Add metrics for tracking when instance key renewal succeeds and fails, as well as when instance key *lookup* fails

util/security/registry_jwt.py

@@ -22,7 +22,7 @@ class InvalidBearerTokenException(Exception):
   pass
 
 
-def decode_bearer_header(bearer_header, instance_keys, config):
+def decode_bearer_header(bearer_header, instance_keys, config, metric_queue=None):
   """ decode_bearer_header decodes the given bearer header that contains an encoded JWT with both
       a Key ID as well as the signed JWT and returns the decoded and validated JWT. On any error,
       raises an InvalidBearerTokenException with the reason for failure.
@@ -34,10 +34,10 @@ def decode_bearer_header(bearer_header, instance_keys, config):
 
   encoded_jwt = match.group(1)
   logger.debug('encoded JWT: %s', encoded_jwt)
-  return decode_bearer_token(encoded_jwt, instance_keys, config)
+  return decode_bearer_token(encoded_jwt, instance_keys, config, metric_queue=metric_queue)
 
 
-def decode_bearer_token(bearer_token, instance_keys, config):
+def decode_bearer_token(bearer_token, instance_keys, config, metric_queue=None):
   """ decode_bearer_token decodes the given bearer token that contains both a Key ID as well as the
       encoded JWT and returns the decoded and validated JWT. On any error, raises an
       InvalidBearerTokenException with the reason for failure.
@@ -52,6 +52,9 @@ def decode_bearer_token(bearer_token, instance_keys, config):
   # Find the matching public key.
   public_key = instance_keys.get_service_key_public_key(kid)
   if public_key is None:
+    if metric_queue is not None:
+      metric_queue.invalid_instance_key_count.Inc(labelvalues=[kid])
+
     logger.error('Could not find requested service key %s with encoded JWT: %s', kid, bearer_token)
     raise InvalidBearerTokenException('Unknown service key')