cert-manager / openshift-routes

OpenShift Route support for cert-manager
Apache License 2.0

Monitoring observability for "CertificateRequests" #42

Open jacksgt opened 11 months ago

jacksgt commented 11 months ago

Hello,

we completed the switch to openshift-routes in our production environment and are quite happy with it.

However, we noticed that openshift-routes creates CertificateRequests - unlike cert-manager's ingress-shim which creates Certificates.

This has the unfortunate side-effect that we have no observability on these resources, because cert-manager's metrics endpoint exposes only metrics about Certificates (but not CertificateRequests, Orders, Challenges etc.). In practice this means that when one of the certificate requests gets stuck (for many reasons, e.g. wrong DNS setup, order invalid, ...), we might not notice for a long time. :-(

certmanager_certificate_expiration_timestamp_seconds
certmanager_certificate_ready_status
certmanager_certificate_renewal_timestamp_seconds
certmanager_clock_time_seconds
certmanager_clock_time_seconds_gauge
certmanager_controller_sync_call_count
certmanager_controller_sync_error_count
certmanager_http_acme_client_request_count
certmanager_http_acme_client_request_duration_seconds
certmanager_http_acme_client_request_duration_seconds_count
certmanager_http_acme_client_request_duration_seconds_sum

I see two possible ways to resolve this issue:

I'm happy to discuss other ideas as well.
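Added example, not part of the original issue or the openshift-routes code: one way to spot stuck CertificateRequests without a metric is to read their `Ready` condition from the output of `kubectl get certificaterequests -A -o json`. The function name, the one-hour pending threshold and the sample objects are assumptions made for this sketch.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample, shaped like `kubectl get certificaterequests -A -o json`.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"namespace": "shop", "name": "web-1", "creationTimestamp": "2024-05-01T08:00:00Z"},
  "status": {"conditions": [{"type": "Approved", "status": "True"},
                            {"type": "Ready", "status": "True", "reason": "Issued"}]}},
 {"metadata": {"namespace": "shop", "name": "api-1", "creationTimestamp": "2024-05-01T08:00:00Z"},
  "status": {"conditions": [{"type": "Approved", "status": "True"},
                            {"type": "Ready", "status": "False", "reason": "Pending",
                             "message": "Waiting on certificate issuance from order"}]}},
 {"metadata": {"namespace": "blog", "name": "www-1", "creationTimestamp": "2024-05-01T11:50:00Z"},
  "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "Failed",
                             "message": "order is in invalid state"}]}},
 {"metadata": {"namespace": "blog", "name": "new-1", "creationTimestamp": "2024-05-01T11:55:00Z"},
  "status": {}}
]}
""")

def _ts(value):
    # Kubernetes timestamps are RFC 3339 in UTC, e.g. 2024-05-01T08:00:00Z.
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def stuck_requests(cr_list, now, max_pending=timedelta(hours=1)):
    """Return (namespace, name, reason, message) for requests that failed,
    were denied, or have stayed not-Ready longer than max_pending (assumed threshold)."""
    findings = []
    for item in cr_list.get("items", []):
        meta = item["metadata"]
        conds = {c["type"]: c for c in item.get("status", {}).get("conditions", [])}
        ready = conds.get("Ready", {})
        if ready.get("status") == "True":
            continue  # issued, nothing to report
        failed = (ready.get("reason") in ("Failed", "Denied")
                  or conds.get("InvalidRequest", {}).get("status") == "True"
                  or conds.get("Denied", {}).get("status") == "True")
        age = now - _ts(meta["creationTimestamp"])
        if failed or age > max_pending:
            findings.append((meta["namespace"], meta["name"],
                             ready.get("reason", "NoCondition"), ready.get("message", "")))
    return findings

if __name__ == "__main__":
    for finding in stuck_requests(SAMPLE, datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)):
        print(*finding, sep="\t")
```

Failed, denied and invalid requests are reported immediately, while requests that are merely pending are reported only once they exceed the threshold, so freshly created requests do not raise noise.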

ctrought commented 10 months ago

Also wondering if switching to use Certificates instead of CertificateRequests is another feasible option. Maybe a bit more work but it would help with consistency as these differences come up.