identity: add identity_cert_refresh_count metric (#788)

hawkw · web-flow · commit 1be301f2b060 · 2020-12-22T19:59:23.000-08:00
This commit adds a new `identity_cert_refresh_count` counter metric,
which tracks the number of times the proxy's identity certificate has
been successfully refreshed by the Identity service.

This change was fairly straightforward, but I did make a few internal
changes so that the counter could be passed into the daemon task. This
resulted in a couple things moving around, but the moved code is largely
unchanged.

In the future we may want to count cert refresh errors as well, possibly
adding labels for successes/failures, or a new metric tracking errors.
diff --git a/linkerd/app/src/identity.rs b/linkerd/app/src/identity.rs
@@ -46,21 +46,18 @@ impl Config {
         match self {
             Config::Disabled => Ok(Identity::Disabled),
             Config::Enabled { control, certify } => {
-                let (local, crt_store) = Local::new(&certify);
+                let (local, daemon) = Local::new(&certify);
 
                 let addr = control.addr.clone();
-                let svc = control.build(
-                    dns,
-                    metrics,
-                    tls::Conditional::Some(certify.trust_anchors.clone()),
-                );
+                let svc =
+                    control.build(dns, metrics, tls::Conditional::Some(certify.trust_anchors));
 
                 // Save to be spawned on an auxiliary runtime.
                 let task = {
                     let addr = addr.clone();
                     Box::pin(async move {
                         debug!(peer.addr = ?addr, "running");
-                        certify::daemon(certify, crt_store, svc).await
+                        daemon.run(svc).await
                     })
                 };
 
diff --git a/linkerd/proxy/identity/src/certify.rs b/linkerd/proxy/identity/src/certify.rs
@@ -1,6 +1,7 @@
 use crate::{Crt, CrtKey, Csr, Key, Name, TokenSource, TrustAnchors};
 use http_body::Body as HttpBody;
 use linkerd2_error::Error;
+use linkerd2_metrics::Counter;
 use linkerd2_proxy_api::identity as api;
 use linkerd2_proxy_transport::tls;
 use pin_project::pin_project;
@@ -37,6 +38,7 @@ pub struct Local {
     trust_anchors: TrustAnchors,
     name: Name,
     crt_key: watch::Receiver<Option<CrtKey>>,
+    refreshes: Arc<Counter>,
 }
 
 /// Produces a `Local` identity once a certificate is available.
@@ -48,74 +50,14 @@ pub struct LostDaemon;
 
 pub type CrtKeySender = watch::Sender<Option<CrtKey>>;
 
-pub async fn daemon<T>(config: Config, crt_key_watch: watch::Sender<Option<CrtKey>>, client: T)
-where
-    T: GrpcService<BoxBody>,
-    T::ResponseBody: Send + 'static,
-    <T::ResponseBody as Body>::Data: Send,
-    <T::ResponseBody as HttpBody>::Error: Into<Error> + Send,
-{
-    let mut curr_expiry = UNIX_EPOCH;
-    let mut client = api::identity_client::IdentityClient::new(client);
-
-    loop {
-        match config.token.load() {
-            Ok(token) => {
-                let req = grpc::Request::new(api::CertifyRequest {
-                    token,
-                    identity: config.local_name.as_ref().to_owned(),
-                    certificate_signing_request: config.csr.to_vec(),
-                });
-                trace!("daemon certifying");
-                let rsp = client.certify(req).await;
-                match rsp {
-                    Err(e) => error!("Failed to certify identity: {}", e),
-                    Ok(rsp) => {
-                        let api::CertifyResponse {
-                            leaf_certificate,
-                            intermediate_certificates,
-                            valid_until,
-                        } = rsp.into_inner();
-                        match valid_until.and_then(|d| SystemTime::try_from(d).ok()) {
-                            None => {
-                                error!("Identity service did not specify a certificate expiration.")
-                            }
-                            Some(expiry) => {
-                                let key = config.key.clone();
-                                let crt = Crt::new(
-                                    config.local_name.clone(),
-                                    leaf_certificate,
-                                    intermediate_certificates,
-                                    expiry,
-                                );
-
-                                match config.trust_anchors.certify(key, crt) {
-                                    Err(e) => {
-                                        error!("Received invalid ceritficate: {}", e);
-                                    }
-                                    Ok(crt_key) => {
-                                        debug!("daemon certified until {:?}", expiry);
-                                        if crt_key_watch.send(Some(crt_key)).is_err() {
-                                            // If we can't store a value, than all observations
-                                            // have been dropped and we can stop refreshing.
-                                            return;
-                                        }
-
-                                        curr_expiry = expiry;
-                                    }
-                                }
-                            }
-                        }
-                    }
-                }
-            }
-            Err(e) => error!("Failed to read authentication token: {}", e),
-        }
-        config.refresh(curr_expiry).await;
-    }
+#[derive(Debug)]
+pub struct Daemon {
+    crt_key_watch: CrtKeySender,
+    refreshes: Arc<linkerd2_metrics::Counter>,
+    config: Config,
 }
 
-// // === impl Config ===
+// === impl Config ===
 
 impl Config {
     /// Returns a future that fires when a refresh should occur.
@@ -138,17 +80,101 @@ impl Config {
     }
 }
 
+// === impl Daemon ===
+
+impl Daemon {
+    pub async fn run<T>(self, client: T)
+    where
+        T: GrpcService<BoxBody>,
+        T::ResponseBody: Send + 'static,
+        <T::ResponseBody as Body>::Data: Send,
+        <T::ResponseBody as HttpBody>::Error: Into<Error> + Send,
+    {
+        let Self {
+            config,
+            crt_key_watch,
+            refreshes,
+        } = self;
+        let mut curr_expiry = UNIX_EPOCH;
+        let mut client = api::identity_client::IdentityClient::new(client);
+
+        loop {
+            match config.token.load() {
+                Ok(token) => {
+                    let req = grpc::Request::new(api::CertifyRequest {
+                        token,
+                        identity: config.local_name.as_ref().to_owned(),
+                        certificate_signing_request: config.csr.to_vec(),
+                    });
+                    trace!("daemon certifying");
+                    let rsp = client.certify(req).await;
+                    match rsp {
+                        Err(e) => error!("Failed to certify identity: {}", e),
+                        Ok(rsp) => {
+                            let api::CertifyResponse {
+                                leaf_certificate,
+                                intermediate_certificates,
+                                valid_until,
+                            } = rsp.into_inner();
+                            match valid_until.and_then(|d| SystemTime::try_from(d).ok()) {
+                                None => error!(
+                                    "Identity service did not specify a certificate expiration."
+                                ),
+                                Some(expiry) => {
+                                    let key = config.key.clone();
+                                    let crt = Crt::new(
+                                        config.local_name.clone(),
+                                        leaf_certificate,
+                                        intermediate_certificates,
+                                        expiry,
+                                    );
+
+                                    match config.trust_anchors.certify(key, crt) {
+                                        Err(e) => {
+                                            error!("Received invalid ceritficate: {}", e);
+                                        }
+                                        Ok(crt_key) => {
+                                            debug!("daemon certified until {:?}", expiry);
+                                            if crt_key_watch.send(Some(crt_key)).is_err() {
+                                                // If we can't store a value, than all observations
+                                                // have been dropped and we can stop refreshing.
+                                                return;
+                                            }
+
+                                            refreshes.incr();
+                                            curr_expiry = expiry;
+                                        }
+                                    }
+                                }
+                            }
+                        }
+                    }
+                }
+                Err(e) => error!("Failed to read authentication token: {}", e),
+            }
+            config.refresh(curr_expiry).await;
+        }
+    }
+}
+
 // === impl Local ===
 
 impl Local {
-    pub fn new(config: &Config) -> (Self, CrtKeySender) {
+    pub fn new(config: &Config) -> (Self, Daemon) {
         let (s, w) = watch::channel(None);
+        let refreshes = Arc::new(Counter::new());
         let l = Local {
             name: config.local_name.clone(),
             trust_anchors: config.trust_anchors.clone(),
             crt_key: w,
+            refreshes: refreshes.clone(),
+        };
+        let daemon = Daemon {
+            config: config.clone(),
+            refreshes,
+            crt_key_watch: s,
         };
-        (l, s)
+        (l, daemon)
     }
 
     pub fn name(&self) -> &Name {
@@ -166,7 +192,7 @@ impl Local {
     }
 
     pub fn metrics(&self) -> crate::metrics::Report {
-        crate::metrics::Report::new(self.crt_key.clone())
+        crate::metrics::Report::new(self.crt_key.clone(), self.refreshes.clone())
     }
 }
 
diff --git a/linkerd/proxy/identity/src/metrics.rs b/linkerd/proxy/identity/src/metrics.rs
@@ -1,53 +1,70 @@
 use crate::CrtKey;
-use linkerd2_metrics::{metrics, FmtMetrics, Gauge};
-use std::{fmt, time::UNIX_EPOCH};
+use linkerd2_metrics::{metrics, Counter, FmtMetrics, Gauge};
+use std::{fmt, sync::Arc, time::UNIX_EPOCH};
 use tokio::sync::watch;
 
 #[derive(Debug, Clone)]
 pub struct Report {
-    crt_key_watch: Option<watch::Receiver<Option<CrtKey>>>,
+    inner: Option<Inner>,
 }
 
 metrics! {
     identity_cert_expiration_timestamp_seconds: Gauge {
-        "Time when the this proxy's current mTLS identity certificate will expire (in seconds since the UNIX epoch)"
+        "Time when the this proxy's current mTLS identity certificate will expire (in seconds since the UNIX epoch)."
+    },
+
+    identity_cert_refresh_count: Counter {
+        "The total number of times this proxy's mTLS identity certificate has been refreshed by the Identity service."
     }
 }
 
 impl Report {
-    pub(crate) fn new(watch: watch::Receiver<Option<CrtKey>>) -> Self {
+    pub(crate) fn new(
+        crt_key_watch: watch::Receiver<Option<CrtKey>>,
+        refreshes: Arc<Counter>,
+    ) -> Self {
         Self {
-            crt_key_watch: Some(watch),
+            inner: Some(Inner {
+                crt_key_watch,
+                refreshes,
+            }),
         }
     }
 
     pub fn disabled() -> Self {
-        Self {
-            crt_key_watch: None,
-        }
+        Self { inner: None }
     }
 }
 
+#[derive(Debug, Clone)]
+struct Inner {
+    crt_key_watch: watch::Receiver<Option<CrtKey>>,
+    refreshes: Arc<Counter>,
+}
+
 impl FmtMetrics for Report {
     fn fmt_metrics(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        let dur = if let Some(watch) = self.crt_key_watch.as_ref() {
-            if let Some(ref crt_key) = *(watch.borrow()) {
-                crt_key
-                .expiry()
-                .duration_since(UNIX_EPOCH)
-                .map_err(|error| {
-                    tracing::warn!(%error, "an identity would expire before the beginning of the UNIX epoch, something is probably wrong");
-                    fmt::Error
-                })?
-            } else {
-                return Ok(());
-            }
-        } else {
-            return Ok(());
+        let this = match self.inner.as_ref() {
+            Some(inner) => inner,
+            None => return Ok(()),
         };
 
-        identity_cert_expiration_timestamp_seconds.fmt_help(f)?;
-        identity_cert_expiration_timestamp_seconds.fmt_metric(f, &Gauge::from(dur.as_secs()))?;
+        if let Some(ref crt_key) = *(this.crt_key_watch.borrow()) {
+            let dur = crt_key
+            .expiry()
+            .duration_since(UNIX_EPOCH)
+            .map_err(|error| {
+                tracing::warn!(%error, "an identity would expire before the beginning of the UNIX epoch, something is probably wrong");
+                fmt::Error
+            })?;
+            identity_cert_expiration_timestamp_seconds.fmt_help(f)?;
+            identity_cert_expiration_timestamp_seconds
+                .fmt_metric(f, &Gauge::from(dur.as_secs()))?;
+        }
+
+        identity_cert_refresh_count.fmt_help(f)?;
+        identity_cert_refresh_count.fmt_metric(f, &this.refreshes)?;
+
         Ok(())
     }
 }
