
Convert citadel cert expiry timestamp metrics to citadel cert expiry time left

Open wadhwakabir opened this issue 1 year ago • 4 comments

(This is used to request new product features, please visit https://github.com/istio/istio/discussions for questions on using Istio)

Describe the feature request

Currently the Istio metric citadel_server_cert_chain_expiry_timestamp reports "The unix timestamp, in seconds, when Citadel cert chain will expire. A negative time indicates the cert is expired." It is not possible in Datadog to create an alert for "cert expiration is due in x days", because to get the time left we need to subtract the current time from the metric value (not supported functionality in Datadog).

https://istio.io/latest/docs/reference/commands/pilot-discovery/#metrics

The same is the case for the citadel_server_root_cert_expiry_timestamp metric.

Describe alternatives you've considered

We can add an additional metric, citadel_server_cert_chain_expiry_time_left, that reports the time in seconds left until expiration of the certificate, alongside the current metrics.

https://github.com/istio/istio/blob/3727b5719435c0cb4146413ac02ac16f8378cd36/security/pkg/server/ca/server.go#L166

The same is the case for the citadel_server_root_cert_expiry_time_left metric.

Affected product area (please put an X in all that apply)

[ ] Ambient [ ] Docs [ ] Dual Stack [ ] Installation [ ] Networking [ ] Performance and Scalability [*] Extensions and Telemetry [ ] Security [ ] Test and Release [ ] User Experience [ ] Developer Infrastructure

Affected features (please put an X in all that apply)

[ ] Multi Cluster [ ] Virtual Machine [ ] Multi Control Plane

Additional context

wadhwakabir avatar May 14 '24 14:05 wadhwakabir

This feels reasonable to me; wdyt @jaellio @whitneygriffith?

keithmattix avatar May 14 '24 15:05 keithmattix

> This feels reasonable to me; wdyt @jaellio @whitneygriffith?

I can pick it up

whitneygriffith avatar May 14 '24 15:05 whitneygriffith

We already have one in agent so we should make sure we have a consistent name/semantics there

howardjohn avatar May 14 '24 18:05 howardjohn

> We already have one in agent so we should make sure we have a consistent name/semantics there

That is, the citadel cert time left should be consistent with the cert_expiry_seconds metric in agent

Name: citadel_server_cert_chain_expiry_seconds and citadel_server_root_cert_expiry_seconds
Type: LastValue

whitneygriffith avatar May 15 '24 17:05 whitneygriffith
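
The subtraction the issue says has to happen outside the metric, as an added example that is not part of this thread or of Istio's code: it reads the two existing timestamp metrics from Prometheus text-format scrape output and derives time-left values under the names proposed above. The sample scrape text, example_other_metric, and the function names are constructed for illustration.

```python
import time

# Timestamp metrics named in the issue, mapped to the time-left names proposed in the thread.
DERIVED = {
    "citadel_server_cert_chain_expiry_timestamp": "citadel_server_cert_chain_expiry_seconds",
    "citadel_server_root_cert_expiry_timestamp": "citadel_server_root_cert_expiry_seconds",
}

# Constructed scrape output in Prometheus text format (all values are made up).
SAMPLE = """\
# constructed sample, not real istiod output
example_other_metric{label="a b"} 3
citadel_server_cert_chain_expiry_timestamp 1.716564e+09
citadel_server_root_cert_expiry_timestamp 2.03106e+09
"""

def parse_samples(text):
    """Yield (metric_name, value) for each sample line, skipping comments and blanks."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if "{" in line:  # labelled sample: name{...} value [timestamp]
            name, rest = line[:line.index("{")], line[line.rindex("}") + 1:]
        else:            # unlabelled sample: name value [timestamp]
            name, rest = line.split(None, 1)
        yield name, float(rest.split()[0])

def seconds_left(text, now=None):
    """Map each derived metric name to (expiry timestamp - now), in seconds."""
    now = time.time() if now is None else now
    return {DERIVED[n]: v - now for n, v in parse_samples(text) if n in DERIVED}

def alerts(left, warn_days):
    """Return (name, status) for certs that are expired or expire within warn_days."""
    out = []
    for name, secs in sorted(left.items()):
        if secs <= 0:  # also covers a negative timestamp, which the metric uses for "expired"
            out.append((name, "expired"))
        elif secs < warn_days * 86400:
            out.append((name, "expiring"))
    return out

if __name__ == "__main__":
    for name, status in alerts(seconds_left(SAMPLE, now=1715700000), warn_days=30):
        print(name, status)
```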