expose cached token expires in metrics

[WindzCUHK]

Description

TODO

• [ ] finalize metrics interface
• [ ] refactor

changes

metrics

$ curl -sSi http://127.0.0.1:9999/metrics | grep token_expiry_timestamp
# HELP token_expiry_timestamp Expiry time in seconds since Unix epoch.
# TYPE token_expiry_timestamp gauge
token_expiry_timestamp{domain="domain1",role="role1",type="accesstoken"} 1.703606237e+09
token_expiry_timestamp{domain="domain1",role="role1",type="roletoken"} 1.703606237e+09
token_expiry_timestamp{domain="domain2",role="role2",type="accesstoken"} 1.703606352e+09

Type of change

• [ ] Bug fix
• [x] New feature
• [ ] Refactoring (no functional changes, no api changes)
• [ ] Non-code changes (update documentation, pipeline, etc.)

Flags

• [ ] Breaks backward compatibility
• [ ] Requires a documentation update
• [ ] Has untestable code

---

Checklist

• [x] Followed the guidelines in the CONTRIBUTING document
• [x] Added prefix [skip ci]/[ci skip]/[no ci]/[skip actions]/[actions skip] in the PR title if necessary
• [ ] Tested and linted the code
• [ ] Commented the code
• [ ] Made corresponding changes to the documentation
• [ ] Passed all pipeline checking

Checklist for maintainer

• Use Squash and merge
• Double-confirm the merge message has prefix [skip ci]/[ci skip]/[no ci]/[skip actions]/[actions skip]
• Delete the branch after merge

[mlajkim]

Note:

• Make sure that the token expiry changes with the token refresh period
• Make sure that failed token is not included within the metrics.

[mlajkim]

TODOs

• [ ] Choose the option
• [ ] Check if a new option is required for metrics

Option 1: token_expiry_until_seconds{domain="domain1",role="role1",type="accesstoken"} 14400 token_expiry_until_seconds{domain="domain1",role="role1",type="roletoken"} 14400 token_expiry_until_seconds{domain="domain2",role="role2",type="accesstoken"} 14400

Option 2: tokens_expiry_earliest_seconds{domain=“domain1”,role=“role1",type=“accesstoken”} 8400

[mlajkim]

Performance; If performance affected, gotta give the options to modify

[mlajkim]

platform uses x509_cert_expires_in_seconds => access_token_expires_in_seconds role_token_expires_in_seconds

[WindzCUHK]

factor of metrics that affect performance

• no. of scraping client
• scrape interval
• response body size => label pattern => domain, role pairs

[mlajkim]

conclusion

• platform uses enix/exporter default x509_cert_expires_in_seconds
  • It uses GaugeValue
  • https://github.com/enix/x509-certificate-exporter/blob/b33c43ac520dfbced529bf7543d8271d052947d0/internal/collector.go#L159-L160
• token cache must follow the same format and unit. sample:

  x509_cert_expires_in_seconds{filename="ca.cert.pem",filepath="/var/run/athenz/ca.crt",... censored .. subject_OU="Unit"} 5.241816173314502e+08

[mlajkim]

Handled in the following:

• https://github.com/AthenZ/k8s-athenz-sia/pull/77
• https://github.com/AthenZ/k8s-athenz-sia/pull/103

Closed.