Merge pull request kubevirt#1836 from rmohr/httpGet-for-virt-api

Switch to httpGet on virt-api readinessProbe

api/openapi-spec/swagger.json

@@ -92,29 +92,6 @@
      }
     }
    },
-   "/apis/kubevirt.io/v1alpha2/healthz": {
-    "get": {
-     "consumes": [
-      "application/json"
-     ],
-     "produces": [
-      "application/json"
-     ],
-     "summary": "Health endpoint",
-     "operationId": "checkHealth",
-     "responses": {
-      "200": {
-       "description": "OK"
-      },
-      "500": {
-       "description": "Unhealthy"
-      },
-      "default": {
-       "description": "OK"
-      }
-     }
-    }
-   },
    "/apis/kubevirt.io/v1alpha2/namespaces/{namespace}/virtualmachineinstancemigrations": {
     "get": {
      "produces": [
@@ -3687,6 +3664,29 @@
      }
     }
    },
+   "/apis/subresources.kubevirt.io/v1alpha2/healthz": {
+    "get": {
+     "consumes": [
+      "application/json"
+     ],
+     "produces": [
+      "application/json"
+     ],
+     "summary": "Health endpoint",
+     "operationId": "checkHealth",
+     "responses": {
+      "200": {
+       "description": "OK"
+      },
+      "500": {
+       "description": "Unhealthy"
+      },
+      "default": {
+       "description": "OK"
+      }
+     }
+    }
+   },
    "/apis/subresources.kubevirt.io/v1alpha2/namespaces/{namespace}/virtualmachineinstances/{name}/console": {
     "get": {
      "summary": "Open a websocket connection to a serial console on the specified VirtualMachineInstance.",

manifests/dev/virt-api.yaml.in

@@ -55,9 +55,11 @@ spec:
               name: "metrics"
               protocol: "TCP"
           readinessProbe:
-            tcpSocket:
+            httpGet:
+              scheme: HTTPS
               port: 8443
-            initialDelaySeconds: 5
-            periodSeconds: 10
+              path: /apis/subresources.kubevirt.io/v1alpha2/healthz
+            initialDelaySeconds: 15
+            timeoutSeconds: 10
       securityContext:
         runAsNonRoot: true

manifests/release/kubevirt.yaml.in

@@ -470,10 +470,12 @@ spec:
               name: "metrics"
               protocol: "TCP"
           readinessProbe:
-            tcpSocket:
+            httpGet:
+              scheme: HTTPS
               port: 8443
-            initialDelaySeconds: 5
-            periodSeconds: 10
+              path: /apis/subresources.kubevirt.io/v1alpha2/healthz
+            initialDelaySeconds: 15
+            timeoutSeconds: 10
       securityContext:
         runAsNonRoot: true
 ---

pkg/virt-api/api.go

@@ -175,24 +175,6 @@ func subresourceAPIGroup() metav1.APIGroup {
 	return apiGroup
 }
 
-func (app *virtAPIApp) composeHealthEndpoint() {
-
-	ws, err := rest.GroupVersionProxyBase(v1.GroupVersion)
-	if err != nil {
-		panic(err)
-	}
-
-	ws.Route(ws.GET("/healthz").
-		To(healthz.KubeConnectionHealthzFunc).
-		Consumes(restful.MIME_JSON).
-		Produces(restful.MIME_JSON).
-		Operation("checkHealth").
-		Doc("Health endpoint").
-		Returns(http.StatusOK, "OK", nil).
-		Returns(http.StatusInternalServerError, "Unhealthy", nil))
-	restful.Add(ws)
-}
-
 func (app *virtAPIApp) composeSubresources() {
 
 	subresourcesvmGVR := schema.GroupVersionResource{Group: v1.SubresourceGroupVersion.Group, Version: v1.SubresourceGroupVersion.Version, Resource: "virtualmachines"}
@@ -239,6 +221,15 @@ func (app *virtAPIApp) composeSubresources() {
 			response.WriteAsJson(version.Get())
 		}).Operation("version"))
 
+	subws.Route(subws.GET(rest.SubResourcePath("healthz")).
+		To(healthz.KubeConnectionHealthzFunc).
+		Consumes(restful.MIME_JSON).
+		Produces(restful.MIME_JSON).
+		Operation("checkHealth").
+		Doc("Health endpoint").
+		Returns(http.StatusOK, "OK", nil).
+		Returns(http.StatusInternalServerError, "Unhealthy", nil))
+
 	// Return empty api resource list.
 	// K8s expects to be able to retrieve a resource list for each aggregated
 	// app in order to discover what resources it provides. Without returning
@@ -296,7 +287,6 @@ func (app *virtAPIApp) composeSubresources() {
 func (app *virtAPIApp) Compose() {
 
 	app.composeSubresources()
-	app.composeHealthEndpoint()
 
 	restful.Filter(filter.RequestLoggingFilter())
 	restful.Filter(restful.OPTIONSFilter())

pkg/virt-api/rest/authorizer.go

@@ -185,7 +185,7 @@ func (a *authorizor) generateAccessReview(req *restful.Request) (*authorization.
 	return r, nil
 }
 
-func isInfoEndpoint(req *restful.Request) bool {
+func isInfoOrHealthEndpoint(req *restful.Request) bool {
 
 	httpRequest := req.Request
 	if httpRequest == nil || httpRequest.URL == nil {
@@ -195,7 +195,7 @@ func isInfoEndpoint(req *restful.Request) bool {
 	// /apis/subresources.kubevirt.io/v1alpha2/namespaces/default/virtualmachineinstances/testvmi/console
 	// The /apis/<group>/<version> part of the urls should be accessible without needing authorization
 	pathSplit := strings.Split(httpRequest.URL.Path, "/")
-	if len(pathSplit) <= 4 || (len(pathSplit) > 4 && pathSplit[4] == "version") {
+	if len(pathSplit) <= 4 || (len(pathSplit) > 4 && (pathSplit[4] == "version" || pathSplit[4] == "healthz")) {
 		return true
 	}
 
@@ -217,7 +217,7 @@ func (a *authorizor) Authorize(req *restful.Request) (bool, string, error) {
 	// Endpoints related to getting information about
 	// what apis our server provides are authorized to
 	// all users.
-	if isInfoEndpoint(req) {
+	if isInfoOrHealthEndpoint(req) {
 		return true, "", nil
 	}
 

pkg/virt-api/rest/authorizer_test.go

@@ -154,6 +154,7 @@ var _ = Describe("VirtualMachineInstance Subresources", func() {
 			table.Entry("apis", "/apis"),
 			table.Entry("group", "/apis/subresources.kubevirt.io"),
 			table.Entry("version", "/apis/subresources.kubevirt.io/version"),
+			table.Entry("healthz", "/apis/subresources.kubevirt.io/healthz"),
 		)
 
 		table.DescribeTable("should reject all users for unknown endpoint paths", func(path string) {