health check for webhook server

This change add support for health check endpoint for webhook. For this, a new http server is created to respond to k8s probe requests. Signed-off-by: Ravindra Thakur <[email protected]>
k8snetworkplumbingwg · Jul 4, 2022 · 1eff346 · 1eff346
1 parent 8eb1c4f
commit 1eff346
Show file tree

Hide file tree

Showing 3 changed files with 36 additions and 1 deletion.
diff --git a/README.md b/README.md
@@ -154,6 +154,7 @@ Currently supported arguments are below. If needed, detailed description is avai
 |tls-private-key-file|key.pem|File containing the default x509 private key matching --tls-cert-file.|NO|
 |insecure|false|Disable adding client CA to server TLS endpoint|NO|
 |client-ca|""|File containing client CA. This flag is repeatable if more than one client CA needs to be added to server|NO|
+|health-check-port|8444|The port to use for health check monitoring.|NO|
 |injectHugepageDownApi|false|Enable hugepage requests and limits into Downward API.|YES|
 |network-resource-name-keys|k8s.v1.cni.cncf.io/resourceName|comma separated resource name keys|YES|
 |honor-resources|false|Honor the existing requested resources requests & limits|YES|

diff --git a/cmd/webhook/main.go b/cmd/webhook/main.go
@@ -51,6 +51,7 @@ func main() {
 	key := flag.String("tls-private-key-file", "key.pem", "File containing the default x509 private key matching --tls-cert-file.")
 	insecure := flag.Bool("insecure", false, "Disable adding client CA to server TLS endpoint --insecure")
 	flag.Var(&clientCAPaths, "client-ca", "File containing client CA. This flag is repeatable if more than one client CA needs to be added to server")
+	healthCheckPort := flag.Int("health-check-port", 8444, "The port to use for health check monitoring")
 
 	// do initialization of control switches flags
 	controlSwitches := controlswitches.SetupControlSwitchesFlags()
@@ -62,7 +63,7 @@ func main() {
 	controlSwitches.InitControlSwitches()
 	glog.Infof("controlSwitches: %+v", *controlSwitches)
 
-	if *port < 1024 || *port > 65535 {
+	if !isValidPort(*port) {
 		glog.Fatalf("invalid port number. Choose between 1024 and 65535")
 	}
 
@@ -82,6 +83,25 @@ func main() {
 		namespace = "kube-system"
 	}
 
+	if !isValidPort(*healthCheckPort) {
+		glog.Fatalf("Invalid health check port number. Choose between 1024 and 65535")
+	} else if *healthCheckPort == *port {
+		glog.Fatalf("Health check port should be different from port")
+	} else {
+		go func() {
+			addr := fmt.Sprintf("%s:%d", *address, *healthCheckPort)
+			mux := http.NewServeMux()
+
+			mux.HandleFunc("/healthz", func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+			})
+			err := http.ListenAndServe(addr, mux)
+			if err != nil {
+				glog.Fatalf("error starting health check server: %v", err)
+			}
+		}()
+	}
+
 	glog.Infof("starting mutating admission controller for network resources injection")
 
 	keyPair, err := webhook.NewTlsKeypairReloader(*cert, *key)
@@ -217,3 +237,10 @@ func main() {
 	// TODO: find a way to stop cache, should we run the above block in a go routine and make main module
 	// to respond to terminate singal ?
 }
+
+func isValidPort(port int) bool {
+	if port < 1024 || port > 65535 {
+		return false
+	}
+	return true
+}
diff --git a/deployments/server.yaml b/deployments/server.yaml
@@ -41,6 +41,7 @@ spec:
         - -port=8443
         - -tls-private-key-file=/etc/tls/tls.key
         - -tls-cert-file=/etc/tls/tls.crt
+        - -health-check-port=8444
         - -logtostderr
         env:
         - name: NAMESPACE
@@ -66,6 +67,12 @@ spec:
           limits:
             memory: "200Mi"
             cpu: "500m"
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 8444
+          initialDelaySeconds: 10
+          periodSeconds: 5
       initContainers:
       - name: installer
         image: network-resources-injector:latest