Uncontrolled cardinality for Prometheus metrics certmanager_http_acme_client_request_*

[vierbergenlars]

Describe the bug:

The cardinality of the ACME client request prometheus metrics can grow unbounded.
This happens because the path metric label contains IDs for some paths, resulting in 2 new path values being used for every issued certificate.

This problem showed up in our cluster, where we manage a lot of ACME certificates using Google PKI.

The order and authorization paths are slightly different between Letsencrypt and Google PKI.

Letsencrypt Order URIs are like /acme/orders/<id>; but Google PKI Order URIs look like /orders/<id>.

The logic to transform the path simply takes the first 2 segments, which is not necessarily useful for all ACME implementations (since they can freely choose the exact URLs to use for everything but the discovery URL)

Because of how prometheus metrics work, these single-use metrics stay around until the cert-manager-controller is restarted.

The following metrics are affected:

• certmanager_http_acme_client_request_duration_seconds
• certmanager_http_acme_client_request_count
• certmanager_http_acme_client_request_duration_seconds_count
• certmanager_http_acme_client_request_duration_seconds_sum

Expected behaviour:

I would expect that only a single pathlabel is exposed for every ACME operation.

Steps to reproduce the bug:

1. Set up cert-manager
2. Configure an ACME issuer using Google PKI EAB credentials (See https://cloud.google.com/certificate-manager/docs/public-ca-tutorial)
3. Issue a certificate for a domain
4. Check the exported prometheus metrics; notice that there is a certmanager_http_acme_client_request_duration_seconds metrics where there is an ID in the path label.

Anything else we need to know?:

I am afraid that this is not really straightforward to fix at the HTTP client level, because it has no visibility into the meanings of the path. It would also be quite difficult to try to detect which path components are actually dynamic, because IDs don't have to follow a fixed structure.

I think it might be more interesting to instead instrument on the ACME client interface level, and use the logical operation as a label instead of the specific path.

Environment details:

• Kubernetes version: 1.31.7
• Cloud-provider/provisioner: Scaleway
• cert-manager version: 1.17.2
• Install method: helm

/kind bug

CyberArk tracker: VC-45083

[maelvls]

Hey. Mladen would like to take a stab at this. For context, we've briefly talked about this bug during yesterday's biweekly meeting: https://youtu.be/SKNW6MR14-4?si=PpG76Jf3aUho3gBK&t=67

[mladen-rusev-cyberark]

/assign

[wallrj-cyberark]

@vierbergenlars in #8109 we propose replacing path with action, as you suggested in the PR description:

use the logical operation as a label instead of the specific path.

But before we add yet another label, tell us whether you would find it useful. The alternative is to simply drop the path label,
or deprecate it and then drop it.

Also tell us whether you considered using relabelling to solve the issue:

• https://grafana.com/blog/2022/10/20/how-to-manage-high-cardinality-metrics-in-prometheus-and-kubernetes/
• https://last9.io/blog/optimizing-prometheus-remote-write-performance-guide/#effective-use-of-relabeling
• https://signoz.io/guides/what-are-prometheus-labels/#advanced-concepts-relabeling-in-prometheus
• https://prometheus.io/docs/prometheus/latest/configuration/configuration/#relabel_config

It seems to me that that would allow you to remove the ID from the label before it gets into your metrics database,
or just drop the path label if you don't use it.

[wallrj-cyberark]

You can see the problem with the path label by scraping the metrics when running the E2E tests using Pebble:

make e2e GINKGO_FOCUS=".*Certificates with issuer type ACME HTTP01 Issuer \(Gateway\).*"

$ POD_NAME=$(kubectl get pod -n cert-manager -l app.kubernetes.io/instance=cert-manager,app.kubernetes.io/component=controller -o jsonpath='{ .items[0].metadata.name }')
$ kubectl get --raw "/api/v1/namespaces/cert-manager/pods/${POD_NAME}:9402/proxy/metrics"  | grep certmanager_http_acme_client_request_count
# HELP certmanager_http_acme_client_request_count The number of requests made by the ACME client.
# TYPE certmanager_http_acme_client_request_count counter
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="GET",path="/dir",scheme="https",status="200"} 8
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="HEAD",path="/nonce-plz",scheme="https",status="200"} 9
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/authZ/-NiKtrgw0Dx0S8iMe18AWR2zkvLMtbrpaoMX_kSVY-8",scheme="https",status="200"} 5
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/authZ/lXerX3A2yqRi6OMT8M5QZekuKuKS20brZpUbR7oXwBk",scheme="https",status="200"} 5
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/authZ/lXerX3A2yqRi6OMT8M5QZekuKuKS20brZpUbR7oXwBk",scheme="https",status="400"} 1
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/certZ/4d84a5cc196afe75",scheme="https",status="200"} 2
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/chalZ/o25wRdBMYjrffIqKjqngH7jAD9CrsbfmsTtkzKWclrQ",scheme="https",status="200"} 1
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/chalZ/xwcTuL863Vrjw9yHfz9kNMFK2ETUq1LBcmxUGIqVFzc",scheme="https",status="200"} 1
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/finalize-order/1GpaCYT62_sK8Ij4Vsplt4QxncFTo8ptfT8NpFuCGOs",scheme="https",status="200"} 1
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/finalize-order/1GpaCYT62_sK8Ij4Vsplt4QxncFTo8ptfT8NpFuCGOs",scheme="https",status="403"} 1
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/my-order/1GpaCYT62_sK8Ij4Vsplt4QxncFTo8ptfT8NpFuCGOs",scheme="https",status="200"} 5
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/order-plz",scheme="https",status="201"} 2
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/sign-me-up",scheme="https",status="200"} 6
certmanager_http_acme_client_request_count{host="pebble.pebble.svc.cluster.local",method="POST",path="/sign-me-up",scheme="https",status="201"} 4

As discussed in the PR where the metrics were introduced: #1226 (comment)

I've noticed the pebble specifically choses to use different URLs for Order resources etc, such as: https://pebble/my-order/t83R12aRzlYePmUbt4_qCbMKZVjLb1Z2Hmoz5AYIW3o.
This means that the forced trimming of the path label to 2 segments would still include the order ID on pebble installs, and highlights that we need to handle the case where the order URL may be non-standard.
We need to extend the pathProcessor function to handle this somehow, or otherwise bite the bullet and just add this instrumentation into the actual ACME client.