.
nit: I think we want this to be {{- end }} to avoid a trailing whitespace, but I see that others don't use it and it isn't really essential at all to this PR :)
| annotations: | ||
| prometheus.io/path: /metrics | ||
| prometheus.io/port: "80" | ||
| prometheus.io/scrape: "true" |
There was a problem hiding this comment.
This manifest does not have - "--metrics-serving-address={{ .Values.metrics.address }}:{{ .Values.metrics.port }}" in it, but does enable scraping of the endpoint. Is it being generated from the Helm chart?
| klog.Infof("serving readiness probe on %s/ready", ln.Addr()) | ||
|
|
||
| if err := h.Serve(ln); err != nil { | ||
| klog.Errorf("failed to serve readiness probe: %s", err) |
There was a problem hiding this comment.
Again, we don't have any way to pass 'up' the stack if this is failing from what I can tell? Meaning if the readiness probe listener fails, the pod will never be restarted (assuming the liveness probe handler doesn't fail).
This isn't a change from what happened before from what I can see, but may be worth looking into as a follow up
| // Auth request and handle unauthed | ||
| info, ok, err := p.oidcRequestAuther.AuthenticateRequest(req) | ||
| if err != nil { | ||
| // Since we have failed OIDC auth, we will try a token review, if enabled. | ||
| p.metrics.IncrementOIDCAuthCount(false, remoteAddr, "") |
There was a problem hiding this comment.
If a user specifically isn't connecting with OIDC, is there any way to avoid that one user flooding the metric with failure counts?
If I wanted to use token passthrough for one client, I'd end out with something that looks like an error but actually isn't really (from what I can tell).
There was a problem hiding this comment.
Maybe a distinct 'number of passthroughs' metric? 🤷♂️
|
|
||
| // Setup unauthed handler so that it is passed through the audit | ||
| unauthedHandler := audit.NewUnauthenticatedHandler(p.auditor, func(rw http.ResponseWriter, req *http.Request) { | ||
| _, remoteAddr := context.RemoteAddr(req) |
There was a problem hiding this comment.
bit of a nit, but why does RemoteAddr return the request as well? Does it modify it in any way? 🤔
There was a problem hiding this comment.
Ah, I see:
clientAddress, ok := ctx.Value(clientAddressKey).(string)
if !ok {
clientAddress = xff.GetRemoteAddr(req)
req = req.WithContext(request.WithValue(ctx, clientAddressKey, clientAddress))
}
Not one for this PR, but that seems like non-obvious behaviour 😬 is xff.GetRemoteAddr(req) particularly expensive? What about just making this only accept the req, and then having a separate function WithRemoteAddress(ctx context.Context, remoteAddr string) context.Context or something? I don't quite see why we need to add that context back into the request, but perhaps I am missing something 😄 is this to allow passing through a header containing the connecting client's address?
| @@ -199,8 +186,26 @@ func (p *Proxy) RoundTrip(req *http.Request) (*http.Response, error) { | |||
| // Set up impersonation request. | |||
| rt := transport.NewImpersonatingRoundTripper(*conf, p.clientTransport) | |||
|
|
|||
| req, remoteAddr := context.RemoteAddr(req) | |||
| serverDuration := time.Now() | |||
| clientDuration := context.ClientRequestTimestamp(req) | |||
There was a problem hiding this comment.
nit: you might want to consider adopting the k8s.io/utils 'clock' package sometime soon - this will be tough to test otherwise 😄
|
|
||
| // Start clock on metrics | ||
| tokenReviewDuration := time.Now() | ||
| req, remoteAddr := proxycontext.RemoteAddr(req) |
There was a problem hiding this comment.
Just to confirm.. do we want to be overwriting req here to include this remote address?
|
Pardon my ignorance, is this complete ? |
This PR metrics adds a number of metrics to the proxy.
The PR should be split up fairly well per commit.
It would be good to have a bit of insight into whether these metrics look sane... It is tricky not to make the number of time series explode here.
/assign @munnerz
/assign @simonswine
fixes #156