tetrateio · sergicastro · Feb 16, 2024 · Feb 16, 2024 · Feb 16, 2024
diff --git a/cmd/main.go b/cmd/main.go
@@ -36,6 +36,7 @@ func main() {
 		sessions    = oidc.NewSessionStoreFactory(&configFile.Config)
 		envoyAuthz  = server.NewExtAuthZFilter(&configFile.Config, jwks, sessions)
 		authzServer = server.New(&configFile.Config, envoyAuthz.Register)
+		healthz     = server.NewHealthServer(&configFile.Config)
 	)
 
 	configLog := run.NewPreRunner("config-log", func() error {
@@ -55,6 +56,7 @@ func main() {
 		jwks,              // start the JWKS provider
 		sessions,          // start the session store
 		authzServer,       // start the server
+		healthz,           // start the health server
 		&signal.Handler{}, // handle graceful termination
 	)
 

diff --git a/config/gen/go/v1/config.pb.go b/config/gen/go/v1/config.pb.go
diff --git a/config/gen/go/v1/config.pb.validate.go b/config/gen/go/v1/config.pb.validate.go
diff --git a/config/v1/config.proto b/config/v1/config.proto
@@ -140,6 +140,19 @@ message Config {
   // If true will allow the the requests even no filter chain match is found. Default false.
   // Optional.
   bool allow_unmatched_requests = 11;
+
+  // The Authservice provides an HTTP server to check the health state.
+  // This configures the address for the health server to listen for.
+  // Optional. Defaults to the value of `listen_address`.
+  string health_listen_address = 12;
+
+  // The TCP port for the health server to listen for.
+  // Optional. Defaults 10004.
+  int32 health_listen_port = 13 [(validate.rules).int32.lt = 65536];
+
+  // The path for the health server to attend.
+  // Optional. Defaults to "/healthz".
+  string health_listen_path = 14;
 }
 
 // Trigger rule to match against a request. The trigger rule is satisfied if

diff --git a/e2e/mock/authz-config.json b/e2e/mock/authz-config.json
@@ -1,6 +1,6 @@
 {
   "listen_address": "0.0.0.0",
-  "listen_port": 10004,
+  "listen_port": 10003,
   "log_level": "debug",
   "chains": [
     {

diff --git a/e2e/mock/envoy-config.yaml b/e2e/mock/envoy-config.yaml
@@ -68,4 +68,4 @@ static_resources:
                   address:
                     socket_address:
                       address: ext-authz
-                      port_value: 10004
+                      port_value: 10003
diff --git a/internal/config.go b/internal/config.go
@@ -38,6 +38,7 @@ var (
 	ErrMultipleOIDCConfig  = errors.New("multiple OIDC configurations")
 	ErrInvalidURL          = errors.New("invalid URL")
 	ErrRequiredURL         = errors.New("required URL")
+	ErrHealthPortInUse     = errors.New("health port is already in use by listen port")
 )
 
 // LocalConfigFile is a run.Config that loads the configuration file.
@@ -71,6 +72,10 @@ func (l *LocalConfigFile) Validate() error {
 		return err
 	}
 
+	if l.Config.GetListenPort() == l.Config.GetHealthListenPort() {
+		return ErrHealthPortInUse
+	}
+
 	// Validate the URLs before merging the OIDC configurations
 	if err = validateURLs(&l.Config); err != nil {
 		return err

diff --git a/internal/config_test.go b/internal/config_test.go
@@ -61,6 +61,7 @@ func TestValidateConfig(t *testing.T) {
 		{"multiple-oidc", "testdata/multiple-oidc.json", errCheck{is: ErrMultipleOIDCConfig}},
 		{"invalid-redis", "testdata/invalid-redis.json", errCheck{is: ErrInvalidURL}},
 		{"invalid-oidc-uris", "testdata/invalid-oidc-uris.json", errCheck{is: ErrRequiredURL}},
+		{"invalid-health-port", "testdata/invalid-health-port.json", errCheck{is: ErrHealthPortInUse}},
 		{"oidc-dynamic", "testdata/oidc-dynamic.json", errCheck{is: nil}},
 		{"valid", "testdata/mock.json", errCheck{is: nil}},
 	}

diff --git a/internal/logging.go b/internal/logging.go
@@ -30,6 +30,7 @@ const (
 	Authz    = "authz"
 	Config   = "config"
 	Default  = "default"
+	Health   = "health"
 	JWKS     = "jwks"
 	Requests = "requests"
 	Server   = "server"
@@ -41,6 +42,7 @@ var scopes = map[string]string{
 	Authz:    "Envoy ext-authz filter implementation messages",
 	Config:   "Configuration messages",
 	Default:  "Default",
+	Health:   "Health server messages",
 	JWKS:     "JWKS update and parse messages",
 	Requests: "Logs all requests and responses received by the server",
 	Server:   "Server request handling messages",

diff --git a/internal/server/health.go b/internal/server/health.go
@@ -0,0 +1,120 @@
+// Copyright 2024 Tetrate
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//     http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package server
+
+import (
+	"fmt"
+	"net"
+	"net/http"
+
+	"github.com/tetratelabs/run"
+	"github.com/tetratelabs/telemetry"
+
+	configv1 "github.com/tetrateio/authservice-go/config/gen/go/v1"
+	"github.com/tetrateio/authservice-go/internal"
+)
+
+const (
+	HealthzPath = "/healthz"
+	HealthzPort = 10004
+)
+
+var (
+	_ http.Handler = (*healthServer)(nil)
+	_ run.Service  = (*healthServer)(nil)
+)
+
+type healthServer struct {
+	log    telemetry.Logger
+	config *configv1.Config
+	server *http.Server
+
+	// Listen allows overriding the default listener. It is meant to
+	// be used in tests.
+	l net.Listener
+}
+
+// NewHealthServer creates a new health server.
+func NewHealthServer(config *configv1.Config) run.Unit {
+	hs := &healthServer{
+		log:    internal.Logger(internal.Health),
+		config: config,
+	}
+	httpServer := &http.Server{Handler: hs}
+	hs.server = httpServer
+	return hs
+}
+
+// Name implements run.Unit.
+func (hs *healthServer) Name() string {
+	return "Health Server"
+}
+
+// Serve implements run.Service.
+func (hs *healthServer) Serve() error {
+	// use test listener if set
+	if hs.l == nil {
+		var err error
+		hs.l, err = net.Listen("tcp", hs.getAddressAndPort())
+		if err != nil {
+			return err
+		}
+	}
+
+	hs.log.Info("starting health server", "addr", hs.l.Addr(), "path", hs.getPath())
+	return hs.server.Serve(hs.l)
+}
+
+// GracefulStop implements run.Service.
+func (hs *healthServer) GracefulStop() {
+	hs.log.Info("stopping health server")
+	_ = hs.server.Close()
+}
+
+func (hs *healthServer) getAddressAndPort() string {
+	addr := hs.config.GetHealthListenAddress()
+	if addr == "" {
+		addr = hs.config.GetListenAddress()
+	}
+
+	port := hs.config.GetHealthListenPort()
+	if port == 0 {
+		port = HealthzPort
+	}
+
+	return fmt.Sprintf("%s:%d", addr, port)
+}
+
+func (hs *healthServer) getPath() string {
+	path := hs.config.GetHealthListenPath()
+	if path != "" {
+		return path
+	}
+	return HealthzPath
+}
+
+// ServeHTTP implements http.Handler.
+func (hs *healthServer) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	log := hs.log.With("method", r.Method, "path", r.URL.Path)
+	listenPath := hs.getPath()
+
+	if r.Method != http.MethodGet || r.URL.Path != listenPath {
+		log.Debug("invalid request")
+		http.Error(w, fmt.Sprintf("only GET %s is allowed", listenPath), http.StatusBadRequest)
+		return
+	}
+
+	w.WriteHeader(http.StatusOK)
+}