diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go
index 59ba82973..6e726b231 100644
--- a/pkg/metrics/metrics.go
+++ b/pkg/metrics/metrics.go
@@ -17,7 +17,7 @@ const (
 var authenticatorMetrics Metrics
 
 func InitMetrics(registerer prometheus.Registerer) {
-	authenticatorMetrics = CreateMetrics(registerer)
+	authenticatorMetrics = createMetrics(registerer)
 }
 
 func Get() Metrics {
@@ -27,10 +27,12 @@ func Get() Metrics {
 // Metrics are handles to the collectors for prometheus for the various metrics we are tracking.
 type Metrics struct {
 	ConfigMapWatchFailures prometheus.Counter
+	StsConnectionFailure prometheus.Counter
+	StsResponseError prometheus.Counter
 	Latency *prometheus.HistogramVec
 }
 
-func CreateMetrics(reg prometheus.Registerer) Metrics {
+func createMetrics(reg prometheus.Registerer) Metrics {
 	factory := promauto.With(reg)
 
 	return Metrics{
@@ -41,6 +43,20 @@ func CreateMetrics(reg prometheus.Registerer) Metrics {
 				Help: "EKS Configmap watch failures",
 			},
 		),
+		StsConnectionFailure: factory.NewCounter(
+			prometheus.CounterOpts{
+				Namespace: Namespace,
+				Name: "sts_connection_failures",
+				Help: "Sts call could not succeed or timedout",
+			},
+		),
+		StsResponseError: factory.NewCounter(
+			prometheus.CounterOpts{
+				Namespace: Namespace,
+				Name: "sts_failures",
+				Help: "Sts response error code is not 2xx",
+			},
+		),
 		Latency: factory.NewHistogramVec(
 			prometheus.HistogramOpts{
 				Namespace: Namespace,
diff --git a/pkg/token/token.go b/pkg/token/token.go
index 6402b41ab..29ce2c055 100644
--- a/pkg/token/token.go
+++ b/pkg/token/token.go
@@ -41,6 +41,7 @@ import (
 	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"sigs.k8s.io/aws-iam-authenticator/pkg"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 )
 
 // Identity is returned on successful Verify() results. It contains a parsed
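Review bot: The help strings on the two counters added in `createMetrics` do not match what they record: `StsResponseError` says "response error code is not 2xx", but its only call site in token.go's `Verify` increments it on `response.StatusCode != 200`, and the `StsConnectionFailure` help has a typo ("timedout"). Suggest `Help: "STS GetCallerIdentity request failed or timed out"` and `Help: "STS GetCallerIdentity returned a status other than 200"`. The metric names are also inconsistent with each other and with their fields — `sts_connection_failures` next to `sts_failures` for a field named `StsResponseError` — and neither carries the `_total` suffix Prometheus convention uses for counters; `sts_connection_failures_total` and `sts_response_errors_total` would align both, and since the counters are new nothing downstream depends on the current names yet.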
@@ -504,12 +505,13 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
 		return nil, FormatError{fmt.Sprintf("X-Amz-Date parameter is expired (%.f minute expiration) %s", presignedURLExpiration.Minutes(), dateParam)}
 	}
 
-	req, err := http.NewRequest("GET", parsedURL.String(), nil)
+	req, _ := http.NewRequest("GET", parsedURL.String(), nil)
 	req.Header.Set(clusterIDHeader, v.clusterID)
 	req.Header.Set("accept", "application/json")
 
 	response, err := v.client.Do(req)
 	if err != nil {
+		metrics.Get().StsConnectionFailure.Inc()
 		// special case to avoid printing the full URL if possible
 		if urlErr, ok := err.(*url.Error); ok {
 			return nil, NewSTSError(fmt.Sprintf("error during GET: %v", urlErr.Err))
@@ -524,6 +526,7 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
 	}
 
 	if response.StatusCode != 200 {
+		metrics.Get().StsResponseError.Inc()
 		return nil, NewSTSError(fmt.Sprintf("error from AWS (expected 200, got %d). Body: %s", response.StatusCode, string(responseBody[:])))
 	}
 
@@ -564,7 +567,7 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
 func hasSignedClusterIDHeader(paramsLower *url.Values) bool {
 	signedHeaders := strings.Split(paramsLower.Get("x-amz-signedheaders"), ";")
 	for _, hdr := range signedHeaders {
-		if strings.ToLower(hdr) == strings.ToLower(clusterIDHeader) {
+		if strings.EqualFold(hdr, clusterIDHeader) {
 			return true
 		}
 	}
diff --git a/pkg/token/token_test.go b/pkg/token/token_test.go
index 69af6280f..4b72e1ee2 100644
--- a/pkg/token/token_test.go
+++ b/pkg/token/token_test.go
@@ -13,8 +13,16 @@ import (
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 )
 
+func TestMain(m *testing.M) {
+	metrics.InitMetrics(prometheus.NewRegistry())
+	m.Run()
+}
+
 func validationErrorTest(t *testing.T, partition string, token string, expectedErr string) {
 	t.Helper()
 
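Review bot: `metrics.Get().StsConnectionFailure.Inc()` in the new `if err != nil` branch (and `StsResponseError.Inc()` in the next hunk) calls through a `prometheus.Counter` that is only non-nil once `InitMetrics` has populated the package-level `authenticatorMetrics`; `Get()` presumably returns that variable, whose zero value holds nil counters, so in a binary or test that never called `InitMetrics` an STS connection failure would become a nil-interface panic inside `Verify` rather than the `STSError` callers expect — the `TestMain` added to token_test.go exists to satisfy exactly this hidden ordering requirement. Either have `Get()` lazily construct unregistered collectors when `InitMetrics` was never run, or document on `InitMetrics` and `Get` that the server must call `InitMetrics` before any `Verify`. Separately, `req, _ := http.NewRequest("GET", parsedURL.String(), nil)` now explicitly discards the constructor error; the old code never checked it either, but a nil `req` would panic on the following `req.Header.Set`, so `if err != nil { return nil, NewSTSError(fmt.Sprintf("error building STS request: %v", err)) }` is the safer form. `Verify`'s body starts and ends outside this hunk.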
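Review bot: `hasSignedClusterIDHeader` is a security-relevant check — it decides whether the cluster ID header is among the headers the STS signature covers — yet it has no doc comment; suggest `// hasSignedClusterIDHeader reports whether the presigned URL's X-Amz-SignedHeaders list names the cluster ID header, i.e. whether the STS signature binds it.` The switch to `strings.EqualFold` is the idiomatic form and equivalent to the previous lower-cased comparison for the ASCII `clusterIDHeader`, though the two differ for a few non-ASCII code points, so the constant should remain ASCII.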
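Review bot: `TestMain` discards the result of `m.Run()`; from Go 1.15 the testing package exits with that code on its own, but under an older `go` directive a failing test binary would exit 0 and CI would pass. `os.Exit(m.Run())` is the version-independent form if the module targets an older toolchain — go.mod is not visible in this diff, so treat this as a check rather than a certain defect.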
@@ -152,7 +160,7 @@ func TestSTSEndpoints(t *testing.T) {
 }
 
 func TestVerifyTokenPreSTSValidations(t *testing.T) {
-	b := make([]byte, maxTokenLenBytes+1, maxTokenLenBytes+1)
+	b := make([]byte, maxTokenLenBytes+1)
 	s := string(b)
 	validationErrorTest(t, "aws", s, "token is too large")
 	validationErrorTest(t, "aws", "k8s-aws-v2.asdfasdfa", "token is missing expected \"k8s-aws-v1.\" prefix")