remove _ssl_expire_time_seconds metric by identifier (#11239)

Signed-off-by: xiayu.lyt <[email protected]>
Co-authored-by: xiayu.lyt <[email protected]>

Author: k8s-infra-cherrypick-robot

internal/ingress/controller/controller.go

@@ -250,9 +250,8 @@ func (n *NGINXController) syncIngress(interface{}) error {
 	}
 
 	ri := utilingress.GetRemovedIngresses(n.runningConfig, pcfg)
-	re := utilingress.GetRemovedHosts(n.runningConfig, pcfg)
 	rc := utilingress.GetRemovedCertificateSerialNumbers(n.runningConfig, pcfg)
-	n.metricCollector.RemoveMetrics(ri, re, rc)
+	n.metricCollector.RemoveMetrics(ri, rc)
 
 	n.runningConfig = pcfg
 

internal/ingress/metric/collectors/controller.go

@@ -30,7 +30,7 @@ import (
 var (
 	operation        = []string{"controller_namespace", "controller_class", "controller_pod"}
 	ingressOperation = []string{"controller_namespace", "controller_class", "controller_pod", "namespace", "ingress"}
-	sslLabelHost     = []string{"namespace", "class", "host", "secret_name"}
+	sslLabelHost     = []string{"namespace", "class", "host", "secret_name", "identifier"}
 	sslInfoLabels    = []string{"namespace", "class", "host", "secret_name", "identifier", "issuer_organization", "issuer_common_name", "serial_number", "public_key_algorithm"}
 	orphanityLabels  = []string{"controller_namespace", "controller_class", "controller_pod", "namespace", "ingress", "type"}
 )
@@ -305,6 +305,7 @@ func (cm *Controller) SetSSLExpireTime(servers []*ingress.Server) {
 		}
 		labels["host"] = s.Hostname
 		labels["secret_name"] = s.SSLCert.Name
+		labels["identifier"] = s.SSLCert.Identifier()
 
 		cm.sslExpireTime.With(labels).Set(float64(s.SSLCert.ExpireTime.Unix()))
 	}
@@ -337,9 +338,9 @@ func (cm *Controller) SetSSLInfo(servers []*ingress.Server) {
 	}
 }
 
-// RemoveMetrics removes metrics for hostnames not available anymore
-func (cm *Controller) RemoveMetrics(hosts, certificates []string, registry prometheus.Gatherer) {
-	cm.removeSSLExpireMetrics(true, hosts, registry)
+// RemoveMetrics removes metrics for certificates not available anymore by identifier
+func (cm *Controller) RemoveMetrics(certificates []string, registry prometheus.Gatherer) {
+	cm.removeSSLExpireMetrics(true, certificates, registry)
 	cm.removeCertificatesMetrics(true, certificates, registry)
 }
 
@@ -390,14 +391,14 @@ func (cm *Controller) removeCertificatesMetrics(onlyDefinedHosts bool, certifica
 	}
 }
 
-func (cm *Controller) removeSSLExpireMetrics(onlyDefinedHosts bool, hosts []string, registry prometheus.Gatherer) {
+func (cm *Controller) removeSSLExpireMetrics(onlyDefinedCerts bool, certificates []string, registry prometheus.Gatherer) {
 	mfs, err := registry.Gather()
 	if err != nil {
 		klog.ErrorS(err, "Error gathering metrics")
 		return
 	}
 
-	toRemove := sets.NewString(hosts...)
+	toRemove := sets.NewString(certificates...)
 
 	for _, mf := range mfs {
 		metricName := mf.GetName()
@@ -414,19 +415,24 @@ func (cm *Controller) removeSSLExpireMetrics(onlyDefinedHosts bool, hosts []stri
 			// remove labels that are constant
 			deleteConstants(labels)
 
+			identifier, ok := labels["identifier"]
+			if !ok {
+				continue
+			}
+
 			host, ok := labels["host"]
 			if !ok {
 				continue
 			}
 
-			if onlyDefinedHosts && !toRemove.Has(host) {
+			if onlyDefinedCerts && !toRemove.Has(identifier) {
 				continue
 			}
 
-			klog.V(2).InfoS("Removing prometheus metric", "gauge", metricName, "host", host)
+			klog.V(2).InfoS("Removing prometheus metric", "gauge", metricName, "host", host, "identifier", identifier)
 			removed := cm.sslExpireTime.Delete(labels)
 			if !removed {
-				klog.V(2).InfoS("metric removed", "metric", metricName, "host", host, "labels", labels)
+				klog.V(2).InfoS("metric removed", "metric", metricName, "host", host, "identifier", identifier, "labels", labels)
 			}
 		}
 	}

internal/ingress/metric/collectors/controller_test.go

@@ -88,6 +88,15 @@ func TestControllerCounters(t *testing.T) {
 						Hostname: "demo",
 						SSLCert: &ingress.SSLCert{
 							ExpireTime: t1,
+							Certificate: &x509.Certificate{
+								PublicKeyAlgorithm: x509.ECDSA,
+								Issuer: pkix.Name{
+									CommonName:   "certificate issuer",
+									SerialNumber: "abcd1234",
+									Organization: []string{"issuer org"},
+								},
+								SerialNumber: big.NewInt(100),
+							},
 						},
 					},
 					{
@@ -102,7 +111,7 @@ func TestControllerCounters(t *testing.T) {
 			want: `
 				# HELP nginx_ingress_controller_ssl_expire_time_seconds Number of seconds since 1970 to the SSL Certificate expire.\n			An example to check if this certificate will expire in 10 days is: "nginx_ingress_controller_ssl_expire_time_seconds < (time() + (10 * 24 * 3600))"
 				# TYPE nginx_ingress_controller_ssl_expire_time_seconds gauge
-				nginx_ingress_controller_ssl_expire_time_seconds{class="nginx",host="demo",namespace="default",secret_name=""} 1.351807721e+09
+				nginx_ingress_controller_ssl_expire_time_seconds{class="nginx",host="demo",identifier="abcd1234-100",namespace="default",secret_name=""} 1.351807721e+09
 			`,
 			metrics: []string{"nginx_ingress_controller_ssl_expire_time_seconds"},
 		},
@@ -262,7 +271,7 @@ func TestRemoveMetrics(t *testing.T) {
 	cm.SetSSLExpireTime(servers)
 	cm.SetSSLInfo(servers)
 
-	cm.RemoveMetrics([]string{"demo"}, []string{"abcd1234-100"}, reg)
+	cm.RemoveMetrics([]string{"abcd1234-100"}, reg)
 
 	if err := GatherAndCompare(cm, "", []string{"nginx_ingress_controller_ssl_expire_time_seconds"}, reg); err != nil {
 		t.Errorf("unexpected collecting result:\n%s", err)

internal/ingress/metric/dummy.go

@@ -54,7 +54,7 @@ func (dc DummyCollector) IncCheckCount(string, string) {}
 func (dc DummyCollector) IncCheckErrorCount(string, string) {}
 
 // RemoveMetrics dummy implementation
-func (dc DummyCollector) RemoveMetrics(_, _, _ []string) {}
+func (dc DummyCollector) RemoveMetrics(_, _ []string) {}
 
 // Start dummy implementation
 func (dc DummyCollector) Start(_ string) {}

internal/ingress/metric/main.go

@@ -46,7 +46,7 @@ type Collector interface {
 	IncOrphanIngress(string, string, string)
 	DecOrphanIngress(string, string, string)
 
-	RemoveMetrics(ingresses, endpoints, certificates []string)
+	RemoveMetrics(ingresses, certificates []string)
 
 	SetSSLExpireTime([]*ingress.Server)
 	SetSSLInfo(servers []*ingress.Server)
@@ -131,9 +131,9 @@ func (c *collector) IncReloadErrorCount() {
 	c.ingressController.IncReloadErrorCount()
 }
 
-func (c *collector) RemoveMetrics(ingresses, hosts, certificates []string) {
+func (c *collector) RemoveMetrics(ingresses, certificates []string) {
 	c.socket.RemoveMetrics(ingresses, c.registry)
-	c.ingressController.RemoveMetrics(hosts, certificates, c.registry)
+	c.ingressController.RemoveMetrics(certificates, c.registry)
 }
 
 func (c *collector) Start(admissionStatus string) {