Health and ready checks

chart/gatekeeper-operator/templates/gatekeeper.yaml

@@ -444,6 +444,10 @@ spec:
               fieldPath: metadata.name
         image: '{{ .Values.image.repository }}:{{ .Values.image.release }}'
         imagePullPolicy: '{{ .Values.image.pullPolicy }}'
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 9090
         name: manager
         ports:
         - containerPort: 8443
@@ -452,7 +456,11 @@ spec:
         - containerPort: 8888
           name: metrics
           protocol: TCP
-        resources: 
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 9090
+        resources:
 {{ toYaml .Values.resources | indent 10 }}
         securityContext:
           allowPrivilegeEscalation: false
@@ -463,7 +471,7 @@ spec:
         - mountPath: /certs
           name: cert
           readOnly: true
-      nodeSelector: 
+      nodeSelector:
 {{ toYaml .Values.nodeSelector | indent 8 }}
       affinity:
 {{ toYaml .Values.affinity | indent 8 }}

config/manager/manager.yaml

@@ -53,6 +53,14 @@ spec:
           requests:
             cpu: 100m
             memory: 256Mi
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 9090
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 9090
         securityContext:
           runAsUser: 1000
           runAsGroup: 999

deploy/gatekeeper.yaml

@@ -298,6 +298,10 @@ spec:
               fieldPath: metadata.name
         image: quay.io/open-policy-agent/gatekeeper:v3.1.0-beta.2
         imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthz
+            port: 9090
         name: manager
         ports:
         - containerPort: 8443
@@ -306,6 +310,10 @@ spec:
         - containerPort: 8888
           name: metrics
           protocol: TCP
+        readinessProbe:
+          httpGet:
+            path: /readyz
+            port: 9090
         resources:
           limits:
             cpu: 1000m

go.mod

@@ -11,12 +11,15 @@ require (
 	github.com/go-openapi/spec v0.19.4 // indirect
 	github.com/go-openapi/strfmt v0.19.3 // indirect
 	github.com/go-openapi/validate v0.19.4 // indirect
+	github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b
 	github.com/google/go-cmp v0.3.1
 	github.com/onsi/ginkgo v1.10.1 // indirect
 	github.com/onsi/gomega v1.7.0
 	github.com/open-policy-agent/frameworks/constraint v0.0.0-20200106214430-991b84509bcf
 	github.com/open-policy-agent/opa v0.15.0
 	github.com/pkg/errors v0.8.1
+	github.com/spf13/cobra v0.0.5
+	github.com/spf13/pflag v1.0.3
 	go.opencensus.io v0.22.2
 	go.uber.org/zap v1.10.0
 	golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297

go.sum

@@ -269,6 +269,7 @@ github.com/spf13/afero v1.1.2/go.mod h1:j4pytiNVoe2o6bmDsKpLACNPDBIoEAkihy7loJ1B
 github.com/spf13/afero v1.2.2/go.mod h1:9ZxEEn6pIJ8Rxe320qSDBk6AsU0r9pR7Q4OcevTdifk=
 github.com/spf13/cast v1.3.0/go.mod h1:Qx5cxh0v+4UWYiBimWS+eyWzqEqokIECu5etghLkUJE=
 github.com/spf13/cobra v0.0.0-20181021141114-fe5e611709b0/go.mod h1:1l0Ry5zgKvJasoi3XT1TypsSe7PqH0Sj9dhYf7v3XqQ=
+github.com/spf13/cobra v0.0.5 h1:f0B+LkLX6DtmRH1isoNA9VTtNUK9K8xYd28JNNfOv/s=
 github.com/spf13/cobra v0.0.5/go.mod h1:3K3wKZymM7VvHMDS9+Akkh4K60UwM26emMESw8tLCHU=
 github.com/spf13/jwalterweatherman v1.0.0/go.mod h1:cQK4TGJAtQXfYWX+Ddv3mKDzgVb68N+wFjFa4jdeBTo=
 github.com/spf13/pflag v0.0.0-20170130214245-9ff6c6923cff/go.mod h1:DYY7MBk1bdzusC3SYhjObp+wFpr4gzcvqqNjLnInEg4=

main.go

@@ -41,6 +41,7 @@ import (
 	_ "k8s.io/client-go/plugin/pkg/client/auth/gcp"
 	ctrl "sigs.k8s.io/controller-runtime"
 	k8sCli "sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	crzap "sigs.k8s.io/controller-runtime/pkg/log/zap"
 	// +kubebuilder:scaffold:imports
 )
@@ -53,6 +54,7 @@ var (
 var (
 	logLevel    = flag.String("log-level", "INFO", "Minimum log level. For example, DEBUG, INFO, WARNING, ERROR. Defaulted to INFO if unspecified.")
 	metricsAddr = flag.String("metrics-addr", ":8080", "The address the metric endpoint binds to.")
+	healthAddr  = flag.String("health-addr", ":9090", "The address to which the health endpoint binds.")
 	port        = flag.Int("port", 443, "port for the server. defaulted to 443 if unspecified ")
 	certDir     = flag.String("cert-dir", "/certs", "The directory where certs are stored, defaults to /certs")
 )
@@ -82,11 +84,12 @@ func main() {
 	ctrl.SetLogger(crzap.Logger(true))
 
 	mgr, err := ctrl.NewManager(ctrl.GetConfigOrDie(), ctrl.Options{
-		Scheme:             scheme,
-		MetricsBindAddress: *metricsAddr,
-		LeaderElection:     false,
-		Port:               *port,
-		CertDir:            *certDir,
+		Scheme:                 scheme,
+		MetricsBindAddress:     *metricsAddr,
+		LeaderElection:         false,
+		Port:                   *port,
+		CertDir:                *certDir,
+		HealthProbeBindAddress: *healthAddr,
 	})
 	if err != nil {
 		setupLog.Error(err, "unable to start manager")
@@ -148,6 +151,15 @@ func main() {
 
 	// +kubebuilder:scaffold:builder
 
+	if err := mgr.AddHealthzCheck("default", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to create health check")
+		os.Exit(1)
+	}
+	if err := mgr.AddReadyzCheck("default", healthz.Ping); err != nil {
+		setupLog.Error(err, "unable to create ready check")
+		os.Exit(1)
+	}
+
 	setupLog.Info("starting manager")
 	hadError := false
 	if err := mgr.Start(ctrl.SetupSignalHandler()); err != nil {