diff --git a/cmd/prober/prober.go b/cmd/prober/prober.go index 07ce49e1b..ee6ab6511 100644 --- a/cmd/prober/prober.go +++ b/cmd/prober/prober.go @@ -20,6 +20,7 @@ import ( "crypto/ecdsa" "crypto/elliptic" "crypto/rand" + "crypto/tls" "encoding/json" "flag" "log" @@ -32,7 +33,7 @@ import ( "github.com/prometheus/client_golang/prometheus/promhttp" fulciopb "github.com/sigstore/fulcio/pkg/generated/protobuf" "google.golang.org/grpc" - "google.golang.org/grpc/credentials/insecure" + "google.golang.org/grpc/credentials" "sigs.k8s.io/release-utils/version" "github.com/sigstore/cosign/v2/cmd/cosign/cli/options" @@ -118,7 +119,7 @@ func init() { flag.StringVar(&rekorURL, "rekor-url", "https://rekor.sigstore.dev", "Set to the Rekor URL to run probers against") flag.StringVar(&fulcioURL, "fulcio-url", "https://fulcio.sigstore.dev", "Set to the Fulcio URL to run probers against") - flag.StringVar(&fulcioGrpcURL, "fulcio-grpc-url", "grpc://fulcio.sigstore.dev", "Set to the Fulcio GRPC URL to run probers against") + flag.StringVar(&fulcioGrpcURL, "fulcio-grpc-url", "fulcio.sigstore.dev", "Set to the Fulcio GRPC URL to run probers against") flag.BoolVar(&oneTime, "one-time", false, "Whether to run only one time and exit.") flag.BoolVar(&runWriteProber, "write-prober", false, " [Kubernetes only] run the probers for the write endpoints.") @@ -193,7 +194,7 @@ func main() { func NewFulcioClient() (fulciopb.CAClient, error) { opts := []grpc.DialOption{grpc.WithUserAgent(options.UserAgent())} - transportCreds := insecure.NewCredentials() + transportCreds := credentials.NewTLS(&tls.Config{MinVersion: tls.VersionTLS12}) opts = append(opts, grpc.WithTransportCredentials(transportCreds)) conn, err := grpc.NewClient(fulcioGrpcURL, opts...) if err != nil { @@ -219,12 +220,12 @@ func runProbers(ctx context.Context, freq int, runOnce bool, fulcioGrpcClient fu } } - Logger.Infoln("Getting Bundle via grpc:", fulcioGrpcURL) - if resp, err := fulcioGrpcClient.GetTrustBundle(ctx, &fulciopb.GetTrustBundleRequest{}); err != nil { - hasErr = true - Logger.Errorf("error running request GetTrustBundle via gRPC: %v", err) - } else { - Logger.Infoln("Worked fine: %s", resp) + // Performing requests against Fulcio gRPC API + for _, method := range fulciopb.CA_ServiceDesc.Methods { + if err := observeGrcpRequest(ctx, method, fulcioGrpcClient); err != nil { + hasErr = true + Logger.Errorf("error running request %s: %v", method.MethodName, err) + } } if runWriteProber { @@ -284,6 +285,27 @@ func observeRequest(host string, r ReadProberCheck) error { return nil } +func observeGrcpRequest(ctx context.Context, method grpc.MethodDesc, fulcioGrpcClient fulciopb.CAClient) error { + s := time.Now() + + var err error + switch method.MethodName { + case "GetTrustBundle": + _, err = fulcioGrpcClient.GetTrustBundle(ctx, &fulciopb.GetTrustBundleRequest{}) + case "GetConfiguration": + _, err = fulcioGrpcClient.GetConfiguration(ctx, &fulciopb.GetConfigurationRequest{}) + default: + Logger.Warn("Unimplemented:", method.MethodName) + return nil + } + latency := time.Since(s).Milliseconds() + if err != nil { + return err + } + exportGrpcDataToPrometheus(fulcioGrpcURL, method.MethodName, latency) + return nil +} + func httpRequest(host string, r ReadProberCheck) (*retryablehttp.Request, error) { req, err := retryablehttp.NewRequest(r.Method, host+r.Endpoint, bytes.NewBuffer([]byte(r.Body))) if err != nil { diff --git a/cmd/prober/prometheus.go b/cmd/prober/prometheus.go index 891493d06..f5619cd78 100644 --- a/cmd/prober/prometheus.go +++ b/cmd/prober/prometheus.go @@ -49,6 +49,22 @@ var ( }, []string{endpointLabel, hostLabel, statusCodeLabel, methodLabel}) + grpcMethodLatenciesSummary = prometheus.NewSummaryVec( + prometheus.SummaryOpts{ + Name: "api_endpoint_latency", + Help: "API endpoint latency distributions (milliseconds).", + Objectives: map[float64]float64{0.5: 0.05, 0.9: 0.01, 0.99: 0.001, .999: 0.0001}, + }, + []string{hostLabel, methodLabel}, + ) + + grpcMethodLatenciesHistogram = prometheus.NewHistogramVec(prometheus.HistogramOpts{ + Name: "api_endpoint_latency_histogram", + Help: "API endpoint latency distribution across Rekor and Fulcio (milliseconds)", + Buckets: []float64{0.0, 200.0, 400.0, 600.0, 800.0, 1000.0}, + }, + []string{hostLabel, methodLabel}) + verificationCounter = prometheus.NewCounterVec( prometheus.CounterOpts{ Name: "verification", @@ -72,6 +88,16 @@ func exportDataToPrometheus(resp *http.Response, host, endpoint, method string, Logger.With(zap.Int("status", statusCode), zap.Int("bytes", int(resp.ContentLength)), zap.Duration("latency", time.Duration(latency)*time.Millisecond)).Infof("[DEBUG] %v %v", method, host+endpoint) } +func exportGrpcDataToPrometheus(host string, method string, latency int64) { + labels := prometheus.Labels{ + hostLabel: host, + methodLabel: method, + } + grpcMethodLatenciesSummary.With(labels).Observe(float64(latency)) + grpcMethodLatenciesHistogram.With(labels).Observe(float64(latency)) + Logger.With(zap.Duration("latency", time.Duration(latency)*time.Millisecond)).Infof("[DEBUG] %v %v", method, host) +} + // NewVersionCollector returns a collector that exports metrics about current version // information. func NewVersionCollector(program string) prometheus.Collector {