use httpGet as liveness/readiness probe method (#4945)

zhangzujian · zhangzujian · commit dc641799aa7d · 2025-02-08T01:32:17.000Z
Signed-off-by: zhangzujian &lt;zhangzujian.7@gmail.com&gt;
diff --git a/Makefile b/Makefile
@@ -515,6 +515,7 @@ kind-install-chart: kind-load-image kind-untaint-control-plane
 		--set global.images.kubeovn.tag=$(VERSION) \
 		--set replicaCount=$$(echo $$ips | awk -F ',' '{print NF}') \
 		--set MASTER_NODES="$$(echo $$ips | sed 's/,/\\,/g')" \
+		--set func.SECURE_SERVING=$(shell echo $${SECURE_SERVING:-false}) \
 		--set func.ENABLE_IC=$$(kubectl get node --show-labels | grep -q "ovn.kubernetes.io/ic-gw" && echo true || echo false)
 
 .PHONY: kind-install-chart-ssl
@@ -528,6 +529,7 @@ kind-upgrade-chart: kind-load-image
 		--set global.images.kubeovn.tag=$(VERSION) \
 		--set replicaCount=$$(echo $(OVN_DB_IPS) | awk -F ',' '{print NF}') \
 		--set MASTER_NODES='$(OVN_DB_IPS)' \
+		--set func.SECURE_SERVING=$(shell echo $${SECURE_SERVING:-false}) \
 		--set func.ENABLE_IC=$$(kubectl get node --show-labels | grep -q "ovn.kubernetes.io/ic-gw" && echo true || echo false)
 	sleep 90
 	kubectl -n kube-system wait pod --for=condition=ready -l app=ovs --timeout=60s
diff --git a/charts/kube-ovn/templates/controller-deploy.yaml b/charts/kube-ovn/templates/controller-deploy.yaml
@@ -168,19 +168,17 @@ spec:
             - mountPath: /var/run/tls
               name: kube-ovn-tls
           readinessProbe:
-            exec:
-              command:
-                - /kube-ovn/kube-ovn-healthcheck
-                - --port=10660
-                - --tls={{- .Values.func.SECURE_SERVING }}
+            httpGet:
+              port: 10660
+              path: /readyz
+              scheme: '{{ ternary "HTTPS" "HTTP" .Values.func.SECURE_SERVING }}'
             periodSeconds: 3
             timeoutSeconds: 5
           livenessProbe:
-            exec:
-              command:
-                - /kube-ovn/kube-ovn-healthcheck
-                - --port=10660
-                - --tls={{- .Values.func.SECURE_SERVING }}
+            httpGet:
+              port: 10660
+              path: /livez
+              scheme: '{{ ternary "HTTPS" "HTTP" .Values.func.SECURE_SERVING }}'
             initialDelaySeconds: 300
             periodSeconds: 7
             failureThreshold: 5
diff --git a/charts/kube-ovn/templates/monitor-deploy.yaml b/charts/kube-ovn/templates/monitor-deploy.yaml
@@ -108,22 +108,20 @@ spec:
             initialDelaySeconds: 30
             periodSeconds: 7
             successThreshold: 1
-            exec:
-              command:
-                - /kube-ovn/kube-ovn-healthcheck
-                - --port=10661
-                - --tls={{- .Values.func.SECURE_SERVING }}
+            httpGet:
+              port: 10661
+              path: /livez
+              scheme: '{{ ternary "HTTPS" "HTTP" .Values.func.SECURE_SERVING }}'
             timeoutSeconds: 5
           readinessProbe:
             failureThreshold: 3
             initialDelaySeconds: 30
             periodSeconds: 7
             successThreshold: 1
-            exec:
-              command:
-                - /kube-ovn/kube-ovn-healthcheck
-                - --port=10661
-                - --tls={{- .Values.func.SECURE_SERVING }}
+            httpGet:
+              port: 10661
+              path: /readyz
+              scheme: '{{ ternary "HTTPS" "HTTP" .Values.func.SECURE_SERVING }}'
             timeoutSeconds: 5
       nodeSelector:
         kubernetes.io/os: "linux"
diff --git a/charts/kube-ovn/templates/ovncni-ds.yaml b/charts/kube-ovn/templates/ovncni-ds.yaml
@@ -152,22 +152,20 @@ spec:
           failureThreshold: 3
           periodSeconds: 7
           successThreshold: 1
-          exec:
-            command:
-              - /kube-ovn/kube-ovn-healthcheck
-              - --port=10665
-              - --tls={{- .Values.func.SECURE_SERVING }}
+          httpGet:
+            port: 10665
+            path: /readyz
+            scheme: '{{ ternary "HTTPS" "HTTP" .Values.func.SECURE_SERVING }}'
           timeoutSeconds: 5
         livenessProbe:
           failureThreshold: 3
           initialDelaySeconds: 30
           periodSeconds: 7
           successThreshold: 1
-          exec:
-            command:
-              - /kube-ovn/kube-ovn-healthcheck
-              - --port=10665
-              - --tls={{- .Values.func.SECURE_SERVING }}
+          httpGet:
+            port: 10665
+            path: /livez
+            scheme: '{{ ternary "HTTPS" "HTTP" .Values.func.SECURE_SERVING }}'
           timeoutSeconds: 5
         resources:
           requests:
diff --git a/cmd/cmdmain.go b/cmd/cmdmain.go
@@ -13,7 +13,6 @@ import (
 
 	"github.com/kubeovn/kube-ovn/cmd/controller"
 	"github.com/kubeovn/kube-ovn/cmd/daemon"
-	"github.com/kubeovn/kube-ovn/cmd/health_check"
 	"github.com/kubeovn/kube-ovn/cmd/ovn_ic_controller"
 	"github.com/kubeovn/kube-ovn/cmd/ovn_leader_checker"
 	"github.com/kubeovn/kube-ovn/cmd/ovn_monitor"
@@ -28,7 +27,6 @@ const (
 	CmdMonitor          = "kube-ovn-monitor"
 	CmdPinger           = "kube-ovn-pinger"
 	CmdSpeaker          = "kube-ovn-speaker"
-	CmdHealthCheck      = "kube-ovn-healthcheck"
 	CmdOvnLeaderChecker = "kube-ovn-leader-checker"
 	CmdOvnICController  = "kube-ovn-ic-controller"
 )
@@ -93,8 +91,6 @@ func main() {
 	case CmdSpeaker:
 		dumpProfile()
 		speaker.CmdMain()
-	case CmdHealthCheck:
-		health_check.CmdMain()
 	case CmdOvnLeaderChecker:
 		ovn_leader_checker.CmdMain()
 	case CmdOvnICController:
diff --git a/cmd/health_check/health_check.go b/cmd/health_check/health_check.go
diff --git a/dist/images/Dockerfile b/dist/images/Dockerfile
@@ -25,6 +25,5 @@ RUN ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-controller && \
     ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-monitor && \
     ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-pinger && \
     ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-speaker && \
-    ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-healthcheck && \
     ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-leader-checker && \
     ln -s /kube-ovn/kube-ovn-cmd /kube-ovn/kube-ovn-ic-controller
diff --git a/dist/images/install.sh b/dist/images/install.sh
@@ -41,6 +41,11 @@ SECURE_SERVING=${SECURE_SERVING:-false}
 OVSDB_CON_TIMEOUT=${OVSDB_CON_TIMEOUT:-3}
 OVSDB_INACTIVITY_TIMEOUT=${OVSDB_INACTIVITY_TIMEOUT:-10}
 
+PROBE_HTTP_SCHEME="HTTP"
+if [ "$SECURE_SERVING" = "true" ]; then
+  PROBE_HTTP_SCHEME="HTTPS"
+fi
+
 # debug
 DEBUG_WRAPPER=${DEBUG_WRAPPER:-}
 
@@ -4161,19 +4166,17 @@ spec:
             - mountPath: /var/run/tls
               name: kube-ovn-tls
           readinessProbe:
-            exec:
-              command:
-                - /kube-ovn/kube-ovn-healthcheck
-                - --port=10660
-                - --tls=${SECURE_SERVING}
+            httpGet:
+              port: 10660
+              path: /readyz
+              scheme: ${PROBE_HTTP_SCHEME}
             periodSeconds: 3
             timeoutSeconds: 5
           livenessProbe:
-            exec:
-              command:
-                - /kube-ovn/kube-ovn-healthcheck
-                - --port=10660
-                - --tls=${SECURE_SERVING}
+            httpGet:
+              port: 10660
+              path: /livez
+              scheme: ${PROBE_HTTP_SCHEME}
             initialDelaySeconds: 300
             periodSeconds: 7
             failureThreshold: 5
@@ -4344,21 +4347,19 @@ spec:
           initialDelaySeconds: 30
           periodSeconds: 7
           successThreshold: 1
-          exec:
-            command:
-              - /kube-ovn/kube-ovn-healthcheck
-              - --port=10665
-              - --tls=${SECURE_SERVING}
+          httpGet:
+            port: 10665
+            path: /livez
+            scheme: ${PROBE_HTTP_SCHEME}
           timeoutSeconds: 5
         readinessProbe:
           failureThreshold: 3
           periodSeconds: 7
           successThreshold: 1
-          exec:
-            command:
-              - /kube-ovn/kube-ovn-healthcheck
-              - --port=10665
-              - --tls=${SECURE_SERVING}
+          httpGet:
+            port: 10665
+            path: /readyz
+            scheme: ${PROBE_HTTP_SCHEME}
           timeoutSeconds: 5
         resources:
           requests:
@@ -4642,22 +4643,20 @@ spec:
             initialDelaySeconds: 30
             periodSeconds: 7
             successThreshold: 1
-            exec:
-              command:
-                - /kube-ovn/kube-ovn-healthcheck
-                - --port=10661
-                - --tls=${SECURE_SERVING}
+            httpGet:
+              port: 10661
+              path: /livez
+              scheme: ${PROBE_HTTP_SCHEME}
             timeoutSeconds: 5
           readinessProbe:
             failureThreshold: 3
             initialDelaySeconds: 30
             periodSeconds: 7
             successThreshold: 1
-            exec:
-              command:
-                - /kube-ovn/kube-ovn-healthcheck
-                - --port=10661
-                - --tls=${SECURE_SERVING}
+            httpGet:
+              port: 10661
+              path: /readyz
+              scheme: ${PROBE_HTTP_SCHEME}
             timeoutSeconds: 5
       nodeSelector:
         kubernetes.io/os: "linux"
diff --git a/go.mod b/go.mod
@@ -13,7 +13,8 @@ require (
 	github.com/digitalocean/go-openvswitch v0.0.0-20240130171624-c0f7d42efe24
 	github.com/docker/docker v27.1.1+incompatible
 	github.com/emicklei/go-restful/v3 v3.12.1
-	github.com/evanphx/json-patch/v5 v5.9.0
+	github.com/evanphx/json-patch/v5 v5.9.11
+	github.com/go-logr/logr v1.4.2
 	github.com/go-logr/stdr v1.2.2
 	github.com/google/uuid v1.6.0
 	github.com/k8snetworkplumbingwg/network-attachment-definition-client v1.7.1
@@ -77,7 +78,6 @@ require (
 	github.com/go-kit/kit v0.13.0 // indirect
 	github.com/go-kit/log v0.2.1 // indirect
 	github.com/go-logfmt/logfmt v0.6.0 // indirect
-	github.com/go-logr/logr v1.4.2 // indirect
 	github.com/go-openapi/jsonpointer v0.21.0 // indirect
 	github.com/go-openapi/jsonreference v0.21.0 // indirect
 	github.com/go-openapi/swag v0.23.0 // indirect
diff --git a/go.sum b/go.sum
@@ -725,8 +725,8 @@ github.com/envoyproxy/protoc-gen-validate v0.10.0/go.mod h1:DRjgyB0I43LtJapqN6Ni
 github.com/evanphx/json-patch v4.12.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
 github.com/evanphx/json-patch v5.7.0+incompatible h1:vgGkfT/9f8zE6tvSCe74nfpAVDQ2tG6yudJd8LBksgI=
 github.com/evanphx/json-patch v5.7.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLiYLvXMP4fmwYFNcr97nuDLSk=
-github.com/evanphx/json-patch/v5 v5.9.0 h1:kcBlZQbplgElYIlo/n1hJbls2z/1awpXxpRi0/FOJfg=
-github.com/evanphx/json-patch/v5 v5.9.0/go.mod h1:VNkHZ/282BpEyt/tObQO8s5CMPmYYq14uClGH4abBuQ=
+github.com/evanphx/json-patch/v5 v5.9.11 h1:/8HVnzMq13/3x9TPvjG08wUGqBTmZBsCWzjTM0wiaDU=
+github.com/evanphx/json-patch/v5 v5.9.11/go.mod h1:3j+LviiESTElxA4p3EMKAB9HXj3/XEtnUf6OZxqIQTM=
 github.com/fatih/set v0.2.1 h1:nn2CaJyknWE/6txyUDGwysr3G5QC6xWB/PtVjPBbeaA=
 github.com/fatih/set v0.2.1/go.mod h1:+RKtMCH+favT2+3YecHGxcc0b4KyVWA1QWWJUs4E0CI=
 github.com/felixge/httpsnoop v1.0.4 h1:NFTV2Zj1bL4mc9sqWACXbQFVBBg2W3GPvqp8/ESS2Wg=
diff --git a/pkg/metrics/server.go b/pkg/metrics/server.go
@@ -3,14 +3,39 @@ package metrics
 import (
 	"context"
 	"fmt"
+	"net/http"
 
+	"github.com/go-logr/logr"
 	"k8s.io/client-go/rest"
 	"k8s.io/klog/v2"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/filters"
 	"sigs.k8s.io/controller-runtime/pkg/metrics/server"
+
+	"github.com/kubeovn/kube-ovn/pkg/util"
 )
 
+func filterProvider(c *rest.Config, httpClient *http.Client) (server.Filter, error) {
+	return func(log logr.Logger, handler http.Handler) (http.Handler, error) {
+		filter, err := filters.WithAuthenticationAndAuthorization(c, httpClient)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create filter: %w", err)
+		}
+		h, err := filter(log, handler)
+		if err != nil {
+			return nil, fmt.Errorf("failed to create handler: %w", err)
+		}
+		return http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
+			switch req.URL.Path {
+			case "/healthz", "/livez", "/readyz":
+				handler.ServeHTTP(w, req)
+			default:
+				h.ServeHTTP(w, req)
+			}
+		}), nil
+	}, nil
+}
+
 func Run(ctx context.Context, config *rest.Config, addr string, secureServing bool) error {
 	if config == nil {
 		config = ctrl.GetConfigOrDie()
@@ -26,7 +51,12 @@ func Run(ctx context.Context, config *rest.Config, addr string, secureServing bo
 		BindAddress:   addr,
 	}
 	if secureServing {
-		options.FilterProvider = filters.WithAuthenticationAndAuthorization
+		options.FilterProvider = filterProvider
+	}
+	options.ExtraHandlers = map[string]http.Handler{
+		"/healthz": http.HandlerFunc(util.DefaultHealthCheckHandler),
+		"/livez":   http.HandlerFunc(util.DefaultHealthCheckHandler),
+		"/readyz":  http.HandlerFunc(util.DefaultHealthCheckHandler),
 	}
 	svr, err := server.NewServer(options, config, client)
 	if err != nil {
diff --git a/pkg/util/health_check.go b/pkg/util/health_check.go
@@ -0,0 +1,17 @@
+package util
+
+import (
+	"net/http"
+
+	"k8s.io/klog/v2"
+)
+
+func DefaultHealthCheckHandler(w http.ResponseWriter, _ *http.Request) {
+	if _, err := w.Write([]byte("ok")); err != nil {
+		klog.Error(err)
+		w.WriteHeader(http.StatusInternalServerError)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+}
