feat: add health Probe

Makefile

@@ -644,4 +644,4 @@ $(CONTROLLER_GEN): $(LOCALBIN)
 .PHONY: conversion-gen
 conversion-gen: $(CONVERSION_GEN) ## Download conversion-gen locally if necessary.
 $(CONVERSION_GEN): $(LOCALBIN)
-	test -s $(LOCALBIN)/conversion-gen || GOBIN=$(LOCALBIN) go install k8s.io/code-generator/cmd/conversion-gen@$(CONVERSION_TOOLS_VERSION)
+	test -s $(LOCALBIN)/conversion-gen || GOBIN=$(LOCALBIN) go install k8s.io/code-generator/cmd/conversion-gen@$(CONVERSION_TOOLS_VERSION)

charts/ratify/templates/deployment.yaml

@@ -38,6 +38,14 @@ spec:
         - name: {{ .Chart.Name }}
           image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
+          livenessProbe:
+            httpGet:
+              path: /healthz
+              port: {{ .Values.healthPort }}
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: {{ .Values.healthPort }}
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
@@ -70,11 +78,15 @@ spec:
             - --metrics-enabled={{ .Values.instrumentation.metricsEnabled }}
             - --metrics-type={{ .Values.instrumentation.metricsType }}
             - --metrics-port={{ .Values.instrumentation.metricsPort }}
+            - --health-port=:{{ .Values.healthPort }}
           ports:
             - containerPort: 6001
             {{- if .Values.instrumentation.metricsEnabled }}
             - containerPort: {{ required "You must provide .Values.instrumentation.metricsPort" .Values.instrumentation.metricsPort }}
             {{- end }}
+            - containerPort: {{ required "You must provide .Values.healthPort"  .Values.healthPort }}
+              name: healthz
+              protocol: TCP
           volumeMounts:             
             {{- if .Values.cosign.enabled }}
             - mountPath: "/usr/local/ratify-certs/cosign"

charts/ratify/values.yaml

@@ -87,6 +87,7 @@ provider:
 podAnnotations: {}
 podLabels: {}
 enableRuntimeDefaultSeccompProfile: true
+healthPort: 9090
 
 rbac:
   create: true

cmd/ratify/cmd/serve.go

@@ -47,6 +47,7 @@ type serveCmdOptions struct {
 	metricsEnabled    bool
 	metricsType       string
 	metricsPort       int
+	healthPort        string
 }
 
 func NewCmdServe(_ ...string) *cobra.Command {
@@ -77,6 +78,7 @@ func NewCmdServe(_ ...string) *cobra.Command {
 	flags.BoolVar(&opts.metricsEnabled, "metrics-enabled", false, "Enable metrics exporter if enabled (default: false)")
 	flags.StringVar(&opts.metricsType, "metrics-type", httpserver.DefaultMetricsType, fmt.Sprintf("Metrics exporter type to use (default: %s)", httpserver.DefaultMetricsType))
 	flags.IntVar(&opts.metricsPort, "metrics-port", httpserver.DefaultMetricsPort, fmt.Sprintf("Metrics exporter port to use (default: %d)", httpserver.DefaultMetricsPort))
+	flags.StringVar(&opts.healthPort, "health-port", httpserver.DefaultHealthPort, fmt.Sprintf("Health port to use (default: %s)", httpserver.DefaultHealthPort))
 	return cmd
 }
 
@@ -100,7 +102,7 @@ func serve(opts serveCmdOptions) error {
 	if opts.enableCrdManager {
 		certRotatorReady := make(chan struct{})
 		logrus.Infof("starting crd manager")
-		go manager.StartManager(certRotatorReady)
+		go manager.StartManager(certRotatorReady, opts.healthPort)
 		manager.StartServer(opts.httpServerAddress, opts.configFilePath, opts.certDirectory, opts.caCertFile, opts.cacheTTL, opts.metricsEnabled, opts.metricsType, opts.metricsPort, certRotatorReady)
 
 		return nil

httpserver/server.go

@@ -46,6 +46,7 @@ const (
 
 	DefaultMetricsType = "prometheus"
 	DefaultMetricsPort = 8888
+	DefaultHealthPort  = ":9090"
 )
 
 type Server struct {

pkg/manager/manager.go

@@ -142,12 +142,11 @@ func StartServer(httpServerAddress, configFilePath, certDirectory, caCertFile st
 	}
 }
 
-func StartManager(certRotatorReady chan struct{}) {
+func StartManager(certRotatorReady chan struct{}, probeAddr string) {
 	var metricsAddr string
 	var enableLeaderElection bool
-	var probeAddr string
+
 	flag.StringVar(&metricsAddr, "metrics-bind-address", ":8080", "The address the metric endpoint binds to.")
-	flag.StringVar(&probeAddr, "health-probe-bind-address", ":8081", "The address the probe endpoint binds to.")
 	flag.BoolVar(&enableLeaderElection, "leader-elect", false,
 		"Enable leader election for controller manager. "+
 			"Enabling this will ensure there is only one active controller manager.")
@@ -179,6 +178,8 @@ func StartManager(certRotatorReady chan struct{}) {
 		os.Exit(1)
 	}
 
+	setupLog.Debugf("setting up probeAddr at %s", probeAddr)
+
 	// Make sure certs are generated and valid if cert rotation is enabled.
 	if featureflag.CertRotation.Enabled {
 		// Make sure TLS cert watcher is already set up.

test/bats/quickstart-test.bats

@@ -9,4 +9,4 @@ load helpers
     # validate unsigned fails
     run kubectl run demo1 --image=ghcr.io/deislabs/ratify/notary-image:unsigned
     assert_failure
-}
+}