License metrics
Big picture
Use the Prometheus monitoring and alerting tool to get Calico Enterprise license metrics.
Value
Platform engineering teams need to report licensing usage on third-party software (like Calico Enterprise) for their CaaS/Kubernetes platforms. This is often driven by compliance, but also to mitigate risks from license expiration or usage that may impact operations. For teams to easily access these vital metrics, Calico Enterprise provides license metrics using the Prometheus monitoring and alerting tool.
Concepts
About Prometheus
The Prometheus monitoring tool scrapes metrics from instrumented jobs and displays time series data in a visualizer (such as Grafana). For Calico Enterprise, the “jobs” that Prometheus can harvest metrics from the License Agent component.
About License Agent
The License Agent is a containerized application that monitors the following Calico Enterprise licensing information from the Kubernetes cluster, and exports the metrics through the Prometheus server:
- Days till expiration
- Nodes available
- Nodes used
FAQ
How long does it take to get a new Calico Enterprise license?
After you submit a sales purchase order to Tigera, 1-2 days.
Is there a grace period?
Yes, there is a grace period of 30 days (as of April 2022).
Does Manager UI display license expiration?
Yes. The license indicator in Manager UI (top right banner) turns red when the license expires.
What happens when a license expires or is invalid?
Although users can still log in to Manager UI, your deployment is no longer operational. All policy enforcement stops, except for policies in the default tier. In most cases, you will experience broken connectivity (depending on your policies in the default tier). Calico Enterprise stops reporting flow logs, DNS logs, and Calico Enterprise metrics, which affects other UI elements like Service Graph and dashboards. Although some elements may appear to work, actions are not saved, and you should regard your deployment as non-functional. We recommend that you proactively manage your license to avoid disruption.
What happens if I add nodes beyond what I'm licensed for?
- Node limits are not currently enforced
- All Calico Enterprise features still work
Do licenses cover free upgrades in Calico Enterprise?
Yes.
How do I get information about my license? Monitor the expiration date?
- Prometheus!. Monitor days till expiration, nodes available, and nodes used.
- Use
kubectlto get license key information
How to
Add license agent in your Kubernetes cluster
To add the license-agent component in a Kubernetes cluster for license metrics, install the pull secret and apply the license-agent manifest.
- Create a namespace for the license-agent.
kubectl create namespace tigera-license-agent - Install your pull secret.
kubectl create secret generic tigera-pull-secret \
--type=kubernetes.io/dockerconfigjson -n tigera-license-agent \
--from-file=.dockerconfigjson=<path/to/pull/secret> - Apply the manifest.
kubectl apply -f https://downloads.tigera.io/ee/v3.19.4/manifests/licenseagent.yaml
Create alerts using Prometheus metrics
In the following example, an alert is configured when the license expiry is fewer than 15 days.
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: calico-prometheus-license
namespace: tigera-prometheus
labels:
role: tigera-prometheus-rules
prometheus: calico-node-prometheus
spec:
groups:
- name: tigera-license.rules
rules:
- alert: CriticalLicenseExpiry
expr: license_number_of_days < 15
labels:
severity: Warning
annotations:
summary: 'Calico Enterprise License expires in less than 15 days'
description: 'Calico Enterprise License expires in less than 15 days'
If the Kubernetes api-server serves on any port other than 6443 or 443, add that port in the Egress policy of the license agent manifest.