Skip to main content
Calico Enterprise 3.23 (latest) documentation

Operator metrics

Big picture

Use Prometheus to monitor the Calico Enterprise operator.

Value

The Calico Enterprise operator exposes Prometheus metrics that give you visibility into the overall health of your Calico Enterprise installation. These metrics let you set up alerts for degraded components, expiring TLS certificates, and license issues before they impact operations.

Before you begin

Operator metrics are enabled by default. The tigera-operator deployment ships with the following environment variables already set:

  • METRICS_ENABLED=true
  • METRICS_SCHEME=https

Metrics are served on port 9484 over HTTPS and scraped by the built-in Prometheus instance via the tigera-operator-metrics ServiceMonitor.

Metrics reference

Component status

The tigera_operator_component_status metric reports the status of each Calico Enterprise component as managed by the operator. This mirrors the information available through kubectl get tigerastatus.

MetricLabelsDescription
tigera_operator_component_statuscomponent, conditionStatus of a component. Value is 1 (true) or 0 (false).

Labels:

  • component — The Calico Enterprise component (e.g. calico, apiserver, monitor, log-storage, manager)
  • condition — One of:
    • available — The component is running and healthy
    • degraded — The component is in an error state
    • progressing — The component is being updated or is starting up

Example queries:

  • Find all degraded components:

    tigera_operator_component_status{condition="degraded"} == 1
  • Check if a specific component is available:

    tigera_operator_component_status{component="calico", condition="available"}

TLS certificate expiry

The tigera_operator_tls_certificate_expiry_timestamp_seconds metric reports the expiry time of each TLS certificate managed by the operator.

MetricLabelsDescription
tigera_operator_tls_certificate_expiry_timestamp_secondsname, namespace, issuerUnix timestamp when the certificate expires.

Labels:

  • name — The Secret name containing the certificate
  • namespace — The namespace of the Secret
  • issuer — The certificate issuer (e.g. tigera-operator-signer)

Example queries:

  • Certificates expiring within 30 days:

    tigera_operator_tls_certificate_expiry_timestamp_seconds - time() < 30 * 24 * 3600
  • Certificates expiring within 7 days:

    tigera_operator_tls_certificate_expiry_timestamp_seconds - time() < 7 * 24 * 3600

License

MetricLabelsDescription
tigera_operator_license_validWhether the license is valid (1) or not (0).
tigera_operator_license_expiry_timestamp_secondsUnix timestamp when the license expires.

Example queries:

  • License expires within 30 days:

    tigera_operator_license_expiry_timestamp_seconds - time() < 30 * 24 * 3600
  • License is invalid:

    tigera_operator_license_valid == 0

Built-in alerts

Calico Enterprise installs a PrometheusRule resource named calico with alerting rules that use these metrics. You can view it with:

kubectl -n tigera-prometheus get prometheusrule calico -o yaml

The built-in rules include:

AlertConditionSeverity
DeniedPacketsRateDenied packets rate > 50/sinfo
TLSCertExpiringWarningCertificate expires in < 30 dayswarning
TLSCertExpiringCriticalCertificate expires in < 7 dayscritical
LicenseExpiringWarningLicense expires in < 30 dayswarning
LicenseExpiringCriticalLicense expires in < 7 days or is invalidcritical
ComponentDegradedWarningComponent degraded for > 15mwarning
ComponentDegradedCriticalComponent degraded for > 30mcritical
ComponentProgressingWarningComponent progressing for > 15mwarning
ComponentProgressingCriticalComponent progressing for > 30mcritical

To route these alerts, see Configure Alertmanager.

Additional resources