fix: race condition when stopping health check during shutdown (#2177)

Signed-off-by: Alessandro Yuichi Okimoto <yuichijpn@gmail.com>

Author: cre8ivejp

manifests/bucketeer/charts/api/templates/deployment.yaml

@@ -185,10 +185,11 @@ spec:
                   - -c
                   - |
                     admin_port={{ .Values.envoy.adminPort }}
-                    # Wait for load balancer propagation (must match app container propagation delay)
-                    sleep 15
                     wget -q -T 1 -O- --method=POST --body-data='' \
                       "http://localhost:${admin_port}/drain_listeners?graceful" || true
+
+                    # Wait for load balancer propagation (must match app container propagation delay)
+                    sleep 15
                     exit 0
           command: ["envoy"]
           args:

manifests/bucketeer/charts/batch/templates/deployment.yaml

@@ -223,10 +223,11 @@ spec:
                   - -c
                   - |
                     admin_port={{ .Values.envoy.adminPort }}
-                    # Wait for load balancer propagation (must match app container propagation delay)
-                    sleep 15
                     wget -q -T 1 -O- --method=POST --body-data='' \
                       "http://localhost:${admin_port}/drain_listeners?graceful" || true
+
+                    # Wait for load balancer propagation (must match app container propagation delay)
+                    sleep 15
                     exit 0
           command: ["envoy"]
           args:

manifests/bucketeer/charts/subscriber/templates/deployment.yaml

@@ -205,8 +205,6 @@ spec:
                   - -c
                   - |
                     admin_port={{ .Values.envoy.adminPort }}
-                    # Wait for load balancer propagation (must match app container propagation delay)
-                    sleep 15
                     wget -q -T 1 -O- --method=POST --body-data='' \
                       "http://localhost:${admin_port}/drain_listeners?graceful" || true
                     exit 0

manifests/bucketeer/charts/web/templates/deployment.yaml

@@ -273,10 +273,11 @@ spec:
                   - -c
                   - |
                     admin_port={{ .Values.envoy.adminPort }}
-                    # Wait for load balancer propagation (must match app container propagation delay)
-                    sleep 15
                     wget -q -T 1 -O- --method=POST --body-data='' \
                       "http://localhost:${admin_port}/drain_listeners?graceful" || true
+
+                    # Wait for load balancer propagation (must match app container propagation delay)
+                    sleep 15
                     exit 0
           command: ["envoy"]
           args:

pkg/api/cmd/server.go

@@ -567,16 +567,16 @@ func (s *server) Run(ctx context.Context, metrics metrics.Metrics, logger *zap.L
 	defer func() {
 		shutdownStartTime := time.Now()
 
-		// Wait for K8s endpoint propagation
-		// This prevents "context deadline exceeded" errors during high traffic.
-		time.Sleep(propagationDelay)
-
 		// Mark as unhealthy so readiness probes fail
 		// This ensures Kubernetes readiness probe fails on next check,
 		// preventing new traffic from being routed to this pod.
 		healthChecker.Stop()
 		restHealthChecker.Stop()
 
+		// Wait for K8s endpoint propagation
+		// This prevents "context deadline exceeded" errors during high traffic.
+		time.Sleep(propagationDelay)
+
 		// Shutdown order matters due to dependencies:
 		// 1. apiGateway/httpServer make gRPC calls to the backend server
 		// 2. We MUST drain them BEFORE stopping the backend sever

pkg/batch/cmd/server/server.go

@@ -632,15 +632,15 @@ func (s *server) Run(ctx context.Context, metrics metrics.Metrics, logger *zap.L
 	defer func() {
 		shutdownStartTime := time.Now()
 
-		// Wait for K8s endpoint propagation
-		// This prevents "context deadline exceeded" errors during high traffic.
-		time.Sleep(propagationDelay)
-
 		// Mark as unhealthy so readiness probes fail
 		// This ensures Kubernetes readiness probe fails on next check,
 		// preventing new traffic from being routed to this pod.
 		healthChecker.Stop()
 
+		// Wait for K8s endpoint propagation
+		// This prevents "context deadline exceeded" errors during high traffic.
+		time.Sleep(propagationDelay)
+
 		// Gracefully stop gRPC Gateway (calls the gRPC server internally)
 		batchGateway.Stop(serverShutDownTimeout)
 

pkg/health/health.go

@@ -46,7 +46,8 @@ func (s Status) String() string {
 type check func(context.Context) Status
 
 type checker struct {
-	status uint32
+	status  uint32
+	stopped uint32 // 0 = running, 1 = stopped
 
 	interval time.Duration
 	timeout  time.Duration
@@ -104,6 +105,13 @@ func (hc *checker) Run(ctx context.Context) {
 }
 
 func (hc *checker) check(ctx context.Context) {
+	// Don't run checks if already stopped
+	// This prevents the race condition where Stop() sets status to Unhealthy
+	// but then check() overrides it back to Healthy
+	if hc.isStopped() {
+		return
+	}
+
 	resultChan := make(chan Status, len(hc.checks))
 	ctx, cancel := context.WithTimeout(ctx, hc.timeout)
 	defer cancel()
@@ -118,7 +126,12 @@ func (hc *checker) check(ctx context.Context) {
 			return
 		}
 	}
-	hc.setStatus(Healthy)
+
+	// Only set to Healthy if not stopped
+	// This prevents the race condition during shutdown
+	if !hc.isStopped() {
+		hc.setStatus(Healthy)
+	}
 }
 
 func (hc *checker) ServeReadyHTTP(resp http.ResponseWriter, req *http.Request) {
@@ -148,6 +161,13 @@ func (hc *checker) setStatus(s Status) {
 	atomic.StoreUint32(&hc.status, uint32(s))
 }
 
+func (hc *checker) isStopped() bool {
+	return atomic.LoadUint32(&hc.stopped) == 1
+}
+
 func (hc *checker) Stop() {
+	// Set stopped flag first to prevent any concurrent check() from setting status back to Healthy
+	atomic.StoreUint32(&hc.stopped, 1)
+	// Then set status to Unhealthy
 	hc.setStatus(Unhealthy)
 }

pkg/health/health_test.go

@@ -372,3 +372,162 @@ func TestGRPCReadyAffectedByStop(t *testing.T) {
 		})
 	}
 }
+
+func TestStopPreventsCheckFromSettingHealthy(t *testing.T) {
+	t.Parallel()
+	patterns := []struct {
+		desc             string
+		setupFunc        func() *restChecker
+		expectedStatus   int
+		expectedStopped  bool
+		expectedInternal Status
+	}{
+		{
+			desc: "check() after Stop() does not override status to Healthy",
+			setupFunc: func() *restChecker {
+				healthyCheck := func(ctx context.Context) Status {
+					return Healthy
+				}
+				c := NewRestChecker(version, service, WithCheck("healthy", healthyCheck))
+				c.check(context.Background())
+				return c
+			},
+			expectedStatus:   http.StatusServiceUnavailable,
+			expectedStopped:  true,
+			expectedInternal: Unhealthy,
+		},
+		{
+			desc: "multiple check() calls after Stop() remain Unhealthy",
+			setupFunc: func() *restChecker {
+				healthyCheck := func(ctx context.Context) Status {
+					return Healthy
+				}
+				c := NewRestChecker(version, service, WithCheck("healthy", healthyCheck))
+				c.check(context.Background())
+				return c
+			},
+			expectedStatus:   http.StatusServiceUnavailable,
+			expectedStopped:  true,
+			expectedInternal: Unhealthy,
+		},
+	}
+
+	for _, p := range patterns {
+		t.Run(p.desc, func(t *testing.T) {
+			checker := p.setupFunc()
+
+			// Verify initial state is healthy
+			if checker.getStatus() != Healthy {
+				t.Errorf("Initial state should be Healthy, got %v", checker.getStatus())
+			}
+
+			// Call Stop()
+			checker.Stop()
+
+			// Verify stopped flag is set
+			if !checker.isStopped() {
+				t.Error("Expected isStopped() to be true after Stop()")
+			}
+
+			// Verify status is Unhealthy
+			if checker.getStatus() != Unhealthy {
+				t.Errorf("Expected status to be Unhealthy after Stop(), got %v", checker.getStatus())
+			}
+
+			// Call check() to simulate the race condition
+			// This should NOT override the status back to Healthy
+			checker.check(context.Background())
+
+			// Verify status remains Unhealthy
+			if checker.getStatus() != p.expectedInternal {
+				t.Errorf("Expected status to remain %v after check(), got %v",
+					p.expectedInternal, checker.getStatus())
+			}
+
+			// Verify HTTP response is 503
+			req := httptest.NewRequest("GET", fmt.Sprintf("%s%s%s", version, service, readyPath), nil)
+			resp := httptest.NewRecorder()
+			checker.ServeReadyHTTP(resp, req)
+			if resp.Code != p.expectedStatus {
+				t.Errorf("Expected HTTP status %d, got %d", p.expectedStatus, resp.Code)
+			}
+
+			// Call check() multiple times to ensure it stays Unhealthy
+			for i := 0; i < 5; i++ {
+				checker.check(context.Background())
+				if checker.getStatus() != p.expectedInternal {
+					t.Errorf("After %d check() calls, expected status %v, got %v",
+						i+1, p.expectedInternal, checker.getStatus())
+				}
+			}
+		})
+	}
+}
+
+func TestStopWithRunningGoroutine(t *testing.T) {
+	t.Parallel()
+	patterns := []struct {
+		desc          string
+		setupFunc     func() (*restChecker, context.CancelFunc)
+		expectedErr   error
+		expectedFinal int
+	}{
+		{
+			desc: "Stop() prevents Run() goroutine from setting status to Healthy",
+			setupFunc: func() (*restChecker, context.CancelFunc) {
+				healthyCheck := func(ctx context.Context) Status {
+					return Healthy
+				}
+				c := NewRestChecker(version, service,
+					WithCheck("healthy", healthyCheck),
+					WithInterval(10*time.Millisecond))
+				ctx, cancel := context.WithCancel(context.Background())
+				go c.Run(ctx)
+				// Wait for first check to complete
+				time.Sleep(50 * time.Millisecond)
+				return c, cancel
+			},
+			expectedErr:   nil,
+			expectedFinal: http.StatusServiceUnavailable,
+		},
+	}
+
+	for _, p := range patterns {
+		t.Run(p.desc, func(t *testing.T) {
+			checker, cancel := p.setupFunc()
+			defer cancel()
+
+			// Verify initial state is healthy
+			if checker.getStatus() != Healthy {
+				t.Errorf("Initial state should be Healthy, got %v", checker.getStatus())
+			}
+
+			// Call Stop() while Run() goroutine is still running
+			checker.Stop()
+
+			// Verify status is immediately Unhealthy
+			if checker.getStatus() != Unhealthy {
+				t.Errorf("Expected status to be Unhealthy immediately after Stop(), got %v",
+					checker.getStatus())
+			}
+
+			// Wait for multiple check intervals to pass
+			// The Run() goroutine should NOT override status back to Healthy
+			time.Sleep(100 * time.Millisecond)
+
+			// Verify status remains Unhealthy
+			if checker.getStatus() != Unhealthy {
+				t.Errorf("Expected status to remain Unhealthy after waiting, got %v",
+					checker.getStatus())
+			}
+
+			// Verify HTTP response is 503
+			req := httptest.NewRequest("GET", fmt.Sprintf("%s%s%s", version, service, readyPath), nil)
+			resp := httptest.NewRecorder()
+			checker.ServeReadyHTTP(resp, req)
+			if resp.Code != p.expectedFinal {
+				t.Errorf("Expected HTTP status %d, got %d", p.expectedFinal, resp.Code)
+			}
+		})
+	}
+}

pkg/web/cmd/server/server.go

@@ -861,15 +861,17 @@ func (s *server) Run(ctx context.Context, metrics metrics.Metrics, logger *zap.L
 	defer func() {
 		shutdownStartTime := time.Now()
 
-		// Wait for K8s endpoint propagation
-		// This prevents "context deadline exceeded" errors during high traffic.
-		time.Sleep(propagationDelay)
-
 		// Mark as unhealthy so readiness probes fail
 		// This ensures Kubernetes readiness probe fails on next check,
 		// preventing new traffic from being routed to this pod.
-		healthcheckServer.Stop(5 * time.Second)
+		// IMPORTANT: Stop the health checker FIRST before stopping the HTTP server
+		// to prevent race condition where health checks return 200 during shutdown
 		restHealthChecker.Stop()
+		healthcheckServer.Stop(5 * time.Second)
+
+		// Wait for K8s endpoint propagation
+		// This prevents "context deadline exceeded" errors during high traffic.
+		time.Sleep(propagationDelay)
 
 		// Stop REST servers in parallel (these call gRPC servers internally)
 		// Stop these first to drain REST traffic before stopping gRPC