Add new RBAC metrics in Legacy check (#16432)

* add new metrics * changelog entry * lint
DataDog · Dec 14, 2023 · bf72db2 · bf72db2
1 parent 373087f
commit bf72db2
Show file tree

Hide file tree

Showing 7 changed files with 70 additions and 7 deletions.
diff --git a/envoy/changelog.d/16432.added b/envoy/changelog.d/16432.added
@@ -0,0 +1 @@
+Add new RBAC metrics in Legacy check
diff --git a/envoy/datadog_checks/envoy/metrics.py b/envoy/datadog_checks/envoy/metrics.py
@@ -3861,6 +3861,38 @@
         ),
         'method': 'monotonic_count',
     },
+    'http.rbac.allowed': {
+        'tags': (
+            ('stat_prefix',),
+            (),
+            (),
+        ),
+        'method': 'monotonic_count',
+    },
+    'http.rbac.denied': {
+        'tags': (
+            ('stat_prefix',),
+            (),
+            (),
+        ),
+        'method': 'monotonic_count',
+    },
+    'http.rbac.shadow_allowed': {
+        'tags': (
+            ('stat_prefix',),
+            (),
+            (),
+        ),
+        'method': 'monotonic_count',
+    },
+    'http.rbac.shadow_denied': {
+        'tags': (
+            ('stat_prefix',),
+            (),
+            (),
+        ),
+        'method': 'monotonic_count',
+    },
     # "*." to match at the beginning of raw metric if it doesn't have a standard name
     '*.http_local_rate_limit.enabled': {
         'tags': (

diff --git a/envoy/metadata.csv b/envoy/metadata.csv
@@ -973,3 +973,7 @@ envoy.http_local_rate_limit.enabled,count,,request,,[Legacy] Total number of req
 envoy.http_local_rate_limit.enforced,count,,request,,[Legacy] Total number of requests for which rate limiting was applied (e.g.: 429 returned),-1,envoy,,
 envoy.http_local_rate_limit.rate_limited,count,,request,,[Legacy] Total number of responses without an available token (but not necessarily enforced),-1,envoy,,
 envoy.http_local_rate_limit.ok,count,,request,,[Legacy] Total number of under the limit responses from the token bucket,-1,envoy,,
+envoy.http.rbac.allowed,count,,request,,[Legacy] Total requests that were allowed access,-1,envoy,,
+envoy.http.rbac.denied,count,,request,,[Legacy] Total requests that were denied access,-1,envoy,,
+envoy.http.rbac.shadow_allowed,count,,request,,[Legacy] Total requests that would be allowed access by the filter's shadow rules,-1,envoy,,
+envoy.http.rbac.shadow_denied,count,,request,,[Legacy] Total requests that would be denied access by the filter's shadow rules,-1,envoy,,
diff --git a/envoy/tests/fixtures/legacy/local_rate_limit.txt b/envoy/tests/fixtures/legacy/local_rate_limit.txt
@@ -2,7 +2,7 @@ http_local_rate_limiter.http_local_rate_limit.enabled: 0
 http_local_rate_limiter.http_local_rate_limit.enforced: 0
 http_local_rate_limiter.http_local_rate_limit.ok: 0
 http_local_rate_limiter.http_local_rate_limit.rate_limited: 0
-foo.http_local_rate_limit.enabled: 0
-foo.http_local_rate_limit.enforced: 0
-foo.http_local_rate_limit.ok: 0
-foo.http_local_rate_limit.rate_limited: 0
+foo_buz_112.http_local_rate_limit.enabled: 0
+foo_buz_112.http_local_rate_limit.enforced: 0
+foo_buz_112.http_local_rate_limit.ok: 0
+foo_buz_112.http_local_rate_limit.rate_limited: 0
diff --git a/envoy/tests/fixtures/legacy/rbac_metric.txt b/envoy/tests/fixtures/legacy/rbac_metric.txt
@@ -0,0 +1,4 @@
+http.foo_buz_112.rbac.allowed: 0
+http.foo_buz_112.rbac.denied: 0
+http.foo_buz_112.rbac.shadow_allowed: 0
+http.foo_buz_112.rbac.shadow_denied: 0
diff --git a/envoy/tests/legacy/common.py b/envoy/tests/legacy/common.py
@@ -52,4 +52,11 @@
     "envoy.http_local_rate_limit.ok",
 ]
 
-RATE_LIMIT_STAT_PREFIX_TAG = ['stat_prefix:http_local_rate_limiter', 'stat_prefix:foo']
+STAT_PREFIX_TAG = ['stat_prefix:http_local_rate_limiter', 'stat_prefix:foo_buz_112']
+
+RBAC_METRICS = [
+    "envoy.http.rbac.allowed",
+    "envoy.http.rbac.denied",
+    "envoy.http.rbac.shadow_allowed",
+    "envoy.http.rbac.shadow_denied",
+]
diff --git a/envoy/tests/legacy/test_unit.py b/envoy/tests/legacy/test_unit.py
@@ -18,7 +18,8 @@
     HOST,
     INSTANCES,
     LOCAL_RATE_LIMIT_METRICS,
-    RATE_LIMIT_STAT_PREFIX_TAG,
+    RBAC_METRICS,
+    STAT_PREFIX_TAG,
 )
 
 CHECK_NAME = 'envoy'
@@ -281,7 +282,21 @@ def test_local_rate_limit_metrics(aggregator, fixture_path, mock_http_response,
 
     for metric in LOCAL_RATE_LIMIT_METRICS:
         aggregator.assert_metric(metric)
-        for tag in RATE_LIMIT_STAT_PREFIX_TAG:
+        for tag in STAT_PREFIX_TAG:
             aggregator.assert_metric_has_tag(metric, tag, count=1)
 
     aggregator.assert_metrics_using_metadata(get_metadata_metrics())
+
+
+def test_rbac_metrics(aggregator, fixture_path, mock_http_response, check, dd_run_check):
+    instance = INSTANCES['main']
+    c = check(instance)
+
+    mock_http_response(file_path=fixture_path('./legacy/rbac_metric.txt'))
+    dd_run_check(c)
+
+    for metric in RBAC_METRICS:
+        aggregator.assert_metric(metric)
+        aggregator.assert_metric_has_tag(metric, STAT_PREFIX_TAG[1], count=1)
+
+    aggregator.assert_metrics_using_metadata(get_metadata_metrics())