Merge pull request #10 from patoarvizu/add_metrics

Enable metrics endpoint
patoarvizu · Feb 13, 2020 · 960c658 · 960c658
2 parents 28efa70 + bb25a4d
commit 960c658
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 4 deletions.
diff --git a/README.md b/README.md
@@ -11,6 +11,7 @@
         - [Webhook command-line flags](#webhook-command-line-flags)
         - [ConfigMap](#configmap)
         - [Init containers](#init-containers)
+        - [Metrics](#metrics)
     - [For security nerds](#for-security-nerds)
         - [Docker images are signed and published to Docker Hub's Notary server](#docker-images-are-signed-and-published-to-docker-hubs-notary-server)
         - [Docker images are labeled with Git and GPG metadata](#docker-images-are-labeled-with-git-and-gpg-metadata)
@@ -106,6 +107,7 @@ Flag | Description | Default
 `-memory-request` | The amount of memory units to request for the Vault agent sidecar") | `128Mi`
 `-memory-limit` | The amount of memory units to limit to on the Vault agent sidecar") | `256Mi`
 `-listen-addr` | The address to start the server | `:4443`
+`-metrics-addr` | The address where the Prometheus-style metrics are published | `:8081`
 
 ### ConfigMap
 
@@ -125,6 +127,10 @@ To do this, annotate your workload with `vault.patoarvizu.dev/agent-auto-inject:
 
 Usually, a given config file will only be suitable for either long-lived sidecars or short-lived init containers. If the default config map (`vault-agent-config` by default, or the overwrite if `-default-config-map-name` was provided) is not suitable for a specific application, it can be overwritten with the `vault.patoarvizu.dev/agent-config-map` annotation. If set, the value should be the name of a `ConfigMap` in the same namespace that that the webhook should use to inject, instead of the default one.
 
+### Metrics
+
+The webhook will also expose Prometheus-style metrics on port HTTP/8081 (unless overwritten with `-metrics-addr`), ready to be scraped. The metrics are provided by the underlying [slok/kubewebhook](https://github.com/slok/kubewebhook) framework and include `admission_reviews_total`, `admission_review_errors_total`, and `admission_review_duration_seconds`.
+
 ## For security nerds
 
 ### Docker images are signed and published to Docker Hub's Notary server

diff --git a/cmd/webhook.go b/cmd/webhook.go
@@ -13,6 +13,10 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"github.com/prometheus/client_golang/prometheus/promhttp"
+	"github.com/slok/kubewebhook/pkg/observability/metrics"
 )
 
 const (
@@ -28,6 +32,7 @@ type webhookCfg struct {
 	certFile             string
 	keyFile              string
 	addr                 string
+	metricsAddr          string
 	annotationPrefix     string
 	targetVaultAddress   string
 	kubernetesAuthPath   string
@@ -255,6 +260,7 @@ func main() {
 	fl.StringVar(&cfg.memoryRequest, "memory-request", "128Mi", "The amount of memory units to request for the Vault agent sidecar")
 	fl.StringVar(&cfg.memoryLimit, "memory-limit", "256Mi", "The amount of memory units to limit to on the Vault agent sidecar")
 	fl.StringVar(&cfg.addr, "listen-addr", ":4443", "The address to start the server")
+	fl.StringVar(&cfg.metricsAddr, "metrics-addr", ":8081", "The address where the Prometheus-style metrics are published")
 
 	fl.Parse(os.Args[1:])
 
@@ -264,7 +270,9 @@ func main() {
 		Name: "vaultSidecarInjector",
 		Obj:  &corev1.Pod{},
 	}
-	wh, err := mutatingwh.NewWebhook(mcfg, pm, nil, nil, logger)
+	reg := prometheus.NewRegistry()
+	metricsRec := metrics.NewPrometheus(reg)
+	wh, err := mutatingwh.NewWebhook(mcfg, pm, nil, metricsRec, logger)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "error creating webhook: %s", err)
 		os.Exit(1)
@@ -274,9 +282,21 @@ func main() {
 		fmt.Fprintf(os.Stderr, "error creating webhook handler: %s", err)
 		os.Exit(1)
 	}
-	err = http.ListenAndServeTLS(cfg.addr, cfg.certFile, cfg.keyFile, whHandler)
-	if err != nil {
-		fmt.Fprintf(os.Stderr, "error serving webhook: %s", err)
+	webhookError := make(chan error)
+	go func() {
+		webhookError <- http.ListenAndServeTLS(cfg.addr, cfg.certFile, cfg.keyFile, whHandler)
+	}()
+	metricsError := make(chan error)
+	promHandler := promhttp.HandlerFor(reg, promhttp.HandlerOpts{})
+	go func() {
+		metricsError <- http.ListenAndServe(cfg.metricsAddr, promHandler)
+	}()
+	if <-webhookError != nil {
+		fmt.Fprintf(os.Stderr, "error serving webhook: %s", <-webhookError)
+		os.Exit(1)
+	}
+	if <-metricsError != nil {
+		fmt.Fprintf(os.Stderr, "error serving metrics: %s", <-metricsError)
 		os.Exit(1)
 	}
 }
diff --git a/go.mod b/go.mod
@@ -3,6 +3,7 @@ module github.com/patoarvizu/vault-agent-auto-inject-webhook
 go 1.12
 
 require (
+	github.com/prometheus/client_golang v0.9.2
 	github.com/slok/kubewebhook v0.3.0
 	k8s.io/api v0.0.0-20191206001707-7edad22604e1
 	k8s.io/apimachinery v0.0.0-20191203211716-adc6f4cd9e7d