Register certificate expiry metrics for Dirk and tracing TLS

Threads the metrics monitor and a stable certificate name into both
certificate manager call sites via go-certmanager's WithMonitor/WithName
options:

- Dirk-comms client cert: name="dirk" (the concern being the Dirk
  coordination channel).
- Tracing TLS client cert: name="tracing" (the OTel collector
  coordination channel).

To make the monitor available at tracing-init time, startMonitor is
hoisted out of startBasicServices and called from main() before
initTracing; the resulting bootstrap monitor is threaded down into
startBasicServices, which continues to upgrade it later with chainTime
and the HTTP server once they're ready. The Prometheus default registry
is global so gauge registration survives the upgrade.

Adds unit tests exercising both wiring sites with a prometheus-presenter
stub monitor and asserting the gauges appear in the default registry
under the expected name/role labels.

Bumps go-certmanager to pull in the metrics.Service interface plus
Prometheus gauges.

Author: AntiD2ta

commands.go

@@ -42,7 +42,13 @@ func proposerConfigCheck(ctx context.Context, majordomo majordomo.Service) bool
 
 	// Force disable metrics.
 	viper.Set("metrics.prometheus.listen-address", "")
-	consensusClient, chainTime, monitor, err := startBasicServices(ctx)
+	// Create a bootstrap monitor to satisfy the startBasicServices signature; metrics are suppressed above.
+	bootstrapMonitor, err := startMonitor(ctx, nil, false)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Failed to start metrics service: %v\n", err)
+		return true
+	}
+	consensusClient, chainTime, monitor, err := startBasicServices(ctx, bootstrapMonitor)
 	if err != nil {
 		fmt.Fprintf(os.Stderr, "Failed to start basic services: %v\n", err)
 		return true

go.mod

@@ -6,13 +6,14 @@ require (
 	github.com/OffchainLabs/go-bitfield v0.0.0-20251031151322-f427d04d8506
 	github.com/attestantio/go-block-relay v0.5.1
 	github.com/attestantio/go-builder-client v0.7.2
-	github.com/attestantio/go-certmanager v0.1.1
+	github.com/attestantio/go-certmanager v0.2.0
 	github.com/attestantio/go-eth2-client v0.28.0
 	github.com/aws/aws-sdk-go v1.55.6
+	github.com/google/uuid v1.6.0
 	github.com/holiman/uint256 v1.3.2
 	github.com/mitchellh/go-homedir v1.1.0
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.21.1
+	github.com/prometheus/client_golang v1.23.2
 	github.com/rs/zerolog v1.35.0
 	github.com/sasha-s/go-deadlock v0.3.6
 	github.com/shopspring/decimal v1.4.0
@@ -69,7 +70,6 @@ require (
 	github.com/goccy/go-yaml v1.17.1 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/s2a-go v0.1.9 // indirect
-	github.com/google/uuid v1.6.0 // indirect
 	github.com/googleapis/enterprise-certificate-proxy v0.3.5 // indirect
 	github.com/googleapis/gax-go/v2 v2.14.1 // indirect
 	github.com/gorilla/mux v1.8.1 // indirect
@@ -80,7 +80,6 @@ require (
 	github.com/jackc/puddle/v2 v2.2.2 // indirect
 	github.com/jmespath/go-jmespath v0.4.0 // indirect
 	github.com/json-iterator/go v1.1.12 // indirect
-	github.com/klauspost/compress v1.18.0 // indirect
 	github.com/klauspost/cpuid/v2 v2.2.10 // indirect
 	github.com/leodido/go-urn v1.4.0 // indirect
 	github.com/magiconair/properties v1.8.9 // indirect
@@ -95,9 +94,9 @@ require (
 	github.com/petermattis/goid v0.0.0-20250813065127-a731cc31b4fe // indirect
 	github.com/pk910/dynamic-ssz v0.0.6 // indirect
 	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
-	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.63.0 // indirect
-	github.com/prometheus/procfs v0.16.0 // indirect
+	github.com/prometheus/client_model v0.6.2 // indirect
+	github.com/prometheus/common v0.66.1 // indirect
+	github.com/prometheus/procfs v0.16.1 // indirect
 	github.com/r3labs/sse/v2 v2.10.0 // indirect
 	github.com/sagikazarmark/locafero v0.7.0 // indirect
 	github.com/sagikazarmark/slog-shim v0.1.0 // indirect
@@ -122,6 +121,7 @@ require (
 	go.opentelemetry.io/otel/metric v1.43.0 // indirect
 	go.opentelemetry.io/proto/otlp v1.10.0 // indirect
 	go.uber.org/multierr v1.11.0 // indirect
+	go.yaml.in/yaml/v2 v2.4.2 // indirect
 	golang.org/x/arch v0.15.0 // indirect
 	golang.org/x/crypto v0.49.0 // indirect
 	golang.org/x/exp v0.0.0-20250305212735-054e65f0b394 // indirect

go.sum

@@ -80,8 +80,8 @@ github.com/attestantio/go-block-relay v0.5.1 h1:VQk8oPBXWy41msIAfM/Ee4UomdroBIo5
 github.com/attestantio/go-block-relay v0.5.1/go.mod h1:T9VAtjQKNsRie69++TsG46aMe4HEoEhlbcymhDz7G08=
 github.com/attestantio/go-builder-client v0.7.2 h1:bOrtysEIZd9bEM+mAeT6OtAo6LSAft/qylBLwFoFwZ0=
 github.com/attestantio/go-builder-client v0.7.2/go.mod h1:+NADxbaknI5yxl+0mCkMa/VciVsesxRMGNP/poDfV08=
-github.com/attestantio/go-certmanager v0.1.1 h1:N56XLU/LohaQPB1HPSHZirAPd692lOrIpKqcnj2/lic=
-github.com/attestantio/go-certmanager v0.1.1/go.mod h1://OeWLAivtO7WYm2SdBwvE02OKcAnE1gK1OXhCKyPIs=
+github.com/attestantio/go-certmanager v0.2.0 h1:Hzj12L5fofK7b281uohMBN0HQuSx+8RfU2UA9eHl84k=
+github.com/attestantio/go-certmanager v0.2.0/go.mod h1:Dn+C/okccD+2RugizT1ryrjX65cBMZl55fNYtmaVYAg=
 github.com/attestantio/go-eth2-client v0.28.0 h1:2zIIIMPvSD+g6h3TgVXsoda/Yw3e+wjo1e8CZEanORU=
 github.com/attestantio/go-eth2-client v0.28.0/go.mod h1:PO9sHFCq+1RiG+Eh3eOR2GYvYV64Qzg7idM3kLgCs5k=
 github.com/aws/aws-sdk-go v1.44.81/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo=
@@ -355,15 +355,15 @@ github.com/planetscale/vtprotobuf v0.6.1-0.20240319094008-0393e58bdf10/go.mod h1
 github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 h1:Jamvg5psRIccs7FGNTlIRMkT8wgtp5eCXdBlqhYGL6U=
 github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4=
-github.com/prometheus/client_golang v1.21.1 h1:DOvXXTqVzvkIewV/CDPFdejpMCGeMcbGCQ8YOmu+Ibk=
-github.com/prometheus/client_golang v1.21.1/go.mod h1:U9NM32ykUErtVBxdvD3zfi+EuFkkaBvMb09mIfe0Zgg=
+github.com/prometheus/client_golang v1.23.2 h1:Je96obch5RDVy3FDMndoUsjAhG5Edi49h0RJWRi/o0o=
+github.com/prometheus/client_golang v1.23.2/go.mod h1:Tb1a6LWHB3/SPIzCoaDXI4I8UHKeFTEQ1YCr+0Gyqmg=
 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4/go.mod h1:xMI15A0UPsDsEKsMN9yxemIoYk6Tm2C1GtYGdfGttqA=
-github.com/prometheus/client_model v0.6.1 h1:ZKSh/rekM+n3CeS952MLRAdFwIKqeY8b62p8ais2e9E=
-github.com/prometheus/client_model v0.6.1/go.mod h1:OrxVMOVHjw3lKMa8+x6HeMGkHMQyHDk9E3jmP2AmGiY=
-github.com/prometheus/common v0.63.0 h1:YR/EIY1o3mEFP/kZCD7iDMnLPlGyuU2Gb3HIcXnA98k=
-github.com/prometheus/common v0.63.0/go.mod h1:VVFF/fBIoToEnWRVkYoXEkq3R3paCoxG9PXP74SnV18=
-github.com/prometheus/procfs v0.16.0 h1:xh6oHhKwnOJKMYiYBDWmkHqQPyiY40sny36Cmx2bbsM=
-github.com/prometheus/procfs v0.16.0/go.mod h1:8veyXUu3nGP7oaCxhX6yeaM5u4stL2FeMXnCqhDthZg=
+github.com/prometheus/client_model v0.6.2 h1:oBsgwpGs7iVziMvrGhE53c/GrLUsZdHnqNwqPLxwZyk=
+github.com/prometheus/client_model v0.6.2/go.mod h1:y3m2F6Gdpfy6Ut/GBsUqTWZqCUvMVzSfMLjcu6wAwpE=
+github.com/prometheus/common v0.66.1 h1:h5E0h5/Y8niHc5DlaLlWLArTQI7tMrsfQjHV+d9ZoGs=
+github.com/prometheus/common v0.66.1/go.mod h1:gcaUsgf3KfRSwHY4dIMXLPV0K/Wg1oZ8+SbZk/HH/dA=
+github.com/prometheus/procfs v0.16.1 h1:hZ15bTNuirocR6u0JZ6BAHHmwS1p8B4P6MRqxtzMyRg=
+github.com/prometheus/procfs v0.16.1/go.mod h1:teAbpZRB1iIAJYREa1LsoWUXykVXA1KlTmWl8x/U+Is=
 github.com/prysmaticlabs/gohashtree v0.0.4-beta h1:H/EbCuXPeTV3lpKeXGPpEV9gsUpkqOOVnWapUyeWro4=
 github.com/prysmaticlabs/gohashtree v0.0.4-beta/go.mod h1:BFdtALS+Ffhg3lGQIHv9HDWuHS8cTvHZzrHWxwOtGOs=
 github.com/r3labs/sse/v2 v2.10.0 h1:hFEkLLFY4LDifoHdiCN/LlGBAdVJYsANaLqNYa1l/v0=
@@ -498,6 +498,8 @@ go.uber.org/goleak v1.3.0 h1:2K3zAYmnTNqV73imy9J1T3WC+gmCePx2hEGkimedGto=
 go.uber.org/goleak v1.3.0/go.mod h1:CoHD4mav9JJNrW/WLlf7HGZPjdw8EucARQHekz1X6bE=
 go.uber.org/multierr v1.11.0 h1:blXXJkSxSSfBVBlC76pxqeO+LN3aDfLQo+309xJstO0=
 go.uber.org/multierr v1.11.0/go.mod h1:20+QtiLqy0Nd6FdQB9TLXag12DsQkrbs3htMFfDN80Y=
+go.yaml.in/yaml/v2 v2.4.2 h1:DzmwEr2rDGHl7lsFgAHxmNz/1NlQ7xLIrlN2h5d1eGI=
+go.yaml.in/yaml/v2 v2.4.2/go.mod h1:081UH+NErpNdqlCXm3TtEran0rJZGxAYx9hb/ELlsPU=
 golang.org/x/arch v0.15.0 h1:QtOrQd0bTUnhNVNndMpLHNWrDmYzZ2KDqSrEymqInZw=
 golang.org/x/arch v0.15.0/go.mod h1:JmwW7aLIoRUKgaTzhkiEFxvcEiQGyOg9BMonBJUS7EE=
 golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w=
@@ -691,7 +693,6 @@ golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220818161305-2296e01440c6/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.12.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.42.0 h1:omrd2nAlyT5ESRdCLYdm3+fMfNFE/+Rf4bDIQImRJeo=
 golang.org/x/sys v0.42.0/go.mod h1:4GL1E5IUh+htKOUEOaiffhrAeqysfVGipDYzABqnCmw=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

main.go

@@ -156,7 +156,16 @@ func main2() int {
 
 	initProfiling()
 
-	if err := initTracing(ctx, majordomo); err != nil {
+	// Start a bootstrap monitor before tracing so the tracing TLS certificate
+	// manager can register expiry metrics against it. The monitor is later
+	// upgraded inside startBasicServices to include chainTime + the HTTP server.
+	bootstrapMonitor, err := startMonitor(ctx, nil, false)
+	if err != nil {
+		log.Error().Err(err).Msg("Failed to start metrics service")
+		return 1
+	}
+
+	if err := initTracing(ctx, majordomo, bootstrapMonitor); err != nil {
 		log.Error().Err(err).Msg("Failed to initialise tracing")
 		return 1
 	}
@@ -168,7 +177,7 @@ func main2() int {
 		return 1
 	}
 
-	chainTime, controller, err := startServices(ctx, majordomo)
+	chainTime, controller, err := startServices(ctx, majordomo, bootstrapMonitor)
 	if err != nil {
 		log.Error().Err(err).Msg("Failed to initialise services")
 		return 1
@@ -320,12 +329,13 @@ func startClient(ctx context.Context, monitor metrics.Service) (eth2client.Servi
 
 func startServices(ctx context.Context,
 	majordomo majordomo.Service,
+	bootstrapMonitor metrics.Service,
 ) (
 	chaintime.Service,
 	*standardcontroller.Service,
 	error,
 ) {
-	eth2Client, chainTime, monitor, err := startBasicServices(ctx)
+	eth2Client, chainTime, monitor, err := startBasicServices(ctx, bootstrapMonitor)
 	if err != nil {
 		return nil, nil, err
 	}
@@ -569,19 +579,13 @@ func startProviderServices(ctx context.Context, monitor metrics.Service) (eth2cl
 }
 
 func startBasicServices(ctx context.Context,
+	monitor metrics.Service,
 ) (
 	eth2client.Service,
 	chaintime.Service,
 	metrics.Service,
 	error,
 ) {
-	// Initialise monitor without chainTime service and server for now, so the
-	// client can provide metrics.
-	monitor, err := startMonitor(ctx, nil, false)
-	if err != nil {
-		return nil, nil, nil, errors.Wrap(err, "failed to start metrics service")
-	}
-
 	eth2Client, err := startClient(ctx, monitor)
 	if err != nil {
 		return nil, nil, nil, err

services/accountmanager/dirk/service.go

@@ -145,6 +145,8 @@ func loadClientCertificates(ctx context.Context, parameters *parameters) (creden
 		standardclientcert.WithMajordomo(parameters.majordomo),
 		standardclientcert.WithCertPEMURI(parameters.clientCertURI),
 		standardclientcert.WithCertKeyURI(parameters.clientKeyURI),
+		standardclientcert.WithMonitor(parameters.monitor),
+		standardclientcert.WithName("dirk"),
 	}
 	if parameters.caCertURI != "" {
 		clientCertOpts = append(clientCertOpts, standardclientcert.WithCACertURI(parameters.caCertURI))

services/accountmanager/dirk/service_test.go

@@ -16,6 +16,7 @@ package dirk_test
 import (
 	"context"
 	"crypto/tls"
+	"strings"
 	"testing"
 	"time"
 
@@ -25,12 +26,23 @@ import (
 	"github.com/attestantio/vouch/mock"
 	"github.com/attestantio/vouch/services/accountmanager/dirk"
 	standardchaintime "github.com/attestantio/vouch/services/chaintime/standard"
+	"github.com/attestantio/vouch/services/metrics"
 	nullmetrics "github.com/attestantio/vouch/services/metrics/null"
 	"github.com/attestantio/vouch/testing/logger"
+	"github.com/prometheus/client_golang/prometheus"
 	"github.com/rs/zerolog"
 	"github.com/stretchr/testify/require"
 )
 
+// stubMonitor is a monitor that reports a fixed presenter; used to opt into
+// go-certmanager metric registration during tests.
+// Mirrors tracingStubMonitor in tracing_test.go.
+type stubMonitor struct{ presenter string }
+
+func (s stubMonitor) Presenter() string { return s.presenter }
+
+var _ metrics.Service = stubMonitor{}
+
 // newTestMajordomo creates a mock majordomo with matching test certificates.
 func newTestMajordomo() *certmock.Majordomo {
 	return certmock.NewMajordomo(map[string][]byte{
@@ -583,6 +595,88 @@ func TestDirkTLSCAOptional(t *testing.T) {
 	})
 }
 
+func TestDirkTLSWiringWithPrometheusMonitor(t *testing.T) {
+	// Passing a monitor whose presenter is "prometheus" opts into go-certmanager's
+	// metric registration. Asserts the client certificate expiry gauges are
+	// registered under name="dirk", role="client". Guards both the WithMonitor
+	// and WithName wiring — missing either would cause the series to be absent
+	// (WithMonitor) or construction to fail with ErrNoNameWithMonitor (WithName).
+	ctx := context.Background()
+
+	genesisTime := time.Now()
+	chainTime, err := standardchaintime.New(ctx,
+		standardchaintime.WithLogLevel(zerolog.Disabled),
+		standardchaintime.WithGenesisProvider(mock.NewGenesisProvider(genesisTime)),
+		standardchaintime.WithSpecProvider(mock.NewSpecProvider()),
+	)
+	require.NoError(t, err)
+
+	svc, err := dirk.New(ctx,
+		dirk.WithLogLevel(zerolog.Disabled),
+		dirk.WithMonitor(stubMonitor{presenter: "prometheus"}),
+		dirk.WithClientMonitor(nullmetrics.New()),
+		dirk.WithProcessConcurrency(1),
+		dirk.WithEndpoints([]string{"localhost:12345"}),
+		dirk.WithAccountPaths([]string{"wallet1"}),
+		dirk.WithMajordomo(newTestMajordomo()),
+		dirk.WithClientCertURI("client-cert"),
+		dirk.WithClientKeyURI("client-key"),
+		dirk.WithCACertURI("ca-cert"),
+		dirk.WithValidatorsManager(mock.NewValidatorsManager()),
+		dirk.WithDomainProvider(mock.NewDomainProvider()),
+		dirk.WithFarFutureEpochProvider(mock.NewFarFutureEpochProvider(0xffffffffffffffff)),
+		dirk.WithCurrentEpochProvider(chainTime),
+	)
+	require.NoError(t, err)
+	require.NotNil(t, svc)
+
+	requireCertMetric(t, "certmanager_certificate_not_after_seconds", "dirk", "client")
+	requireCertMetric(t, "certmanager_certificate_not_before_seconds", "dirk", "client")
+}
+
+// requireCertMetric asserts the go-certmanager gauge series with the given
+// name/role labels is present in the default Prometheus registry and has a
+// positive value (i.e. SetCertificateExpiry was invoked).
+func requireCertMetric(t *testing.T, metricName, name, role string) {
+	t.Helper()
+
+	families, err := prometheus.DefaultGatherer.Gather()
+	require.NoError(t, err)
+
+	for _, mf := range families {
+		if mf.GetName() != metricName {
+			continue
+		}
+		for _, m := range mf.GetMetric() {
+			var matchName, matchRole bool
+			for _, l := range m.GetLabel() {
+				switch l.GetName() {
+				case "name":
+					matchName = l.GetValue() == name
+				case "role":
+					matchRole = l.GetValue() == role
+				}
+			}
+			if matchName && matchRole {
+				require.Greater(t, m.GetGauge().GetValue(), float64(0),
+					"metric %s{name=%q,role=%q} should have a positive value", metricName, name, role)
+				return
+			}
+		}
+	}
+
+	var found []string
+	for _, mf := range families {
+		if strings.HasPrefix(mf.GetName(), "certmanager_") {
+			for _, m := range mf.GetMetric() {
+				found = append(found, m.String())
+			}
+		}
+	}
+	t.Fatalf("metric %s{name=%q,role=%q} not registered (saw certmanager_ series: %v)",
+		metricName, name, role, found)
+}
+
 func TestDirkTLSMinVersion(t *testing.T) {
 	ctx := context.Background()
 

tracing.go

@@ -22,6 +22,7 @@ import (
 	"time"
 
 	standardclientcert "github.com/attestantio/go-certmanager/client/standard"
+	"github.com/attestantio/vouch/services/metrics"
 	"github.com/pkg/errors"
 	"github.com/spf13/viper"
 	majordomo "github.com/wealdtech/go-majordomo"
@@ -37,7 +38,7 @@ import (
 )
 
 // initTracing initialises the tracing system.
-func initTracing(ctx context.Context, majordomo majordomo.Service) error {
+func initTracing(ctx context.Context, majordomo majordomo.Service, monitor metrics.Service) error {
 	if viper.GetString("tracing.address") == "" {
 		log.Debug().Msg("No tracing endpoint supplied; tracing not enabled")
 		return nil
@@ -49,7 +50,7 @@ func initTracing(ctx context.Context, majordomo majordomo.Service) error {
 	}
 	if viper.GetString("tracing.client-cert") != "" {
 		log.Trace().Msg("Using TLS tracing connection")
-		creds, err := loadTracingClientCertificates(ctx, majordomo)
+		creds, err := loadTracingClientCertificates(ctx, majordomo, monitor)
 		if err != nil {
 			return err
 		}
@@ -113,14 +114,16 @@ func initTracing(ctx context.Context, majordomo majordomo.Service) error {
 
 // loadTracingClientCertificates returns gRPC TLS credentials for the tracing client
 // from the cert/key/CA URIs configured in viper, resolved via majordomo.
-func loadTracingClientCertificates(ctx context.Context, majordomo majordomo.Service) (credentials.TransportCredentials, error) {
+func loadTracingClientCertificates(ctx context.Context, majordomo majordomo.Service, monitor metrics.Service) (credentials.TransportCredentials, error) {
 	ctx, span := otel.Tracer("attestantio.vouch").Start(ctx, "loadTracingClientCertificates")
 	defer span.End()
 
 	clientCertOpts := []standardclientcert.Parameter{
 		standardclientcert.WithMajordomo(majordomo),
 		standardclientcert.WithCertPEMURI(viper.GetString("tracing.client-cert")),
 		standardclientcert.WithCertKeyURI(viper.GetString("tracing.client-key")),
+		standardclientcert.WithMonitor(monitor),
+		standardclientcert.WithName("tracing"),
 	}
 	// CA cert is optional; when omitted the system cert pool is used.
 	if viper.GetString("tracing.ca-cert") != "" {