Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

metrics: emit stats for vault token next_renewal & last_renewal #5222 #12435

Merged
merged 4 commits into from
Apr 6, 2022
Merged

metrics: emit stats for vault token next_renewal & last_renewal #5222 #12435

merged 4 commits into from
Apr 6, 2022

Conversation

jazzyfresh
Copy link
Contributor

@jazzyfresh jazzyfresh commented Apr 1, 2022
edited by lgfa29
Loading

Closes #5222

@jazzyfresh jazzyfresh requested review from lgfa29 and angrycub April 1, 2022 17:05
@shoenig
Copy link
Member

shoenig commented Apr 4, 2022

@jazzyfresh looks like make check is unhappy

https://app.circleci.com/pipelines/github/hashicorp/nomad/21770/workflows/8b8b5570-ce2f-42f6-969a-cf8e66c52e53/jobs/227728

lgfa29
lgfa29 suggested changes Apr 4, 2022
View reviewed changes
Copy link
Contributor

@lgfa29 lgfa29 left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These are super nice!

I will ask the team about the ms vs ns thing, but regardless of the unit we need to document these new metrics in https://www.nomadproject.io/docs/operations/metrics-reference

Probably even worth mentioning them in https://www.nomadproject.io/docs/operations/metrics-reference#key-metrics.

Next token renewal should never be negative, if it does, it means that Nomad found an unrecoverable error and will not attempt to renew its Vault token anymore.

Last token renewal should never go past the Nomad token TTL, and going past TTL/2 should probably be a warning. If this happens it means that Nomad is not able to renew its token.

Token TTL is kind of a mix of them. It should never go below zero and dipping below TTL/2 should be a warning.

image

nomad/vault.go Outdated
v.currentExpiration = time.Now().Add(time.Duration(ttlSeconds) * time.Second)
now := time.Now()
v.currentExpiration = now.Add(time.Duration(ttlSeconds) * time.Second)
v.lastRenewalTime = now
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Right now extendExpiration is only called in parseToken, which runs once when the client starts, so the metric works, but it seems like it would be easy to call it somewhere else and accidentally reset this metric.

Updating this value inside renew (once it succeeds) sounds like a better option, or maybe inside the renewalLoop inside the if err == nil block and the use the same lock for last and next renewal?

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

extendExpiration is called in renew too.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup, but my point is that it should only be called in renew, otherwise it will reset the metric value. You would also want to reset it whenever renew is called, so this action is tied to the renew process, not necessarily to the expiration extension.

nomad/vault.go Outdated Show resolved Hide resolved
nomad/vault.go Outdated Show resolved Hide resolved
@jazzyfresh
Copy link
Contributor Author

@jazzyfresh looks like make check is unhappy

https://app.circleci.com/pipelines/github/hashicorp/nomad/21770/workflows/8b8b5570-ce2f-42f6-969a-cf8e66c52e53/jobs/227728

my goland linter is broken again T-T

@vercel vercel bot temporarily deployed to Preview – nomad April 5, 2022 23:53 Inactive
@vercel vercel bot temporarily deployed to Preview – nomad April 6, 2022 15:45 Inactive
@jazzyfresh jazzyfresh merged commit cab30e5 into main Apr 6, 2022
@jazzyfresh jazzyfresh deleted the vault-renewal-metrics branch April 6, 2022 17:03
lgfa29 added a commit that referenced this pull request Apr 6, 2022
@lgfa29
changelog: add entry for #12435
5d8eb7f
lgfa29 added a commit that referenced this pull request Apr 6, 2022
@lgfa29
changelog: add entry for #12435 (#12491)
3d29c6f
jazzyfresh pushed a commit that referenced this pull request Apr 7, 2022
docs: add token_last_renewal and token_next_renewal to server metrics…
251c9d5 
… and key metrics #12435
jazzyfresh pushed a commit that referenced this pull request Apr 7, 2022
docs: add token_last_renewal and token_next_renewal to server metrics…
ccaaadf 
… and key metrics #12435 (#12505)
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 120 days ⏳. This helps our maintainers find and focus on the active contributions.
If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 22, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@lgfa29 lgfa29 lgfa29 approved these changes

@angrycub angrycub Awaiting requested review from angrycub

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[Enhancement] Add telemetry for vault token renewal
4 participants
@jazzyfresh @shoenig @angrycub @lgfa29