Monitor resources using Cloud Monitoring
Cloud Monitoring can be used to monitor operations performed on resources in Certificate Authority Service.
Before you begin
If you haven't already done so, set up a Google Cloud project that has the Certificate Authority Service API enabled. For information, see Prepare your environment.
View metrics in Cloud Monitoring
Console
To view the metrics for a monitored resource by using the Metrics Explorer, do the following:
- In the Google Cloud console, go to the Metrics explorer page. If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- In the Metric element, expand the Select a metric menu, enter Certificate Authority in the filter bar, and then use the submenus to select a specific resource type and metric:
  - In the Active resources menu, select Certificate Authority.
  - To select a metric, use the Active metric categories and Active metrics menus. For a list of metrics, see privateca metrics.
  - Click Apply.
- To remove time series from the display, use the Filter element.
- To combine time series, use the menus on the Aggregation element. For example, to display the CPU utilization for your VMs, based on their zone, set the first menu to Mean and the second menu to zone. All time series are displayed when the first menu of the Aggregation element is set to Unaggregated. The default settings for the Aggregation element are determined by the metric type you selected.
- For quota and other metrics that report one sample per day, do the following:
  - In the Display pane, set the Widget type to Stacked bar chart.
  - Set the time period to at least one week.
CA Service metrics
The list of metrics can be viewed in Cloud Monitoring documentation.
The monitored resource documentation can be viewed in Monitored resources.
Enabling Recommended Alerts
Use the following instructions to enable recommended alerts.
Console
- Go to the CA Service Overview page in the Google Cloud console.
- On the top right of the Overview page, click + 5 Recommended Alerts.
- Enable or disable each alert, reading its description.
  - Some alerts support custom thresholds. For example, you can specify when you want to be alerted for an expiring CA certificate, or the error rate for a high rate of certificate creation failures.
  - All alerts support notification channels.
- Click Submit once you have enabled all selected alerts.
Create an alerting policy
Console
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.
- In the Google Cloud console, go to the Alerting page. If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
- From the Alerting page, select Create policy.
- To select the metric, expand the Select a metric menu and then do the following:
  - To limit the menu to relevant entries, enter Certificate Authority into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
  - For the Resource type, select Certificate Authority.
  - For the Metric category, select Ca.
  - For the Metric, select a metric from the list of privateca metrics.
  - Select Apply.
- Click Next.
- The settings in the Configure alert trigger page determine when the alert is triggered. Select a condition type and, if necessary, specify a threshold. For more information, see Create metric-threshold alerting policies.
- Click Next.
- Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
- Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Alert name and enter a name for the alerting policy.
- Click Create Policy.
Create Pub/Sub notification channel
A notification channel that publishes events to Pub/Sub can be set up by following these instructions.
Sample alert policies
You can use the following sample alert policies for common CA Service monitoring use cases.
To learn more about alert policies, see the documentation.
CA expiring in 30 days
This alert policy notifies you 30 days before a managed CA expires. This policy creates alert notifications for all managed CAs across all projects whose metrics are visible to the Google Cloud project selected in the Google Cloud console project picker. For information about metric visibility, see Understanding metrics scope.
Console
You can create alerting policies to monitor the values of metrics and to notify you when those metrics violate a condition.
- In the Google Cloud console, go to the Alerting page. If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- If you haven't created your notification channels and if you want to be notified, then click Edit Notification Channels and add your notification channels. Return to the Alerting page after you add your channels.
- From the Alerting page, select Create policy.
- To select the metric, expand the Select a metric menu and then do the following:
  - To limit the menu to relevant entries, enter Certificate Authority into the filter bar. If there are no results after you filter the menu, then disable the Show only active resources & metrics toggle.
  - For the Resource type, select Certificate Authority.
  - For the Metric category, select Ca.
  - For the Metric, select ca/cert_expiration.
  - Select Apply.
- Click Next.
- The settings in the Configure alert trigger page determine when the alert is triggered. Complete this page with the following settings (field: value):
  - Condition type: Threshold
  - Alert trigger: Any time series violates
  - Threshold position: Below threshold
  - Threshold value: 2592000000 ms
  - Advanced Options, Retest window: No retest
- Click Next.
- Optional: To add notifications to your alerting policy, click Notification channels. In the dialog, select one or more notification channels from the menu, and then click OK.
- Optional: Update the Incident autoclose duration. This field determines when Monitoring closes incidents in the absence of metric data.
- Optional: Click Documentation, and then add any information that you want included in a notification message.
- Click Alert name and enter a name for the alerting policy.
- Click Create Policy.
gcloud
Paste the following policy into a file named ca-expiration-policy.yaml:
combiner: OR
conditions:
- conditionThreshold:
    aggregations:
    - alignmentPeriod: 60s
      perSeriesAligner: ALIGN_MEAN
    comparison: COMPARISON_LT
    duration: 0s
    filter: metric.type="privateca.googleapis.com/ca/cert_expiration" resource.type="privateca.googleapis.com/CertificateAuthority"
    thresholdValue: 2592000.0
    trigger:
      count: 1
  displayName: CA certificate expiration
displayName: CA expiring in 30 days
enabled: true
Create the alert policy with the following command:
gcloud alpha monitoring policies create --policy-from-file ca-expiration-policy.yaml
After creating the alert policy, follow Managing notification channels to create or update existing notification channels, if required. To add a notification channel to an existing alert policy, follow Updating notification channels in a policy.
High rate of certificate creation failures
This alert policy notifies you when the ratio of certificate creation failures, due to either CA policy or validation failure, exceeds a threshold of 0.2. This policy creates alert notifications for all managed CAs across all projects whose metrics are visible to the Google Cloud project selected in the Google Cloud console project picker. For information about metric visibility, see Understanding metrics scope.
gcloud
Paste the following policy into a file named cert-create-failure.yaml:
displayName: High rate of certificate creation failures
enabled: true
combiner: OR
conditions:
- conditionThreshold:
    filter: metric.type="privateca.googleapis.com/ca/cert/create_failure_count" resource.type="privateca.googleapis.com/CertificateAuthority"
    aggregations:
    - alignmentPeriod: 300s
      crossSeriesReducer: REDUCE_SUM
      groupByFields:
      - resource.label.resource_container
      - resource.label.location
      - resource.label.certificate_authority_id
      perSeriesAligner: ALIGN_DELTA
    denominatorFilter: metric.type="privateca.googleapis.com/ca/cert/create_request_count" resource.type="privateca.googleapis.com/CertificateAuthority"
    denominatorAggregations:
    - alignmentPeriod: 300s
      perSeriesAligner: ALIGN_DELTA
    comparison: COMPARISON_GT
    duration: 0s
    thresholdValue: 0.2
    trigger:
      count: 1
  displayName: 'Ratio: Certificate creation CA policy error count / Total certificate creation request count'
Create the alert policy with the following command:
gcloud alpha monitoring policies create --policy-from-file cert-create-failure.yaml
After creating the alert policy, follow Managing notification channels to create or update existing notification channels, if required. To add a notification channel to an existing alert policy, follow Updating notification channels in a policy.
What this policy does
This policy computes the ratio of failures to total requests. The policy triggers an alert notification if the ratio exceeds 20% (that is, the ratio is greater than 0.2) over the 5-minute alignment period.
The filter in the condition selects the number of certificate creation failures, which is the numerator in the ratio. The numerator aggregates by project, location, and CA resource ID, since this metric has additional labels. The denominator filter in the condition selects the number of certificate creation requests.
Once the threshold is reached, the policy triggers the alert notification immediately, since the permitted duration for the condition is 0 seconds. This policy uses a trigger count of 1, which is the number of time series that needs to violate the condition to trigger the alert notification.
Monitoring gauge metrics
Gauge metrics measure a value at a specific instant in time. For example, privateca.googleapis.com/ca/resource_state or privateca.googleapis.com/kms/key_issue are gauge metrics. These metrics use a boolean value, while using labels to provide additional information. For example, privateca.googleapis.com/ca/resource_state uses a boolean for whether the CA state is enabled, but uses a label, state, for the actual resource state.
When monitoring gauge metrics that use boolean values, we recommend that you use the COUNT aggregator to build alert thresholds. The SUM aggregator only sums the boolean values, whereas the COUNT aggregator sums the number of time series. For example, if you want to determine the number of CAs that are in the DISABLED state, you should create a filter for state=DISABLED. Use the COUNT aggregator to determine the number of CAs that match this condition.
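As an added example that is not part of this documentation page, the following gcloud alerting policy applies the recommendation above: it filters the ca/resource_state time series to state=DISABLED and uses REDUCE_COUNT, so the condition counts the matching CAs instead of summing their boolean values (a disabled CA reports false for "enabled", so REDUCE_SUM over these series would stay at 0 and never fire). The label filter syntax metric.label.state, the ALIGN_NEXT_OLDER aligner (chosen because the metric value is boolean), the 60s alignment period, the grouping by resource_container and the threshold of 0 are assumptions for illustration, not values taken from the page; adjust them for your environment.

```yaml
# Added example policy (not from the CA Service documentation): notify when
# at least one CA in scope is in the DISABLED state.
displayName: One or more CAs are disabled
enabled: true
combiner: OR
conditions:
- conditionThreshold:
    # Assumed filter syntax for the metric label the page calls "state".
    filter: metric.type="privateca.googleapis.com/ca/resource_state" resource.type="privateca.googleapis.com/CertificateAuthority" metric.label.state="DISABLED"
    aggregations:
    - alignmentPeriod: 60s
      # ALIGN_NEXT_OLDER keeps the latest boolean sample per series (assumed
      # choice; the value type is boolean, so a numeric aligner is not used).
      perSeriesAligner: ALIGN_NEXT_OLDER
      # REDUCE_COUNT counts time series, which is what the page recommends;
      # REDUCE_SUM would add up boolean values that are all false here.
      crossSeriesReducer: REDUCE_COUNT
      groupByFields:
      - resource.label.resource_container
    comparison: COMPARISON_GT
    duration: 0s
    # Assumed threshold: any count above 0 means at least one disabled CA.
    thresholdValue: 0
    trigger:
      count: 1
  displayName: Count of CAs in state DISABLED
```

Save it as, for example, ca-disabled-policy.yaml and create it the same way as the page's other policies: gcloud alpha monitoring policies create --policy-from-file ca-disabled-policy.yaml. To count a different state, change only the metric.label.state value in the filter; the COUNT-based condition stays the same.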
Cloud Monitoring cost
There is no cost for monitoring CA Service.