refactor: configuration agnostic healthcheck (#2231)

This makes the healthcheck simple and configured directly by Authelia's configuration on startup.

.dockerignore

@@ -21,3 +21,6 @@ examples
 internal/server/public_html
 authelia.service
 bootstrap.sh
+
+# Overrides
+!.healthcheck.env

.healthcheck.env

@@ -0,0 +1,5 @@
+# Default Template
+X_AUTHELIA_HEALTHCHECK_SCHEME=http
+X_AUTHELIA_HEALTHCHECK_HOST=localhost
+X_AUTHELIA_HEALTHCHECK_PORT=9091
+X_AUTHELIA_HEALTHCHECK_PATH=

Dockerfile

@@ -17,6 +17,7 @@ ARG LDFLAGS_EXTRA
 
 RUN \
 mv public_html internal/server/public_html && \
+chmod 0666 /go/src/app/.healthcheck.env && \
 echo ">> Starting go build..." && \
 GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -tags netgo \
 -ldflags "-s -w ${LDFLAGS_EXTRA}" -trimpath -o authelia ./cmd/authelia
@@ -30,7 +31,7 @@ WORKDIR /app
 
 RUN apk --no-cache add ca-certificates su-exec tzdata
 
-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
 
 EXPOSE 9091
 

Dockerfile.arm32v7

@@ -17,6 +17,7 @@ ARG LDFLAGS_EXTRA
 
 RUN \
 mv public_html internal/server/public_html && \
+chmod 0666 /go/src/app/.healthcheck.env && \
 echo ">> Starting go build..." && \
 GOOS=linux GOARCH=arm CGO_ENABLED=0 go build -tags netgo \
 -ldflags "-s -w ${LDFLAGS_EXTRA}" -trimpath -o authelia ./cmd/authelia
@@ -31,7 +32,7 @@ WORKDIR /app
 RUN \
 apk --no-cache add ca-certificates su-exec tzdata
 
-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
 
 EXPOSE 9091
 

Dockerfile.arm64v8

@@ -17,6 +17,7 @@ ARG LDFLAGS_EXTRA
 
 RUN \
 mv public_html internal/server/public_html && \
+chmod 0666 /go/src/app/.healthcheck.env && \
 echo ">> Starting go build..." && \
 GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -tags netgo \
 -ldflags "-s -w ${LDFLAGS_EXTRA}" -trimpath -o authelia ./cmd/authelia
@@ -31,7 +32,7 @@ WORKDIR /app
 RUN \
 apk --no-cache add ca-certificates su-exec tzdata
 
-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
 
 EXPOSE 9091
 

Dockerfile.coverage

@@ -32,6 +32,7 @@ ARG LDFLAGS_EXTRA
 RUN \
 mv api internal/server/public_html/api && \
 cd cmd/authelia && \
+chmod 0666 /go/src/app/.healthcheck.env && \
 echo ">> Starting go build (coverage via go test)..." && \
 CGO_ENABLED=0 go test -c --tags coverage -covermode=atomic \
 -ldflags "${LDFLAGS_EXTRA}" -o authelia -coverpkg github.com/authelia/authelia/...
@@ -45,7 +46,7 @@ RUN apk --no-cache add ca-certificates tzdata
 
 WORKDIR /app
 
-COPY --from=builder-backend /go/src/app/cmd/authelia/authelia /go/src/app/LICENSE /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/cmd/authelia/authelia /go/src/app/LICENSE /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./
 
 EXPOSE 9091
 

config.template.yml

@@ -53,6 +53,10 @@ server:
   ## Enables the expvars endpoint.
   enable_expvars: false
 
+  ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
+  ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
+  disable_healthcheck: false
+
   ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
   tls:
     ## The path to the DER base64/PEM format private key.

docs/configuration/server.md

@@ -20,6 +20,7 @@ server:
   write_buffer_size: 4096
   enable_pprof: false
   enable_expvars: false
+  disable_healthcheck: false
   tls:
     key: ""
     certificate: ""
@@ -134,6 +135,23 @@ required: no
 
 Enables the go expvars endpoints.
 
+### disable_healthcheck
+<div markdown="1">
+type: boolean
+{: .label .label-config .label-purple } 
+default: false
+{: .label .label-config .label-blue }
+required: no
+{: .label .label-config .label-green }
+</div>
+
+On startup Authelia checks for the existence of /app/healthcheck.sh and /app/.healthcheck.env and if both of these exist
+it writes the configuration vars for the healthcheck to the /app/.healthcheck.env file. In instances where this is not
+desirable it's possible to disable these interactions entirely.
+
+An example situation where this is the case is in Kubernetes when set security policies that prevent writing to the
+ephemeral storage of a container or just don't want to enable the internal health check.
+
 ### tls
 
 Authelia typically listens for plain unencrypted connections. This is by design as most environments allow to

healthcheck.sh

@@ -1,23 +1,21 @@
 #!/bin/sh
 
-AUTHELIA_CONFIG=$(pgrep -af authelia | awk '{print $NF}')
-AUTHELIA_SCHEME=$(grep ^tls "${AUTHELIA_CONFIG}")
-AUTHELIA_HOST=$(grep ^host "${AUTHELIA_CONFIG}" | sed -e 's/host: //' -e 's/\r//')
-AUTHELIA_PORT=$(grep ^port "${AUTHELIA_CONFIG}" | sed -e 's/port: //' -e 's/\r//')
-AUTHELIA_PATH=$(grep ^\ \ path "${AUTHELIA_CONFIG}" | sed -e 's/  path: //' -e 's/\r//' -e 's/^/\//')
-
-if [ -z "${AUTHELIA_SCHEME}" ]; then
-  AUTHELIA_SCHEME=http
-else
-  AUTHELIA_SCHEME=https
+if [ -z "${X_AUTHELIA_HEALTHCHECK}" ]; then
+  exit 0
 fi
 
-if [ -z "${AUTHELIA_HOST}" ] || [ "${AUTHELIA_HOST}" = "0.0.0.0" ]; then
-  AUTHELIA_HOST=localhost
+source /app/.healthcheck.env
+
+if [ -z "${X_AUTHELIA_HEALTHCHECK_SCHEME}" ]; then
+  X_AUTHELIA_HEALTHCHECK_SCHEME=http
 fi
 
-if [ -z "${AUTHELIA_PORT}" ]; then
-  AUTHELIA_PORT=9091
+if [ -z "${X_AUTHELIA_HEALTHCHECK_HOST}" ]; then
+  X_AUTHELIA_HEALTHCHECK_HOST=localhost
 fi
 
-wget --quiet --no-check-certificate --tries=1 --spider "${AUTHELIA_SCHEME}://${AUTHELIA_HOST}:${AUTHELIA_PORT}${AUTHELIA_PATH}/api/health" || exit 1
+if [ -z "${X_AUTHELIA_HEALTHCHECK_PORT}" ]; then
+  X_AUTHELIA_HEALTHCHECK_PORT=9091
+fi
+
+wget --quiet --no-check-certificate --tries=1 --spider "${X_AUTHELIA_HEALTHCHECK_SCHEME}://${X_AUTHELIA_HEALTHCHECK_HOST}:${X_AUTHELIA_HEALTHCHECK_PORT}${X_AUTHELIA_HEALTHCHECK_PATH}/api/health" || exit 1

internal/configuration/config.template.yml

@@ -53,6 +53,10 @@ server:
   ## Enables the expvars endpoint.
   enable_expvars: false
 
+  ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
+  ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
+  disable_healthcheck: false
+
   ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
   tls:
     ## The path to the DER base64/PEM format private key.

internal/configuration/schema/server.go

@@ -9,6 +9,7 @@ type ServerConfiguration struct {
 	WriteBufferSize    int    `koanf:"write_buffer_size"`
 	EnablePprof        bool   `koanf:"enable_endpoint_pprof"`
 	EnableExpvars      bool   `koanf:"enable_endpoint_expvars"`
+	DisableHealthcheck bool   `koanf:"disable_healthcheck"`
 
 	TLS ServerTLSConfiguration `koanf:"tls"`
 }

internal/configuration/validator/const.go

@@ -139,6 +139,7 @@ var ValidKeys = []string{
 	"server.path",
 	"server.enable_pprof",
 	"server.enable_expvars",
+	"server.disable_healthcheck",
 	"server.tls.key",
 	"server.tls.certificate",
 

internal/server/const.go

@@ -6,3 +6,11 @@ const apiFile = "openapi.yml"
 const indexFile = "index.html"
 
 const dev = "dev"
+
+const healthCheckEnv = `# Written by Authelia Process
+X_AUTHELIA_HEALTHCHECK=1
+X_AUTHELIA_HEALTHCHECK_SCHEME=%s
+X_AUTHELIA_HEALTHCHECK_HOST=%s
+X_AUTHELIA_HEALTHCHECK_PORT=%d
+X_AUTHELIA_HEALTHCHECK_PATH=%s
+`

internal/server/server.go

@@ -192,9 +192,17 @@ func Start(configuration schema.Configuration, providers middlewares.Providers)
 	}
 
 	if configuration.Server.TLS.Certificate != "" && configuration.Server.TLS.Key != "" {
+		if err = writeHealthCheckEnv(configuration.Server.DisableHealthcheck, "https", configuration.Server.Host, configuration.Server.Path, configuration.Server.Port); err != nil {
+			logger.Fatalf("Could not configure healthcheck: %v", err)
+		}
+
 		logger.Infof("Listening for TLS connections on %s%s", addrPattern, configuration.Server.Path)
 		logger.Fatal(server.ServeTLS(listener, configuration.Server.TLS.Certificate, configuration.Server.TLS.Key))
 	} else {
+		if err = writeHealthCheckEnv(configuration.Server.DisableHealthcheck, "http", configuration.Server.Host, configuration.Server.Path, configuration.Server.Port); err != nil {
+			logger.Fatalf("Could not configure healthcheck: %v", err)
+		}
+
 		logger.Infof("Listening for non-TLS connections on %s%s", addrPattern, configuration.Server.Path)
 		logger.Fatal(server.Serve(listener))
 	}

internal/server/template.go

@@ -64,3 +64,36 @@ func ServeTemplatedFile(publicDir, file, base, rememberMe, resetPassword, sessio
 		}
 	}
 }
+
+func writeHealthCheckEnv(disabled bool, scheme, host, path string, port int) (err error) {
+	if disabled {
+		return nil
+	}
+
+	_, err = os.Stat("/app/healthcheck.sh")
+	if err != nil {
+		return nil
+	}
+
+	_, err = os.Stat("/app/.healthcheck.env")
+	if err != nil {
+		return nil
+	}
+
+	file, err := os.OpenFile("/app/.healthcheck.env", os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = file.Close()
+	}()
+
+	if host == "0.0.0.0" {
+		host = "localhost"
+	}
+
+	_, err = file.WriteString(fmt.Sprintf(healthCheckEnv, scheme, host, port, path))
+
+	return err
+}