refactor: configuration agnostic healthcheck (#2231)

This makes the healthcheck simple and configured directly by Authelia's configuration on startup.
2021-08-05 14:02:07 +10:00 · 2021-08-05 14:02:07 +10:00 · c5c6bda8b0
parent cbedf79f86
commit c5c6bda8b0
15 changed files with 113 additions and 26 deletions
--- a/.dockerignore
+++ b/.dockerignore
@ -21,3 +21,6 @@ examples
 internal/server/public_html
 authelia.service
 bootstrap.sh
+
+# Overrides
+!.healthcheck.env
--- a/.healthcheck.env
+++ b/.healthcheck.env
@ -0,0 +1,5 @@
+# Default Template
+X_AUTHELIA_HEALTHCHECK_SCHEME=http
+X_AUTHELIA_HEALTHCHECK_HOST=localhost
+X_AUTHELIA_HEALTHCHECK_PORT=9091
+X_AUTHELIA_HEALTHCHECK_PATH=
--- a/3
+++ b/3
@ -17,6 +17,7 @@ ARG LDFLAGS_EXTRA

 RUN \
 mv public_html internal/server/public_html && \
+chmod 0666 /go/src/app/.healthcheck.env && \
 echo ">> Starting go build..." && \
 GOOS=linux GOARCH=amd64 CGO_ENABLED=0 go build -tags netgo \
 -ldflags "-s -w ${LDFLAGS_EXTRA}" -trimpath -o authelia ./cmd/authelia
@ -30,7 +31,7 @@ WORKDIR /app

 RUN apk --no-cache add ca-certificates su-exec tzdata

-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./

 EXPOSE 9091

--- a/Dockerfile.arm32v7
+++ b/Dockerfile.arm32v7
@ -17,6 +17,7 @@ ARG LDFLAGS_EXTRA

 RUN \
 mv public_html internal/server/public_html && \
+chmod 0666 /go/src/app/.healthcheck.env && \
 echo ">> Starting go build..." && \
 GOOS=linux GOARCH=arm CGO_ENABLED=0 go build -tags netgo \
 -ldflags "-s -w ${LDFLAGS_EXTRA}" -trimpath -o authelia ./cmd/authelia
@ -31,7 +32,7 @@ WORKDIR /app
 RUN \
 apk --no-cache add ca-certificates su-exec tzdata

-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./

 EXPOSE 9091

--- a/Dockerfile.arm64v8
+++ b/Dockerfile.arm64v8
@ -17,6 +17,7 @@ ARG LDFLAGS_EXTRA

 RUN \
 mv public_html internal/server/public_html && \
+chmod 0666 /go/src/app/.healthcheck.env && \
 echo ">> Starting go build..." && \
 GOOS=linux GOARCH=arm64 CGO_ENABLED=0 go build -tags netgo \
 -ldflags "-s -w ${LDFLAGS_EXTRA}" -trimpath -o authelia ./cmd/authelia
@ -31,7 +32,7 @@ WORKDIR /app
 RUN \
 apk --no-cache add ca-certificates su-exec tzdata

-COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/authelia /go/src/app/LICENSE /go/src/app/entrypoint.sh /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./

 EXPOSE 9091

--- a/Dockerfile.coverage
+++ b/Dockerfile.coverage
@ -32,6 +32,7 @@ ARG LDFLAGS_EXTRA
 RUN \
 mv api internal/server/public_html/api && \
 cd cmd/authelia && \
+chmod 0666 /go/src/app/.healthcheck.env && \
 echo ">> Starting go build (coverage via go test)..." && \
 CGO_ENABLED=0 go test -c --tags coverage -covermode=atomic \
 -ldflags "${LDFLAGS_EXTRA}" -o authelia -coverpkg github.com/authelia/authelia/...
@ -45,7 +46,7 @@ RUN apk --no-cache add ca-certificates tzdata

 WORKDIR /app

-COPY --from=builder-backend /go/src/app/cmd/authelia/authelia /go/src/app/LICENSE /go/src/app/healthcheck.sh ./
+COPY --from=builder-backend /go/src/app/cmd/authelia/authelia /go/src/app/LICENSE /go/src/app/healthcheck.sh /go/src/app/.healthcheck.env ./

 EXPOSE 9091

--- a/config.template.yml
+++ b/config.template.yml
@ -53,6 +53,10 @@ server:
  ## Enables the expvars endpoint.
  enable_expvars: false

+  ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
+  ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
+  disable_healthcheck: false
+
  ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
  tls:
    ## The path to the DER base64/PEM format private key.
--- a/docs/configuration/server.md
+++ b/docs/configuration/server.md
@ -20,6 +20,7 @@ server:
  write_buffer_size: 4096
  enable_pprof: false
  enable_expvars: false
+  disable_healthcheck: false
  tls:
    key: ""
    certificate: ""
@ -134,6 +135,23 @@ required: no

 Enables the go expvars endpoints.

+### disable_healthcheck
+<div markdown="1">
+type: boolean
+{: .label .label-config .label-purple } 
+default: false
+{: .label .label-config .label-blue }
+required: no
+{: .label .label-config .label-green }
+</div>
+
+On startup Authelia checks for the existence of /app/healthcheck.sh and /app/.healthcheck.env and if both of these exist
+it writes the configuration vars for the healthcheck to the /app/.healthcheck.env file. In instances where this is not
+desirable it's possible to disable these interactions entirely.
+
+An example situation where this is the case is in Kubernetes when set security policies that prevent writing to the
+ephemeral storage of a container or just don't want to enable the internal health check.
+
 ### tls

 Authelia typically listens for plain unencrypted connections. This is by design as most environments allow to
--- a/healthcheck.sh
+++ b/healthcheck.sh
@ -1,23 +1,21 @@
 #!/bin/sh

-AUTHELIA_CONFIG=$(pgrep -af authelia | awk '{print $NF}')
-AUTHELIA_SCHEME=$(grep ^tls "${AUTHELIA_CONFIG}")
-AUTHELIA_HOST=$(grep ^host "${AUTHELIA_CONFIG}" | sed -e 's/host: //' -e 's/\r//')
-AUTHELIA_PORT=$(grep ^port "${AUTHELIA_CONFIG}" | sed -e 's/port: //' -e 's/\r//')
-AUTHELIA_PATH=$(grep ^\ \ path "${AUTHELIA_CONFIG}" | sed -e 's/  path: //' -e 's/\r//' -e 's/^/\//')
-
-if [ -z "${AUTHELIA_SCHEME}" ]; then
-  AUTHELIA_SCHEME=http
-else
-  AUTHELIA_SCHEME=https
+if [ -z "${X_AUTHELIA_HEALTHCHECK}" ]; then
+  exit 0
 fi

-if [ -z "${AUTHELIA_HOST}" ] || [ "${AUTHELIA_HOST}" = "0.0.0.0" ]; then
-  AUTHELIA_HOST=localhost
+source /app/.healthcheck.env
+
+if [ -z "${X_AUTHELIA_HEALTHCHECK_SCHEME}" ]; then
+  X_AUTHELIA_HEALTHCHECK_SCHEME=http
 fi

-if [ -z "${AUTHELIA_PORT}" ]; then
-  AUTHELIA_PORT=9091
+if [ -z "${X_AUTHELIA_HEALTHCHECK_HOST}" ]; then
+  X_AUTHELIA_HEALTHCHECK_HOST=localhost
 fi

-wget --quiet --no-check-certificate --tries=1 --spider "${AUTHELIA_SCHEME}://${AUTHELIA_HOST}:${AUTHELIA_PORT}${AUTHELIA_PATH}/api/health" || exit 1
+if [ -z "${X_AUTHELIA_HEALTHCHECK_PORT}" ]; then
+  X_AUTHELIA_HEALTHCHECK_PORT=9091
+fi
+
+wget --quiet --no-check-certificate --tries=1 --spider "${X_AUTHELIA_HEALTHCHECK_SCHEME}://${X_AUTHELIA_HEALTHCHECK_HOST}:${X_AUTHELIA_HEALTHCHECK_PORT}${X_AUTHELIA_HEALTHCHECK_PATH}/api/health" || exit 1
--- a/internal/configuration/config.template.yml
+++ b/internal/configuration/config.template.yml
@ -53,6 +53,10 @@ server:
  ## Enables the expvars endpoint.
  enable_expvars: false

+  ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
+  ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
+  disable_healthcheck: false
+
  ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
  tls:
    ## The path to the DER base64/PEM format private key.
--- a/internal/configuration/schema/server.go
+++ b/internal/configuration/schema/server.go
@ -2,13 +2,14 @@ package schema

 // ServerConfiguration represents the configuration of the http server.
 type ServerConfiguration struct {
-	Host            string `koanf:"host"`
-	Port            int    `koanf:"port"`
-	Path            string `koanf:"path"`
-	ReadBufferSize  int    `koanf:"read_buffer_size"`
-	WriteBufferSize int    `koanf:"write_buffer_size"`
-	EnablePprof     bool   `koanf:"enable_endpoint_pprof"`
-	EnableExpvars   bool   `koanf:"enable_endpoint_expvars"`
+	Host               string `koanf:"host"`
+	Port               int    `koanf:"port"`
+	Path               string `koanf:"path"`
+	ReadBufferSize     int    `koanf:"read_buffer_size"`
+	WriteBufferSize    int    `koanf:"write_buffer_size"`
+	EnablePprof        bool   `koanf:"enable_endpoint_pprof"`
+	EnableExpvars      bool   `koanf:"enable_endpoint_expvars"`
+	DisableHealthcheck bool   `koanf:"disable_healthcheck"`

 	TLS ServerTLSConfiguration `koanf:"tls"`
 }
--- a/internal/configuration/validator/const.go
+++ b/internal/configuration/validator/const.go
@ -139,6 +139,7 @@ var ValidKeys = []string{
 	"server.path",
 	"server.enable_pprof",
 	"server.enable_expvars",
+	"server.disable_healthcheck",
 	"server.tls.key",
 	"server.tls.certificate",

--- a/internal/server/const.go
+++ b/internal/server/const.go
@ -6,3 +6,11 @@ const apiFile = "openapi.yml"
 const indexFile = "index.html"

 const dev = "dev"
+
+const healthCheckEnv = `# Written by Authelia Process
+X_AUTHELIA_HEALTHCHECK=1
+X_AUTHELIA_HEALTHCHECK_SCHEME=%s
+X_AUTHELIA_HEALTHCHECK_HOST=%s
+X_AUTHELIA_HEALTHCHECK_PORT=%d
+X_AUTHELIA_HEALTHCHECK_PATH=%s
+`
--- a/internal/server/server.go
+++ b/internal/server/server.go
@ -192,9 +192,17 @@ func Start(configuration schema.Configuration, providers middlewares.Providers)
 	}

 	if configuration.Server.TLS.Certificate != "" && configuration.Server.TLS.Key != "" {
+		if err = writeHealthCheckEnv(configuration.Server.DisableHealthcheck, "https", configuration.Server.Host, configuration.Server.Path, configuration.Server.Port); err != nil {
+			logger.Fatalf("Could not configure healthcheck: %v", err)
+		}
+
 		logger.Infof("Listening for TLS connections on %s%s", addrPattern, configuration.Server.Path)
 		logger.Fatal(server.ServeTLS(listener, configuration.Server.TLS.Certificate, configuration.Server.TLS.Key))
 	} else {
+		if err = writeHealthCheckEnv(configuration.Server.DisableHealthcheck, "http", configuration.Server.Host, configuration.Server.Path, configuration.Server.Port); err != nil {
+			logger.Fatalf("Could not configure healthcheck: %v", err)
+		}
+
 		logger.Infof("Listening for non-TLS connections on %s%s", addrPattern, configuration.Server.Path)
 		logger.Fatal(server.Serve(listener))
 	}
--- a/internal/server/template.go
+++ b/internal/server/template.go
@ -64,3 +64,36 @@ func ServeTemplatedFile(publicDir, file, base, rememberMe, resetPassword, sessio
 		}
 	}
 }
+
+func writeHealthCheckEnv(disabled bool, scheme, host, path string, port int) (err error) {
+	if disabled {
+		return nil
+	}
+
+	_, err = os.Stat("/app/healthcheck.sh")
+	if err != nil {
+		return nil
+	}
+
+	_, err = os.Stat("/app/.healthcheck.env")
+	if err != nil {
+		return nil
+	}
+
+	file, err := os.OpenFile("/app/.healthcheck.env", os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0755)
+	if err != nil {
+		return err
+	}
+
+	defer func() {
+		_ = file.Close()
+	}()
+
+	if host == "0.0.0.0" {
+		host = "localhost"
+	}
+
+	_, err = file.WriteString(fmt.Sprintf(healthCheckEnv, scheme, host, port, path))
+
+	return err
+}