Identity Platform Login UI Observability Reference

The Identity Platform Login UI Operator of the IAM Platform provides integrations to the Canonical Observability Stack.

In this reference we will provide a technical description of the alert rules, and the dashboards the Identity Platform Login UI operator passes to the components of the COS. We will also showcase the Metrics we use to provide observability features.

See more: Charmhub | Identity Platform Login Ui Operator > Integrations > metrics-endpoint, grafana-dashboard

Metrics

up

Description

When this counter equals one, that means the instance the metric was scraped from is available to the Prometheus deployment. If the counter equals zero, or the metric is not present, then the application is inaccessible to the Prometheus deployment.

Source Component

Prometheus

Intended use

This metric signals whether a unit is unavailable. By specifying the label juju_unit this metric tells you whether the unit is available to the Prometheus component or not. Example: up{juju_unit="identity-platform-login-ui-operator/0"}

Observed by

  • Alert Rules: Rules in group LoginUIUnavailable
  • Dashboard: Login UI Unit Availability

severity

Description

All Identity Platform Login UI logs have a severity level to indicate the seriousness of an event. Identity Platform Login UI logs (and json formatted logs in general) can be filtered by these levels.

Source Component

Loki

Usage

Use the LogQL’s abilities to enumerate log entries that match a regex template, and to parse json logs and populate fields such as level. Example: {juju_charm="identity-platform-login-ui-operator"} | json | severity =~ `error`

Observed by

  • Alert Rules: Rules in group LoginUiHighSeverityLog
  • Dashboard Visualisation: Login UI High Severity Log Entries

http_response_time_seconds_count

Description

This metric holds the value of the number of HTTP requests received by a unit on a specific route with a specific status code response. It can be used to observe failures when using an application REST API.

Source Component

Prometheus

Usage

The following PromQL expression will return the number of times a user failed to use the Identity Platform to log into an application with a browser: sum(http_response_time_seconds_count{juju_charm=”identity-platform-login-ui-operator”, route="GET/api/kratos/self-service/login/browser", status="500"})

Observed by

  • Alert Rules: LoginUIProxyingError
  • Dashboard Visualisation: Login UI Proxying Errors

Alert rules

LoginUIHighSeverityLog

Description

Alerts in this alert group are fired based on how many log entries with the log level of error, critical, or fatal have been created in the last five minutes.

Data Source

Loki

LowFrequencyHighSeverityLog

Description

This alert is fired if the number of interested logs created in the last five minutes is at least one, but no more than one hundred.

Observed failure

The alert does not necessitate a component failure, but could corroborate it.

Severity

Warning. Without other alerts firing, it can be assumed that the deployment does not need human intervention yet.

HighFrequencyHighSeverityLog

Description

This alert is fired if the number of interested logs created in the last five minutes is more than one hundred.

Observed failure

This alert could indicate that some application function is inaccessible due to missing external, or internal dependencies, or misconfiguration. The alert can also indicate that the application is being frequently restarted by the Pebble service because of application errors.

Note: This alert can also indicate problems with the client.

Severity

Error. Without other alerts firing, it can be assumed that the deployment is not in imminent danger of loss of service.

LoginUIUnavailable

Description

Alerts in this alert group observe the up metric of individual Identity Platform Login UI deployment units. In this context, a unit not being available by Prometheus is treated as being inactive. Alerts are fired when units are inactive for at least one minute.

Data Source

Prometheus

LoginUIUnavailable-one

Description

One unit in a multi-unit deployment is inactive.

Observed failure

An operator instance has encountered an issue from which it can not recover within a minute. The alert also suggests that there are more than one healthy unit in the deployment.

Severity

Warning, because the service itself is still available for the foreseeable future.

LoginUIUnavailable-multiple

Description

More than one unit in a multi-unit deployment is inactive.

Observed failure

Multiple operator instances have encountered an issue from which they can not recover within a minute. Without other alerts suggesting otherwise, the alert also suggests that there is at least one healthy unit in the deployment.

Severity

Error, because while the service is still available, there is now potential for a critical scenario.

LoginUIUnavailable-all-except-one

Description

All but one unit in a multi-unit deployment is inactive.

Observed failure

Multiple operator instances have encountered an issue from which they can not recover within a minute. The next such error will result in loss of service.

Severity

Critical. The service is one error away from being inaccessible.

LoginUIUnavailable-all

Description

No unit in the deployment is active. Observed failure None of the units in the deployment are active. The service is inaccessible.

Severity

Fatal. The service has failed, and can not recover without human intervention.

LoginUIProxyingError

Description

This alert fires if requests to the Login UI’s routes used for proxying Kratos and Hydra services return with a server error.

Data Source

Prometheus

Observed failure

A fired alert implies that there is at least one issue while handling OAuth flows in at least one Identity Platform component. This could be an issue within the client. However this could be an issue within the application deployment (such as misconfiguration, or missing external dependencies) that need a user to address them.

Severity

Warning, because this error could both occur due to issues with the client, and because of misconfiguration of the Identity Platform deployment. Of these options, the latter requires human intervention.

Dashboards

Login UI High Severity Log Entries

Description

Visualization for the number of log entries with levels error or above produced by the Identity Platform Login UI Operator deployment within 5 minutes spans.

Associated Alerts

Alert rules in alert group LoginUi HighSeverityLog.

Login UI Unit Availability

Description

Visualization displaying the availability of Identity Platform Login UI units.

Associated Alerts

Alert rules in alert group LoginUIUnavailable.

Login UI Proxying Errors

Description

Visualization displaying number of HTTP failed requests on HTTP routes handling proxy services to Kratos and Hydra. Each route has its own line in the graph.

Associated Alerts

LoginUIProxyingError

Kratos High Severity Log Entries

Description

Visualization for the number of log entries with levels error or above within 5 minutes spans.

Associated Alerts

Alert rules in alert group KratosHighSeverityLog.

Kratos Unit Availability

Description

Visualization displaying the availability of Kratos units.

Associated Alerts

Alert rules in alert group KratosUnavailable.

Hydra High Severity Log Entries

Description

Visualization for the number of log entries with levels error or above within 5 minutes spans.

Associated Alerts

Alert rules in alert group HydraHighSeverityLog.

Hydra Unit Availability

Description

Visualization displaying the availability of Hydra units.

Associated Alerts

Alert rules in alert group HydraUnavailable.

Related documentation

  • A dedicated How-To is available detailing the process of deploying and integrating the IAM Platform bundle and the Canonical Observability Stack bundle.