helm: use /ready from Envoy admin iface for healthprobes on daemonset

With this commit, the Envoy DaemonSet uses the "/ready" from the Envoy admin interface for health probes (startup, live & ready). Therefore, an additional listener (default: 9878) gets added to Envoy. Reusage of prometheus listener is prevented to keep the things separated and provide the flexiblity which might be needed for prometheus. Signed-off-by: Marco Hofstetter <marco.hofstetter@isovalent.com>
cilium · May 12, 2023 · 859d2a9 · 859d2a9
1 parent 7ddd865
commit 859d2a9
Show file tree

Hide file tree

Showing 6 changed files with 75 additions and 19 deletions.
diff --git a/Documentation/helm-values.rst b/Documentation/helm-values.rst
diff --git a/install/kubernetes/cilium/README.md b/install/kubernetes/cilium/README.md
diff --git a/install/kubernetes/cilium/files/cilium-envoy/configmap/bootstrap-config.json b/install/kubernetes/cilium/files/cilium-envoy/configmap/bootstrap-config.json
@@ -58,8 +58,73 @@
             ]
           }
         ]
-      }
+      },
       {{- end }}
+      {
+        "name": "envoy-health-listener",
+        "address": {
+          "socket_address": {
+            "address": {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }},
+            "port_value": {{ .Values.envoy.healthPort }}
+          }
+        },
+        {{- if and .Values.ipv4.enabled .Values.ipv6.enabled }}
+        "additional_addresses": [
+          {
+            "address": {
+              "socket_address": {
+                "address": "::1",
+                "port_value": {{ .Values.envoy.healthPort }}
+              }
+            }
+          }
+        ],
+        {{- end }}
+        "filter_chains": [
+          {
+            "filters": [
+              {
+                "name": "envoy.filters.network.http_connection_manager",
+                "typed_config": {
+                  "@type": "type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager",
+                  "stat_prefix": "envoy-health-listener",
+                  "route_config": {
+                    "virtual_hosts": [
+                      {
+                        "name": "health",
+                        "domains": [
+                          "*"
+                        ],
+                        "routes": [
+                          {
+                            "name": "health",
+                            "match": {
+                              "prefix": "/healthz"
+                            },
+                            "route": {
+                              "cluster": "envoy-admin",
+                              "prefix_rewrite": "/ready"
+                            }
+                          }
+                        ]
+                      }
+                    ]
+                  },
+                  "http_filters": [
+                    {
+                      "name": "envoy.filters.http.router",
+                      "typed_config": {
+                        "@type": "type.googleapis.com/envoy.extensions.filters.http.router.v3.Router"
+                      }
+                    }
+                  ],
+                  "stream_idle_timeout": "0s"
+                }
+              }
+            ]
+          }
+        ]
+      }
     ],
     "clusters": [
       {

diff --git a/install/kubernetes/cilium/templates/cilium-envoy/daemonset.yaml b/install/kubernetes/cilium/templates/cilium-envoy/daemonset.yaml
@@ -73,26 +73,20 @@ spec:
         {{- if semverCompare ">=1.20-0" .Capabilities.KubeVersion.Version }}
         startupProbe:
           httpGet:
-            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+            host: "localhost"
             path: /healthz
             port: {{ .Values.envoy.healthPort }}
             scheme: HTTP
-            httpHeaders:
-            - name: "brief"
-              value: "true"
           failureThreshold: {{ .Values.envoy.startupProbe.failureThreshold }}
           periodSeconds: {{ .Values.envoy.startupProbe.periodSeconds }}
           successThreshold: 1
         {{- end }}
         livenessProbe:
           httpGet:
-            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+            host: "localhost"
             path: /healthz
             port: {{ .Values.envoy.healthPort }}
             scheme: HTTP
-            httpHeaders:
-            - name: "brief"
-              value: "true"
           {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
           # The initial delay for the liveness probe is intentionally large to
           # avoid an endless kill & restart cycle if in the event that the initial
@@ -107,13 +101,10 @@ spec:
           timeoutSeconds: 5
         readinessProbe:
           httpGet:
-            host: {{ .Values.ipv4.enabled | ternary "127.0.0.1" "::1" | quote }}
+            host: "localhost"
             path: /healthz
             port: {{ .Values.envoy.healthPort }}
             scheme: HTTP
-            httpHeaders:
-            - name: "brief"
-              value: "true"
           {{- if semverCompare "<1.20-0" .Capabilities.KubeVersion.Version }}
           initialDelaySeconds: 5
           {{- end }}

diff --git a/install/kubernetes/cilium/values.yaml b/install/kubernetes/cilium/values.yaml
diff --git a/install/kubernetes/cilium/values.yaml.tmpl b/install/kubernetes/cilium/values.yaml.tmpl
@@ -1775,7 +1775,7 @@ envoy:
   terminationGracePeriodSeconds: 1
 
   # -- TCP port for the health API.
-  healthPort: 9879
+  healthPort: 9878
 
   updateStrategy:
     type: RollingUpdate