Skip to content

Commit

Permalink
add sts error metric
Browse files Browse the repository at this point in the history
Signed-off-by: Jyoti Mahapatra <[email protected]>
  • Loading branch information
jyotimahapatra committed Feb 10, 2022
1 parent 057fa8f commit e6b80f7
Show file tree
Hide file tree
Showing 3 changed files with 32 additions and 5 deletions.
20 changes: 18 additions & 2 deletions pkg/metrics/metrics.go
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,7 @@ const (
var authenticatorMetrics Metrics

func InitMetrics(registerer prometheus.Registerer) {
authenticatorMetrics = CreateMetrics(registerer)
authenticatorMetrics = createMetrics(registerer)
}

func Get() Metrics {
Expand All @@ -27,10 +27,12 @@ func Get() Metrics {
// Metrics are handles to the collectors for prometheus for the various metrics we are tracking.
type Metrics struct {
ConfigMapWatchFailures prometheus.Counter
StsConnectionFailure prometheus.Counter
StsResponseError prometheus.Counter
Latency *prometheus.HistogramVec
}

func CreateMetrics(reg prometheus.Registerer) Metrics {
func createMetrics(reg prometheus.Registerer) Metrics {
factory := promauto.With(reg)

return Metrics{
Expand All @@ -41,6 +43,20 @@ func CreateMetrics(reg prometheus.Registerer) Metrics {
Help: "EKS Configmap watch failures",
},
),
StsConnectionFailure: factory.NewCounter(
prometheus.CounterOpts{
Namespace: Namespace,
Name: "sts_connection_failures",
Help: "Sts call could not succeed or timedout",
},
),
StsResponseError: factory.NewCounter(
prometheus.CounterOpts{
Namespace: Namespace,
Name: "sts_failures",
Help: "Sts response error code is not 2xx",
},
),
Latency: factory.NewHistogramVec(
prometheus.HistogramOpts{
Namespace: Namespace,
Expand Down
7 changes: 5 additions & 2 deletions pkg/token/token.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,7 @@ import (
clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
"sigs.k8s.io/aws-iam-authenticator/pkg"
"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
)

// Identity is returned on successful Verify() results. It contains a parsed
Expand Down Expand Up @@ -504,12 +505,13 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
return nil, FormatError{fmt.Sprintf("X-Amz-Date parameter is expired (%.f minute expiration) %s", presignedURLExpiration.Minutes(), dateParam)}
}

req, err := http.NewRequest("GET", parsedURL.String(), nil)
req, _ := http.NewRequest("GET", parsedURL.String(), nil)
req.Header.Set(clusterIDHeader, v.clusterID)
req.Header.Set("accept", "application/json")

response, err := v.client.Do(req)
if err != nil {
metrics.Get().StsConnectionFailure.Inc()
// special case to avoid printing the full URL if possible
if urlErr, ok := err.(*url.Error); ok {
return nil, NewSTSError(fmt.Sprintf("error during GET: %v", urlErr.Err))
Expand All @@ -524,6 +526,7 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
}

if response.StatusCode != 200 {
metrics.Get().StsResponseError.Inc()
return nil, NewSTSError(fmt.Sprintf("error from AWS (expected 200, got %d). Body: %s", response.StatusCode, string(responseBody[:])))
}

Expand Down Expand Up @@ -564,7 +567,7 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
func hasSignedClusterIDHeader(paramsLower *url.Values) bool {
signedHeaders := strings.Split(paramsLower.Get("x-amz-signedheaders"), ";")
for _, hdr := range signedHeaders {
if strings.ToLower(hdr) == strings.ToLower(clusterIDHeader) {
if strings.EqualFold(hdr, clusterIDHeader) {
return true
}
}
Expand Down
10 changes: 9 additions & 1 deletion pkg/token/token_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,16 @@ import (
"strings"
"testing"
"time"

"github.com/prometheus/client_golang/prometheus"
"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
)

func TestMain(m *testing.M) {
metrics.InitMetrics(prometheus.NewRegistry())
m.Run()
}

func validationErrorTest(t *testing.T, partition string, token string, expectedErr string) {
t.Helper()

Expand Down Expand Up @@ -152,7 +160,7 @@ func TestSTSEndpoints(t *testing.T) {
}

func TestVerifyTokenPreSTSValidations(t *testing.T) {
b := make([]byte, maxTokenLenBytes+1, maxTokenLenBytes+1)
b := make([]byte, maxTokenLenBytes+1)
s := string(b)
validationErrorTest(t, "aws", s, "token is too large")
validationErrorTest(t, "aws", "k8s-aws-v2.asdfasdfa", "token is missing expected \"k8s-aws-v1.\" prefix")
Expand Down

0 comments on commit e6b80f7

Please sign in to comment.