Skip to content

skipper-ingress: disable automated healthcheck routes #9241

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 4 commits into from
May 13, 2025
Merged

skipper-ingress: disable automated healthcheck routes #9241

merged 4 commits into from
May 13, 2025

Conversation

ponimas
Copy link
Collaborator

@ponimas ponimas commented Apr 14, 2025
edited
Loading

Skipper provides two flags to control kubernetes healthcheck routes:
-kubernetes-healthcheck (true by default) that enables automatic healthcheck routes
and -reverse-source-predicate to select source predicate type.

Currently when routesrv is enabled (default state) it adds
automatic healthcheck routes and appends default filters to
all routes including healthcheck routes.

We want to avoid adding default filters to healthcheck routes. The explicit inlined checks were created in this PR.
This change disables automatic healthcheck routes provided by routesrv.

Additionally this PR add an iam anotation to these healhcheck routes to opt-out them from the authentication.

  • This PR should be merged only after this one is deployed.

@ponimas ponimas added the major Major feature changes or updates, e.g. feature rollout to a new country, new API calls. label Apr 14, 2025
@ponimas ponimas force-pushed the skipper/inline-kube-health-2 branch from c736504 to d6efa24 Compare April 14, 2025 19:39
@ponimas ponimas force-pushed the skipper/inline-kube-health-disable-checks-at-routeserv branch from 5e38359 to 758162c Compare April 14, 2025 19:42
@ponimas ponimas mentioned this pull request Apr 14, 2025
Merged
@ponimas ponimas changed the title skipper-ingress: explicit healthcheck routes pt.2 skipper-ingress: disable automated healthcheck routes Apr 14, 2025
@ponimas ponimas force-pushed the skipper/inline-kube-health-2 branch from d6efa24 to 2c8324b Compare April 22, 2025 12:34
@ponimas ponimas force-pushed the skipper/inline-kube-health-disable-checks-at-routeserv branch from 758162c to 97ab99a Compare April 22, 2025 12:35
@ponimas ponimas marked this pull request as ready for review April 22, 2025 12:40
@ponimas ponimas force-pushed the skipper/inline-kube-health-2 branch from 2c8324b to 362d805 Compare April 23, 2025 08:56
@ponimas ponimas force-pushed the skipper/inline-kube-health-disable-checks-at-routeserv branch from 97ab99a to d7df0bb Compare April 23, 2025 08:56
@ponimas ponimas force-pushed the skipper/inline-kube-health-2 branch 3 times, most recently from 1484a5e to be20c54 Compare April 25, 2025 09:05
@ponimas ponimas force-pushed the skipper/inline-kube-health-disable-checks-at-routeserv branch from d7df0bb to 1f2aad7 Compare April 25, 2025 09:07
Base automatically changed from skipper/inline-kube-health-2 to dev April 25, 2025 13:01
@ponimas ponimas force-pushed the skipper/inline-kube-health-disable-checks-at-routeserv branch from 1f2aad7 to 84f7a84 Compare April 25, 2025 14:17
@AlexanderYastrebov AlexanderYastrebov mentioned this pull request Apr 28, 2025
Closed
AlexanderYastrebov
AlexanderYastrebov reviewed Apr 28, 2025
View reviewed changes
@ponimas ponimas force-pushed the skipper/inline-kube-health-disable-checks-at-routeserv branch 2 times, most recently from 2f2fd1d to 89d9fa9 Compare May 6, 2025 12:40
@AlexanderYastrebov
Copy link
Member

We want to avoid adding default filters to healthcheck routes

With routesrv disabled Skipper will add default filters to healthcheck routes.
Lets hold on and think about how to make this safe.

ponimas added 3 commits May 12, 2025 13:42
@ponimas
skipper-ingress: disable automated healthcheck routes at routesrv
ca4c3a4 
Skipper provides two flags to control kubernetes healthcheck routes:
`-kubernetes-healthcheck` (true by default) that enables automatic healthcheck routes
and `-reverse-source-predicate` to select source predicate type.

Currently when routesrv is enabled (default state) it adds
automatic healthcheck routes and appends default filters to
all routes including healthcheck routes.

We want  to avoid adding default filters to healthcheck routes. The explicit inlined checks were created in #9206
This change disables automatic healthcheck routes provided by routesrv.

This reverts commit d6efa24.

Signed-off-by: Aleksandr Ponimaskin <[email protected]>
@ponimas
refactor: Remove IPv6 healthcheck CIDR whitelist config
75bf556 
Remove the conditional configuration for IPv6 healthcheck CIDR
whitelisting for routeserv in the skipper deployment manifest. This
option is no longer necessary as the healthchecks are moved to the
skipper-ingress level.

Signed-off-by: Aleksandr Ponimaskin <[email protected]>
@ponimas
Add IAM annotation to healthcheck routes
f2e588c 
We need to exclude healthcheck routes from the authentication even
cases when the routeserv is disabled to keep the backwards compartibility.
@ponimas ponimas force-pushed the skipper/inline-kube-health-disable-checks-at-routeserv branch from 89d9fa9 to f2e588c Compare May 12, 2025 11:42
AlexanderYastrebov
AlexanderYastrebov reviewed May 12, 2025
View reviewed changes
@AlexanderYastrebov
Copy link
Member

👍

1 similar comment
@ponimas
Copy link
Collaborator Author

ponimas commented May 12, 2025

👍

@AlexanderYastrebov AlexanderYastrebov merged commit 668a0d8 into dev May 13, 2025
15 checks passed
@AlexanderYastrebov AlexanderYastrebov deleted the skipper/inline-kube-health-disable-checks-at-routeserv branch May 13, 2025 08:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@AlexanderYastrebov AlexanderYastrebov AlexanderYastrebov left review comments

Assignees
No one assigned
Labels
do-not-merge major Major feature changes or updates, e.g. feature rollout to a new country, new API calls.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@ponimas @AlexanderYastrebov