[7883] - Fix uncontrolled cardinality for Prometheus metrics

[mladen-rusev-cyberark]

This PR addresses issue #7883 where the ACME client's Prometheus metrics could grow with unbounded cardinality, leading to performance degradation and high memory usage in Prometheus.

Rationale

The existing instrumentation for ACME client metrics used the request's URL path as a label. A pathProcessor function attempted to normalize this by taking the first two URL segments. While this heuristic worked for ACME CAs like Let's Encrypt (e.g., /acme/orders/<id>), it failed for others like Google Public CA, whose URL structures are different (e.g., /orders/<id>).

This divergence meant that for some CAs, unique order/challenge identifiers were still included in the path label, creating a new time series for nearly every step of the certificate issuance process.

This change fixes the issue by replacing the brittle, high-cardinality path label with a new, low-cardinality action label. The action is a string representing the logical ACME operation being performed (e.g., get_challenge, authorize_order), ensuring a stable and predictable number of metric series regardless of the CA's URL structure.

Implementation Details

1. Context Propagation via Middleware: The logical ACME operation name is now added to the context.Context within the Logger middleware (pkg/acme/client/middleware/logger.go). This cleanly separates the instrumentation concern from the underlying ACME client logic.
2. Metric Instrumentation: The instrumented HTTP RoundTripper in pkg/acme/client/http.go now reads the action value from the context using the AcmeActionLabel key.
3. Label Update: If the action is present, it's used as a label. A fallback of unnamed_action is used for any requests where the context value is not set, ensuring robustness. The brittle pathProcessor function has been removed.
4. Testing: New unit tests have been added in pkg/acme/client/http_test.go to validate the new labeling scheme, including context handling, the fallback mechanism, and counter accumulation, using the prometheus/testutil package for precise validation.

---

BREAKING CHANGE

This change modifies the labels of core ACME client metrics and will require users to update their monitoring dashboards and alerting rules if using those metrics.

Output from changed metrics test pkg/acme/client/http_test.go

from github.com/prometheus/client_golang@v1.23.2/prometheus/testutil/testutil.go:303

# HELP certmanager_http_acme_client_request_count The number of requests made by the ACME client.
# TYPE certmanager_http_acme_client_request_count counter
certmanager_http_acme_client_request_count{action="get_directory",host="127.0.0.1:34759",method="GET",scheme="http",status="200"} 1

# HELP certmanager_http_acme_client_request_count The number of requests made by the ACME client.
# TYPE certmanager_http_acme_client_request_count counter
certmanager_http_acme_client_request_count{action="finalize_order",host="127.0.0.1:34091",method="POST",scheme="http",status="200"} 3

Pull Request Motivation

Kind

/kind bug

Release Note

This change removes the `path` label of core ACME client metrics and will require users to update their monitoring dashboards and alerting rules if using those metrics.

CyberArk tracker: VC-45587

[cert-manager-prow]

Hi @mladen-rusev-cyberark. Thanks for your PR.

I'm waiting for a cert-manager member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[erikgb]

/ok-to-test

[Copilot]

Pull Request Overview

This PR addresses a critical issue where ACME HTTP metrics had unbounded cardinality due to using dynamic URL paths as Prometheus labels. The fix replaces the high-cardinality path label with a bounded action label derived from logical ACME operations, significantly improving Prometheus performance and memory efficiency.

Key changes include:

• Replace path label with action label in ACME metrics to prevent cardinality explosion
• Implement context-based action propagation from ACME client methods to HTTP instrumentation
• Add comprehensive test coverage for the new metric labeling behavior

Reviewed Changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File	Description
pkg/metrics/metrics.go	Updates ACME metric definitions to use action instead of path labels and adds public accessors for testing
pkg/acme/client/middleware/logger.go	Injects bounded action names into request contexts for all ACME operations
pkg/acme/client/http_test.go	Adds comprehensive tests validating metric labeling and accumulation across different scenarios
pkg/acme/client/http.go	Modifies HTTP transport to extract action from context instead of processing URL paths

---

_{Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.}

[mladen-rusev-cyberark]

@erikgb Hi Erik, we were discussing today on how we would like this to be tested. Do you think that the added unit tests are exhaustive enough?

[wallrj-cyberark]

After digging into this, I wonder if we should just drop the path label or set its value to "deprecated". What use is it? And what use will the action label be?

Suggest writing a paragraph explaining how you expect users will make use of the new action label. Will it actually be useful to know the rate and average request duration of get_order requests?

Here's the original motivation for adding the metrics:

• https://cert-manager.io/docs/releases/release-notes/release-notes-0.6/#improved-handling-of-acme-rate-limits

And I've linked elsewhere to the original discussion about the path label when these metrics were first introduced.

[wallrj-cyberark]

I forgot to link to this which I found while reading the background to this PR.
The prometheus client_golang module has various helpers for instrumenting the http client,
including a mechanism for capturing labels from the context of the request:

• https://github.com/prometheus/client_golang/blob/main/prometheus/promhttp/option_test.go#L73-L128

I'm necessarily suggesting using that here in this PR, but perhaps in future we could adopt the promhttp helper functions in place of our own metrics round tripper.

[mladen-rusev-cyberark]

How to proceed with this PR was discussed during open source standup today. I will try to create a short summary of the discussion and PR comments as to not lose the added context and resources which @wallrj-cyberark provided.

1. The reason why the path metric was introduced in the first place was to help solve an issue where cert-manager was creating a massive amount of requests to services like Let's encrypt - link. The PR author pointed out the exact problem which this PR is aiming to fix - the path metric may capture the ID in the url. We were questioning the overall usefulness of these metrics and if they were of interest to cert-manager users.
2. We discussed options to avoid breaking changes by deprecating this metric first. In the end we decided to remove the path metric outright, document that in the release notes as a breaking change and update the help text of the metrics.
3. Richard pointed out ways users can use relabeling to solve issues with high cardinality labels here

Some things found which are out of scope:

1. We ignore the error when writing the metrics. The status code will be 999 in such cases, but unsure what the significance of 999 is.- link

	// Make the request using the wrapped RoundTripper.
	resp, err := it.wrappedRT.RoundTrip(req)
	if resp != nil {
		statusCode = resp.StatusCode
	}

2. A future consideration

The prometheus client_golang module has various helpers for instrumenting the http client,
including a mechanism for capturing labels from the context of the request:
https://github.com/prometheus/client_golang/blob/main/prometheus/promhttp/option_test.go#L73-L128
I'm not necessarily suggesting using that here in this PR, but perhaps in future we could adopt the promhttp helper functions in place of our own metrics round tripper.

[wallrj-cyberark]

Was that just a test flake. Seems suspicious that the metrics related tests should fail.

{Failed  panic: test timed out after 10m0s
	running tests:
		TestMetricsController (8m40s)

goroutine 27935 [running]:

• https://prow.infra.cert-manager.io/view/gs/cert-manager-prow-artifacts/pr-logs/pull/cert-manager_cert-manager/8109/pull-cert-manager-master-make-test/1973726499710177280

Triggering a retest anyway to see if it was a flake.

/retest

[wallrj]

/approve
/lgtm

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: wallrj, wallrj-cyberark

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [wallrj]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[wallrj-cyberark]

@mladen-rusev-cyberark We have released this. Please test and feedback: https://github.com/cert-manager/cert-manager/releases/tag/v1.19.1