Metrics for Venafi Enhanced Issuer¶
Overview¶
The Venafi Enhanced Issuer component exposes operational and usage telemetry metrics suitable for popular monitoring solutions, enabling alerts on important operational states.
Health metrics assist in evaluating the readiness of the configured VenafiIssuer and VenafiClusterIssuer resources.
Resource metrics helps the monitoring of CPU, networking, and other resources used by the Venafi Enhanced Issuer on its host.
Operational metrics related to certificate requests help identify conditions that may indicate potential malfunctions, incorrect configurations, or misuse.
All metrics formatted in Prometheus format are available at the standard /metrics path. They can be accessed using the configured HTTP port of the controller component.
Enabling metrics¶
You need Venafi Enhanced Issuer version 0.10.0 or later to use Prometheus metrics. The metrics aren't enabled by default. The example configuration below enables the metrics and specifies the interval at which metrics should be scraped.
To enable the metrics, see the instructions on deploying Venafi Enhanced Issuer, and add the following to the Helm values file:
metrics:
enabled: true
podmonitor:
enabled: true
There are various metrics configuration options in the Helm chart.
Component information metrics¶
This metric enables you to view the version and commit number of the Venafi Enhanced Issuer component.
-
venafienhancedissuer_info: A gauge metric indicating the version of the component.Labels
version: The version number of the component.commit: The commit number of the component.
Health status of VenafiIssuer and VenafiClusterIssuer resources metrics¶
VenafiIssuer and VenafiClusterIssuer are Kubernetes resources representing certificate authorities (CAs) capable of generating signed certificates by processing certificate signing requests. All cert-manager certificates require a referenced issuer that is in a ready condition in order to attempt certificate enrollment.
The two metrics indicate the location and the current status of the Issuer and ClusterIssuer resources.
venafienhancedissuer_venafiissuer_ready_status: A gauge metric for the health status ofVenafiIssuerresources.-
venafienhancedissuer_venaficlusterissuer_ready_status: A gauge metric for the health status ofVenafiClusterIssuerresources.Labels
name: The name of the issuer resource.namespace: The namespace of the issuer resource.venafi_connection_name: The name of the VenafiConnection resource used by the current issuer.ready_status: The status of the issuer. Possible values areTrue,False,Unknown.ready_reason: The reason for the current issuer status. Possible values arePendingandChecked.Checkedindicates that the connection to Venafi Control Plane or Venafi TLS Protect Datacenter has been verified and is functioning properly.
Alerts
If you notice issuers with a ready_status value of False or Unknown, it may impact the certificate enrollment and renewal operations for certificates associated with the affected issuer. This has the potential to result in the inability to obtain a certificate, leading to potential application malfunctions.
To diagnose the problem, list the issuers with the following command:
$ kubectl get venafiissuer,venaficlusterissuer --all-namespaces
NAME READY REASON MESSAGE
venafiissuer.jetstack.io/issuer-4 False Pending Not ready yet: VenafiConnection.jetstack.io "example" not found
In the above example, the name provided to venafiConnectionName was incorrect; changing it to the correct value fixed the issue.
Status of the certificate requests metrics¶
The CertificateRequest is a resource used for requesting X.509 certificates from an cert-manager issuer. The resource includes the certificate signing request (CSR) sent to the referenced issuer. Upon successful issuance, it returns a signed certificate based on the CSR.
venafienhancedissuer_certificaterequest_ready_status is a gauge metric that contains the count of certificate requests for all issuers (not limited to VenafiIssuer and VenafiClusterIssuer). It provides additional details on the location of the certificate request resource and its status. The metric also includes information about the referenced cert-manager issuer.
-
venafienhancedissuer_certificaterequest_ready_status: A gauge metric for the requested certificate requests.Labels
namespace: The namespace of the certificate request resource.ready_status: The status of the certificate request. Possible values areTrue,False,Unknown.ready_reason: The reason for the current status of the certificate request. Possible values arePending,Failed,Denied,Issued, andInitializing.issuer_name: The name of the issuer which processed the certificate request.issuer_kind: The kind of the issuer which processed the certificate request.issuer_group: The group of the issuer which processed the certificate request.
Alerts
Monitoring the count of venafienhancedissuer_certificaterequest_ready_status allows you to understand the certificate enrollment process across the Kubernetes cluster. Certificate requests with ready_status equal to False require investigation. For instance, an increase in failed certificate requests with ready_reason equal to Denied suggests a potential attempt of mis-issuance or mis-configuration.
Here are some kubectl commands to help you find and examine the offending CertificateRequest resources in your cluster:
Troubleshooting CertificateRequest resources¶
If there are CertificateRequest resources which are not Ready
Use the following command to find all unready CertificateRequest resources in all namespaces, and show only the name, namespace and Ready condition of each resource:
kubectl wait certificaterequest \
--all-namespaces \
--all \
--timeout 0 \
--output json \
--for condition=Ready=false \
2>stderr.txt \
| jq '{"name": .metadata.name, "namespace": .metadata.namespace, "ready-condition": .status.conditions[] | select(.type=="Ready")}'
If there are Denied CertificateRequest resources
First, find the offending CertificateRequest resources.
You can use following command to find all Denied CertificateRequest resources in all namespaces, and show only the name, namespace and Denied condition of each resource:
kubectl wait certificaterequest \
--all-namespaces \
--all \
--timeout 0 \
--output json \
--for condition=Denied=True \
2>stderr.txt \
| jq '{"name": .metadata.name, "namespace": .metadata.namespace, "denied-condition": .status.conditions[] | select(.type=="Denied")}'
Problems¶
Here is an example of a failure caused by a CertificateRequestPolicy violation:
{
"name": "issuer-2-policy-fails-cert-42-1",
"namespace": "default",
"denied-condition": {
"lastTransitionTime": "2023-11-29T23:09:41Z",
"message": "No policy approved this request: [issuer-2: spec.allowed.dnsNames.values: Invalid value: []string{\"forbidden-domain-42.com\"}: *.example.com, *.ca-wont-accept.org] [mael: common name forbidden-domain-42.com is not allowed in this policy: [^.*.example.com$ ^.*.example.org$ ^.*.example.net$ ^.*.invalid$ ^.*.local$ ^.*.localhost$ ^.*.test$]]",
"reason": "policy.cert-manager.io",
"status": "True",
"type": "Denied"
}
}
In this example, there are two problems:
Non-compliance with CertificateRequestPolicy named issuer-2
The DNS names in the CertificateRequest do not comply with the DNS domain patterns allowed by the CertificateRequestPolicy called issuer-2.
Non-compliance with CertificateRequestPolicy named mael
The common name of the CertificateRequest does not comply with common name patterns allowed by the CertificateRequestPolicy called mael.
Possible Causes¶
There are three possible causes of this problem:
- The team responsible for this
CertificateRequestmay be creating inappropriate CertificateRequest resources. - The policy in the
CertificateRequestPolicyresources may be wrong. - The
CertificateRequestPolicyselector may be wrong.
The team responsible for this CertificateRequest may be creating inappropriate CertificateRequest resources
If they have examined the CertificateRequest resource, the application team will be aware of the policy violations. They should know what the problem is by looking at the condition and events, and they should create another CertificateRequest using compliant DNS names. No further action should be required from the platform team, unless the application team fails to correct the problem themselves.
The policy in the CertificateRequestPolicy resources may be wrong
As a platform administrator you should examine the CertificateRequestPolicy resources to understand how they are configured, and to double-check that the policy rules are appropriate.
Use the following kubectl describe command to show a summary of the two CertificateRequestPolicy resources that have been applied to this CertificateRequest:
kubectl describe CertificateRequestPolicy issuer-2 mael
The CertificateRequestPolicy called issuer-2 uses built-in policy settings. For more information, see the approver-policy API reference.
$ kubectl describe CertificateRequestPolicy issuer-2
Name: issuer-2
Namespace:
Labels: <none>
Annotations: <none>
API Version: policy.cert-manager.io/v1alpha1
Kind: CertificateRequestPolicy
Metadata:
Creation Timestamp: 2023-09-28T12:15:55Z
Generation: 2
Resource Version: 50593872
UID: 976773f4-0f0f-48a8-8bd8-6305d5097a9c
Spec:
Allowed:
Common Name:
Value: *
Dns Names:
Values:
*.example.com
*.ca-wont-accept.org
Selector:
Issuer Ref:
Group: jetstack.io
Kind: VenafiClusterIssuer
Name: issuer-2
Status:
Conditions:
Last Transition Time: 2023-11-30T08:30:02Z
Message: CertificateRequestPolicy is ready for approval evaluation
Observed Generation: 2
Reason: Ready
Status: True
Type: Ready
Events: <none>
Check that these policy rules are appropriate for the CertificateRequest resources that they are being applied to.
The CertificateRequestPolicy called mael uses the Plugins.Venafi stanza, which means that it is connected to Venafi:
$ kubectl describe CertificateRequestPolicy mael
Name: mael
Namespace:
Labels: <none>
Annotations: <none>
API Version: policy.cert-manager.io/v1alpha1
Kind: CertificateRequestPolicy
Metadata:
Creation Timestamp: 2023-10-27T12:42:43Z
Generation: 2
Resource Version: 50881317
UID: 77dd9c0c-46f8-4c90-8109-798a4278fd01
Spec:
Allowed:
Common Name:
Value: *
Dns Names:
Values:
*
Plugins:
Venafi:
Values:
Venafi Connection Name: mael-connection
Zone: mael\Default
Selector:
Issuer Ref:
Status:
Conditions:
Last Transition Time: 2023-11-30T17:12:50Z
Message: CertificateRequestPolicy is ready for approval evaluation
Observed Generation: 2
Reason: Ready
Status: True
Type: Ready
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal Ready 8m41s (x161 over 2d8h) policy.cert-manager.io CertificateRequestPolicy is ready for approval evaluation
This CertificateRequestPolicy is Ready, so you can be confident that the policy rules have been successfully downloaded from the Venafi TPP server. These policy rules are maintained in Venafi TPP by the InfoSec team, as a platform administrator you can communicate with the InfoSec team and ask them to relax the policy rules if necessary, or ask them to suggest a different Venafi policy "zone" which might be more appropriate.
The CertificateRequestPolicy selector may be wrong
As a platform administrator you might conclude that CertificateRequest resource has been matched to the wrong CertificateRequestPolicy resources. In this case, it's your responsibility to adjust the CertificateRequestPolicy selector fields.
For more information, see the CertificateRequestPolicy selector field configuration instructions.
Health of the Venafi Connection metrics¶
The Venafi Connection resource venaficonnection_status indicates if connection to the Venafi API is successful or not with respect to which service is using the connection.
Labels¶
name: The name of the Venafi Connection resource.namespace: The name of the service that is using the connection.cond_type: This string represents the name of the component for whichcond_statusapplies. The possible values areVenafiEnhancedIssuerReadyandApproverPolicyVenafiReady.cond_status: The possible values areTrue(the connection to the Venafi service is OK) orFalse(the connection or authentication is failing).
For example, the following line means that the Venafi Connection conn is being used by the Approver Policy Enterprise component, and that the connection between Approver Policy Enterprise and Venafi is failing:
venaficonnection_status{name="conn",namespace="venafi",ready_status="False",cond_type="ApproverPolicyVenafiReady"} 1
Alerts¶
Venafi Connection resources with the condition type VenafiEnhancedIssuerReady or ApproverPolicyEnterpriseReady equal to False must be investigated. This will alert you when a component is unable to connect to the Venafi API.
If you have jq installed, you can identify the component that is using the connection. Use the following command to list the Venafi Connection resources:
kubectl get venaficonnection --all-namespaces -o json \
| jq -r '.items[] | select(.status.conditions[].status == "True") | "\(.metadata.namespace) \(.metadata.name)"'
Once you have identified the Venafi Connection resource that contain a False condition, you can debug the problem by displaying its events:
kubectl describe venaficonnection -n <namespace> <name>
Latency and status codes of the HTTP requests metrics¶
These two metrics represent the latency and status codes of the HTTP requests to Venafi Control Plane and Venafi TLS Protect Datacenter.
-
vcert_http_request_duration_seconds_bucket: A histogram metric indicating the durations of requests to Venafi Control Plane and Venafi TLS Protect Datacenter.Labels
method: The HTTP method (for example, POST) of the request.path: The HTTP path of the request (for example,/outagedetection/v1/certificaterequests).host: The HTTP Host header of the request (for example,api.venafi.cloud).le: The time between the invocation of the HTTP request and the corresponding response.
-
vcert_http_requests_total: A counter metric indicating the total number of HTTP requests to Venafi Control Plane and Venafi TLS Protect Datacenter.Labels
method: The HTTP method (for example, POST) of the request.path: The HTTP path of the request (for example,/outagedetection/v1/certificaterequests).host: The HTTP Host header of the request (for example,api.venafi.cloud).code: The HTTP status code (for example, 200).
Alerts
If you notice a significant increase in failed HTTP requests (vcert_http_requests_total with code equal to or higher than 400), it's crucial to investigate the root cause of this issue.
The metric vcert_http_request_duration_seconds_bucket, when averaged, measures how fast Venafi Control Plane and Venafi TLS Protect Datacenter respond to requests from Venafi Enhanced Issuer. If you notice a significant increase in this metric, this requires investigation.
CPU and memory metrics¶
The CPU and memory metrics are provided by Kubernetes. The kubelet processes running on each Kubernetes node expose the endpoint /metrics/resources which, when scraped, provide the two following metrics (among others):
container_memory_usage_bytescontainer_cpu_usage_seconds_total
Tip
If you are using Prometheus and have installed it through the kube-prometheus operator, the metrics are already available to you. To install the kube-prometheus operator, see the Getting Started tutorial.
Visualizing metrics¶
Venafi offers a sample Grafana dashboard in JSON format for you to import into your Grafana instance.
venafi-enhanced-issuer.grafana.json
{
"__inputs": [
{
"name": "DS_GRAFANACLOUD-MAELVLS-PROM",
"label": "grafanacloud-maelvls-prom",
"description": "",
"type": "datasource",
"pluginId": "prometheus",
"pluginName": "Prometheus"
}
],
"__elements": {},
"__requires": [
{
"type": "panel",
"id": "bargauge",
"name": "Bar gauge",
"version": ""
},
{
"type": "grafana",
"id": "grafana",
"name": "Grafana",
"version": "10.3.0-63839"
},
{
"type": "datasource",
"id": "prometheus",
"name": "Prometheus",
"version": "1.0.0"
},
{
"type": "panel",
"id": "stat",
"name": "Stat",
"version": ""
},
{
"type": "panel",
"id": "timeseries",
"name": "Time series",
"version": ""
}
],
"annotations": {
"list": [
{
"builtIn": 1,
"datasource": {
"type": "datasource",
"uid": "grafana"
},
"enable": true,
"hide": true,
"iconColor": "rgba(0, 211, 255, 1)",
"name": "Annotations & Alerts",
"target": {
"limit": 100,
"matchAny": false,
"tags": [],
"type": "dashboard"
},
"type": "dashboard"
}
]
},
"description": "Profiling performance-related metrics based on controller-runtime.",
"editable": true,
"fiscalYearStartMonth": 0,
"gnetId": 15920,
"graphTooltip": 0,
"id": null,
"links": [],
"liveNow": false,
"panels": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"description": "",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [
{
"options": {
"True": {
"index": 0,
"text": "Fas"
}
},
"type": "value"
}
],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 1
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "True"
},
"properties": [
{
"id": "thresholds",
"value": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "green",
"value": 80
}
]
}
},
{
"id": "displayName",
"value": "Ready"
}
]
},
{
"matcher": {
"id": "byName",
"options": "False"
},
"properties": [
{
"id": "displayName",
"value": "Failing"
}
]
}
]
},
"gridPos": {
"h": 7,
"w": 5,
"x": 0,
"y": 0
},
"id": 13,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "value_and_name",
"wideLayout": true
},
"pluginVersion": "10.3.0-63839",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"disableTextWrap": false,
"editorMode": "code",
"expr": "sum by(ready_reason) (venafienhancedissuer_venafiissuer_ready_status{cluster=\"$cluster\", job=\"$job\"}) > 0",
"fullMetaSearch": false,
"includeNullMetadata": true,
"instant": false,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Readiness of VenafiIssuers",
"transformations": [],
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"description": "",
"fieldConfig": {
"defaults": {
"color": {
"mode": "continuous-GrYlRd",
"seriesBy": "last"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"axisSoftMin": 0,
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 20,
"gradientMode": "scheme",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "smooth",
"lineWidth": 3,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "normal"
},
"thresholdsStyle": {
"mode": "off"
}
},
"decimals": 0,
"fieldMinMax": false,
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 14,
"w": 7,
"x": 5,
"y": 0
},
"id": 20,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "single",
"sort": "none"
}
},
"pluginVersion": "10.2.0-61892",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"disableTextWrap": false,
"editorMode": "code",
"exemplar": false,
"expr": "sum by(exported_namespace) (venafienhancedissuer_certificaterequest_ready_status{cluster=\"$cluster\", ready_reason=\"Pending\",job=\"$job\"})",
"format": "time_series",
"fullMetaSearch": false,
"hide": false,
"includeNullMetadata": true,
"instant": false,
"interval": "",
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "CertificateRequests Pending Grouped By Namespace",
"transformations": [],
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"description": "Finished means that the certificate request won't be changing anymore.",
"fieldConfig": {
"defaults": {
"color": {
"fixedColor": "red",
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "#ccccdb3b",
"value": null
},
{
"color": "red",
"value": 1
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "Issued"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "green",
"mode": "fixed"
}
}
]
}
]
},
"gridPos": {
"h": 7,
"w": 7,
"x": 12,
"y": 0
},
"id": 14,
"options": {
"displayMode": "basic",
"maxVizHeight": 300,
"minVizHeight": 10,
"minVizWidth": 0,
"namePlacement": "auto",
"orientation": "horizontal",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"showUnfilled": true,
"sizing": "auto",
"valueMode": "color"
},
"pluginVersion": "10.3.0-63839",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"disableTextWrap": false,
"editorMode": "code",
"expr": "sum by(ready_reason) (venafienhancedissuer_certificaterequest_ready_status{cluster=\"$cluster\", ready_reason!=\"Pending\",job=\"$job\"})",
"fullMetaSearch": false,
"includeNullMetadata": true,
"instant": false,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "CertificateRequests In A Finished State",
"type": "bargauge"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "#ccccdb1a",
"value": null
},
{
"color": "green",
"value": 0.1
},
{
"color": "yellow",
"value": 1
},
{
"color": "red",
"value": 5
}
]
},
"unit": "s"
},
"overrides": []
},
"gridPos": {
"h": 7,
"w": 5,
"x": 19,
"y": 0
},
"id": 15,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"textMode": "value_and_name",
"wideLayout": true
},
"pluginVersion": "10.3.0-63839",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"disableTextWrap": false,
"editorMode": "code",
"expr": "histogram_quantile(0.95, sum by(le, method) (rate(vcert_http_request_duration_seconds_bucket{cluster=\"$cluster\",job=\"$job\"}[$__rate_interval])))",
"fullMetaSearch": false,
"includeNullMetadata": true,
"instant": false,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "P95 latency of HTTP calls to Venafi",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"description": "",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 1
}
]
}
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "Checked"
},
"properties": [
{
"id": "displayName",
"value": "Ready"
},
{
"id": "color",
"value": {
"fixedColor": "green",
"mode": "fixed"
}
}
]
}
]
},
"gridPos": {
"h": 7,
"w": 5,
"x": 0,
"y": 7
},
"id": 18,
"options": {
"colorMode": "value",
"graphMode": "area",
"justifyMode": "auto",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"text": {},
"textMode": "value_and_name",
"wideLayout": true
},
"pluginVersion": "10.3.0-63839",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"disableTextWrap": false,
"editorMode": "code",
"expr": "sum by(ready_reason) (venafienhancedissuer_venaficlusterissuer_ready_status{cluster=\"$cluster\",job=\"$job\"}) > 0",
"fullMetaSearch": false,
"includeNullMetadata": true,
"instant": false,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Readiness of VenafiClusterIssuers",
"transformations": [],
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"description": "",
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "smooth",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "auto",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "reqps"
},
"overrides": []
},
"gridPos": {
"h": 7,
"w": 12,
"x": 12,
"y": 7
},
"id": 16,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "single",
"sort": "asc"
}
},
"pluginVersion": "10.2.0-61298",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"disableTextWrap": false,
"editorMode": "code",
"expr": "sum by (code) (\n rate(vcert_http_requests_total{cluster=\"$cluster\",job=\"$job\"}[$__rate_interval])\n)",
"fullMetaSearch": false,
"includeNullMetadata": true,
"instant": false,
"legendFormat": "__auto",
"range": true,
"refId": "A",
"useBackend": false
}
],
"title": "Number of HTTP calls to Venafi",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"description": "",
"fieldConfig": {
"defaults": {
"color": {
"mode": "thresholds"
},
"mappings": [],
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
}
},
"overrides": []
},
"gridPos": {
"h": 4,
"w": 3,
"x": 0,
"y": 14
},
"id": 25,
"options": {
"colorMode": "value",
"graphMode": "none",
"justifyMode": "center",
"orientation": "auto",
"reduceOptions": {
"calcs": [
"lastNotNull"
],
"fields": "",
"values": false
},
"textMode": "name",
"wideLayout": true
},
"pluginVersion": "10.3.0-63839",
"targets": [
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"editorMode": "code",
"expr": "sum by (version) (venafienhancedissuer_info{cluster=\"$cluster\",job=\"$job\"})",
"instant": false,
"legendFormat": "__auto",
"range": true,
"refId": "A"
}
],
"title": "Version",
"type": "stat"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"description": "CPU Usage and limits, as percent of a vCPU core. ",
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "never",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"links": [],
"mappings": [],
"min": 0,
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "percentunit"
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "max"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "dark-yellow",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byName",
"options": "CPU"
},
"properties": [
{
"id": "custom.fillOpacity",
"value": 10
},
{
"id": "custom.fillOpacity",
"value": 50
}
]
},
{
"matcher": {
"id": "byRegexp",
"options": "/Request.*/"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "#FF9830",
"mode": "fixed"
}
},
{
"id": "custom.lineStyle",
"value": {
"dash": [
10,
10
],
"fill": "dash"
}
}
]
},
{
"matcher": {
"id": "byRegexp",
"options": "/Limit.*/"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "#F2495C",
"mode": "fixed"
}
},
{
"id": "custom.lineStyle",
"value": {
"dash": [
10,
10
],
"fill": "dash"
}
}
]
}
]
},
"gridPos": {
"h": 8,
"w": 10,
"x": 3,
"y": 14
},
"id": 24,
"interval": "1m",
"links": [],
"maxDataPoints": 250,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
"pluginVersion": "10.3.0-62411",
"targets": [
{
"datasource": {
"uid": "$datasource"
},
"editorMode": "code",
"expr": "avg by (pod) (rate(container_cpu_usage_seconds_total{container=\"venafi-enhanced-issuer\", cluster=\"$cluster\"}[$__rate_interval]))",
"format": "time_series",
"hide": false,
"interval": "",
"intervalFactor": 2,
"legendFormat": "CPU {{ pod }}",
"range": true,
"refId": "A"
},
{
"datasource": {
"uid": "$datasource"
},
"editorMode": "code",
"expr": "avg by (pod) (kube_pod_container_resource_limits_cpu_cores{container=\"venafi-enhanced-issuer\", cluster=\"$cluster\"})",
"format": "time_series",
"hide": true,
"interval": "",
"intervalFactor": 1,
"legendFormat": "Limit {{ pod }}",
"range": true,
"refId": "B"
},
{
"datasource": {
"uid": "$datasource"
},
"editorMode": "code",
"expr": "avg by (pod) (kube_pod_container_resource_requests_cpu_cores{container=\"venafi-enhanced-issuer\", cluster=\"$cluster\"})",
"format": "time_series",
"hide": true,
"interval": "",
"intervalFactor": 1,
"legendFormat": "Request {{ pod }}",
"range": true,
"refId": "C"
}
],
"title": "CPU",
"type": "timeseries"
},
{
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"description": "Memory utilisation and limits.",
"fieldConfig": {
"defaults": {
"color": {
"mode": "palette-classic"
},
"custom": {
"axisBorderShow": false,
"axisCenteredZero": false,
"axisColorMode": "text",
"axisLabel": "",
"axisPlacement": "auto",
"barAlignment": 0,
"drawStyle": "line",
"fillOpacity": 0,
"gradientMode": "none",
"hideFrom": {
"legend": false,
"tooltip": false,
"viz": false
},
"insertNulls": false,
"lineInterpolation": "linear",
"lineWidth": 1,
"pointSize": 5,
"scaleDistribution": {
"type": "linear"
},
"showPoints": "never",
"spanNulls": false,
"stacking": {
"group": "A",
"mode": "none"
},
"thresholdsStyle": {
"mode": "off"
}
},
"links": [],
"mappings": [],
"min": 0,
"thresholds": {
"mode": "absolute",
"steps": [
{
"color": "green",
"value": null
},
{
"color": "red",
"value": 80
}
]
},
"unit": "bytes"
},
"overrides": [
{
"matcher": {
"id": "byName",
"options": "max"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "dark-yellow",
"mode": "fixed"
}
}
]
},
{
"matcher": {
"id": "byName",
"options": "Memory"
},
"properties": [
{
"id": "custom.fillOpacity",
"value": 10
},
{
"id": "custom.fillOpacity",
"value": 50
}
]
},
{
"matcher": {
"id": "byName",
"options": "Request"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "#FF9830",
"mode": "fixed"
}
},
{
"id": "custom.lineStyle",
"value": {
"dash": [
10,
10
],
"fill": "dash"
}
}
]
},
{
"matcher": {
"id": "byName",
"options": "Limit"
},
"properties": [
{
"id": "color",
"value": {
"fixedColor": "#F2495C",
"mode": "fixed"
}
},
{
"id": "custom.lineStyle",
"value": {
"dash": [
10,
10
],
"fill": "dash"
}
}
]
}
]
},
"gridPos": {
"h": 8,
"w": 11,
"x": 13,
"y": 14
},
"id": 23,
"interval": "1m",
"links": [],
"maxDataPoints": 250,
"options": {
"legend": {
"calcs": [],
"displayMode": "list",
"placement": "bottom",
"showLegend": true
},
"tooltip": {
"mode": "multi",
"sort": "none"
}
},
"pluginVersion": "10.3.0-62411",
"targets": [
{
"datasource": {
"uid": "$datasource"
},
"editorMode": "code",
"expr": "avg by (pod) (container_memory_usage_bytes{container=\"venafi-enhanced-issuer\", cluster=\"$cluster\"})",
"format": "time_series",
"hide": false,
"interval": "",
"intervalFactor": 1,
"legendFormat": "Memory {{ pod }}",
"range": true,
"refId": "A"
},
{
"datasource": {
"uid": "$datasource"
},
"editorMode": "code",
"expr": "avg by (pod) (kube_pod_container_resource_limits_memory_bytes{container=\"venafi-enhanced-issuer\", cluster=\"$cluster\"})",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"legendFormat": "Limit {{ pod }}",
"range": true,
"refId": "B"
},
{
"datasource": {
"uid": "$datasource"
},
"editorMode": "code",
"expr": "avg by (pod) (kube_pod_container_resource_requests_memory_bytes{container=\"venafi-enhanced-issuer\", cluster=\"$cluster\"})",
"format": "time_series",
"interval": "",
"intervalFactor": 1,
"legendFormat": "Request {{ pod }}",
"range": true,
"refId": "C"
}
],
"title": "Memory",
"type": "timeseries"
}
],
"refresh": "5s",
"schemaVersion": 39,
"tags": [],
"templating": {
"list": [
{
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"definition": "label_values(venafienhancedissuer_info,cluster)",
"hide": 0,
"includeAll": false,
"multi": false,
"name": "cluster",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(venafienhancedissuer_info,cluster)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"type": "query"
},
{
"current": {},
"datasource": {
"type": "prometheus",
"uid": "${DS_GRAFANACLOUD-MAELVLS-PROM}"
},
"definition": "label_values(venafienhancedissuer_info,job)",
"hide": 0,
"includeAll": false,
"multi": false,
"name": "job",
"options": [],
"query": {
"qryType": 1,
"query": "label_values(venafienhancedissuer_info,job)",
"refId": "PrometheusVariableQueryEditor-VariableQuery"
},
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"sort": 0,
"type": "query"
},
{
"current": {
"selected": true,
"text": "default",
"value": "default"
},
"hide": 0,
"includeAll": false,
"label": "",
"multi": false,
"name": "datasource",
"options": [],
"query": "prometheus",
"queryValue": "",
"refresh": 1,
"regex": "",
"skipUrlSync": false,
"type": "datasource"
}
]
},
"time": {
"from": "now-1h",
"to": "now"
},
"timepicker": {
"refresh_intervals": [
"5s",
"10s",
"30s",
"1m",
"5m",
"15m",
"30m",
"1h",
"2h",
"1d"
]
},
"timezone": "",
"title": "Venafi Enhanced Issuer",
"uid": "5J4pyKEnk",
"version": 49,
"weekStart": ""
}
Reference¶
You can query the metrics endpoint and fetch the current metrics data as follows:
POD_NAME=$(kubectl get pod -n venafi -l app.kubernetes.io/name=venafi-enhanced-issuer -o jsonpath='{ .items[0].metadata.name }')
kubectl get --raw "/api/v1/namespaces/venafi/pods/${POD_NAME}:8080/proxy/metrics" | grep -A1 'HELP'
Full metrics reference
Here are the metrics that Venafi Enhanced Issuer exports:
# HELP certwatcher_read_certificate_errors_total Total number of certificate read errors
# TYPE certwatcher_read_certificate_errors_total counter
--
# HELP certwatcher_read_certificate_total Total number of certificate reads
# TYPE certwatcher_read_certificate_total counter
--
# HELP controller_runtime_active_workers Number of currently used workers per controller
# TYPE controller_runtime_active_workers gauge
--
# HELP controller_runtime_max_concurrent_reconciles Maximum number of concurrent reconciles per controller
# TYPE controller_runtime_max_concurrent_reconciles gauge
--
# HELP controller_runtime_reconcile_errors_total Total number of reconciliation errors per controller
# TYPE controller_runtime_reconcile_errors_total counter
--
# HELP controller_runtime_reconcile_total Total number of reconciliations per controller
# TYPE controller_runtime_reconcile_total counter
--
# HELP go_gc_duration_seconds A summary of the pause duration of garbage collection cycles.
# TYPE go_gc_duration_seconds summary
--
# HELP go_goroutines Number of goroutines that currently exist.
# TYPE go_goroutines gauge
--
# HELP go_info Information about the Go environment.
# TYPE go_info gauge
--
# HELP go_memstats_alloc_bytes Number of bytes allocated and still in use.
# TYPE go_memstats_alloc_bytes gauge
--
# HELP go_memstats_alloc_bytes_total Total number of bytes allocated, even if freed.
# TYPE go_memstats_alloc_bytes_total counter
--
# HELP go_memstats_buck_hash_sys_bytes Number of bytes used by the profiling bucket hash table.
# TYPE go_memstats_buck_hash_sys_bytes gauge
--
# HELP go_memstats_frees_total Total number of frees.
# TYPE go_memstats_frees_total counter
--
# HELP go_memstats_gc_sys_bytes Number of bytes used for garbage collection system metadata.
# TYPE go_memstats_gc_sys_bytes gauge
--
# HELP go_memstats_heap_alloc_bytes Number of heap bytes allocated and still in use.
# TYPE go_memstats_heap_alloc_bytes gauge
--
# HELP go_memstats_heap_idle_bytes Number of heap bytes waiting to be used.
# TYPE go_memstats_heap_idle_bytes gauge
--
# HELP go_memstats_heap_inuse_bytes Number of heap bytes that are in use.
# TYPE go_memstats_heap_inuse_bytes gauge
--
# HELP go_memstats_heap_objects Number of allocated objects.
# TYPE go_memstats_heap_objects gauge
--
# HELP go_memstats_heap_released_bytes Number of heap bytes released to OS.
# TYPE go_memstats_heap_released_bytes gauge
--
# HELP go_memstats_heap_sys_bytes Number of heap bytes obtained from system.
# TYPE go_memstats_heap_sys_bytes gauge
--
# HELP go_memstats_last_gc_time_seconds Number of seconds since 1970 of last garbage collection.
# TYPE go_memstats_last_gc_time_seconds gauge
--
# HELP go_memstats_lookups_total Total number of pointer lookups.
# TYPE go_memstats_lookups_total counter
--
# HELP go_memstats_mallocs_total Total number of mallocs.
# TYPE go_memstats_mallocs_total counter
--
# HELP go_memstats_mcache_inuse_bytes Number of bytes in use by mcache structures.
# TYPE go_memstats_mcache_inuse_bytes gauge
--
# HELP go_memstats_mcache_sys_bytes Number of bytes used for mcache structures obtained from system.
# TYPE go_memstats_mcache_sys_bytes gauge
--
# HELP go_memstats_mspan_inuse_bytes Number of bytes in use by mspan structures.
# TYPE go_memstats_mspan_inuse_bytes gauge
--
# HELP go_memstats_mspan_sys_bytes Number of bytes used for mspan structures obtained from system.
# TYPE go_memstats_mspan_sys_bytes gauge
--
# HELP go_memstats_next_gc_bytes Number of heap bytes when next garbage collection will take place.
# TYPE go_memstats_next_gc_bytes gauge
--
# HELP go_memstats_other_sys_bytes Number of bytes used for other system allocations.
# TYPE go_memstats_other_sys_bytes gauge
--
# HELP go_memstats_stack_inuse_bytes Number of bytes in use by the stack allocator.
# TYPE go_memstats_stack_inuse_bytes gauge
--
# HELP go_memstats_stack_sys_bytes Number of bytes obtained from system for stack allocator.
# TYPE go_memstats_stack_sys_bytes gauge
--
# HELP go_memstats_sys_bytes Number of bytes obtained from system.
# TYPE go_memstats_sys_bytes gauge
--
# HELP go_threads Number of OS threads created.
# TYPE go_threads gauge
--
# HELP leader_election_master_status Gauge of if the reporting system is master of the relevant lease, 0 indicates backup, 1 indicates master. 'name' is the string used to identify the lease. Please make sure to group by name.
# TYPE leader_election_master_status gauge
--
# HELP process_cpu_seconds_total Total user and system CPU time spent in seconds.
# TYPE process_cpu_seconds_total counter
--
# HELP process_max_fds Maximum number of open file descriptors.
# TYPE process_max_fds gauge
--
# HELP process_open_fds Number of open file descriptors.
# TYPE process_open_fds gauge
--
# HELP process_resident_memory_bytes Resident memory size in bytes.
# TYPE process_resident_memory_bytes gauge
--
# HELP process_start_time_seconds Start time of the process since unix epoch in seconds.
# TYPE process_start_time_seconds gauge
--
# HELP process_virtual_memory_bytes Virtual memory size in bytes.
# TYPE process_virtual_memory_bytes gauge
--
# HELP process_virtual_memory_max_bytes Maximum amount of virtual memory available in bytes.
# TYPE process_virtual_memory_max_bytes gauge
--
# HELP rest_client_requests_total Number of HTTP requests, partitioned by status code, method, and host.
# TYPE rest_client_requests_total counter
--
# HELP vcert_http_in_flight_requests A gauge of in-flight requests being made using vcert.
# TYPE vcert_http_in_flight_requests gauge
--
# HELP venafienhancedissuer_info Information about the Venafi Enhanced Issuer.
# TYPE venafienhancedissuer_info gauge
--
# HELP workqueue_adds_total Total number of adds handled by workqueue
# TYPE workqueue_adds_total counter
--
# HELP workqueue_depth Current depth of workqueue
# TYPE workqueue_depth gauge
--
# HELP workqueue_longest_running_processor_seconds How many seconds has the longest running processor for workqueue been running.
# TYPE workqueue_longest_running_processor_seconds gauge
--
# HELP workqueue_queue_duration_seconds How long in seconds an item stays in workqueue before being requested
# TYPE workqueue_queue_duration_seconds histogram
--
# HELP workqueue_retries_total Total number of retries handled by workqueue
# TYPE workqueue_retries_total counter
--
# HELP workqueue_unfinished_work_seconds How many seconds of work has been done that is in progress and hasn't been observed by work_duration. Large values indicate stuck threads. One can deduce the number of stuck threads by observing the rate at which this increases.
# TYPE workqueue_unfinished_work_seconds gauge
--
# HELP workqueue_work_duration_seconds How long in seconds processing an item from workqueue takes.
# TYPE workqueue_work_duration_seconds histogram