Skip to content

Moves health and metrics endpoints to dedicated listener on separate port#910

Open
mcblake27 wants to merge 1 commit into
openstack-experimental:mainfrom
mcblake27:health-endpoint
Open

Moves health and metrics endpoints to dedicated listener on separate port#910
mcblake27 wants to merge 1 commit into
openstack-experimental:mainfrom
mcblake27:health-endpoint

Conversation

@mcblake27

Copy link
Copy Markdown
Collaborator

Health and metrics endpoints were previously attached to the public API router, allowing end users to access /health, /ready, and /metrics directly, which is a potential DDoS vector. This change moves them to a dedicated listener on port 8082, separate from the public API on port 8080. Also updates relevant tests to work with new structure/naming schema. Adds modular spawn_metrics_listener function to crates/keystone/src/bin/keystone.rs and API interface structure MetricsInterface in crates/config/src/interface.rs, as well as updating pathways in crates/config/src/lib.rs, crates/keystone/src/api/mod.rs, and crates/keystone/src/api/health.rs.

Closes #719.

This contribution was developed with the assistance of AI tools.

…port

Health and metrics endpoints were previously attached to the public API
router, allowing end users to access /health, /ready, and /metrics
directly, which is a potential DDoS vector. This change moves them to a
dedicated listener on port 8082, separate from the public API on port 8080. Also updates relevant tests to work with new structure/naming schema.

Closes openstack-experimental#719. This contribution was developed with the assistance of AI tools.

@gtema gtema left a comment

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I have updated the original issue with bit more details of the target setup how the new endpoint should work and combine healthz with otel metrics. Part of this change you do not need to implement OTEL service, but build an endpoint that will be further extended with it. Otherwise the change goes in the correct direction.
You need to fix commit message, formatting, and once you fix the deployment manifest the k3s test should also pass

Comment thread crates/config/src/lib.rs
pub interface_internal: Option<InternalInterface>,

/// Server listener configuration for the internal interface.
/// Server listener configuration for the public interface.

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hehe, nice spot

}

/// Prometheus scrape endpoint — returns the three audit counters in text
/// exposition format (v0.0.4). No authentication required; operators are

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is the metrics handler that you need to merge with the health endpoint so that at the new listener we have

  • /health - the health endpoint
  • /metrics - prometheus metrics

In one of the next steps we would evaluate how to populate metrics endpoint with the real data.

Copy link
Copy Markdown
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The way I am currently handling this is that when I define the router metrics_app in spawn_metrics_listener, I call .route("/metrics", axum::routing::get(metrics_handler)) to add this metrics handler as a route on the router. Is that satisfactory for what you're describing here, or is there a different way I am supposed to be doing this? My understanding is that that is what you are asking, but I may be misunderstanding.

}

fn default_metrics_tcp_address() -> SocketAddr {
SocketAddr::new(IpAddr::V4(Ipv4Addr::new(0, 0, 0, 0)), 8082)

Copy link
Copy Markdown
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

now that you moved the health endpoint to the different address the k3s test fails since the keystone statefulset in kubernetes cannot reach it: https://github.com/openstack-experimental/keystone/blob/main/tools/k8s/keystone/base/statefulset-rs.yaml#L47C1-L72C1 - that place need to be adapted to point at the new place. Keep in mind the potential port conflict since keystone operates with many other components and systems (it does not conflict now, but any decision on changing ports is tricky - keycloak is also running on 8082, just in the different container). Let's maybe use 8099 as something less standard

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Move health endpoint to a dedicated app

2 participants