Add signature count and error metrics to crlImpl (#7533)

Add the "signatureCount" and "signErrorCount" metrics, which are already
incremented by the certificateAuthorityImpl and ocspImpl after all
signing operations, to the crlImpl.

Note that in the process of writing this PR I discovered that the method
for determining whether to increment the signErrorCount metric is
broken. Rather than diverge the crlImpl's version of that code from the
identical code in the other two files, I have duplicated the broken code
and will fix it in all three places in a follow-up.

Fixes #7532

Author: aarongable

ca/ca_test.go

@@ -239,6 +239,8 @@ func setup(t *testing.T) *testCtx {
 		},
 		100,
 		blog.NewMock(),
+		signatureCount,
+		signErrorCount,
 	)
 	test.AssertNotError(t, err, "Failed to create crl impl")
 

ca/crl.go

@@ -10,6 +10,9 @@ import (
 
 	"google.golang.org/grpc"
 
+	"github.com/miekg/pkcs11"
+	"github.com/prometheus/client_golang/prometheus"
+
 	capb "github.com/letsencrypt/boulder/ca/proto"
 	"github.com/letsencrypt/boulder/core"
 	corepb "github.com/letsencrypt/boulder/core/proto"
@@ -20,10 +23,12 @@ import (
 
 type crlImpl struct {
 	capb.UnsafeCRLGeneratorServer
-	issuers   map[issuance.NameID]*issuance.Issuer
-	profile   *issuance.CRLProfile
-	maxLogLen int
-	log       blog.Logger
+	issuers        map[issuance.NameID]*issuance.Issuer
+	profile        *issuance.CRLProfile
+	maxLogLen      int
+	log            blog.Logger
+	signatureCount *prometheus.CounterVec
+	signErrorCount *prometheus.CounterVec
 }
 
 var _ capb.CRLGeneratorServer = (*crlImpl)(nil)
@@ -36,7 +41,10 @@ func NewCRLImpl(
 	issuers []*issuance.Issuer,
 	profileConfig issuance.CRLProfileConfig,
 	maxLogLen int,
-	logger blog.Logger) (*crlImpl, error) {
+	logger blog.Logger,
+	signatureCount *prometheus.CounterVec,
+	signErrorCount *prometheus.CounterVec,
+) (*crlImpl, error) {
 	issuersByNameID := make(map[issuance.NameID]*issuance.Issuer, len(issuers))
 	for _, issuer := range issuers {
 		issuersByNameID[issuer.NameID()] = issuer
@@ -48,10 +56,12 @@ func NewCRLImpl(
 	}
 
 	return &crlImpl{
-		issuers:   issuersByNameID,
-		profile:   profile,
-		maxLogLen: maxLogLen,
-		log:       logger,
+		issuers:        issuersByNameID,
+		profile:        profile,
+		maxLogLen:      maxLogLen,
+		log:            logger,
+		signatureCount: signatureCount,
+		signErrorCount: signErrorCount,
 	}, nil
 }
 
@@ -134,8 +144,13 @@ func (ci *crlImpl) GenerateCRL(stream grpc.BidiStreamingServer[capb.GenerateCRLR
 
 	crlBytes, err := issuer.IssueCRL(ci.profile, req)
 	if err != nil {
+		var pkcs11Error *pkcs11.Error
+		if errors.As(err, &pkcs11Error) {
+			ci.signErrorCount.WithLabelValues("HSM").Inc()
+		}
 		return fmt.Errorf("signing crl: %w", err)
 	}
+	ci.signatureCount.With(prometheus.Labels{"purpose": "crl", "issuer": issuer.Name()}).Inc()
 
 	hash := sha256.Sum256(crlBytes)
 	ci.log.AuditInfof(

cmd/boulder-ca/main.go

@@ -287,6 +287,8 @@ func main() {
 			c.CA.Issuance.CRLProfile,
 			c.CA.OCSPLogMaxLength,
 			logger,
+			signatureCount,
+			signErrorCount,
 		)
 		cmd.FailOnError(err, "Failed to create CRL impl")