envoy: add support for tls_inspector metrics

see also https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/listener_filters/tls_inspector Signed-off-by: William Dauchy <[email protected]>
DataDog · Sep 9, 2024 · 79f645f · 79f645f
1 parent 2d82a48
commit 79f645f
Show file tree

Hide file tree

Showing 9 changed files with 81 additions and 3 deletions.
diff --git a/envoy/changelog.d/18536.added b/envoy/changelog.d/18536.added
@@ -0,0 +1 @@
+Add support for tls_inspector metrics
diff --git a/envoy/datadog_checks/envoy/metrics.py b/envoy/datadog_checks/envoy/metrics.py
@@ -385,6 +385,14 @@
     'envoy_cluster_client_ssl_socket_factory_downstream_context_secrets_not_ready': 'cluster.client_ssl_socket_factory.downstream_context_secrets_not_ready',  # noqa: E501
     'envoy_connection_limit_active_connections': 'connection_limit.active_connections',
     'envoy_connection_limit_limited_connections': 'connection_limit.limited_connections',
+    'envoy_tls_inspector_client_hello_too_large': 'tls_inspector.client_hello_too_large',
+    'envoy_tls_inspector_tls_found': 'tls_inspector.tls.found',
+    'envoy_tls_inspector_tls_not_found': 'tls_inspector.tls.not_found',
+    'envoy_tls_inspector_alpn_found': 'tls_inspector.alpn.found',
+    'envoy_tls_inspector_alpn_not_found': 'tls_inspector.alpn.not_found',
+    'envoy_tls_inspector_sni_found': 'tls_inspector.sni.found',
+    'envoy_tls_inspector_sni_not_found': 'tls_inspector.sni.not_found',
+    'envoy_tls_inspector_bytes_processed': 'tls_inspector.bytes_processed',
 }
 
 # fmt: off

diff --git a/envoy/metadata.csv b/envoy/metadata.csv
@@ -988,3 +988,13 @@ envoy.cluster.client_ssl_socket_factory.upstream_context_secrets_not_ready.count
 envoy.listener.server_ssl_socket_factory.downstream_context_secrets_not_ready.count,count,,,,[OpenMetrics V2] The count of SSL context updates for the client's SSL socket factory performed by Secret Discovery Service.,-1,envoy,,
 envoy.listener.server_ssl_socket_factory.ssl_context_update_by_sds.count,count,,,,[OpenMetrics V2] The count of upstream SSL context secrets of the client's SSL socket factory that are not ready.,-1,envoy,,
 envoy.listener.server_ssl_socket_factory.upstream_context_secrets_not_ready.count,count,,,,[OpenMetrics V2] The count of downstream SSL context secrets for the client SSL socket factory that are not yet ready.,-1,envoy,,
+envoy.tls_inspector.client_hello_too_large.count,count,,,,[OpenMetrics V2] Total unreasonably large client hello received,0,envoy,,
+envoy.tls_inspector.tls.found.count,count,,,,[OpenMetrics V2] Total number of times TLS was found,0,envoy,,
+envoy.tls_inspector.tls.not_found.count,count,,,,[OpenMetrics V2] Total number of times TLS was not found,0,envoy,,
+envoy.tls_inspector.alpn.found.count,count,,,,[OpenMetrics V2] Total number of times Application-Layer Protocol Negotiation was successful,0,envoy,,
+envoy.tls_inspector.alpn.not_found.count,count,,,,[OpenMetrics V2] Total number of times Application-Layer Protocol Negotiation has failed,0,envoy,,
+envoy.tls_inspector.sni.found.count,count,,,,[OpenMetrics V2] Total number of times Server Name Indication was found,0,envoy,,
+envoy.tls_inspector.sni.not_found.count,count,,,,[OpenMetrics V2] Total number of times Server Name Indication was not found,0,envoy,,
+envoy.tls_inspector.bytes_processed.bucket,count,,,,[OpenMetrics V2] Records sizes which records the number of bytes the tls_inspector processed while analyzing for tls usage,0,envoy,,
+envoy.tls_inspector.bytes_processed.count,count,,,,[OpenMetrics V2] Count of records sizes which records the number of bytes the tls_inspector processed while analyzing for tls usage,0,envoy,,
+envoy.tls_inspector.bytes_processed.sum,count,,,,[OpenMetrics V2] Total sum of records sizes which records the number of bytes the tls_inspector processed while analyzing for tls usage,0,envoy,,
diff --git a/envoy/tests/common.py b/envoy/tests/common.py
@@ -383,6 +383,19 @@
 
 CONNECTION_LIMIT_STAT_PREFIX_TAG = 'stat_prefix:ingress_http'
 
+TLS_INSPECTOR_METRICS = [
+    "tls_inspector.client_hello_too_large.count",
+    "tls_inspector.tls.found.count",
+    "tls_inspector.tls.not_found.count",
+    "tls_inspector.alpn.found.count",
+    "tls_inspector.alpn.not_found.count",
+    "tls_inspector.sni.found.count",
+    "tls_inspector.sni.not_found.count",
+    "tls_inspector.bytes_processed.bucket",
+    "tls_inspector.bytes_processed.count",
+    "tls_inspector.bytes_processed.sum",
+]
+
 LOCAL_RATE_LIMIT_METRICS = [
     "http.local_rate_limit_enabled.count",
     "http.local_rate_limit_enforced.count",

diff --git a/envoy/tests/docker/api_v3/front-envoy.yaml b/envoy/tests/docker/api_v3/front-envoy.yaml
@@ -22,6 +22,10 @@ static_resources:
   listeners:
   - address:
       socket_address: {address: 0.0.0.0, port_value: 80}
+    listener_filters:
+      - name: envoy.filters.listeners.tls_inspector
+        typed_config:
+          "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
     filter_chains:
     - filters:
       - name: envoy.filters.network.connection_limit

diff --git a/envoy/tests/fixtures/openmetrics/openmetrics.txt b/envoy/tests/fixtures/openmetrics/openmetrics.txt
@@ -1340,3 +1340,40 @@ envoy_cluster_client_ssl_socket_factory_ssl_context_update_by_sds{envoy_cluster_
 envoy_cluster_client_ssl_socket_factory_upstream_context_secrets_not_ready{envoy_cluster_name="foo_cluster"} 2
 # TYPE envoy_cluster_client_ssl_socket_factory_downstream_context_secrets_not_ready counter
 envoy_cluster_client_ssl_socket_factory_downstream_context_secrets_not_ready{envoy_cluster_name="foo_cluster"} 0
+# TYPE envoy_tls_inspector_alpn_found counter
+envoy_tls_inspector_alpn_found{} 0
+# TYPE envoy_tls_inspector_alpn_not_found counter
+envoy_tls_inspector_alpn_not_found{} 0
+# TYPE envoy_tls_inspector_client_hello_too_large counter
+envoy_tls_inspector_client_hello_too_large{} 0
+# TYPE envoy_tls_inspector_sni_found counter
+envoy_tls_inspector_sni_found{} 0
+# TYPE envoy_tls_inspector_sni_not_found counter
+envoy_tls_inspector_sni_not_found{} 0
+# TYPE envoy_tls_inspector_tls_found counter
+envoy_tls_inspector_tls_found{} 0
+# TYPE envoy_tls_inspector_tls_not_found counter
+envoy_tls_inspector_tls_not_found{} 0
+# TYPE envoy_tls_inspector_bytes_processed histogram
+envoy_tls_inspector_bytes_processed_bucket{le="0.5"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="1"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="5"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="10"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="25"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="50"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="100"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="250"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="500"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="1000"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="2500"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="5000"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="10000"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="30000"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="60000"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="300000"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="600000"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="1800000"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="3600000"} 0
+envoy_tls_inspector_bytes_processed_bucket{le="+Inf"} 0
+envoy_tls_inspector_bytes_processed_sum{} 0
+envoy_tls_inspector_bytes_processed_count{} 0
diff --git a/envoy/tests/test_e2e.py b/envoy/tests/test_e2e.py
@@ -13,6 +13,7 @@
     FLAKY_METRICS,
     LOCAL_RATE_LIMIT_METRICS,
     PROMETHEUS_METRICS,
+    TLS_INSPECTOR_METRICS,
     requires_new_environment,
 )
 
@@ -23,7 +24,7 @@
 def test_e2e(dd_agent_check):
     aggregator = dd_agent_check(DEFAULT_INSTANCE, rate=True)
 
-    for metric in PROMETHEUS_METRICS + LOCAL_RATE_LIMIT_METRICS + CONNECTION_LIMIT_METRICS:
+    for metric in PROMETHEUS_METRICS + LOCAL_RATE_LIMIT_METRICS + CONNECTION_LIMIT_METRICS + TLS_INSPECTOR_METRICS:
         formatted_metric = "envoy.{}".format(metric)
         if metric in FLAKY_METRICS:
             aggregator.assert_metric(formatted_metric, at_least=0)

diff --git a/envoy/tests/test_integration.py b/envoy/tests/test_integration.py
@@ -15,6 +15,7 @@
     FLAKY_METRICS,
     LOCAL_RATE_LIMIT_METRICS,
     PROMETHEUS_METRICS,
+    TLS_INSPECTOR_METRICS,
     requires_new_environment,
 )
 
@@ -37,7 +38,7 @@ def test_check(aggregator, dd_run_check, check):
     dd_run_check(c)
     dd_run_check(c)
 
-    for metric in PROMETHEUS_METRICS + LOCAL_RATE_LIMIT_METRICS + CONNECTION_LIMIT_METRICS:
+    for metric in PROMETHEUS_METRICS + LOCAL_RATE_LIMIT_METRICS + CONNECTION_LIMIT_METRICS + TLS_INSPECTOR_METRICS:
         formatted_metric = "envoy.{}".format(metric)
         if metric in FLAKY_METRICS:
             aggregator.assert_metric(formatted_metric, at_least=0)

diff --git a/envoy/tests/test_unit.py b/envoy/tests/test_unit.py
@@ -18,6 +18,7 @@
     LOCAL_RATE_LIMIT_METRICS,
     MOCKED_PROMETHEUS_METRICS,
     RATE_LIMIT_STAT_PREFIX_TAG,
+    TLS_INSPECTOR_METRICS,
     get_fixture_path,
 )
 
@@ -48,7 +49,9 @@ def test_check(aggregator, dd_run_check, check, mock_http_response):
 
     dd_run_check(c)
 
-    for metric in MOCKED_PROMETHEUS_METRICS + LOCAL_RATE_LIMIT_METRICS + CLUSTER_AND_LISTENER_SSL_METRICS:
+    for metric in (
+        MOCKED_PROMETHEUS_METRICS + LOCAL_RATE_LIMIT_METRICS + CLUSTER_AND_LISTENER_SSL_METRICS + TLS_INSPECTOR_METRICS
+    ):
         aggregator.assert_metric("envoy.{}".format(metric))
 
     for metric in CONNECT_STATE_METRIC: