[WIP] Add metrics for OIDC #8015
Conversation
|
Skipping CI for Draft Pull Request. |
knative-prow
bot
added
the
do-not-merge/work-in-progress
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Leo6Leo The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
knative-prow
bot
added
the
size/L
pkg/broker/filter/filter_handler.go
Outdated
| if errors.Is(err, auth.ErrNoJWTTokenFound) { | ||
| _ = h.reporter.ReportUnauthenticatedRequest(&ReportArgs{ |
There was a problem hiding this comment.
How do you think the way here to distinguish these 2 different scenario? Are there any better approach you would recommend? @creydr
There was a problem hiding this comment.
I think this can work. You could also think about passing the reporter to the tokenVerifier, so this reports the metrics on each request and not only do this in the caller 🤔
|
/cc @creydr Am I on the right track? I am only doing broker filter for now, just in case my approach is wrong. |
pkg/auth/token_verifier.go
Outdated
| func NewOIDCTokenVerifier(ctx context.Context, statsReporter filter.StatsReporter) *OIDCTokenVerifier { | ||
| tokenHandler := &OIDCTokenVerifier{ | ||
| logger: logging.FromContext(ctx).With("component", "oidc-token-handler"), | ||
| restConfig: injection.GetConfig(ctx), | ||
| logger: logging.FromContext(ctx).With("component", "oidc-token-handler"), | ||
| restConfig: injection.GetConfig(ctx), | ||
| statsReporter: statsReporter, |
There was a problem hiding this comment.
Does this looks good? @creydr By passing the statsReporter to the verifier, and pass the reportArgs when verifying happens.
There was a problem hiding this comment.
Can we make this an optional argument (e.g. by using a configuration-option function as we do for example in
eventing/pkg/reconciler/testing/v1/broker.go
Lines 35 to 44 in 825202f
type BrokerOption func(*v1.Broker))? This allows us to add options, without the need to update the packages immediately which use the NewOIDCTokenVerifier.
Codecov ReportAttention: Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #8015 +/- ##
==========================================
- Coverage 67.79% 67.50% -0.29%
==========================================
Files 363 364 +1
Lines 16899 17113 +214
==========================================
+ Hits 11456 11552 +96
- Misses 4735 4841 +106
- Partials 708 720 +12 ☔ View full report in Codecov by Sentry. |
| @@ -147,11 +148,12 @@ func main() { | |||
| } | |||
|
|
|||
| reporter := filter.NewStatsReporter(env.ContainerName, kmeta.ChildName(env.PodName, uuid.New().String())) | |||
| authReporter := filter.NewAuthStatsReporterAdapter(reporter) | |||
There was a problem hiding this comment.
Creating an interface to avoid import cycle.
Before this, it is stuck with a import cycle between auth and filter packages. The auth code needs filter's stats reporting, but filter is already using auth stuff. To fix this I created a simple interface in auth that just covers the stats we need. Then making an adapter in filter to bridge the gap. Is this a good approach to solve this problem?
There was a problem hiding this comment.
As this is not only relevant to broker-filters anymore, should we move this StatsReporter to a dedicated package and make it more generic? E.g. pkg/metrics?
(This could also help to remove the import cycle.)
Then you could also change the ReportArgs to an interface (which has the method generateTag()) to have component specific args. E.g. from a Trigger (which would to the same as the current reporter.generateTag(), or then for a Channel, etc.
There was a problem hiding this comment.
So for example:
type ReportArgs interface { //TODO: find a better name
generateTag(tags ...tag.Mutator) (context.Context, error)
}
and then for example for the broker/trigger:
type BrokerArgs struct {
ns string
trigger string
broker string
filterType string
requestType string
requestScheme string
}
func (args *BrokerArgs) generateTag(tags ...tag.Mutator) (context.Context, error) {
ctx := metricskey.WithResource(emptyContext, resource.Resource{
Type: eventingmetrics.ResourceTypeKnativeTrigger,
Labels: map[string]string{
eventingmetrics.LabelNamespaceName: args.ns,
eventingmetrics.LabelBrokerName: args.broker,
eventingmetrics.LabelTriggerName: args.trigger,
},
})
// Note that filterType and filterSource can be empty strings, so they need a special treatment.
ctx, err := tag.New(
ctx,
append(tags,
tag.Insert(triggerFilterTypeKey, valueOrAny(args.filterType)),
tag.Insert(triggerFilterRequestTypeKey, args.requestType),
tag.Insert(triggerFilterRequestSchemeKey, args.requestScheme),
)...)
return ctx, err
}
And then we call this e.g. in ReportEventCount():
func (r *reporter) ReportEventCount(args ReportArgs, responseCode int) error {
ctx, err := args.generateTag(
tag.Insert(responseCodeKey, strconv.Itoa(responseCode)),
tag.Insert(responseCodeClassKey, metrics.ResponseCodeClass(responseCode)))
if err != nil {
return err
}
metrics.Record(ctx, eventCountM.M(1))
return nil
}
and use it
reportArgs := &BrokerArgs{
Ns: broker.Namespace,
Broker: broker.Name,
RequestType: "broker_ingress",
}
err = h.tokenVerifier.VerifyJWTFromRequest(ctx, request, broker.Status.Address.Audience, writer, reportArgs)
knative-prow-robot
added
the
needs-rebase
|
PR needs rebase. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
Fixes #7877
Proposed Changes
Pre-review Checklist
Release Note
Docs