feat(core): add separate healthz endpoint to virt-operator (#570)

* feat(core): add separate healthz endpoint to virt-operator --------- Signed-off-by: Maksim Fedotov <[email protected]>
deckhouse · Dec 13, 2024 · af350ba · af350ba
1 parent afe682a
commit af350ba
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 5 deletions.
diff --git a/images/virt-artifact/patches/026-add-healthz-to-virt-operator.patch b/images/virt-artifact/patches/026-add-healthz-to-virt-operator.patch
@@ -0,0 +1,53 @@
+diff --git a/pkg/virt-operator/application.go b/pkg/virt-operator/application.go
+index 47b4880c38..7e889dd48b 100644
+--- a/pkg/virt-operator/application.go
++++ b/pkg/virt-operator/application.go
+@@ -341,8 +341,6 @@ func Execute() {
+ }
+
+ func (app *VirtOperatorApp) Run() {
+-	promTLSConfig := kvtls.SetupPromTLS(app.operatorCertManager, app.clusterConfig)
+-
+ 	go func() {
+
+ 		mux := http.NewServeMux()
+@@ -360,15 +358,34 @@ func (app *VirtOperatorApp) Run() {
+ 		restfulContainer.ServeMux = mux
+ 		restfulContainer.Add(webService)
+
++		server := http.Server{
++			Addr:      app.ServiceListen.MetricsAddress(),
++			Handler:   mux,
++		}
++		if err := server.ListenAndServe(); err != nil {
++			golog.Fatal(err)
++		}
++	}()
++	go func() {
++		var handle200 = restful.RouteFunction(func(req *restful.Request, resp *restful.Response) {
++			resp.WriteHeader(http.StatusOK)
++		})
++		mux := http.NewServeMux()
++
++		webService := new(restful.WebService)
++		webService.Path("/").Consumes(restful.MIME_JSON).Produces(restful.MIME_JSON)
++		webService.Route(webService.GET("/healthz").To(handle200).
++		Produces(restful.MIME_JSON).
++		Returns(200, "OK", nil))
++
++		restfulContainer := restful.NewContainer()
++		restfulContainer.ServeMux = mux
++		restfulContainer.Add(webService)
+ 		server := http.Server{
+ 			Addr:      app.ServiceListen.Address(),
+ 			Handler:   mux,
+-			TLSConfig: promTLSConfig,
+-			// Disable HTTP/2
+-			// See CVE-2023-44487
+-			TLSNextProto: map[string]func(*http.Server, *tls.Conn, http.Handler){},
+ 		}
+-		if err := server.ListenAndServeTLS("", ""); err != nil {
++		if err := server.ListenAndServe(); err != nil {
+ 			golog.Fatal(err)
+ 		}
+ 	}()
diff --git a/templates/kubevirt/virt-operator/deployment.yaml b/templates/kubevirt/virt-operator/deployment.yaml
@@ -103,13 +103,18 @@ spec:
       {{- $_ := set $kubeRbacProxySettings "runAsUserNobody" true }}
       {{- $_ := set $kubeRbacProxySettings "upstreams" (list
           (dict "upstream" "http://127.0.0.1:9090/metrics" "path" "/proxy/metrics" "name" "kube-api-rewriter") 
+          (dict "upstream" "http://127.0.0.1:8080/metrics" "path" "/metrics" "name" "virt-operator") 
       ) }}
       {{- include "kube_rbac_proxy.sidecar_container" (tuple . $kubeRbacProxySettings) | nindent 6 }}
       - name: virt-operator
         {{- include "helm_lib_module_container_security_context_read_only_root_filesystem_capabilities_drop_all" . | nindent 8 }}
         args:
         - --port
         - "8443"
+        - --metrics-listen
+        - 127.0.0.1
+        - --metrics-port
+        - "8080"
         - -v
         - "2"
         command:
@@ -124,17 +129,14 @@ spec:
         image: {{ include "helm_lib_module_image" (list . "virtOperator") }}
         imagePullPolicy: IfNotPresent
         ports:
-        - containerPort: 8443
-          name: metrics
-          protocol: TCP
         - containerPort: 8444
           name: webhooks
           protocol: TCP
         readinessProbe:
           httpGet:
-            path: /metrics
+            path: /healthz
             port: 8443
-            scheme: HTTPS
+            scheme: HTTP
           initialDelaySeconds: 5
           timeoutSeconds: 10
         resources: