add sts error metric

pkg/metrics/metrics.go

@@ -17,7 +17,7 @@ const (
 var authenticatorMetrics Metrics
 
 func InitMetrics(registerer prometheus.Registerer) {
-	authenticatorMetrics = CreateMetrics(registerer)
+	authenticatorMetrics = createMetrics(registerer)
 }
 
 func Get() Metrics {
@@ -29,9 +29,11 @@ type Metrics struct {
 	ConfigMapWatchFailures       prometheus.Counter
 	Latency                      *prometheus.HistogramVec
 	EC2DescribeInstanceCallCount prometheus.Counter
+	StsConnectionFailure         prometheus.Counter
+	StsResponses                 *prometheus.CounterVec
 }
 
-func CreateMetrics(reg prometheus.Registerer) Metrics {
+func createMetrics(reg prometheus.Registerer) Metrics {
 	factory := promauto.With(reg)
 
 	return Metrics{
@@ -42,6 +44,20 @@ func CreateMetrics(reg prometheus.Registerer) Metrics {
 				Help:      "EKS Configmap watch failures",
 			},
 		),
+		StsConnectionFailure: factory.NewCounter(
+			prometheus.CounterOpts{
+				Namespace: Namespace,
+				Name:      "sts_connection_failures_total",
+				Help:      "Sts call could not succeed or timedout",
+			},
+		),
+		StsResponses: factory.NewCounterVec(
+			prometheus.CounterOpts{
+				Namespace: Namespace,
+				Name:      "sts_responses_total",
+				Help:      "Sts responses with error code label",
+			}, []string{"ResponseCode"},
+		),
 		Latency: factory.NewHistogramVec(
 			prometheus.HistogramOpts{
 				Namespace: Namespace,

pkg/token/token.go

@@ -41,6 +41,7 @@ import (
 	clientauthv1beta1 "k8s.io/client-go/pkg/apis/clientauthentication/v1beta1"
 	"sigs.k8s.io/aws-iam-authenticator/pkg"
 	"sigs.k8s.io/aws-iam-authenticator/pkg/arn"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 )
 
 // Identity is returned on successful Verify() results. It contains a parsed
@@ -510,6 +511,7 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
 
 	response, err := v.client.Do(req)
 	if err != nil {
+		metrics.Get().StsConnectionFailure.Inc()
 		// special case to avoid printing the full URL if possible
 		if urlErr, ok := err.(*url.Error); ok {
 			return nil, NewSTSError(fmt.Sprintf("error during GET: %v", urlErr.Err))
@@ -523,6 +525,7 @@ func (v tokenVerifier) Verify(token string) (*Identity, error) {
 		return nil, NewSTSError(fmt.Sprintf("error reading HTTP result: %v", err))
 	}
 
+	metrics.Get().StsResponses.WithLabelValues(fmt.Sprint(response.StatusCode)).Inc()
 	if response.StatusCode != 200 {
 		return nil, NewSTSError(fmt.Sprintf("error from AWS (expected 200, got %d). Body: %s", response.StatusCode, string(responseBody[:])))
 	}

pkg/token/token_test.go

@@ -13,8 +13,16 @@ import (
 	"strings"
 	"testing"
 	"time"
+
+	"github.com/prometheus/client_golang/prometheus"
+	"sigs.k8s.io/aws-iam-authenticator/pkg/metrics"
 )
 
+func TestMain(m *testing.M) {
+	metrics.InitMetrics(prometheus.NewRegistry())
+	m.Run()
+}
+
 func validationErrorTest(t *testing.T, partition string, token string, expectedErr string) {
 	t.Helper()