This commit expands the existing credential ID concept to cover X.509
certificates. We use the certificate's signature as the credential ID,
since this safe and unique.
Kubernetes-commit: 2ad2bd8907d979f709cd924af7986be71c31ce12
The `certificate_expiration_seconds` histogram measures the remaining
time of client certificates used to authenticate to the API server. It
records the lifetime of received client request certificates in buckets
of 6h, 12h, ..., 1y.
In environments with automated certificate rotation it is not uncommen
to have issued certificates expire in less than the above mentioned
minimum bucket of 6h. In such environments the above histogram is
useless given that every request will be recorded in the first bucket.
This patch increases the histogram resolution by adding a 30m, 1h and 2h
bucket. Prometheus histogram buckets are cummulative, e.g. the 12h
bucket is counting _all_ records with an expiration date lower or equal
to 12h including _all_ requests of the 6h bucket. Thereby this patch
does not break existing monitoring setups. This histogram is exposed
once per API server, thereby the 3 additional time series do not cause a
cardinality issue.
Kubernetes-commit: f90bbc3d6bfba992831eb216161990eae1098ae5
Suppress common name verify warning log and roll up into returned error
remove glog test dependency
Kubernetes-commit: bb3124c48a4d276ed280175e5825ea9db022d699
When incoming requests to the API server are authenticated by a
certificate, the expiration of the certificate can affect the validity
of the authentication. With auto rotation of certificates, which is
starting with kubelet certificates, the goal is to use shorter lifetimes
and let the kubelet renew the certificate as desired. Monitoring
certificates which are approaching expiration and not renewing would be
an early warning sign that nodes are about to stop participating in the
cluster.
Kubernetes-commit: 49a19c6011e05363a8baf8e99c917d11a9496568
modulitos
Taahir Ahmed
seantywork
Han Kang
卢振兴10069964
Jiaxin Shan
yoyinzyc
Tomas Nozicka
Alvaro Aleman
David Eads
Max Leonard Inden
Mike Danese
David McCormick
Jordan Liggitt
Jacob Simpson