feat: implement ready and live health checks

Signed-off-by: Alessandro Yuichi Okimoto <yuichijpn@gmail.com>

Author: cre8ivejp

docker-compose/config/nginx/bucketeer.conf

@@ -109,7 +109,7 @@ server {
     add_header X-Content-Type-Options nosniff;
     add_header X-XSS-Protection "1; mode=block";
 
-    # Health check endpoint
+    # Health check endpoints
     location /health {
         proxy_pass https://api_health_backend;
         proxy_set_header Host $host;
@@ -118,6 +118,30 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
+    location /ready {
+        proxy_pass https://api_health_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /live {
+        proxy_pass https://api_health_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /drain {
+        proxy_pass https://api_health_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
     # API Gateway gRPC service (main API)
     location /bucketeer.gateway.Gateway {
         grpc_pass grpcs://api_grpc_backend;
@@ -192,7 +216,7 @@ server {
         return 204;
     }
 
-    # Health check endpoint
+    # Health check endpoints
     location /health {
         proxy_pass https://web_health_backend;
         proxy_set_header Host $host;
@@ -201,6 +225,30 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
+    location /ready {
+        proxy_pass https://web_health_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /live {
+        proxy_pass https://web_health_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
+    location /drain {
+        proxy_pass https://web_health_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
     # gRPC/gRPC-Web service routes (backend handles both protocols)
     location /bucketeer.account.AccountService {
         if ($is_grpc_web = 1) {

manifests/bucketeer/charts/api/templates/deployment.yaml

@@ -52,6 +52,17 @@ spec:
           image: "{{ .Values.image.repository }}:{{ .Values.global.image.tag }}"
           imagePullPolicy: {{ .Values.image.pullPolicy }}
           args: ["server"]
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - "/bin/sh"
+                  - "-c"
+                  - |
+                    # Drain the application to fail readiness probe
+                    wget --post-data='' --no-check-certificate -O- https://localhost:{{ .Values.env.port }}/drain || true
+                    # Wait a moment for the readiness probe to detect the drain
+                    sleep 3
           env:
             - name: BUCKETEER_API_PROFILE
               value: "{{.Values.env.profile}}"
@@ -157,7 +168,7 @@ spec:
             failureThreshold: {{ .Values.health.livenessProbe.failureThreshold }}
             timeoutSeconds: {{ .Values.health.livenessProbe.timeoutSeconds }}
             httpGet:
-              path: /health
+              path: /live
               port: service
               scheme: HTTPS
           readinessProbe:
@@ -166,7 +177,7 @@ spec:
             failureThreshold: {{ .Values.health.readinessProbe.failureThreshold }}
             timeoutSeconds: {{ .Values.health.readinessProbe.timeoutSeconds }}
             httpGet:
-              path: /health
+              path: /ready
               port: service
               scheme: HTTPS
           resources:
@@ -181,28 +192,15 @@ spec:
                   - "/bin/sh"
                   - "-c"
                   - |
-                    # Step 1: Fail Envoy health check so K8s removes pod from endpoints
-                    wget -O- --post-data='{}' http://localhost:$ENVOY_ADMIN_PORT/healthcheck/fail
-
-                    # Step 2: Wait for all active connections to drain (max 25s)
-                    # Uses Istio pattern: dynamically checks all connections excluding Envoy and TIME-WAIT
                     elapsed=0
                     max_wait=25
                     while [ $elapsed -lt $max_wait ]; do
-                      # Count active connections excluding Envoy process and TIME-WAIT states
                       active_conns=$(ss -Htlp state all | grep -vE '(envoy|TIME-WAIT)' | wc -l | xargs)
-                      if [ "$active_conns" -eq 0 ]; then
-                        echo "All connections drained after ${elapsed}s"
-                        break
-                      fi
-                      echo "Waiting for $active_conns connections to drain..."
+                      [ "$active_conns" -eq 0 ] && echo "Drained in ${elapsed}s" && break
                       sleep 1
                       elapsed=$((elapsed + 1))
                     done
-
-                    if [ $elapsed -ge $max_wait ]; then
-                      echo "Timeout reached, forcing shutdown with $active_conns remaining connections"
-                    fi
+                    [ $elapsed -ge $max_wait ] && echo "Timeout: $active_conns connections remain"
           command: ["envoy"]
           args:
             - "-c"
@@ -233,6 +231,7 @@ spec:
             initialDelaySeconds: {{ .Values.health.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.health.livenessProbe.periodSeconds }}
             failureThreshold: {{ .Values.health.livenessProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.livenessProbe.timeoutSeconds }}
             httpGet:
               path: /ready
               port: admin
@@ -241,6 +240,7 @@ spec:
             initialDelaySeconds: {{ .Values.health.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.health.readinessProbe.periodSeconds }}
             failureThreshold: {{ .Values.health.readinessProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.readinessProbe.timeoutSeconds }}
             httpGet:
               path: /ready
               port: admin

manifests/bucketeer/charts/api/templates/envoy-configmap.yaml

@@ -224,12 +224,27 @@ data:
                             allow_credentials: true
                             max_age: "86400"
                         routes:
-                          # Health check endpoint
+                          # Health check endpoints
                           - match:
                               prefix: /health
                             route:
                               cluster: api
                               timeout: 35s
+                          - match:
+                              prefix: /ready
+                            route:
+                              cluster: api
+                              timeout: 35s
+                          - match:
+                              prefix: /live
+                            route:
+                              cluster: api
+                              timeout: 35s
+                          - match:
+                              prefix: /drain
+                            route:
+                              cluster: api
+                              timeout: 35s
                           # API REST v1 Gateway routes (Deprecated)
                           - match:
                               prefix: /v1/gateway

manifests/bucketeer/charts/api/values.yaml

@@ -93,13 +93,13 @@ ingress:
 health:
   livenessProbe:
     initialDelaySeconds: 10
-    periodSeconds: 3
-    failureThreshold: 5
-    timeoutSeconds: 5
+    periodSeconds: 15
+    failureThreshold: 3
+    timeoutSeconds: 3
   readinessProbe:
     initialDelaySeconds: 10
     periodSeconds: 3
-    failureThreshold: 2
+    failureThreshold: 1
     timeoutSeconds: 3
 resources: {}
 serviceAccount:

manifests/bucketeer/charts/batch/templates/deployment.yaml

@@ -60,6 +60,17 @@ spec:
           {{- range .Values.env.nonPersistentChildRedis.addresses }}
             - --non-persistent-child-redis-addresses={{ . }}
           {{- end }}
+          lifecycle:
+            preStop:
+              exec:
+                command:
+                  - "/bin/sh"
+                  - "-c"
+                  - |
+                    # Drain the application to fail readiness probe
+                    wget --post-data='' --no-check-certificate -O- https://localhost:{{ .Values.env.port }}/drain || true
+                    # Wait a moment for the readiness probe to detect the drain
+                    sleep 3
           env:
             - name: BIGQUERY_WRITER_EMULATOR_HOST
               value: "{{.Values.env.bigqueryWriterEmulatorHost}}"
@@ -193,16 +204,18 @@ spec:
             initialDelaySeconds: {{ .Values.health.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.health.livenessProbe.periodSeconds }}
             failureThreshold: {{ .Values.health.livenessProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.livenessProbe.timeoutSeconds }}
             httpGet:
-              path: /health
+              path: /live
               port: service
               scheme: HTTPS
           readinessProbe:
             initialDelaySeconds: {{ .Values.health.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.health.readinessProbe.periodSeconds }}
             failureThreshold: {{ .Values.health.readinessProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.readinessProbe.timeoutSeconds }}
             httpGet:
-              path: /health
+              path: /ready
               port: service
               scheme: HTTPS
           resources:
@@ -217,28 +230,15 @@ spec:
                   - "/bin/sh"
                   - "-c"
                   - |
-                    # Step 1: Fail Envoy health check so K8s removes pod from endpoints
-                    wget -O- --post-data='{}' http://localhost:$ENVOY_ADMIN_PORT/healthcheck/fail
-
-                    # Step 2: Wait for all active connections to drain (max 25s)
-                    # Uses Istio pattern: dynamically checks all connections excluding Envoy and TIME-WAIT
                     elapsed=0
                     max_wait=25
                     while [ $elapsed -lt $max_wait ]; do
-                      # Count active connections excluding Envoy process and TIME-WAIT states
                       active_conns=$(ss -Htlp state all | grep -vE '(envoy|TIME-WAIT)' | wc -l | xargs)
-                      if [ "$active_conns" -eq 0 ]; then
-                        echo "All connections drained after ${elapsed}s"
-                        break
-                      fi
-                      echo "Waiting for $active_conns connections to drain..."
+                      [ "$active_conns" -eq 0 ] && echo "Drained in ${elapsed}s" && break
                       sleep 1
                       elapsed=$((elapsed + 1))
                     done
-
-                    if [ $elapsed -ge $max_wait ]; then
-                      echo "Timeout reached, forcing shutdown with $active_conns remaining connections"
-                    fi
+                    [ $elapsed -ge $max_wait ] && echo "Timeout: $active_conns connections remain"
           command: ["envoy"]
           args:
             - "-c"
@@ -264,6 +264,7 @@ spec:
             initialDelaySeconds: {{ .Values.health.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.health.livenessProbe.periodSeconds }}
             failureThreshold: {{ .Values.health.livenessProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.livenessProbe.timeoutSeconds }}
             httpGet:
               path: /ready
               port: admin
@@ -272,6 +273,7 @@ spec:
             initialDelaySeconds: {{ .Values.health.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.health.readinessProbe.periodSeconds }}
             failureThreshold: {{ .Values.health.readinessProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.readinessProbe.timeoutSeconds }}
             httpGet:
               path: /ready
               port: admin

manifests/bucketeer/charts/batch/templates/envoy-configmap.yaml

@@ -158,7 +158,7 @@ data:
                             - name: :path
                               string_match:
                                 exact: /health
-                          pass_through_mode: false
+                          pass_through_mode: true  # Changed to true to allow app to handle /health, /ready, /live, /drain
                       - name: envoy.filters.http.router
                         typed_config:
                           "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

manifests/bucketeer/charts/batch/values.yaml

@@ -121,13 +121,13 @@ gcpMultiCluster:
 health:
   livenessProbe:
     initialDelaySeconds: 10
-    periodSeconds: 3
-    failureThreshold: 5
-    timeoutSeconds: 5
+    periodSeconds: 15
+    failureThreshold: 3
+    timeoutSeconds: 3
   readinessProbe:
     initialDelaySeconds: 10
     periodSeconds: 3
-    failureThreshold: 2
+    failureThreshold: 1
     timeoutSeconds: 3
 
 resources: {}