security: add telemetry for OCSP server checks

This commit adds two telemetry counters: - `server.ocsp.conn-verifications` counts the number of connections for which the OCSP feature is enabled - `server.ocsp.cert-verifications` counts the number of times a certificate actually underwent OCSP verification. Release justification: low risk, high benefit changes to existing functionality Release note: None
cockroachdb · Aug 31, 2020 · 66f3a96 · 66f3a96
1 parent 410616f
commit 66f3a96
Showing 1 changed file with 20 additions and 0 deletions.
diff --git a/pkg/security/ocsp.go b/pkg/security/ocsp.go
@@ -18,6 +18,7 @@ import (
 	"io/ioutil"
 	"net/http"
 
+	"github.com/cockroachdb/cockroach/pkg/server/telemetry"
 	"github.com/cockroachdb/cockroach/pkg/util/contextutil"
 	"github.com/cockroachdb/cockroach/pkg/util/log"
 	"github.com/cockroachdb/errors"
@@ -39,6 +40,9 @@ func makeOCSPVerifier(settings TLSSettings) func([][]byte, [][]*x509.Certificate
 
 		return contextutil.RunWithTimeout(context.Background(), "OCSP verification", settings.ocspTimeout(),
 			func(ctx context.Context) error {
+				// Per-conn telemetry counter.
+				telemetry.Inc(ocspChecksCounter)
+
 				errG, gCtx := errgroup.WithContext(ctx)
 				for _, chain := range verifiedChains {
 					// Ignore the last cert in the chain; it's the root and if it
@@ -60,10 +64,26 @@ func makeOCSPVerifier(settings TLSSettings) func([][]byte, [][]*x509.Certificate
 	}
 }
 
+// ocspChecksCounter counts the number of connections that are
+// undergoing OCSP validations. This counter exists so that the value
+// of ocspCheckWithOCSPServerInCertCounter can be interpreted as a
+// percentage.
+var ocspChecksCounter = telemetry.GetCounterOnce("server.ocsp.conn-verifications")
+
+// ocspCheckWithOCSPServerInCert counts the number of certificate
+// verifications performed with a populated OCSPServer field in one of
+// the certs in the validation chain.
+var ocspCheckWithOCSPServerInCertCounter = telemetry.GetCounterOnce("server.ocsp.cert-verifications")
+
 func verifyOCSP(ctx context.Context, settings TLSSettings, cert, issuer *x509.Certificate) error {
 	if len(cert.OCSPServer) == 0 {
 		return nil
 	}
+
+	// Per-cert telemetry counter. We only count requests when there is
+	// an OCSP server to check in the first place.
+	telemetry.Inc(ocspCheckWithOCSPServerInCertCounter)
+
 	var errs []error
 	for _, url := range cert.OCSPServer {
 		ok, err := queryOCSP(ctx, url, cert, issuer)