letsencrypt / boulder

An ACME-based certificate authority, written in Go.
Mozilla Public License 2.0

Add issuer label to ocsp_filter_responses metric #7546

Closed aarongable closed 3 months ago

aarongable commented 3 months ago

Add a new "issuer" label to the ocsp-responder's ocsp_filter_responses metric. This allows the count of responses served by ocsp-responder to be broken down by which intermediate issued the certificate (and OCSP response) in question.

This approach has the benefit of being minimal. The filterSource is the only place within ocsp-responder that actually has knowledge of which intermediate issued the certificate/OCSP response. The HTTP-handling code above filterSource and the other Redis and live-signing sources below filterSource have no knowledge of the set of issuing intermediates. They operate solely on the serial, because we guarantee that our serials are unique across all issuers. So adding the metric label here means that we don't have to make any other ocsp-responder code aware of the issuers.

However, this approach has the cost of being somewhat surprising. Every source has a counter metric with a "result" label; adding this "issuer" label makes the filterSource's metric unique.

Fixes https://github.com/letsencrypt/boulder/issues/7538
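
The layering described in this pull request, sketched with only the Go standard library as an added example (not Boulder's code and not part of the PR): the filter layer resolves the issuer, the inner source sees only the serial, and the counter is keyed by result and issuer. The type names, the result label values, the issuer names and the plain map standing in for the Prometheus counter are all assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"sync"
)

// Hypothetical simplifications, not Boulder's types. A Source answers by serial alone.
type Request struct{ IssuerKeyHash, Serial string }
type Source func(serial string) (string, error)

// filterSource is the only layer holding the issuer set, so only it can label by issuer.
type filterSource struct {
	issuers map[string]string // issuer key hash -> configured name; sole origin of label values
	inner   Source
	mu      sync.Mutex
	counts  map[[2]string]int // {result, issuer} -> responses counted
}

func (f *filterSource) inc(result, issuer string) {
	f.mu.Lock()
	defer f.mu.Unlock()
	f.counts[[2]string{result, issuer}]++
}

func (f *filterSource) Response(req Request) (string, error) {
	name, ok := f.issuers[req.IssuerKeyHash]
	if !ok {
		f.inc("issuer_mismatch", "unknown")
		return "", errors.New("unrecognized issuer")
	}
	resp, err := f.inner(req.Serial)
	if err != nil {
		f.inc("inner_error", name)
		return "", err
	}
	f.inc("success", name)
	return resp, nil
}

func main() {
	f := &filterSource{
		issuers: map[string]string{"hashA": "int-a"}, // constructed sample values
		inner:   func(string) (string, error) { return "good", nil },
		counts:  map[[2]string]int{},
	}
	f.Response(Request{"hashA", "01"})
	fmt.Println(f.counts)
}
```

Because the issuer label is read from the configured map and requests naming any other issuer share the single "unknown" value, request contents cannot increase the number of distinct label combinations.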