improve proxy healthz checking #321
There are no files selected for viewing
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -226,11 +226,12 @@ func Run(cfg *server.KubeRBACProxyConfig) error { | |
| return err | ||
| } | ||
|
|
||
| var stoppedCh, listenerStoppedCh <-chan struct{} | ||
| go func() { | ||
| defer wg.Done() | ||
| defer cancel() | ||
|
|
||
| stoppedCh, listenerStoppedCh, err = cfg.SecureServing.Serve(mux, 10*time.Second, serverCtx.Done()) | ||
| if err != nil { | ||
| klog.Errorf("%v", err) | ||
| return | ||
|
|
@@ -244,7 +245,9 @@ func Run(cfg *server.KubeRBACProxyConfig) error { | |
| // we need a second listener in order to serve proxy-specific endpoints | ||
| // on a different port (--proxy-endpoints-port) | ||
| proxyEndpointsMux := http.NewServeMux() | ||
| proxyEndpointsMux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) { | ||
|
Collaborator
There was a problem hiding this comment. I think the previous What you added might be worth to be used as There was a problem hiding this comment. I am unsure of exactly what this trying to do, but I do think that you need something better than just "always return ok." For example, I would at a minimum expect a check that asserts that the upstream is working. I don't know if checking this specific listener is the correct approach though. From the YAML below I think this is acting as a readiness check and not a health check?
Collaborator
Author
There was a problem hiding this comment. I was trying to set up a few checks that make sure that the other listener is capable of responding to requests. I am not sure we want to add an upstream healthz check here - the proxy info port is supposed to serve information about the proxy itself. The healthz of upstream should probably be checked directly at upstream (or should be accessed via a permissive proxied path).
Collaborator
There was a problem hiding this comment. The previous health check is fine. This would be more like a At the beginning I had the opinion that @enj had, that we would need to "somehow check upstream", but your arguments are also right: this is the concern of upstream itself. |
||
| proxyHealtzCheck(w, cfg.SecureServing.Listener.Addr().String(), listenerStoppedCh, stoppedCh) | ||
| }) | ||
|
|
||
| if err := wg.Add(1); err != nil { | ||
| return err | ||
|
|
@@ -376,3 +379,31 @@ func copyHeaderIfSet(inReq *http.Request, outReq *http.Request, headerKey string | |
| outReq.Header.Add(headerKey, v) | ||
| } | ||
| } | ||
|
|
||
| func proxyHealtzCheck(w http.ResponseWriter, localProxyAddr string, listenerStoppedChan, stoppedChan <-chan struct{}) { | ||
| select { | ||
| case <-stoppedChan: | ||
| http.Error(w, "the proxying port serving logic has stopped", http.StatusServiceUnavailable) | ||
| return | ||
| case <-listenerStoppedChan: | ||
| http.Error(w, "listener stopped", http.StatusServiceUnavailable) | ||
| return | ||
| default: | ||
| } | ||
|
|
||
| // we need the tls.Dialer otherwise the server would log EOF for TLS handshakes | ||
| // since the connection would be cut before that was ever attempted | ||
| dialer := tls.Dialer{NetDialer: &net.Dialer{}, Config: &tls.Config{InsecureSkipVerify: true}} // the cert's not likely to have loopback IP SAN | ||
| dialCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second) | ||
| defer cancel() | ||
|
|
||
| // we just knock on the other listener as we don't want to trigger proxying to upstream | ||
| conn, err := dialer.DialContext(dialCtx, "tcp", localProxyAddr) | ||
| if err != nil { | ||
| http.Error(w, "failed to connect to the proxying listener", http.StatusInternalServerError) | ||
| klog.Errorf("failed to connect to the proxying listener: %v", err) | ||
| return | ||
| } | ||
| _ = conn.Close() | ||
| _, _ = w.Write([]byte("ok")) | ||
| } | ||
Uh oh!
There was an error while loading. Please reload this page.