From 66ad6ef1e218152a7fc0e8aa51a90e723b95d4a7 Mon Sep 17 00:00:00 2001 From: Ramon de Klein Date: Wed, 7 Aug 2024 14:23:57 +0200 Subject: [PATCH] Fix sidecar probing with multiple certs (#2239) (#2257) --- sidecar/pkg/sidecar/probes_handlers.go | 43 ++++++++++++++------------ sidecar/pkg/sidecar/sidecar_utils.go | 2 +- 2 files changed, 25 insertions(+), 20 deletions(-) diff --git a/sidecar/pkg/sidecar/probes_handlers.go b/sidecar/pkg/sidecar/probes_handlers.go index b67466bbe9b..2149be63ba5 100644 --- a/sidecar/pkg/sidecar/probes_handlers.go +++ b/sidecar/pkg/sidecar/probes_handlers.go @@ -24,14 +24,15 @@ import ( "time" "github.com/gorilla/mux" + v2 "github.com/minio/operator/pkg/apis/minio.min.io/v2" ) -func configureProbesServer(c *Controller, tenantTLS bool) *http.Server { +func configureProbesServer(tenant *v2.Tenant) *http.Server { router := mux.NewRouter().SkipClean(true).UseEncodedPath() router.Methods(http.MethodGet). Path("/ready"). - HandlerFunc(readinessHandler(tenantTLS)) + HandlerFunc(readinessHandler(tenant)) router.NotFoundHandler = http.NotFoundHandler() @@ -46,23 +47,29 @@ func configureProbesServer(c *Controller, tenantTLS bool) *http.Server { return s } -// we do insecure skip verify because we are checking against the local instance and don't care for the certificate -var probeHTTPClient = &http.Client{ - Timeout: time.Millisecond * 500, - Transport: &http.Transport{ - TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, - }, -} +func readinessHandler(tenant *v2.Tenant) func(http.ResponseWriter, *http.Request) { + // we do insecure skip verify because we are checking against + // the local instance and don't care for the certificate. We + // do need to specify a proper server-name (SNI), otherwise the + // MinIO server doesn't know which certificate it should offer + probeHTTPClient := &http.Client{ + Timeout: time.Millisecond * 500, + Transport: &http.Transport{ + TLSClientConfig: &tls.Config{ + ServerName: tenant.MinIOFQDNServiceName(), + InsecureSkipVerify: true, + }, + }, + } -func readinessHandler(tenantTLS bool) func(w http.ResponseWriter, r *http.Request) { - return func(w http.ResponseWriter, r *http.Request) { + return func(w http.ResponseWriter, _ *http.Request) { schema := "https" - if !tenantTLS { + if !tenant.TLS() { schema = "http" } // we only check against the local instance of MinIO - url := schema + "://localhost:9000" - request, err := http.NewRequest("GET", url, nil) + url := schema + "://localhost:9000/minio/health/live" + request, err := http.NewRequest("HEAD", url, nil) if err != nil { http.Error(w, fmt.Sprintf("Failed to create request: %s", err), http.StatusInternalServerError) return @@ -76,10 +83,8 @@ func readinessHandler(tenantTLS bool) func(w http.ResponseWriter, r *http.Reques defer response.Body.Close() _, _ = io.Copy(io.Discard, response.Body) // Discard body to enable connection reuse - if response.StatusCode == 403 { - fmt.Fprintln(w, "Readiness probe succeeded.") - } else { - http.Error(w, fmt.Sprintf("Readiness probe failed: expected status 403, got %d", response.StatusCode), http.StatusServiceUnavailable) - } + // we don't care if MinIO is actually handling requests, + // but we only want to know if the service is running + fmt.Fprintln(w, "Readiness probe succeeded with HTTP status ", response.StatusCode) } } diff --git a/sidecar/pkg/sidecar/sidecar_utils.go b/sidecar/pkg/sidecar/sidecar_utils.go index 63cb8aef0e7..1b2778bb166 100644 --- a/sidecar/pkg/sidecar/sidecar_utils.go +++ b/sidecar/pkg/sidecar/sidecar_utils.go @@ -78,7 +78,7 @@ func StartSideCar(tenantName string, secretName string) { controller := NewSideCarController(kubeClient, controllerClient, namespace, tenantName, secretName) controller.ws = configureWebhookServer(controller) - controller.probeServer = configureProbesServer(controller, tenant.TLS()) + controller.probeServer = configureProbesServer(tenant) controller.sidecar = configureSidecarServer(controller) stopControllerCh := make(chan struct{})