Add liveness probes where possible

IDM and NAT don't provide any debug service/port so use a simple TCP
check on the main port.
Notifications and Audit do currently not provide a debug port either. As
they are not listening on any port by default we don't currently implement
a useful liveness probe for them.

charts/ocis/templates/app-provider/deployment.yaml

@@ -81,6 +81,17 @@ spec:
                   name: {{ $.Values.secretRefs.jwtSecretRef }}
                   key: jwt-secret
 
+          livenessProbe:
+            exec:
+              command:
+              - /bin/sh
+              - -c
+              - curl --silent --fail http://frontend:9140/app/list | grep {{ $officeSuite.name }}
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml $.Values.resources | nindent 12 }}
           ports:
             - name: grpc

charts/ocis/templates/app-registry/deployment.yaml

@@ -64,6 +64,15 @@ spec:
                   name: {{ .Values.secretRefs.jwtSecretRef }}
                   key: jwt-secret
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: http

charts/ocis/templates/auth-basic/deployment.yaml

@@ -152,6 +152,15 @@ spec:
                   name: {{ .Values.secretRefs.jwtSecretRef }}
                   key: jwt-secret
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: grpc

charts/ocis/templates/auth-machine/deployment.yaml

@@ -69,6 +69,15 @@ spec:
                   name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }}
                   key: machine-auth-api-key
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: grpc

charts/ocis/templates/frontend/deployment.yaml

@@ -84,6 +84,15 @@ spec:
                   name: {{ .Values.secretRefs.transferSecretSecretRef }}
                   key: transfer-secret
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: http

charts/ocis/templates/gateway/deployment.yaml

@@ -100,6 +100,15 @@ spec:
                   name: {{ .Values.secretRefs.transferSecretSecretRef }}
                   key: transfer-secret
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: grpc

charts/ocis/templates/graph/deployment.yaml

@@ -84,6 +84,15 @@ spec:
                   name: {{ .Values.secretRefs.jwtSecretRef }}
                   key: jwt-secret
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: http

charts/ocis/templates/groups/deployment.yaml

@@ -150,6 +150,15 @@ spec:
                   name: {{ .Values.secretRefs.jwtSecretRef }}
                   key: jwt-secret
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: grpc

charts/ocis/templates/idm/deployment.yaml

@@ -68,8 +68,13 @@ spec:
             - name: IDM_LOG_PRETTY
               value: "{{ .Values.logging.pretty }}"
 
+            - name: IDM_DEBUG_PPROF
+              value: "{{ .Values.debug.profiling }}"
+
             - name: IDM_LDAPS_ADDR
               value: 0.0.0.0:9235
+            - name: IDM_DEBUG_ADDR
+              value: 0.0.0.0:9239
 
             - name: IDM_CREATE_DEMO_USERS
               value: "{{ .Values.features.demoUsers }}"
@@ -109,10 +114,26 @@ spec:
             - name: IDM_LDAPS_KEY
               value: /etc/ocis/ldap-cert/ldap.key
 
+          livenessProbe:
+            # TODO: IDM does not currently provide a debug port, re-enable this once that is implemented
+            # httpGet:
+            #   path: /healthz
+            #   port: metrics-debug
+            # until then we're just doing a TCP check on the main port
+            tcpSocket:
+              port: ldaps
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: ldaps
               containerPort: 9235
+            # TODO: IDM does not currently provide a debug port, re-enable this once that is implemented
+            # - name: metrics-debug
+            #   containerPort: 9239
           volumeMounts:
             - name: ocis-config-tmp
               mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path

charts/ocis/templates/idm/service.yaml

@@ -6,6 +6,7 @@ metadata:
   namespace: {{ template "ocis.namespace" . }}
   labels:
     app: idm
+    ocis-metrics: enabled
     {{- include "ocis.labels" . | nindent 4 }}
 spec:
   selector:
@@ -14,4 +15,8 @@ spec:
     - name: ldaps
       port: 9235
       protocol: TCP
+    # TODO: IDM does not currently provide a debug port, re-enable this once that is implemented
+    # - name: metrics-debug
+    #   port: 9239
+    #   protocol: TCP
 {{- end }}

charts/ocis/templates/idp/deployment.yaml

@@ -49,8 +49,13 @@ spec:
             - name: IDP_LOG_PRETTY
               value: "{{ .Values.logging.pretty }}"
 
+            - name: IDP_DEBUG_PPROF
+              value: "{{ .Values.debug.profiling }}"
+
             - name: IDP_HTTP_ADDR
               value: 0.0.0.0:9130
+            - name: IDP_DEBUG_ADDR
+              value: 0.0.0.0:9134
 
             - name: IDP_ISS
               value: "https://{{ .Values.externalDomain }}"
@@ -73,10 +78,21 @@ spec:
             - name: IDP_ENCRYPTION_SECRET_FILE
               value: /etc/ocis/idp/encryption.key
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: http
               containerPort: 9130
+            - name: metrics-debug
+              containerPort: 9134
           volumeMounts:
             - name: ocis-config-tmp
               mountPath: /etc/ocis # we mount that volume only to apply fsGroup to that path

charts/ocis/templates/idp/service.yaml

@@ -6,6 +6,7 @@ metadata:
   namespace: {{ template "ocis.namespace" . }}
   labels:
     app: idp
+    ocis-metrics: enabled
     {{- include "ocis.labels" . | nindent 4 }}
 spec:
   selector:
@@ -14,4 +15,8 @@ spec:
     - name: http
       port: 9130
       protocol: TCP
+    - name: metrics-debug
+      port: 9134
+      protocol: TCP
+
 {{- end }}

charts/ocis/templates/nats/deployment.yaml

@@ -52,14 +52,38 @@ spec:
             - name: NATS_LOG_PRETTY
               value: "{{ .Values.logging.pretty }}"
 
+            - name: NATS_DEBUG_PPROF
+              value: "{{ .Values.debug.profiling }}"
+
             - name: NATS_NATS_HOST
               value: "0.0.0.0"
             - name: NATS_NATS_PORT
               value: "9233"
+
+            - name: NATS_DEBUG_ADDR
+              value: 0.0.0.0:9234
+
+          livenessProbe:
+            # TODO: NATS does not currently provide a debug port, re-enable this once that is implemented
+            # See: https://github.com/owncloud/ocis-charts/issues/111
+            # httpGet:
+            #   path: /healthz
+            #   port: metrics-debug
+            # until then we're just doing a TCP check on the main port
+            tcpSocket:
+              port: 9233
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: nats
               containerPort: 9233
+            # TODO: NATS does not currently provide a debug port, re-enable this once that is implemented
+            # - name: metrics-debug
+            #   containerPort: 9234
           volumeMounts:
             - name: nats-data
               mountPath: /var/lib/ocis

charts/ocis/templates/nats/service.yaml

@@ -5,6 +5,7 @@ metadata:
   namespace: {{ template "ocis.namespace" . }}
   labels:
     app: nats
+    ocis-metrics: enabled
     {{- include "ocis.labels" . | nindent 4 }}
 spec:
   selector:
@@ -13,3 +14,7 @@ spec:
     - name: nats
       port: 9233
       protocol: TCP
+    # TODO: NATS does not currently provide a debug port, re-enable this once that is implemented
+    # - name: metrics-debug
+    #   port: 9234
+    #   protocol: TCP

charts/ocis/templates/notifications/deployment.yaml

@@ -44,6 +44,12 @@ spec:
             - name: NOTIFICATIONS_LOG_PRETTY
               value: "{{ .Values.logging.pretty }}"
 
+            - name: NOTIFICATIONS_DEBUG_PPROF
+              value: "{{ .Values.debug.profiling }}"
+
+            - name: NOTIFICATIONS_DEBUG_ADDR
+              value: 0.0.0.0:9174
+
             - name: NOTIFICATIONS_SMTP_HOST
               value: "{{ .Values.features.emailNotifications.smtp.host }}"
             - name: NOTIFICATIONS_SMTP_PORT
@@ -78,5 +84,20 @@ spec:
                   name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }}
                   key: machine-auth-api-key
 
+          # TODO: This service does not currently provide a debug port, re-enable this once that is implemented
+          # See: https://github.com/owncloud/ocis-charts/issues/111
+          # livenessProbe:
+          #   httpGet:
+          #     path: /healthz
+          #     port: metrics-debug
+          #   timeoutSeconds: 10
+          #   initialDelaySeconds: 60
+          #   periodSeconds: 20
+          #   failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
+          # TODO: This service does not currently provide a debug port, re-enable this once that is implemented
+          # ports:
+          #   - name: metrics-debug
+          #     containerPort: 9174
 {{- end }}

charts/ocis/templates/ocdav/deployment.yaml

@@ -75,6 +75,15 @@ spec:
                   name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }}
                   key: machine-auth-api-key
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: http

charts/ocis/templates/ocs/deployment.yaml

@@ -76,6 +76,15 @@ spec:
                   name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }}
                   key: machine-auth-api-key
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: http

charts/ocis/templates/proxy/deployment.yaml

@@ -97,6 +97,15 @@ spec:
                   name: {{ .Values.secretRefs.machineAuthApiKeySecretRef }}
                   key: machine-auth-api-key
 
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: metrics-debug
+            timeoutSeconds: 10
+            initialDelaySeconds: 60
+            periodSeconds: 20
+            failureThreshold: 3
+
           resources: {{ toYaml .Values.resources | nindent 12 }}
           ports:
             - name: http

charts/ocis/templates/proxy/service.yaml

@@ -1,5 +1,6 @@
-
-@@ -4,12 +4,17 @@ metadata:
+apiVersion: v1
+kind: Service
+metadata:
   name: proxy
   namespace: {{ template "ocis.namespace" . }}
   labels: