highlight the agent.tls cert metric with CA ones

Include server agent certificate with list of cert metrics that need monitoring.
John Eikenberry 2023-04-07 20:41:14 +00:00 committed by GitHub
parent 97173725b7
commit eccd2f9871
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 10 additions and 8 deletions


@ -93,19 +93,22 @@ These are some metrics emitted that can help you understand the health of your c
| Metric Name | Description | Unit | Type | | Metric Name | Description | Unit | Type |
| :------------------------- | :---------------------------------------------------------------------------------- | :------ | :---- | | :------------------------- | :---------------------------------------------------------------------------------- | :------ | :---- |
| `consul.mesh.active-root-ca.expiry` | The number of seconds until the root CA expires, updated every hour. | seconds | gauge | | `consul.mesh.active-root-ca.expiry` | The number of seconds until the root CA expires, updated every hour. | seconds | gauge |
| `consul.mesh.active-signing-ca.expiry` | The number of seconds until the signing CA expires, updated every hour. | seconds | gauge | | `consul.mesh.active-signing-ca.expiry` | The number of seconds until the signing CA expires, updated every hour. | seconds | gauge |
| `consul.agent.tls.cert.expiry` | The number of seconds until the server agent's TLS certificate expires, updated every hour. | seconds | gauge |
** Why they're important:** Consul Mesh requires a CA to sign all certificates ** Why they're important:** Consul Mesh requires a CA to sign all certificates
used to connect the mesh and the mesh network ceases to work if they expire and used to connect the mesh and the mesh network ceases to work if they expire and
become invalid. The Root is particularly important to monitor as Consul does become invalid. The Root is particularly important to monitor as Consul does
not automatically rotate it. not automatically rotate it. The TLS certificate metric monitors the certificate
that the server's agent uses to connect with the other agents in the cluster.
** What to look for:** The Root CA should be monitored for an approaching ** What to look for:** The Root CA should be monitored for an approaching
expiration, to indicate it is time for you to rotate the "root" CA either manually or with external automation. expiration, to indicate it is time for you to rotate the "root" CA either
The signing (intermediate) certificate should be manually or with external automation. Consul should rotate the signing (intermediate) certificate
rotated automatically by Consul, but should be monitored in case of rotation isn't working; automatically, but we recommend monitoring the rotation. When the certificate does not rotate, check the server agent logs for
in this scenario, check the server agent logs for messages related to the CA system. messages related to the CA system. The agent TLS certificate's rotation handling
varies based on the configuration.
### Autopilot ### Autopilot
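Review bot: The last sentence added to the "What to look for" paragraph, "The agent TLS certificate's rotation handling varies based on the configuration", gives the operator nothing to act on, unlike the root and signing CA guidance just before it. Please say which configurations rotate the agent certificate automatically and which need manual renewal, or link to the page that does, and state what to do when `consul.agent.tls.cert.expiry` approaches zero. The wording is also inconsistent: the new table row says "the server agent's TLS certificate" while the "Why they're important" paragraph says "the server's agent"; pick one form and use it in both places.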
@ -688,7 +691,6 @@ are allowed for <EnterpriseAlert inline />.
| `consul.catalog.connect.query-tag` | Increments for each connect-based catalog query for the given service with the given tag. | queries | counter | | `consul.catalog.connect.query-tag` | Increments for each connect-based catalog query for the given service with the given tag. | queries | counter |
| `consul.catalog.connect.query-tags` | Increments for each connect-based catalog query for the given service with the given tags. | queries | counter | | `consul.catalog.connect.query-tags` | Increments for each connect-based catalog query for the given service with the given tags. | queries | counter |
| `consul.catalog.connect.not-found` | Increments for each connect-based catalog query where the given service could not be found. | queries | counter | | `consul.catalog.connect.not-found` | Increments for each connect-based catalog query where the given service could not be found. | queries | counter |
| `consul.agent.tls.cert.expiry` | The number of seconds until the Agent TLS certificate expires, updated every hour. | seconds | gauge |
## Connect Built-in Proxy Metrics ## Connect Built-in Proxy Metrics
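Review bot: The `consul.agent.tls.cert.expiry` row removed here is not moved verbatim: this description reads "the Agent TLS certificate", while the row added in the first hunk reads "the server agent's TLS certificate". That narrows the documented scope from any agent to server agents, and nothing in the diff shows whether the metric is only emitted on servers. If client agents emit it too, keep the original "Agent" wording in the new row; if it is server-only, say so in the commit message so that the description change is intentional and reviewable.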