From 40854125a5cdabe3d19a4ef77486f8eeaf0b647c Mon Sep 17 00:00:00 2001 From: John Eikenberry Date: Mon, 3 Apr 2023 20:02:08 +0000 Subject: [PATCH] CA mesh CA expiration to its own section This is part of an effort to raise awareness that you need to monitor your mesh CA if coming from an external source as you'll need to manage the rotation. --- website/content/docs/agent/telemetry.mdx | 20 ++++++++++++++++++-- 1 file changed, 18 insertions(+), 2 deletions(-) diff --git a/website/content/docs/agent/telemetry.mdx b/website/content/docs/agent/telemetry.mdx index df8fdef15d..300b6801dc 100644 --- a/website/content/docs/agent/telemetry.mdx +++ b/website/content/docs/agent/telemetry.mdx 
@@ -89,6 +89,24 @@ These are some metrics emitted that can help you understand the health of your c **What to look for:** For a healthy cluster, you're looking for a `lastContact` lower than 200ms, `leader` > 0 and `candidate` == 0. Deviations from this might indicate flapping leadership. +### Certificate Authority Expiration + +| Metric Name | Description | Unit | Type | +| :------------------------- | :---------------------------------------------------------------------------------- | :------ | :---- | +| `consul.mesh.active-root-ca.expiry` | The number of seconds until the root CA expires, updated every hour. | seconds | gauge | +| `consul.mesh.active-signing-ca.expiry` | The number of seconds until the signing CA expires, updated every hour. | seconds | gauge | + +** Why they're important:** Consul Mesh requires a CA to sign all certificates +used to connect the mesh and the mesh network ceases to work if they expire and +become invalid. The Root is particularly important to monitor as Consul does +not automatically rotate it. + +** What to look for:** The Root CA should be monitored for an approaching +expiration, to indicate it is time for you to rotate the "root" CA either manually or with external automation. +The signing (intermediate) certificate should be +rotated automatically by Consul, but should be monitored in case of rotation isn't working; +in this scenario, check the server agent logs for messages related to the CA system. + ### Autopilot | Metric Name | Description | Unit | Type | 
@@ -670,8 +688,6 @@ are allowed for . | `consul.catalog.connect.query-tag` | Increments for each connect-based catalog query for the given service with the given tag. | queries | counter | | `consul.catalog.connect.query-tags` | Increments for each connect-based catalog query for the given service with the given tags. | queries | counter | | `consul.catalog.connect.not-found` | Increments for each connect-based catalog query where the given service could not be found. | queries | counter | -| `consul.mesh.active-root-ca.expiry` | The number of seconds until the root CA expires, updated every hour. | seconds | gauge | -| `consul.mesh.active-signing-ca.expiry` | The number of seconds until the signing CA expires, updated every hour. | seconds | gauge | | `consul.agent.tls.cert.expiry` | The number of seconds until the Agent TLS certificate expires, updated every hour. | seconds | gauge | ## Connect Built-in Proxy Metrics
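Review bot: In the first hunk (the new "Certificate Authority Expiration" section) the two new labels `** Why they're important:**` and `** What to look for:**` have a space after the opening `**`, which stops Markdown from rendering them as bold; the existing label in the context line is written `**What to look for:**` with no space, so these should match. The same paragraph also reads "in case of rotation isn't working", which should be "in case rotation isn't working". Minor, but worth fixing since the point of the section is to make the monitoring guidance easy to read: the text tells operators that the root CA is not rotated automatically and must be watched for approaching expiry, while the signing (intermediate) CA should rotate on its own and is monitored to catch a stuck rotation, with the server agent logs as the place to check.

Review bot: In the second hunk the two `consul.mesh.active-root-ca.expiry` and `consul.mesh.active-signing-ca.expiry` rows are removed from the catalog metrics table, which is consistent with moving them to the new section, but `consul.agent.tls.cert.expiry` is left behind in the same table even though it is the same kind of hourly expiry gauge with the same monitoring rationale. Consider either moving that row into the new expiration section alongside the CA gauges or adding a short cross-reference from the new section, so a reader looking for certificate expiry metrics finds all three in one place.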