From e360ed35b2ba4b5e2c6eab76017e05ed6dc5307f Mon Sep 17 00:00:00 2001
From: Oren Leiman
Date: Tue, 17 Oct 2023 14:00:52 -0700
Subject: [PATCH] cloud_roles/refresh_credentials: Integrate cert probe
Applies to:
- `aws_refresh_impl`
- `aws_sts_refresh_impl`
- `gcp_refresh_impl`
This commit also adds a default-empty `name` parameter to `::make_api_client`
Signed-off-by: Oren Leiman
---
 src/v/cloud_roles/aws_refresh_impl.cc | 5 +++--
 src/v/cloud_roles/aws_sts_refresh_impl.cc | 2 +-
 src/v/cloud_roles/gcp_refresh_impl.cc | 2 +-
 src/v/cloud_roles/refresh_credentials.cc | 13 ++++++++-----
 src/v/cloud_roles/refresh_credentials.h | 7 ++++---
 5 files changed, 17 insertions(+), 12 deletions(-)
diff --git a/src/v/cloud_roles/aws_refresh_impl.cc b/src/v/cloud_roles/aws_refresh_impl.cc
index 479098aa22586..01f05b21ff3c4 100644
--- a/src/v/cloud_roles/aws_refresh_impl.cc
+++ b/src/v/cloud_roles/aws_refresh_impl.cc
@@ -202,7 +202,7 @@ ss::future aws_refresh_impl::fetch_instance_metadata_token() {
 token_request.target("/latest/api/token");
 co_return co_await make_request(
- co_await make_api_client(), std::move(token_request));
+ co_await make_api_client("aws"), std::move(token_request));
 }
 ss::future aws_refresh_impl::make_request_with_token(
@@ -210,7 +210,8 @@ ss::future aws_refresh_impl::make_request_with_token(
 if (token.has_value()) {
 add_metadata_token_to_request(req, token.value());
 }
- co_return co_await make_request(co_await make_api_client(), std::move(req));
+ co_return co_await make_request(
+ co_await make_api_client("aws"), std::move(req));
 }
 std::ostream& aws_refresh_impl::print(std::ostream& os) const {
diff --git a/src/v/cloud_roles/aws_sts_refresh_impl.cc b/src/v/cloud_roles/aws_sts_refresh_impl.cc
index 9c5f480f9894f..6f904c25a4b6a 100644
--- a/src/v/cloud_roles/aws_sts_refresh_impl.cc
+++ b/src/v/cloud_roles/aws_sts_refresh_impl.cc
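Review bot: The `"aws"` name passed here never reaches the certificate probe, because `make_api_client` is called with the header's default `client_tls_enabled::no` and `init_tls_certs(std::move(name))` only runs under `enable_tls == client_tls_enabled::yes`; the same holds for the second hunk in this file and for the `"gcp"` call in gcp_refresh_impl.cc. That is harmless today, but a reader of this call will assume a probe labelled `aws` exists for this client. Either pass `client_tls_enabled` explicitly where the call is meant to be monitored, or add a call-site comment such as `// name labels the tls cert probe; unused while tls is disabled for this client`. The body of fetch_instance_metadata_token starts outside the hunk.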
@@ -142,7 +142,7 @@ ss::future aws_sts_refresh_impl::fetch_credentials() {
 }
 co_return co_await request_with_payload(
- co_await make_api_client(tls_enabled),
+ co_await make_api_client("aws_sts", tls_enabled),
 std::move(assume_req),
 std::move(body));
 }
diff --git a/src/v/cloud_roles/gcp_refresh_impl.cc b/src/v/cloud_roles/gcp_refresh_impl.cc
index 822961140cf17..b42bf80bbdf8c 100644
--- a/src/v/cloud_roles/gcp_refresh_impl.cc
+++ b/src/v/cloud_roles/gcp_refresh_impl.cc
@@ -52,7 +52,7 @@ ss::future gcp_refresh_impl::fetch_credentials() {
 metadata_flavor::header_name.data(),
 metadata_flavor::value.data());
 co_return co_await make_request(
- co_await make_api_client(), std::move(oauth_req));
+ co_await make_api_client("gcp"), std::move(oauth_req));
 }
 api_response_parse_result gcp_refresh_impl::parse_response(iobuf response) {
diff --git a/src/v/cloud_roles/refresh_credentials.cc b/src/v/cloud_roles/refresh_credentials.cc
index a419f57d0ef62..7811c297d6ac3 100644
--- a/src/v/cloud_roles/refresh_credentials.cc
+++ b/src/v/cloud_roles/refresh_credentials.cc
@@ -17,6 +17,7 @@
 #include "config/configuration.h"
 #include "model/metadata.h"
 #include "net/tls.h"
+#include "net/tls_certificate_probe.h"
 #include "vlog.h"
 #include
@@ -316,11 +317,11 @@ ss::future<> refresh_credentials::impl::sleep_until_expiry() const {
 }
 }
-ss::future
-refresh_credentials::impl::make_api_client(client_tls_enabled enable_tls) {
+ss::future refresh_credentials::impl::make_api_client(
+ ss::sstring name, client_tls_enabled enable_tls) {
 if (enable_tls == client_tls_enabled::yes) {
 if (_tls_certs == nullptr) {
- co_await init_tls_certs(std::move(name));
 }
 co_return http::client{
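Review bot: In the `make_api_client` hunk of refresh_credentials.cc, `name` is consumed only on the first TLS client creation, since `init_tls_certs(std::move(name))` sits behind the `_tls_certs == nullptr` guard; a later call on the same impl with a different name is silently dropped and the shared credentials keep the first label. Every impl in this commit passes a single constant name, so this is latent rather than a live bug, but it is exactly the kind of invariant that gets broken by the next caller. A one-line comment at the guard would make it explicit: `// certs (and their probe, labelled by the first name seen) are built once per impl`. make_api_client's body continues past the end of the hunk.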
@@ -342,7 +343,7 @@ refresh_credentials::impl::make_api_client(client_tls_enabled enable_tls) {
 _as};
 }
-ss::future<> refresh_credentials::impl::init_tls_certs() {
+ss::future<> refresh_credentials::impl::init_tls_certs(ss::sstring name) {
 ss::tls::credentials_builder b;
 b.set_client_auth(ss::tls::client_auth::NONE);
@@ -365,7 +366,9 @@ ss::future<> refresh_credentials::impl::init_tls_certs() {
 co_await b.set_system_trust();
 }
- _tls_certs = co_await b.build_reloadable_certificate_credentials();
+ _tls_certs = co_await net::build_reloadable_credentials_with_probe<
+ ss::tls::certificate_credentials>(
+ std::move(b), "cloud_provider_client", std::move(name));
 }
 refresh_credentials make_refresh_credentials(
diff --git a/src/v/cloud_roles/refresh_credentials.h b/src/v/cloud_roles/refresh_credentials.h
index 62942b0147248..b1a8283a3ddef 100644
--- a/src/v/cloud_roles/refresh_credentials.h
+++ b/src/v/cloud_roles/refresh_credentials.h
@@ -71,8 +71,9 @@ class refresh_credentials {
 protected:
 /// Returns an http client with the API host and port applied
- ss::future
- make_api_client(client_tls_enabled enable_tls = client_tls_enabled::no);
+ ss::future make_api_client(
+ ss::sstring name = "",
+ client_tls_enabled enable_tls = client_tls_enabled::no);
 /// Helper to parse the iobuf returned from API into a credentials
 /// object, customized to API response structure
@@ -104,7 +105,7 @@ class refresh_credentials {
 private:
 /// Initializes certificate_credentials on first client creation.
 /// Subsequent clients which are created will reuse the certs.
- ss::future<> init_tls_certs();
+ ss::future<> init_tls_certs(ss::sstring name);
 /// The address to query for credentials. Can be overridden using env
 /// variable `RP_SI_CREDS_API_ADDRESS`
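Review bot: In the second hunk of refresh_credentials.cc the default-empty `name` declared in refresh_credentials.h flows unchanged into `build_reloadable_credentials_with_probe(..., "cloud_provider_client", std::move(name))`, so any caller that enables TLS without naming itself registers a probe with an empty label that cannot be distinguished from another such caller (I am assuming `name` becomes a metric label; confirm against net/tls_certificate_probe.h). Since this is the monitoring hook that tells an operator which provider client's certificate is failing or expiring, an unlabelled probe defeats its purpose. Either drop the `= ""` default so the compiler forces a name, or guard here with something like `if (name.empty()) { /* log or reject: probe would be unlabelled */ }`. init_tls_certs's body starts before this hunk.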
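Review bot: In the first refresh_credentials.h hunk the doc comment on `make_api_client` still reads only `/// Returns an http client with the API host and port applied` and says nothing about the new `name` parameter, its `""` default, or the fact that it matters only when `enable_tls` is `yes`; the second hunk's `init_tls_certs(ss::sstring name)` has the same gap. Suggested addition under the existing line: `/// @param name label for the TLS certificate probe; only the first TLS-enabled call per impl creates the probe, later names are ignored`. For `init_tls_certs`, append `/// `name` labels the certificate probe attached to the shared credentials.` so the once-only semantics already described there cover the probe too.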