Improve Authorino Metrics to Enable Filtering by AuthPolicy #1035

Open
jsmolar opened this issue Nov 20, 2024 · 3 comments

jsmolar commented Nov 20, 2024

Authorino Metrics from Prometheus look like this:

{
  "__name__": "auth_server_evaluator_total",
  "authconfig": "25333b0ef58d1faf0d2443c52ecad12b8e8ed03856457a10e5d3508420d01821",
  "endpoint": "http",
  "evaluator_name": "opa",
  "evaluator_type": "AUTHORIZATION_OPA",
  "exported_namespace": "kuadrant-system",
  "instance": "*",
  "job": "authorino-controller-metrics",
  "namespace": "kuadrant-system",
  "pod": "authorino-59fd4f8948-nxpfp",
  "prometheus": "openshift-user-workload-monitoring/user-workload",
  "service": "authorino-controller-metrics"
}

The authconfig name is a SHA hash generated from objects such as GatewayClass, Gateway, etc.

As a user of Kuadrant, I am unable to filter metrics associated with my AuthPolicy, which was not a problem in the past because the AuthConfig name was based on the name of the AuthPolicy.

However, with the current implementation, a single AuthConfig can represent a merged state of multiple AuthPolicies. This change results in the authconfig field being a SHA hash, making it impossible to filter or analyze metrics for a particular AuthPolicy.

david-martin commented Nov 20, 2024

I had a chat with @jsmolar offline about this issue.
Without understanding the implementation and what's changed here,
it looks like there's a link missing between the AuthPolicy and AuthConfig layers (or authorino-operator and authorino).
Previously, the link was in the consistent naming of the AuthPolicy and AuthConfig, which got propagated into the authconfig metric label.
In the absence of that consistent naming being available, I've seen this kind of problem solved in metrics through consistent labelling rather than consistent naming.
For example, the existence of labels (or even just 1 well known label) on the AuthPolicy being propagated into the generated AuthConfig.
The label(s) would then get added to the metrics exposed from authorino.
The onus is then on the person setting labels and using the metrics to establish the appropriate link between the AuthPolicy and AuthConfig when presenting the data.
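
The label-based link suggested in the comment above, sketched as an added example that is not part of the thread or of Authorino's code: samples keyed by the hashed `authconfig` label are re-attributed to AuthPolicies through labels assumed to be propagated onto the AuthConfig. The label keys (`authpolicy`, `authpolicy_namespace`), policy names, hashes and counter values are all constructed for illustration.

```python
from collections import defaultdict

METRIC = "auth_server_evaluator_total"

# Constructed samples shaped like the series quoted in the issue: (labels, value).
SAMPLES = [
    ({"__name__": METRIC, "authconfig": "constructed-single-hash", "evaluator_name": "opa"}, 120.0),
    ({"__name__": METRIC, "authconfig": "constructed-merged-hash", "evaluator_name": "opa"}, 30.0),
    ({"__name__": METRIC, "authconfig": "constructed-unlabelled-hash", "evaluator_name": "opa"}, 5.0),
]

# Assumption: labels set on each AuthPolicy are copied onto the generated AuthConfig.
# The label keys and policy names are hypothetical. A merged AuthConfig carries the
# labels of every AuthPolicy that contributed to it.
AUTHCONFIG_LABELS = {
    "constructed-single-hash": [{"authpolicy": "toystore-auth", "authpolicy_namespace": "shop"}],
    "constructed-merged-hash": [
        {"authpolicy": "toystore-auth", "authpolicy_namespace": "shop"},
        {"authpolicy": "gateway-default", "authpolicy_namespace": "gateways"},
    ],
}

# Fallback for an AuthConfig that carries no propagated labels.
UNKNOWN = {"authpolicy": "unknown", "authpolicy_namespace": ""}


def relabel(samples, authconfig_labels):
    """Yield one (labels, value) pair per AuthPolicy behind each sample's authconfig."""
    for labels, value in samples:
        owners = authconfig_labels.get(labels.get("authconfig")) or [UNKNOWN]
        for owner in owners:
            yield {**labels, **owner}, value


def totals_by_policy(samples, authconfig_labels, metric=METRIC):
    """Sum a counter per (namespace, AuthPolicy).

    A merged AuthConfig is counted once for every contributing policy, so the
    per-policy totals can add up to more than the raw counter total.
    """
    totals = defaultdict(float)
    for labels, value in relabel(samples, authconfig_labels):
        if labels["__name__"] == metric:
            totals[(labels["authpolicy_namespace"], labels["authpolicy"])] += value
    return dict(totals)


if __name__ == "__main__":
    for key, total in sorted(totals_by_policy(SAMPLES, AUTHCONFIG_LABELS).items()):
        print(key, total)
```

Because a merged AuthConfig is attributed to every policy that contributed to it, per-policy totals are useful for filtering but should not be summed into a global request count.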

@maleck13
Collaborator

In the context of v1 I would say this is a nice to have. @david-martin agree?

@david-martin
Member

> In the context of v1 I would say this is a nice to have

I wouldn't see this as a blocker for the current release as I'm not aware of any example dashboards or alerts relying on the previous behaviour.
