diff --git a/charts/proxy/templates/bin/_liveness-probe.sh.tpl b/charts/proxy/templates/bin/_liveness-probe.sh.tpl
deleted file mode 100644
index 54195cd6..00000000
--- a/charts/proxy/templates/bin/_liveness-probe.sh.tpl
+++ /dev/null
@@ -1,49 +0,0 @@
-#!/bin/bash
-
-set -eu
-
-IPTS_DIR=/tmp/liveness
-
-FAILURE=0
-{{- if .Values.livenessProbe.whitelist }}
-WHITELIST='({{- join "|" .Values.livenessProbe.whitelist -}})'
-{{- end }}
-
-REQUEST='GET /healthz HTTP/1.0\r\nHost: localhost:10256\r\n'
-
-if [[ $(echo -e "${REQUEST}" | socat - TCP4:localhost:10256 | grep -sc '200 OK') -lt 1 ]]; then
-echo Failed proxy built-in HTTP health check.
-echo -e "${REQUEST}" | socat - TCP4:localhost:10256
-FAILURE=1
-fi
-
-mkdir -p "${IPTS_DIR}"
-iptables-save {{- if .Values.livenessProbe.whitelist }} | grep -Ev "${WHITELIST}" {{- end }} | grep -s 'has no endpoints' | sort > "${IPTS_DIR}/current"
-
-if [[ $(wc -l < "${IPTS_DIR}/current") -gt 0 ]]; then
-if [[ "${IPTS_DIR}/previous" ]]; then
-if cmp "${IPTS_DIR}/current" "${IPTS_DIR}/previous"; then
-echo Some non-whitelisted services have no endpoints:
-cat "${IPTS_DIR}/current"
-FAILURE=1
-else
-echo Detected issues have changed. Passing check:
-diff "${IPTS_DIR}/previous" "${IPTS_DIR}/current"
-fi
-fi
-fi
-
-mv "${IPTS_DIR}/current" "${IPTS_DIR}/previous"
-
-IPTABLES_IPS=$(iptables-save | grep -E 'KUBE-SEP.*to-destination' | sed 's/.*to-destination \(.*\):.*/\1/' | sort -u)
-KUBECTL_IPS=$(kubectl get --all-namespaces -o json endpoints | jq -r '.items | arrays | .[] | objects | .subsets | arrays | .[] | objects | .addresses | arrays | .[] | objects | .ip' | sort -u)
-
-if [[ $(comm -23 <(echo "${IPTABLES_IPS}") <(echo "${KUBECTL_IPS}")) ]]; then
-FAILURE=1
-echo "Found non-current Pod IPs in iptables rules:"
-comm -23 <(echo "${IPTABLES_IPS}") <(echo "${KUBECTL_IPS}")
-fi
-
-if [[ "${FAILURE}" == "1" ]]; then
-exit 1
-fi
diff --git a/charts/proxy/templates/bin/_readiness-probe.sh.tpl b/charts/proxy/templates/bin/_readiness-probe.sh.tpl
deleted file mode 100644
index 3f87b48f..00000000
--- a/charts/proxy/templates/bin/_readiness-probe.sh.tpl
+++ /dev/null
@@ -1,5 +0,0 @@
-#!/bin/bash
-
-set -e
-
-iptables-save | grep 'default/kubernetes:https'
diff --git a/charts/proxy/templates/configmap-bin.yaml b/charts/proxy/templates/configmap-bin.yaml
deleted file mode 100644
index 8b98721c..00000000
--- a/charts/proxy/templates/configmap-bin.yaml
+++ /dev/null
@@ -1,26 +0,0 @@
-{{/*
-# Copyright (c) 2018 AT&T Intellectual Property. All rights reserved.
-#
-# Licensed under the Apache License, Version 2.0 (the "License");
-# you may not use this file except in compliance with the License.
-# You may obtain a copy of the License at
-#
-# http://www.apache.org/licenses/LICENSE-2.0
-#
-# Unless required by applicable law or agreed to in writing, software
-# distributed under the License is distributed on an "AS IS" BASIS,
-# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-# See the License for the specific language governing permissions and
-# limitations under the License. */}}
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-name: kubernetes-proxy-bin
-data:
-liveness-probe.sh: |
-{{ tuple "bin/_liveness-probe.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-readiness-probe.sh: |
-{{ tuple "bin/_readiness-probe.sh.tpl" . | include "helm-toolkit.utils.template" | indent 4 }}
-...
diff --git a/charts/proxy/templates/daemonset.yaml b/charts/proxy/templates/daemonset.yaml
index db05f475..1c22bf1e 100644
--- a/charts/proxy/templates/daemonset.yaml
+++ b/charts/proxy/templates/daemonset.yaml
@@ -14,6 +14,13 @@ See the License for the specific language governing permissions and limitations under the License. */}} +{{- define "probeTemplate" }} +httpGet: + path: /healthz + port: 10256 + scheme: HTTP +{{- end }} + {{- if .Values.manifests.daemonset_proxy }} {{- $envAll := . }} {{- $labels := tuple $envAll "kubernetes" "proxy" | include "helm-toolkit.snippets.kubernetes_metadata_labels" -}} @@ -75,20 +82,9 @@ spec: valueFrom: fieldRef: fieldPath: spec.nodeName - livenessProbe: -{{ toYaml .Values.livenessProbe.config | indent 10 }} - exec: - command: - - /tmp/bin/liveness-probe.sh - readinessProbe: - exec: - command: - - /tmp/bin/readiness-probe.sh - initialDelaySeconds: 15 - periodSeconds: 15 +{{ dict "envAll" . "component" "proxy" "container" "proxy" "type" "liveness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 8 }} +{{ dict "envAll" . "component" "proxy" "container" "proxy" "type" "readiness" "probeTemplate" (include "probeTemplate" . | fromYaml) | include "helm-toolkit.snippets.kubernetes_probe" | trim | indent 8 }} volumeMounts: - - name: bin - mountPath: /tmp/bin/ - mountPath: /run/xtables.lock name: xtables-lock readOnly: false @@ -97,10 +93,6 @@ spec: readOnly: true serviceAccountName: kube-proxy volumes: - - name: bin - configMap: - name: kubernetes-proxy-bin - defaultMode: 0555 - name: xtables-lock hostPath: path: /run/xtables.lock diff --git a/charts/proxy/values.yaml b/charts/proxy/values.yaml index 00ac6c36..f6cec724 100644 --- a/charts/proxy/values.yaml +++ b/charts/proxy/values.yaml @@ -47,6 +47,23 @@ pod: limits: memory: "1024Mi" cpu: "2000m" + probes: + proxy: + proxy: + liveness: + enabled: true + params: + initialDelaySeconds: 15 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 2 + readiness: + enabled: true + params: + initialDelaySeconds: 15 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 2 images: tags: 
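Review bot: The new named template is declared as a bare `{{- define "probeTemplate" }}`, and Helm template names live in one global namespace shared with every other chart rendered in the same release (including helm-toolkit), where the last definition of a name silently wins. A generic name like this can be clobbered by, or clobber, an unrelated chart's template without any error, which would change which probe spec is rendered into the kube-proxy DaemonSet. Prefix it with the chart name, `{{- define "proxy.probeTemplate" }}`, and update the two `include "probeTemplate" .` calls in the container hunk below to `include "proxy.probeTemplate" .`. The healthz port `10256` is also hard-coded here while the rest of the chart reads its addresses from values; whether a values key for it exists elsewhere in the chart is not visible in this diff.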
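Review bot: The two `kubernetes_probe` lines that replace the exec probes narrow what liveness and readiness actually verify, and nothing in the hunk records that. The deleted liveness script also compared KUBE-SEP `to-destination` addresses from `iptables-save` against current Endpoints and flagged non-whitelisted services with no endpoints, and the deleted readiness script required the `default/kubernetes:https` rule to be present; the new probes only ask kube-proxy's own `/healthz`, so stale-rule drift that the old probe was written to catch no longer triggers a restart. That may well be intended (the old script kept state under `/tmp/liveness` and depended on socat, kubectl and jq in the image), but it should be stated next to the probes, e.g. `# NOTE: /healthz reports kube-proxy's own sync status only; the former iptables-drift and endpoint checks are not carried over.` Both probes also render the identical `probeTemplate`, so readiness is now the same check as liveness and only differs by its params.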
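Review bot: The new liveness params set `failureThreshold: 2` and leave `periodSeconds` unset, so two consecutive failed or slow `/healthz` responses at the kubelet default 10s period restart kube-proxy on every node, which is exactly the cascading-failure mode the `NOTE(mark-burnett)` comment deleted in the next hunk warns about (it used `failureThreshold: 10` and `periodSeconds: 35` to keep a transient issue from disabling kube-proxy for the whole site). `timeoutSeconds: 15` is also longer than the default 10s period, which is unusual and suggests the old `periodSeconds` was meant to be carried over. Unless the tighter thresholds are deliberate, carry the NOTE into `pod.probes.proxy.proxy.liveness.params` and restore the conservative values: `failureThreshold: 10`, `periodSeconds: 35`, `timeoutSeconds: 10`. The readiness params share the same numbers; for a hostNetwork DaemonSet readiness has no traffic effect, so they matter less, but the comment should say which block the warning applies to.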
@@ -72,17 +89,3 @@ network:
 kube_service:
 host: 127.0.0.1
 port: 6553
-
-livenessProbe:
-config:
-# NOTE(mark-burnett): To avoid cascading failure modes, it is
-# important that these values are configured to avoid the possibility
-# of CrashLoopBackoff for this pod. Otherwise, a small non-impacting
-# issue could disable kube-proxy for the entire site.
-failureThreshold: 10
-initialDelaySeconds: 15
-periodSeconds: 35
-successThreshold: 1
-timeoutSeconds: 10
-whitelist:
-# - postgres