root: optimise healthchecks (#5337)

* tests: remove redundant healthchecks Signed-off-by: Jens Langhammer <jens@goauthentik.io> * internal: do healthcheck within proxy instead of wget to use correct port Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix docs Signed-off-by: Jens Langhammer <jens@goauthentik.io> * fix tags Signed-off-by: Jens Langhammer <jens@goauthentik.io> --------- Signed-off-by: Jens Langhammer <jens@goauthentik.io>
2023-04-21 13:32:48 +03:00 · 2023-04-21 13:32:48 +03:00 · 367f86ecfb
parent 055ead54b5
commit 367f86ecfb
13 changed files with 264 additions and 201 deletions
--- a/cmd/ldap/main.go
+++ b/cmd/ldap/main.go
@ -6,11 +6,13 @@ import (
 	"os"

 	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"

 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/debug"
 	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/ldap"
 )

@ -21,7 +23,9 @@ Required environment variables:
 - AUTHENTIK_TOKEN: Token to authenticate with
 - AUTHENTIK_INSECURE: Skip SSL Certificate verification`

-func main() {
+var rootCmd = &cobra.Command{
+	Long: helpMessage,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
 		log.SetLevel(log.DebugLevel)
 		log.SetFormatter(&log.JSONFormatter{
 			FieldMap: log.FieldMap{
@ -30,6 +34,8 @@ func main() {
 			},
 			DisableHTMLEscape: true,
 		})
+	},
+	Run: func(cmd *cobra.Command, args []string) {
 		debug.EnableDebugServer()
 		akURL := config.Get().AuthentikHost
 		if akURL == "" {
@ -76,4 +82,13 @@ func main() {
 		for {
 			<-ex
 		}
+	},
+}
+
+func main() {
+	rootCmd.AddCommand(healthcheck.Command)
+	err := rootCmd.Execute()
+	if err != nil {
+		os.Exit(1)
+	}
 }
--- a/cmd/proxy/main.go
+++ b/cmd/proxy/main.go
@ -6,11 +6,13 @@ import (
 	"os"

 	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"

 	"goauthentik.io/internal/common"
 	"goauthentik.io/internal/config"
 	"goauthentik.io/internal/debug"
 	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/healthcheck"
 	"goauthentik.io/internal/outpost/proxyv2"
 )

@ -24,7 +26,9 @@ Required environment variables:
 Optionally, you can set these:
 - AUTHENTIK_HOST_BROWSER: URL to use in the browser, when it differs from AUTHENTIK_HOST`

-func main() {
+var rootCmd = &cobra.Command{
+	Long: helpMessage,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
 		log.SetLevel(log.DebugLevel)
 		log.SetFormatter(&log.JSONFormatter{
 			FieldMap: log.FieldMap{
@ -33,6 +37,8 @@ func main() {
 			},
 			DisableHTMLEscape: true,
 		})
+	},
+	Run: func(cmd *cobra.Command, args []string) {
 		debug.EnableDebugServer()
 		akURL := config.Get().AuthentikHost
 		if akURL == "" {
@ -79,4 +85,13 @@ func main() {
 		for {
 			<-ex
 		}
+	},
+}
+
+func main() {
+	rootCmd.AddCommand(healthcheck.Command)
+	err := rootCmd.Execute()
+	if err != nil {
+		os.Exit(1)
+	}
 }
--- a/cmd/radius/main.go
+++ b/cmd/radius/main.go
@ -0,0 +1,94 @@
+package main
+
+import (
+	"fmt"
+	"net/url"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+
+	"goauthentik.io/internal/common"
+	"goauthentik.io/internal/debug"
+	"goauthentik.io/internal/outpost/ak"
+	"goauthentik.io/internal/outpost/ak/healthcheck"
+	"goauthentik.io/internal/outpost/radius"
+)
+
+const helpMessage = `authentik radius
+
+Required environment variables:
+- AUTHENTIK_HOST: URL to connect to (format "http://authentik.company")
+- AUTHENTIK_TOKEN: Token to authenticate with
+- AUTHENTIK_INSECURE: Skip SSL Certificate verification`
+
+var rootCmd = &cobra.Command{
+	Long: helpMessage,
+	PersistentPreRun: func(cmd *cobra.Command, args []string) {
+		log.SetLevel(log.DebugLevel)
+		log.SetFormatter(&log.JSONFormatter{
+			FieldMap: log.FieldMap{
+				log.FieldKeyMsg:  "event",
+				log.FieldKeyTime: "timestamp",
+			},
+			DisableHTMLEscape: true,
+		})
+	},
+	Run: func(cmd *cobra.Command, args []string) {
+		debug.EnableDebugServer()
+		akURL, found := os.LookupEnv("AUTHENTIK_HOST")
+		if !found {
+			fmt.Println("env AUTHENTIK_HOST not set!")
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+		akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
+		if !found {
+			fmt.Println("env AUTHENTIK_TOKEN not set!")
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		akURLActual, err := url.Parse(akURL)
+		if err != nil {
+			fmt.Println(err)
+			fmt.Println(helpMessage)
+			os.Exit(1)
+		}
+
+		ex := common.Init()
+		defer common.Defer()
+		go func() {
+			for {
+				<-ex
+				os.Exit(0)
+			}
+		}()
+
+		ac := ak.NewAPIController(*akURLActual, akToken)
+		if ac == nil {
+			os.Exit(1)
+		}
+		defer ac.Shutdown()
+
+		ac.Server = radius.NewServer(ac)
+
+		err = ac.Start()
+		if err != nil {
+			log.WithError(err).Panic("Failed to run server")
+		}
+
+		for {
+			<-ex
+		}
+
+	},
+}
+
+func main() {
+	rootCmd.AddCommand(healthcheck.Command)
+	err := rootCmd.Execute()
+	if err != nil {
+		os.Exit(1)
+	}
+}
--- a/cmd/radius/server.go
+++ b/cmd/radius/server.go
@ -1,78 +0,0 @@
-package main
-
-import (
-	"fmt"
-	"net/url"
-	"os"
-
-	log "github.com/sirupsen/logrus"
-
-	"goauthentik.io/internal/common"
-	"goauthentik.io/internal/debug"
-	"goauthentik.io/internal/outpost/ak"
-	"goauthentik.io/internal/outpost/radius"
-)
-
-const helpMessage = `authentik radius
-
-Required environment variables:
- AUTHENTIK_HOST: URL to connect to (format "http://authentik.company")
- AUTHENTIK_TOKEN: Token to authenticate with
- AUTHENTIK_INSECURE: Skip SSL Certificate verification`
-
-func main() {
-	log.SetLevel(log.DebugLevel)
-	log.SetFormatter(&log.JSONFormatter{
-		FieldMap: log.FieldMap{
-			log.FieldKeyMsg:  "event",
-			log.FieldKeyTime: "timestamp",
-		},
-		DisableHTMLEscape: true,
-	})
-	go debug.EnableDebugServer()
-	akURL, found := os.LookupEnv("AUTHENTIK_HOST")
-	if !found {
-		fmt.Println("env AUTHENTIK_HOST not set!")
-		fmt.Println(helpMessage)
-		os.Exit(1)
-	}
-	akToken, found := os.LookupEnv("AUTHENTIK_TOKEN")
-	if !found {
-		fmt.Println("env AUTHENTIK_TOKEN not set!")
-		fmt.Println(helpMessage)
-		os.Exit(1)
-	}
-
-	akURLActual, err := url.Parse(akURL)
-	if err != nil {
-		fmt.Println(err)
-		fmt.Println(helpMessage)
-		os.Exit(1)
-	}
-
-	ex := common.Init()
-	defer common.Defer()
-	go func() {
-		for {
-			<-ex
-			os.Exit(0)
-		}
-	}()
-
-	ac := ak.NewAPIController(*akURLActual, akToken)
-	if ac == nil {
-		os.Exit(1)
-	}
-	defer ac.Shutdown()
-
-	ac.Server = radius.NewServer(ac)
-
-	err = ac.Start()
-	if err != nil {
-		log.WithError(err).Panic("Failed to run server")
-	}
-
-	for {
-		<-ex
-	}
-}
--- a/cmd/server/healthcheck.go
+++ b/cmd/server/healthcheck.go
@ -25,7 +25,6 @@ var healthcheckCmd = &cobra.Command{
 			os.Exit(1)
 		}
 		mode := args[0]
-		config.Get()
 		exitCode := 1
 		log.WithField("mode", mode).Debug("checking health")
 		switch strings.ToLower(mode) {
--- a/internal/outpost/ak/healthcheck/cmd.go
+++ b/internal/outpost/ak/healthcheck/cmd.go
@ -0,0 +1,38 @@
+package healthcheck
+
+import (
+	"fmt"
+	"net/http"
+	"os"
+
+	log "github.com/sirupsen/logrus"
+	"github.com/spf13/cobra"
+	"goauthentik.io/internal/config"
+	"goauthentik.io/internal/utils/web"
+)
+
+var Command = &cobra.Command{
+	Use: "healthcheck",
+	Run: func(cmd *cobra.Command, args []string) {
+		config.Get()
+		os.Exit(check())
+	},
+}
+
+func check() int {
+	h := &http.Client{
+		Transport: web.NewUserAgentTransport("goauthentik.io/healthcheck", http.DefaultTransport),
+	}
+	url := fmt.Sprintf("http://%s/outpost.goauthentik.io/ping", config.Get().Listen.Metrics)
+	res, err := h.Head(url)
+	if err != nil {
+		log.WithError(err).Warning("failed to send healthcheck request")
+		return 1
+	}
+	if res.StatusCode >= 400 {
+		log.WithField("status", res.StatusCode).Warning("unhealthy status code")
+		return 1
+	}
+	log.Debug("successfully checked health")
+	return 0
+}
--- a/ldap.Dockerfile
+++ b/ldap.Dockerfile
@ -19,7 +19,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

 COPY --from=builder /go/ldap /

-HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
+HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/ldap", "healthcheck" ]

 EXPOSE 3389 6636 9300

--- a/proxy.Dockerfile
+++ b/proxy.Dockerfile
@ -32,7 +32,7 @@ COPY --from=web-builder /static/security.txt /web/security.txt
 COPY --from=web-builder /static/dist/ /web/dist/
 COPY --from=web-builder /static/authentik/ /web/authentik/

-HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
+HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/proxy", "healthcheck" ]

 EXPOSE 9000 9300 9443

--- a/radius.Dockerfile
+++ b/radius.Dockerfile
@ -19,7 +19,7 @@ ENV GIT_BUILD_HASH=$GIT_BUILD_HASH

 COPY --from=builder /go/radius /

-HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "wget", "--spider", "http://localhost:9300/outpost.goauthentik.io/ping" ]
+HEALTHCHECK --interval=5s --retries=20 --start-period=3s CMD [ "/radius", "healthcheck" ]

 EXPOSE 1812/udp 9300

--- a/tests/e2e/test_provider_oidc.py
+++ b/tests/e2e/test_provider_oidc.py
@ -6,7 +6,6 @@ from unittest.case import skipUnless

 from docker import DockerClient, from_env
 from docker.models.containers import Container
-from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec

@ -41,14 +40,9 @@ class TestProviderOAuth2OIDC(SeleniumTestCase):
        sleep(1)
        client: DockerClient = from_env()
        container = client.containers.run(
-            image="ghcr.io/beryju/oidc-test-client:v1",
+            image="ghcr.io/beryju/oidc-test-client:1.3",
            detach=True,
            network_mode="host",
-            healthcheck=Healthcheck(
-                test=["CMD", "wget", "--spider", "http://localhost:9009/health"],
-                interval=5 * 100 * 1000000,
-                start_period=1 * 100 * 1000000,
-            ),
            environment={
                "OIDC_CLIENT_ID": self.client_id,
                "OIDC_CLIENT_SECRET": self.client_secret,
--- a/tests/e2e/test_provider_oidc_implicit.py
+++ b/tests/e2e/test_provider_oidc_implicit.py
@ -6,7 +6,6 @@ from unittest.case import skipUnless

 from docker import DockerClient, from_env
 from docker.models.containers import Container
-from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec

@ -41,14 +40,9 @@ class TestProviderOAuth2OIDCImplicit(SeleniumTestCase):
        sleep(1)
        client: DockerClient = from_env()
        container = client.containers.run(
-            image="ghcr.io/beryju/oidc-test-client:v1",
+            image="ghcr.io/beryju/oidc-test-client:1.3",
            detach=True,
            network_mode="host",
-            healthcheck=Healthcheck(
-                test=["CMD", "wget", "--spider", "http://localhost:9009/health"],
-                interval=5 * 100 * 1000000,
-                start_period=1 * 100 * 1000000,
-            ),
            environment={
                "OIDC_CLIENT_ID": self.client_id,
                "OIDC_CLIENT_SECRET": self.client_secret,
--- a/tests/e2e/test_provider_saml.py
+++ b/tests/e2e/test_provider_saml.py
@ -6,7 +6,6 @@ from unittest.case import skipUnless

 from docker import DockerClient, from_env
 from docker.models.containers import Container
-from docker.types import Healthcheck
 from selenium.webdriver.common.by import By
 from selenium.webdriver.support import expected_conditions as ec

@ -40,14 +39,9 @@ class TestProviderSAML(SeleniumTestCase):
        if force_post:
            metadata_url += f"&force_binding={SAML_BINDING_POST}"
        container = client.containers.run(
-            image="ghcr.io/beryju/saml-test-sp:latest",
+            image="ghcr.io/beryju/saml-test-sp:1.1",
            detach=True,
            network_mode="host",
-            healthcheck=Healthcheck(
-                test=["CMD", "wget", "--spider", "http://localhost:9009/health"],
-                interval=5 * 100 * 1000000,
-                start_period=1 * 100 * 1000000,
-            ),
            environment={
                "SP_ENTITY_ID": provider.issuer,
                "SP_SSO_BINDING": "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST",
--- a/website/docs/flow/context/index.md
+++ b/website/docs/flow/context/index.md
@ -47,9 +47,7 @@ This data can be modified with policies. The data is also used by stages like [U

 Stores the final redirect URL that the user's browser will be sent to after the flow is finished executing successfully. This is set when an un-authenticated user attempts to access a secured application, and when a user authenticates/enrolls with an external source.

-#### Identifications tage
-
-##### `pending_user_identifier` (string)
+#### `pending_user_identifier` (string)

 If _Show matched user_ is disabled, this key will hold the user identifier entered by the user in the identification stage.