Add collector for csr

[wanghaoran1988]

What this PR does / why we need it:

Which issue(s) this PR fixes (optional, in fixes #<issue number>(, fixes #<issue_number>, ...) format, will close the issue(s) when PR gets merged):
Fixes #649

[mxinden]

A CSR can either be approved or denied, right? If so, I would encode this here by only having either a approved or denied boolean, and derive the opposite via the ! operator.

[brancz]

yes, this should be treated as an enum metric

[mxinden]

Just to make sure, if a CSR has multiple conditions, do all of the apply or only the most recent one?

[wanghaoran1988]

If it has multiple condition, then do all the apply, it can has "approve" and "denied" condition at the same time now.

[mxinden]

👍

[wanghaoran1988]

@mxinden @brancz Updated according to https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/certificates/certificate_controller_utils.go#L23

[brancz]

interpretation of data should be done at query time, not in kube-state-metrics, we should just expose each state with a 0 or 1 depending on whether it is in that state

[wanghaoran1988]

A little confused, what do you mean by "query time" ? do you mean I can just remove this line? when the csr have "approved" and "denied" condition at the same time, should I expose the metrics both 1 like this:
kube_csr_condition{csr="certificate-test",csr_condition="denied"} 1
kube_csr_condition{csr="certificate-test",csr_condition="approved"} 1

[mxinden]

@brancz if we don't interpret the data, there is the possibility for both approved and denied being true.

This upstream section seems to be the source of truth: https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/certificates/certificate_controller_utils.go#L23

[brancz]

Correct, but here we want to expose the raw data. Essentially the approved && !denied is something that is up to a user to do in PromQL.

[wanghaoran1988]

This make sense, and it's how I did originally

[mxinden]

No need for this, if it is 0, the for loop will loop 0 times.

[wanghaoran1988]

good catch

[mxinden]

How about using GetCertApprovalCondition here instead?

[wanghaoran1988]

I'd like a duplication here, or it will bring go dependency here, WDYT?

[mxinden]

👍

[mxinden]

In regards to the outdated discussion here: #650 (comment)

If we want to expose the raw data, how about also exposing the count of denied and approved conditions instead of just true or false?

@brancz @wanghaoran1988 what do you think?

[brancz]

Just true and false. Count is then something a user can do in PromQL 🙂 .

[brancz]

this is a state assessed based on data, not raw data, this should be done in PromQL

[wanghaoran1988]

@brancz So how about expose a metrics kube_csr_cert_length ?

[brancz]

that works 👍

[brancz]

Same as abbove

[wanghaoran1988]

Yes, we can do the "count" in PromQL

[mxinden]

I am not quite sure we are on the same page @brancz.

For the following CertificateSigningRequestStatus

CertificateSigningRequestStatus {
    []Condition {
        { approved }, { approved }, { denied }, { denied }, { denied },
    }
}

I am suggesting to expose the number of approvals and denies like:

kube_csr_condition{ condition="approved" } 2
kube_csr_condition{ conditiion="denied" } 3

Instead of what we currently do:

kube_csr_condition{ condition="approved" } 1
kube_csr_condition{ conditiion="denied" } 1

What do you think?

[wanghaoran1988]

{ approved }, { approved }, { denied }, { denied }, { denied },

@mxinden This will not happen, we can only have one for each like: { approved }, { denied }

[mxinden]

The comment here states that there can be multiple denied conditions:

// IsCertificateRequestApproved returns true if a certificate request has the
// "Approved" condition and no "Denied" conditions; false otherwise.

https://github.com/kubernetes/kubernetes/blob/master/pkg/controller/certificates/certificate_controller_utils.go#L21-L22

Is there a specification somewhere?

[wanghaoran1988]

@mxinden Did some test with running "kubectl certificate approve/deny" many time against on one csr, finally, it only have one "approve" and one "denied" condition.

[wanghaoran1988]

@mxinden @brancz Could you take another look? I had a rebase again and addressed the comments.

[tariq1890]

Suggested change

	* [CSR Metrics](csr-metrics.md)
	* [CertificateSigningRequest Metrics](certificatesigningrequest-metrics.md)

Suggesting this, as the convention seems to be the resource type name rather than resource abbreviation

[tariq1890]

This should be renamed to certificatesigningrequest.go IMO

[tariq1890]

Suggested change

	descCSRLabelsName = "kube_csr_labels"
	descCSRLabelsName = "kube_certificatesigningrequest_labels"

[tariq1890]

Suggested change

	| kube_csr_created| Gauge | `csr`=<csr-name>| STABLE |
	| kube_certificatesigningrequest_created| Gauge | `csr`=<csr-name>| STABLE |

I understand that this may be concerning given the length, but I see instances like kube_persistentvolumeclaim_resource_requests_storage_bytes

[tariq1890]

Suggested change

	"csr": func(b *Builder) *coll.Collector { return b.buildCsrCollector() },
	"certificatesigningrequests": func(b *Builder) *coll.Collector { return b.buildCsrCollector() },

[tariq1890]

@mxinden @brancz I've added my non-maintainer review comments (apologize if it's inappropriate) for ensuring nomenclature consistency.

[tariq1890]

@wanghaoran1988 make sure you run either go mod tidy or go mod vendor. That would fix one of the travic CI fails :).

[wanghaoran1988]

Sorry, I just back from paternity leave, will have an update this week.

[wanghaoran1988]

@mxinden @tariq1890 Could you take a look ? I rebased and renamed.

[tariq1890]

Suggested change

	# CSR Metrics
	# CertificateSigningRequest Metrics

[tariq1890]

@wanghaoran1988 Let's change this as well.

[tariq1890]

s/csr/certificatesigningrequest

[tariq1890]

Suggested change

	descCSRLabelsDefaultLabels = []string{"csr"}
	descCSRLabelsDefaultLabels = []string{"certificatesigningrequest"}

[wanghaoran1988]

comments addressed, @tariq1890 PTAL

[tariq1890]

This list actually follows alphabetical order. Let's continue that :)

[tariq1890]

Sorry to have missed this earlier.

[tariq1890]

Suggested change

	t.Errorf("unexpected collecting result in %vth run:\n%s", i, err)
	t.Errorf("unexpected error when collecting result in %vth run:\n%s", i, err)

[tariq1890]

@wanghaoran1988 Thanks for your patience! This should be my last round of review comments.

LGTM pending those comments and @brancz 's final word of approval.

[wanghaoran1988]

@tariq1890 comments addressed

[tariq1890]

Suggested change

	# CertificatesSigningRequest Metrics
	# CertificateSigningRequest Metrics

[tariq1890]

there is an extra s.

[wanghaoran1988]

done

[tariq1890]

can this go to the top?

[wanghaoran1988]

done

[tariq1890]

/lgtm

[tariq1890]

/assign @mxinden for final approval.

Possible to fit this into release 1.6 once merged?

[brancz]

lgtm but leaving final decision up to @mxinden whether to include in 1.6 or not

[mxinden]

Thanks for the work @wanghaoran1988!

[mxinden]

Let's include this in kube state metrics 1.6.

/lgtm

/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mxinden, tariq1890, wanghaoran1988

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS [mxinden]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[tariq1890]

Yes! Thanks once again @wanghaoran1988 :)