feat: wg health check

operator/gefyra/connection/stowaway/resources/statefulsets.py

@@ -1,5 +1,5 @@
 import kubernetes as k8s
-from kubernetes.client import V1Probe, V1ExecAction
+from kubernetes.client import V1Probe, V1HTTPGetAction
 
 from gefyra.configuration import OperatorConfiguration
 
@@ -12,17 +12,34 @@ def create_stowaway_statefulset(
         image=f"{configuration.STOWAWAY_IMAGE}:{configuration.STOWAWAY_TAG}",
         image_pull_policy=configuration.STOWAWAY_IMAGE_PULLPOLICY,
         # Wireguard default port 51820 will be mapped by the nodeport service
-        ports=[k8s.client.V1ContainerPort(container_port=51820, protocol="UDP")],
+        ports=[
+            k8s.client.V1ContainerPort(container_port=51820, protocol="UDP"),
+            k8s.client.V1ContainerPort(container_port=51822, protocol="TCP"),
+        ],
         resources=k8s.client.V1ResourceRequirements(
             requests={"cpu": "0.1", "memory": "100Mi"},
             limits={"cpu": "0.75", "memory": "500Mi"},
         ),
+        startup_probe=V1Probe(
+            http_get=V1HTTPGetAction(
+                port=51822,
+            ),
+            period_seconds=1,
+            initial_delay_seconds=5,
+        ),
         readiness_probe=V1Probe(
-            _exec=V1ExecAction(
-                command=["test", "-n", '"$(wg)"'],
+            http_get=V1HTTPGetAction(
+                port=51822,
+            ),
+            period_seconds=1,
+            initial_delay_seconds=5,
+        ),
+        liveness_probe=V1Probe(
+            http_get=V1HTTPGetAction(
+                port=51822,
             ),
             period_seconds=1,
-            initial_delay_seconds=1,
+            initial_delay_seconds=5,
         ),
         env_from=[
             k8s.client.V1EnvFromSource(

stowaway/Dockerfile

@@ -23,7 +23,7 @@ RUN git clone https://git.zx2c4.com/wireguard-tools && \
     make && \
     make install
 
-FROM ghcr.io/linuxserver/baseimage-alpine:3.17
+FROM ghcr.io/linuxserver/baseimage-alpine:3.20
 COPY --from=builder /usr/bin/wireguard-go /usr/bin/wg* /usr/bin/
 COPY --from=builder /usr/bin/wg-quick /usr/bin/
 
@@ -59,14 +59,15 @@ RUN \
     libqrencode \
     net-tools \
     openresolv \
+    python3 \
     perl && \
   echo "**** clean up ****" && \
   apk del --no-network build-dependencies && \
   rm -rf \
     /tmp/*
 
 
-ENV NGINX_VERSION 1.24.0
+ENV NGINX_VERSION 1.26.2
 ENV PKG_RELEASE   1
 
 ARG UID=101
@@ -185,4 +186,6 @@ RUN sed -i 's,listen       80;,listen       8080;,' /etc/nginx/conf.d/default.co
 COPY /root /
 
 # ports and volumes
-EXPOSE 51820/udp
+EXPOSE 51820/udp
+# for wireguard health check
+EXPOSE 51822/tcp

stowaway/root/etc/s6-overlay/s6-rc.d/svc-wireguard-health-check/run

@@ -0,0 +1,3 @@
+#!/usr/bin/with-contenv bash
+
+/etc/s6-overlay/s6-rc.d/svc-wireguard-health-check/wg-health-check.py

stowaway/root/etc/s6-overlay/s6-rc.d/svc-wireguard-health-check/type

@@ -0,0 +1 @@
+longrun

stowaway/root/etc/s6-overlay/s6-rc.d/svc-wireguard-health-check/wg-health-check.py

@@ -0,0 +1,33 @@
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+
+from http.server import HTTPServer, BaseHTTPRequestHandler
+import subprocess
+
+class HealthCheck(BaseHTTPRequestHandler):
+
+    def do_GET(self) -> None:
+        if check():
+            self.send_response(200)
+            self.send_header("Content-Type", "text/plain")
+            self.end_headers()
+            self.wfile.write(b"healthy\n")
+        else:
+            self.send_error(404)
+
+    def do_HEAD(self) -> None:
+        self.do_GET()
+
+def check() -> bool:
+    try:
+        subprocess.check_call("wg | grep 'listening port: 51820'", shell=True)
+        return True
+    except subprocess.CalledProcessError:
+        return False
+
+def main(port) -> None:
+    server = HTTPServer(('0.0.0.0', port), HealthCheck)
+    server.serve_forever()
+
+if __name__ == "__main__":
+    main(51822)