jcmoraisjr · jcmoraisjr · Mar 23, 2020 · Mar 22, 2020
diff --git a/pkg/acme/signer.go b/pkg/acme/signer.go
@@ -28,10 +28,11 @@ import (
 )
 
 // NewSigner ...
-func NewSigner(logger types.Logger, cache Cache) Signer {
+func NewSigner(logger types.Logger, cache Cache, metrics types.Metrics) Signer {
 	return &signer{
-		logger: logger,
-		cache:  cache,
+		logger:  logger,
+		cache:   cache,
+		metrics: metrics,
 	}
 }
 
@@ -65,6 +66,7 @@ type TLSSecret struct {
 type signer struct {
 	logger      types.Logger
 	cache       Cache
+	metrics     types.Metrics
 	account     Account
 	client      Client
 	expiring    time.Duration
@@ -119,17 +121,21 @@ func (s *signer) Notify(item interface{}) error {
 	return err
 }
 
-func (s *signer) verify(secretName string, domains []string) error {
+func (s *signer) verify(secretName string, domains []string) (verifyErr error) {
 	duedate := time.Now().Add(s.expiring)
 	tls := s.cache.GetTLSSecretContent(secretName)
 	strdomains := strings.Join(domains, ",")
 	if tls == nil || tls.Crt.NotAfter.Before(duedate) || !match(domains, tls.Crt.DNSNames) {
+		var collector func(domains string, success bool)
 		var reason string
 		if tls == nil {
+			collector = s.metrics.IncCertSigningMissing
 			reason = "certificate does not exist"
 		} else if tls.Crt.NotAfter.Before(duedate) {
+			collector = s.metrics.IncCertSigningOutdated
 			reason = fmt.Sprintf("certificate expires in %s", tls.Crt.NotAfter.String())
 		} else {
+			collector = s.metrics.IncCertSigningChangedDomains
 			reason = "added one or more domains to an existing certificate"
 		}
 		s.verifyCount++
@@ -143,17 +149,18 @@ func (s *signer) verify(secretName string, domains []string) error {
 			} else {
 				s.logger.Warn("acme: error storing new certificate: id=%d secret=%s domain(s)=%s error=%v",
 					s.verifyCount, secretName, strdomains, errTLS)
-				return errTLS
+				verifyErr = errTLS
 			}
 		} else {
 			s.logger.Warn("acme: error signing new certificate: id=%d secret=%s domain(s)=%s error=%v",
 				s.verifyCount, secretName, strdomains, err)
-			return err
+			verifyErr = err
 		}
+		collector(strdomains, verifyErr == nil)
 	} else {
 		s.logger.InfoV(2, "acme: skipping sign, certificate is updated: secret=%s domain(s)=%s", secretName, strdomains)
 	}
-	return nil
+	return verifyErr
 }
 
 // match return true if all hosts in hostnames (desired configuration)

diff --git a/pkg/acme/signer_test.go b/pkg/acme/signer_test.go
@@ -86,22 +86,24 @@ func setup(t *testing.T) *config {
 		cache: &cache{
 			tlsSecret: map[string]*TLSSecret{},
 		},
-		logger: types_helper.NewLoggerMock(t),
+		logger:  types_helper.NewLoggerMock(t),
+		metrics: types_helper.NewMetricsMock(),
 	}
 }
 
 type config struct {
-	t      *testing.T
-	cache  *cache
-	logger *types_helper.LoggerMock
+	t       *testing.T
+	cache   *cache
+	logger  *types_helper.LoggerMock
+	metrics *types_helper.MetricsMock
 }
 
 func (c *config) teardown() {
 	c.logger.CompareLogging("")
 }
 
 func (c *config) newSigner() *signer {
-	signer := NewSigner(c.logger, c.cache).(*signer)
+	signer := NewSigner(c.logger, c.cache, c.metrics).(*signer)
 	signer.client = &clientMock{}
 	return signer
 }

diff --git a/pkg/controller/controller.go b/pkg/controller/controller.go
@@ -100,7 +100,7 @@ func (hc *HAProxyController) configController() {
 	if hc.cfg.AcmeServer {
 		electorID := fmt.Sprintf("%s-%s", hc.cfg.AcmeElectionID, hc.cfg.IngressClass)
 		hc.leaderelector = NewLeaderElector(electorID, hc.logger, hc.cache, hc)
-		acmeSigner = acme.NewSigner(hc.logger, hc.cache)
+		acmeSigner = acme.NewSigner(hc.logger, hc.cache, hc.metrics)
 		hc.acmeQueue = utils.NewFailureRateLimitingQueue(
 			hc.cfg.AcmeFailInitialDuration,
 			hc.cfg.AcmeFailMaxDuration,

diff --git a/pkg/controller/metrics.go b/pkg/controller/metrics.go
@@ -17,6 +17,7 @@ limitations under the License.
 package controller
 
 import (
+	"strconv"
 	"time"
 
 	"github.com/prometheus/client_golang/prometheus"
@@ -30,6 +31,7 @@ type metrics struct {
 	updatesCounter     *prometheus.CounterVec
 	updateSuccessGauge *prometheus.GaugeVec
 	certExpireGauge    *prometheus.GaugeVec
+	certSigningCounter *prometheus.CounterVec
 	lastTrack          time.Time
 }
 
@@ -93,6 +95,14 @@ func createMetrics() *metrics {
 			},
 			[]string{"domain", "cn"},
 		),
+		certSigningCounter: prometheus.NewCounterVec(
+			prometheus.CounterOpts{
+				Namespace: namespace,
+				Name:      "cert_signing_count",
+				Help:      "Cumulative number of certificate signing.",
+			},
+			[]string{"domains", "reason", "success"},
+		),
 	}
 	prometheus.MustRegister(metrics.responseTime)
 	prometheus.MustRegister(metrics.ctlProcTimeSum)
@@ -101,6 +111,7 @@ func createMetrics() *metrics {
 	prometheus.MustRegister(metrics.updatesCounter)
 	prometheus.MustRegister(metrics.updateSuccessGauge)
 	prometheus.MustRegister(metrics.certExpireGauge)
+	prometheus.MustRegister(metrics.certSigningCounter)
 	return metrics
 }
 
@@ -152,3 +163,15 @@ func (m *metrics) SetCertExpireDate(domain, cn string, notAfter *time.Time) {
 	}
 	m.certExpireGauge.WithLabelValues(domain, cn).Set(float64(notAfter.Unix()))
 }
+
+func (m *metrics) IncCertSigningMissing(domains string, success bool) {
+	m.certSigningCounter.WithLabelValues(domains, "missing", strconv.FormatBool(success)).Inc()
+}
+
+func (m *metrics) IncCertSigningOutdated(domains string, success bool) {
+	m.certSigningCounter.WithLabelValues(domains, "outdated", strconv.FormatBool(success)).Inc()
+}
+
+func (m *metrics) IncCertSigningChangedDomains(domains string, success bool) {
+	m.certSigningCounter.WithLabelValues(domains, "changeddomains", strconv.FormatBool(success)).Inc()
+}
diff --git a/pkg/types/helper_test/metricsmock.go b/pkg/types/helper_test/metricsmock.go
@@ -68,3 +68,15 @@ func (m *MetricsMock) UpdateSuccessful(success bool) {
 // SetCertExpireDate ...
 func (m *MetricsMock) SetCertExpireDate(domain, cn string, notAfter *time.Time) {
 }
+
+// IncCertSigningMissing ...
+func (m *MetricsMock) IncCertSigningMissing(domains string, success bool) {
+}
+
+// IncCertSigningOutdated ...
+func (m *MetricsMock) IncCertSigningOutdated(domains string, success bool) {
+}
+
+// IncCertSigningChangedDomains ...
+func (m *MetricsMock) IncCertSigningChangedDomains(domains string, success bool) {
+}
diff --git a/pkg/types/metrics.go b/pkg/types/metrics.go
@@ -31,4 +31,7 @@ type Metrics interface {
 	IncUpdateFull()
 	UpdateSuccessful(success bool)
 	SetCertExpireDate(domain, cn string, notAfter *time.Time)
+	IncCertSigningMissing(domains string, success bool)
+	IncCertSigningOutdated(domains string, success bool)
+	IncCertSigningChangedDomains(domains string, success bool)
 }