Cert-manager: metric "certmanager_certificate_expiration_timestamp_seconds" is not exposed anymore in 0.11
Describe the bug:
After upgrading to 0.11 ( from 0.8 ) the metric certmanager_certificate_expiration_timestamp_seconds is not available anymore in prometheus .
Querying the /metrics url does not show it either
I can see the new certmanager_certificate_ready_status one
Expected behaviour:
Looking at the code here the metric should still be there
Steps to reproduce the bug:
Upgrade to 0.11 and curl on :9402/metrics
check if the the expiration timestamp is there
Anything else we need to know?:
Environment details::
- Kubernetes version (e.g. v1.10.2): 1.13.7
- Cloud-provider/provisioner (e.g. GKE, kops AWS, etc): GKE
- cert-manager version (e.g. v0.4.0): 0.11.0
- Install method (e.g. helm or static manifests): static manifests
/kind bug
primeroz
All 7 comments
Looking at bit more at the code it seems to me that this metric was forgotten while upgrading to the new API
I can't see any reference to UpdateCertificateExpiry ever being called. Before it was called as part of the sync loop here
Compared to the UpdateCertificateStatus which is indeed caliing during sync.
primeroz
on 23 Oct 2019
Looks like this commit removes the call of UpdateCertificateExpiry: https://github.com/jetstack/cert-manager/commit/51bf98581e6b40a4c81bd41a11203a8fad3dc200#diff-d14e419095685c0725dd0282d442ae7d
@munnerz was there a reason for removing it or did it happen by accident?
kevinscholz
on 7 Nov 2019
The _only_ stats I am seeing on v0.11.0 (when directly scraping the metrics endpoint with curl) are
# HELP certmanager_certificate_ready_status The ready status of the certificate.
# HELP certmanager_controller_sync_call_count The number of sync() calls made by a controller.
I was expecting to also see
- certificate_expiration_timestamp_seconds
- acme_client_request_count
- acme_client_request_duration_seconds
Nuru
on 7 Nov 2019
@munnerz is there any chance for someone to look at this by 0.12 ?
I found myself stuck since i need 0.11 to be able to consume vault using serviceaccount but to do that i lost the ability to monitor expiration of certificates.
thanks!
primeroz
on 19 Nov 2019
@kevinscholz thanks for digging that out - you are correct, it was removed by accident as we switched over to the new CertificateRequest based implementation!
We need to get a PR prepared to re-add this call back into the Certificate controller. We are no longer supplying backports for v0.11 as v0.12 is out, but this _would_ be a candidate for back porting into v0.12
@Nuru the I'm surprised to hear that the ACME client is _also_ not recording metrics, as this area of code has not changed. Are you sure your instance of cert-manager has actually made some requests with an ACME server? IIRC, metrics are not displayed unless there has been at least one occurrence of them.
/milestone v0.12
/priority important-soon
munnerz
on 29 Nov 2019
@Nuru after doing some of my own testing, I can confirm that the ACME client metrics are present in v0.12, so I believe perhaps your controller just hasn't made any ACME client requests since starting 馃槃
munnerz
on 29 Nov 2019
Opened #2416 to address this!
munnerz
on 29 Nov 2019
Related issues
f-f
路
4Comments
cpick
路
3Comments
howardjohn
路
3Comments
munjal-patel
路
3Comments
jakubknejzlik
路
3Comments
Most helpful comment
The _only_ stats I am seeing on v0.11.0 (when directly scraping the metrics endpoint with
curl) areI was expecting to also see