From 178b2fe610fb1e2e1620a4d2ae36bc827a12db63 Mon Sep 17 00:00:00 2001
From: Paul Coignet
Date: Fri, 14 Jun 2019 18:15:14 +0200
Subject: [PATCH 1/3] Add listerners metrics
---
envoy/datadog_checks/envoy/metrics.py | 24 +++++++++++++++
envoy/metadata.csv | 3 ++
envoy/tests/fixtures/multiple_services | 4 +++
envoy/tests/test_parser.py | 42 ++++++++++++++++++++++++++
4 files changed, 73 insertions(+)
diff --git a/envoy/datadog_checks/envoy/metrics.py b/envoy/datadog_checks/envoy/metrics.py
index 4c4d472338c23..30b52076b631c 100644
--- a/envoy/datadog_checks/envoy/metrics.py
+++ b/envoy/datadog_checks/envoy/metrics.py
@@ -1071,6 +1071,30 @@
 ),
 'method': 'monotonic_count',
 },
+ 'listener.ssl.versions': {
+ 'tags': (
+ ('address', ),
+ (),
+ ('version', ),
+ ),
+ 'method': 'monotonic_count',
+ },
+ 'listener.ssl.curves': {
+ 'tags': (
+ ('address', ),
+ (),
+ ('curve', ),
+ ),
+ 'method': 'monotonic_count',
+ },
+ 'listener.ssl.sigalgs': {
+ 'tags': (
+ ('address', ),
+ (),
+ ('sigalg', ),
+ ),
+ 'method': 'monotonic_count',
+ },
 'listener_manager.listener_added': {
 'tags': (
 (),
diff --git a/envoy/metadata.csv b/envoy/metadata.csv
index 87f67f2608ac6..172c7b51004cf 100644
--- a/envoy/metadata.csv
+++ b/envoy/metadata.csv
@@ -110,6 +110,9 @@ envoy.listener.ssl.fail_verify_error,count,,connection,,Total TLS connections th
 envoy.listener.ssl.fail_verify_san,count,,connection,,Total TLS connections that failed SAN verification,-1,envoy,
 envoy.listener.ssl.fail_verify_cert_hash,count,,connection,,Total TLS connections that failed certificate pinning verification,-1,envoy,
 envoy.listener.ssl.cipher,count,,connection,,Total TLS connections that used cipher tag,0,envoy,
+envoy.listener.ssl.versions,count,,connection,,Total successful TLS connections that used protocol version tag,0,envoy,
+envoy.listener.ssl.curves,count,,connection,,Total successful TLS connections that used ECDHE curve tag,0,envoy,
+envoy.listener.ssl.sigalgs,count,,connection,,Total successful TLS connections that used signature algorithm sigalg tag,0,envoy,
 envoy.listener_manager.listener_added,count,,host,,Total listeners added (either via static config or LDS),0,envoy,
 envoy.listener_manager.listener_modified,count,,host,,Total listeners modified (via LDS),0,envoy,
 envoy.listener_manager.listener_removed,count,,host,,Total listeners removed (via LDS),0,envoy,
diff --git a/envoy/tests/fixtures/multiple_services b/envoy/tests/fixtures/multiple_services
index 3fc6951356862..eb4250d5ad1cb 100644
--- a/envoy/tests/fixtures/multiple_services
+++ b/envoy/tests/fixtures/multiple_services
@@ -4273,6 +4273,10 @@ listener.00.00.00.00_0000.downstream_cx_total: 0
 listener.00.00.00.00_0000.downstream_cx_active: 0
 listener.00.00.00.00_0000.downstream_cx_destroy: 0
 listener.00.00.00.00_0000.downstream_cx_total: 0
+listener.00.00.00.00_0000.ssl.versions.TLSv1.2: 13108
+listener.00.00.00.00_0000.ssl.versions.TLSv1.3: 7
+listener.00.00.00.00_0000.ssl.curves.P-256: 76
+listener.00.00.00.00_0000.ssl.sigalgs.rsa_pss_rsae_sha256: 0
 listener.admin.downstream_cx_active: 1
 listener.admin.downstream_cx_destroy: 3
 listener.admin.downstream_cx_total: 4
diff --git a/envoy/tests/test_parser.py b/envoy/tests/test_parser.py
index 976407ff87385..f54fceb034b5e 100644
--- a/envoy/tests/test_parser.py
+++ b/envoy/tests/test_parser.py
@@ -305,6 +305,48 @@ def test_listener_manager(self):
 assert parse_metric(metric) == (METRIC_PREFIX + metric, list(tags), METRICS[metric]['method'])
+ def test_listener_tls(self):
+ metric = 'listener{}.ssl.versions{}'
+ untagged_metric = metric.format('', '')
+ tags = [tag for tags in METRICS[untagged_metric]['tags'] for tag in tags]
+ tag0 = '0.0.0.0'
+ tag1 = 'TLSv1.2'
+ tagged_metric = metric.format('.{}'.format(tag0), '.{}'.format(tag1))
+
+ assert parse_metric(tagged_metric) == (
+ METRIC_PREFIX + untagged_metric,
+ ['{}:{}'.format(tags[0], tag0), '{}:{}'.format(tags[1], tag1)],
+ METRICS[untagged_metric]['method'],
+ )
+
+ def test_listener_curves(self):
+ metric = 'listener{}.ssl.curves{}'
+ untagged_metric = metric.format('', '')
+ tags = [tag for tags in METRICS[untagged_metric]['tags'] for tag in tags]
+ tag0 = '0.0.0.0'
+ tag1 = 'P-256'
+ tagged_metric = metric.format('.{}'.format(tag0), '.{}'.format(tag1))
+
+ assert parse_metric(tagged_metric) == (
+ METRIC_PREFIX + untagged_metric,
+ ['{}:{}'.format(tags[0], tag0), '{}:{}'.format(tags[1], tag1)],
+ METRICS[untagged_metric]['method'],
+ )
+
+ def test_listener_sigalgs(self):
+ metric = 'listener{}.ssl.sigalgs{}'
+ untagged_metric = metric.format('', '')
+ tags = [tag for tags in METRICS[untagged_metric]['tags'] for tag in tags]
+ tag0 = '0.0.0.0'
+ tag1 = 'rsa_pss_rsae_sha256'
+ tagged_metric = metric.format('.{}'.format(tag0), '.{}'.format(tag1))
+
+ assert parse_metric(tagged_metric) == (
+ METRIC_PREFIX + untagged_metric,
+ ['{}:{}'.format(tags[0], tag0), '{}:{}'.format(tags[1], tag1)],
+ METRICS[untagged_metric]['method'],
+ )
+
 def test_http(self):
 metric = 'http{}.downstream_cx_total'
 untagged_metric = metric.format('')
From 04be24a590671ec7ce717d6d65f53a458b3c024e Mon Sep 17 00:00:00 2001
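Review bot: The three tests added in this hunk (`test_listener_tls`, `test_listener_curves`, `test_listener_sigalgs`) are copies of one body that differ only in the stat name and the sample tag value, so any later change to the expected tuple has to be made three times. A single parametrized test covers the same cases and makes it a one-line addition when another tagged `listener.ssl.*` stat is mapped; this assumes `pytest` is importable in the test module, which the hunk does not show. The enclosing test class starts outside the hunk.

```python
    @pytest.mark.parametrize(
        'stat, value',
        [
            ('versions', 'TLSv1.2'),
            ('curves', 'P-256'),
            ('sigalgs', 'rsa_pss_rsae_sha256'),
        ],
    )
    def test_listener_tls(self, stat, value):
        metric = 'listener{}.ssl.' + stat + '{}'
        untagged_metric = metric.format('', '')
        tags = [tag for tags in METRICS[untagged_metric]['tags'] for tag in tags]
        tag0 = '0.0.0.0'
        tagged_metric = metric.format('.{}'.format(tag0), '.{}'.format(value))

        assert parse_metric(tagged_metric) == (
            METRIC_PREFIX + untagged_metric,
            ['{}:{}'.format(tags[0], tag0), '{}:{}'.format(tags[1], value)],
            METRICS[untagged_metric]['method'],
        )
```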
From: Paul Coignet
Date: Mon, 17 Jun 2019 10:53:04 +0200
Subject: [PATCH 2/3] Add ciphers metric
---
envoy/datadog_checks/envoy/metrics.py | 8 ++++++++
envoy/metadata.csv | 1 +
envoy/tests/fixtures/multiple_services | 1 +
envoy/tests/test_envoy.py | 2 +-
4 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/envoy/datadog_checks/envoy/metrics.py b/envoy/datadog_checks/envoy/metrics.py
index 30b52076b631c..f452fef23969f 100644
--- a/envoy/datadog_checks/envoy/metrics.py
+++ b/envoy/datadog_checks/envoy/metrics.py
@@ -1071,6 +1071,14 @@
 ),
 'method': 'monotonic_count',
 },
+ 'listener.ssl.ciphers': {
+ 'tags': (
+ ('address', ),
+ (),
+ ('cipher', ),
+ ),
+ 'method': 'monotonic_count',
+ },
 'listener.ssl.versions': {
 'tags': (
 ('address', ),
diff --git a/envoy/metadata.csv b/envoy/metadata.csv
index 172c7b51004cf..4e8e872c36224 100644
--- a/envoy/metadata.csv
+++ b/envoy/metadata.csv
@@ -110,6 +110,7 @@ envoy.listener.ssl.fail_verify_error,count,,connection,,Total TLS connections th
 envoy.listener.ssl.fail_verify_san,count,,connection,,Total TLS connections that failed SAN verification,-1,envoy,
 envoy.listener.ssl.fail_verify_cert_hash,count,,connection,,Total TLS connections that failed certificate pinning verification,-1,envoy,
 envoy.listener.ssl.cipher,count,,connection,,Total TLS connections that used cipher tag,0,envoy,
+envoy.listener.ssl.ciphers,count,,connection,,Total TLS connections that used cipher tag,0,envoy,
 envoy.listener.ssl.versions,count,,connection,,Total successful TLS connections that used protocol version tag,0,envoy,
 envoy.listener.ssl.curves,count,,connection,,Total successful TLS connections that used ECDHE curve tag,0,envoy,
 envoy.listener.ssl.sigalgs,count,,connection,,Total successful TLS connections that used signature algorithm sigalg tag,0,envoy,
diff --git a/envoy/tests/fixtures/multiple_services b/envoy/tests/fixtures/multiple_services
index eb4250d5ad1cb..eed46b7ffee73 100644
--- a/envoy/tests/fixtures/multiple_services
+++ b/envoy/tests/fixtures/multiple_services
@@ -4273,6 +4273,7 @@ listener.00.00.00.00_0000.downstream_cx_total: 0
 listener.00.00.00.00_0000.downstream_cx_active: 0
 listener.00.00.00.00_0000.downstream_cx_destroy: 0
 listener.00.00.00.00_0000.downstream_cx_total: 0
+listener.00.00.00.00_0000.ssl.ciphers.AEAD-AES256-GCM-SHA384: 3
 listener.00.00.00.00_0000.ssl.versions.TLSv1.2: 13108
 listener.00.00.00.00_0000.ssl.versions.TLSv1.3: 7
 listener.00.00.00.00_0000.ssl.curves.P-256: 76
diff --git a/envoy/tests/test_envoy.py b/envoy/tests/test_envoy.py
index 5e18118def92f..772f6d0c010c7 100644
--- a/envoy/tests/test_envoy.py
+++ b/envoy/tests/test_envoy.py
@@ -36,7 +36,7 @@ def test_success_fixture(self, aggregator):
 num_metrics = len(response('multiple_services').content.decode().splitlines())
 num_metrics -= sum(c.unknown_metrics.values()) + sum(c.unknown_tags.values())
- assert 4150 <= metrics_collected == num_metrics
+ assert 4155 <= metrics_collected == num_metrics
 def test_success_fixture_whitelist(self, aggregator):
 instance = INSTANCES['whitelist']
From d05f52ffe00c31325f2adf3ff3417c5045fae87a Mon Sep 17 00:00:00 2001
From: Paul Coignet
Date: Tue, 18 Jun 2019 10:14:18 +0200
Subject: [PATCH 3/3] Remove old cipher metric
---
envoy/datadog_checks/envoy/metrics.py | 8 --------
envoy/metadata.csv | 1 -
envoy/tests/test_parser.py | 4 ++--
3 files changed, 2 insertions(+), 11 deletions(-)
diff --git a/envoy/datadog_checks/envoy/metrics.py b/envoy/datadog_checks/envoy/metrics.py
index f452fef23969f..f3d30ad511f14 100644
--- a/envoy/datadog_checks/envoy/metrics.py
+++ b/envoy/datadog_checks/envoy/metrics.py
@@ -1063,14 +1063,6 @@
 ),
 'method': 'monotonic_count',
 },
- 'listener.ssl.cipher': {
- 'tags': (
- ('address', ),
- (),
- ('cipher', ),
- ),
- 'method': 'monotonic_count',
- },
 'listener.ssl.ciphers': {
 'tags': (
 ('address', ),
diff --git a/envoy/metadata.csv b/envoy/metadata.csv
index 4e8e872c36224..666249a57c066 100644
--- a/envoy/metadata.csv
+++ b/envoy/metadata.csv
@@ -109,7 +109,6 @@ envoy.listener.ssl.fail_verify_no_cert,count,,connection,,Total TLS connections
 envoy.listener.ssl.fail_verify_error,count,,connection,,Total TLS connections that failed CA verification,-1,envoy,
 envoy.listener.ssl.fail_verify_san,count,,connection,,Total TLS connections that failed SAN verification,-1,envoy,
 envoy.listener.ssl.fail_verify_cert_hash,count,,connection,,Total TLS connections that failed certificate pinning verification,-1,envoy,
-envoy.listener.ssl.cipher,count,,connection,,Total TLS connections that used cipher tag,0,envoy,
 envoy.listener.ssl.ciphers,count,,connection,,Total TLS connections that used cipher tag,0,envoy,
 envoy.listener.ssl.versions,count,,connection,,Total successful TLS connections that used protocol version tag,0,envoy,
 envoy.listener.ssl.curves,count,,connection,,Total successful TLS connections that used ECDHE curve tag,0,envoy,
diff --git a/envoy/tests/test_parser.py b/envoy/tests/test_parser.py
index f54fceb034b5e..6b5e9396b8f4d 100644
--- a/envoy/tests/test_parser.py
+++ b/envoy/tests/test_parser.py
@@ -286,11 +286,11 @@ def test_mongo_collection(self):
 )
 def test_listener(self):
- metric = 'listener{}.ssl.cipher{}'
+ metric = 'listener{}.ssl.ciphers{}'
 untagged_metric = metric.format('', '')
 tags = [tag for tags in METRICS[untagged_metric]['tags'] for tag in tags]
 tag0 = '0.0.0.0_80'
- tag1 = 'some_cipher'
+ tag1 = 'some_ciphers'
 tagged_metric = metric.format('.{}'.format(tag0), '.{}'.format(tag1))
 assert parse_metric(tagged_metric) == (
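Review bot: With `test_listener` switched to `listener{}.ssl.ciphers{}` and the `listener.ssl.cipher` entry dropped from `METRICS` in this series, the singular stat name is no longer mapped or tested. If any Envoy release the check still supports emits `ssl.cipher.<name>` (not visible here), those per-cipher counters would presumably be counted in `unknown_metrics` and disappear from TLS monitoring without an error, so consider keeping the old key alongside the new one or documenting the minimum Envoy version. Also, `tag1 = 'some_ciphers'` looks like an over-eager rename: it is a sample value for the `cipher` tag rather than part of the stat name, so `tag1 = 'some_cipher'` reads better. `test_listener` continues past the end of the hunk.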