fix: app and envoy container not shutting down gracefully

docker-compose/config/nginx/bucketeer.conf

@@ -109,7 +109,7 @@ server {
     add_header X-Content-Type-Options nosniff;
     add_header X-XSS-Protection "1; mode=block";
 
-    # Health check endpoint
+    # Health check endpoints
     location /health {
         proxy_pass https://api_health_backend;
         proxy_set_header Host $host;
@@ -118,6 +118,14 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
+    location /ready {
+        proxy_pass https://api_health_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
     # API Gateway gRPC service (main API)
     location /bucketeer.gateway.Gateway {
         grpc_pass grpcs://api_grpc_backend;
@@ -192,7 +200,7 @@ server {
         return 204;
     }
 
-    # Health check endpoint
+    # Health check endpoints
     location /health {
         proxy_pass https://web_health_backend;
         proxy_set_header Host $host;
@@ -201,6 +209,14 @@ server {
         proxy_set_header X-Forwarded-Proto $scheme;
     }
 
+    location /ready {
+        proxy_pass https://web_health_backend;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+
     # gRPC/gRPC-Web service routes (backend handles both protocols)
     location /bucketeer.account.AccountService {
         if ($is_grpc_web = 1) {

manifests/bucketeer/charts/api/templates/backend-config.yaml

@@ -8,7 +8,11 @@ spec:
   healthCheck:
     requestPath: /health
     type: HTTP2
-  timeoutSec: 40
+    checkIntervalSec: 5
+    timeoutSec: 5
+    healthyThreshold: 1
+    unhealthyThreshold: 1
+  timeoutSec: 60
   connectionDraining:
     drainingTimeoutSec: 60
 {{- end }}

manifests/bucketeer/charts/api/templates/deployment.yaml

@@ -21,6 +21,7 @@ spec:
       annotations:
         checksum/config: {{ include (print $.Template.BasePath "/envoy-configmap.yaml") . | sha256sum }}
     spec:
+      terminationGracePeriodSeconds: {{ .Values.terminationGracePeriodSeconds | default 30 }}
       {{- with .Values.global.image.imagePullSecrets }}
       imagePullSecrets: {{- toYaml . | nindent 8 }}
       {{- end }}
@@ -145,6 +146,14 @@ spec:
               containerPort: {{ .Values.env.port }}
             - name: metrics
               containerPort: {{ .Values.env.metricsPort }}
+          startupProbe:
+            periodSeconds: {{ .Values.health.startupProbe.periodSeconds }}
+            failureThreshold: {{ .Values.health.startupProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.startupProbe.timeoutSeconds }}
+            httpGet:
+              path: /ready
+              port: service
+              scheme: HTTPS
           livenessProbe:
             initialDelaySeconds: {{ .Values.health.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.health.livenessProbe.periodSeconds }}
@@ -160,7 +169,7 @@ spec:
             failureThreshold: {{ .Values.health.readinessProbe.failureThreshold }}
             timeoutSeconds: {{ .Values.health.readinessProbe.timeoutSeconds }}
             httpGet:
-              path: /health
+              path: /ready
               port: service
               scheme: HTTPS
           resources:
@@ -172,9 +181,15 @@ spec:
             preStop:
               exec:
                 command:
-                  - "/bin/sh"
-                  - "-c"
-                  - "wget -O- --post-data='{}' http://localhost:$ENVOY_ADMIN_PORT/healthcheck/fail; while [ $(netstat -plunt | grep tcp | grep -v envoy | wc -l) -ne 0 ]; do sleep 1; done;"
+                  - /bin/sh
+                  - -c
+                  - |
+                    admin_port={{ .Values.envoy.adminPort }}
+                    # Wait for load balancer propagation (must match app container propagation delay)
+                    sleep 15
+                    wget -q -T 1 -O- --method=POST --body-data='' \
+                      "http://localhost:${admin_port}/drain_listeners?graceful" || true
+                    exit 0
           command: ["envoy"]
           args:
             - "-c"
@@ -201,10 +216,19 @@ spec:
               containerPort: {{ .Values.envoy.port }}
             - name: admin
               containerPort: {{ .Values.envoy.adminPort }}
+          startupProbe:
+            periodSeconds: {{ .Values.health.startupProbe.periodSeconds }}
+            failureThreshold: {{ .Values.health.startupProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.startupProbe.timeoutSeconds }}
+            httpGet:
+              path: /ready
+              port: admin
+              scheme: HTTP
           livenessProbe:
             initialDelaySeconds: {{ .Values.health.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.health.livenessProbe.periodSeconds }}
             failureThreshold: {{ .Values.health.livenessProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.livenessProbe.timeoutSeconds }}
             httpGet:
               path: /ready
               port: admin
@@ -213,11 +237,12 @@ spec:
             initialDelaySeconds: {{ .Values.health.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.health.readinessProbe.periodSeconds }}
             failureThreshold: {{ .Values.health.readinessProbe.failureThreshold }}
+            timeoutSeconds: {{ .Values.health.readinessProbe.timeoutSeconds }}
             httpGet:
               path: /ready
               port: admin
               scheme: HTTP
           resources:
 {{ toYaml .Values.envoy.resources | indent 12 }}
   strategy:
-    type: RollingUpdate
+{{ toYaml .Values.strategy | indent 4 }}