health: Add flag to set HTTP port

cilium-health/launch/endpoint.go

@@ -10,6 +10,7 @@ import (
 	"os"
 	"os/exec"
 	"path/filepath"
+	"strconv"
 	"strings"
 	"time"
 
@@ -20,7 +21,6 @@ import (
 	"github.com/cilium/cilium/pkg/defaults"
 	"github.com/cilium/cilium/pkg/endpoint"
 	"github.com/cilium/cilium/pkg/endpoint/regeneration"
-	healthDefaults "github.com/cilium/cilium/pkg/health/defaults"
 	"github.com/cilium/cilium/pkg/health/probe"
 	"github.com/cilium/cilium/pkg/identity/cache"
 	ipamOption "github.com/cilium/cilium/pkg/ipam/option"
@@ -360,7 +360,7 @@ func LaunchAsEndpoint(baseCtx context.Context,
 	ep.UpdateLabels(ctx, labels.LabelHealth, nil, true)
 
 	// Initialize the health client to talk to this instance.
-	client := &Client{host: "http://" + net.JoinHostPort(healthIP.String(), fmt.Sprintf("%d", healthDefaults.HTTPPathPort))}
+	client := &Client{host: "http://" + net.JoinHostPort(healthIP.String(), strconv.Itoa(option.Config.ClusterHealthPort))}
 	metrics.SubprocessStart.WithLabelValues(ciliumHealth).Inc()
 
 	return client, nil

cilium-health/launch/launcher.go

@@ -48,6 +48,7 @@ func Launch() (*CiliumHealth, error) {
 		Debug:         option.Config.Opts.IsEnabled(option.Debug),
 		ProbeInterval: serverProbeInterval,
 		ProbeDeadline: serverProbeDeadline,
+		HTTPPathPort:  option.Config.ClusterHealthPort,
 	}
 
 	ch.server, err = server.NewServer(config)

cilium-health/responder/main.go

@@ -9,6 +9,7 @@ import (
 	"os"
 	"os/signal"
 
+	healthDefaults "github.com/cilium/cilium/pkg/health/defaults"
 	"github.com/cilium/cilium/pkg/health/probe/responder"
 	"github.com/cilium/cilium/pkg/pidfile"
 
@@ -31,7 +32,7 @@ func main() {
 		listen      int
 	)
 	flag.StringVar(&pidfilePath, "pidfile", "", "Write pid to the specified file")
-	flag.IntVar(&listen, "listen", 4240, "Port on which the responder listens")
+	flag.IntVar(&listen, "listen", healthDefaults.HTTPPathPort, "Port on which the responder listens")
 	flag.Parse()
 
 	// Shutdown gracefully to halt server and remove pidfile

daemon/cmd/daemon_main.go

@@ -208,6 +208,9 @@ func init() {
 	flags.Int(option.AgentHealthPort, defaults.AgentHealthPort, "TCP port for agent health status API")
 	option.BindEnv(option.AgentHealthPort)
 
+	flags.Int(option.ClusterHealthPort, defaults.ClusterHealthPort, "TCP port for cluster-wide network connectivity health API")
+	option.BindEnv(option.ClusterHealthPort)
+
 	flags.StringSlice(option.AgentLabels, []string{}, "Additional labels to identify this agent")
 	option.BindEnv(option.AgentLabels)
 

install/kubernetes/cilium/templates/cilium-configmap.yaml

@@ -138,6 +138,12 @@ data:
   # for cilium-health.
   agent-health-port: "{{ .Values.healthPort }}"
 {{- end }}
+
+{{- if hasKey .Values "clusterHealthPort" }}
+  # Set the TCP port for the agent health API. This port is used for cilium-health.
+  cluster-health-port: "{{ .Values.clusterHealthPort }}"
+{{- end }}
+
 {{- if hasKey .Values "policyEnforcementMode" }}
   # The agent can be put into the following three policy enforcement modes
   # default, always and never.

pkg/defaults/defaults.go

@@ -11,6 +11,9 @@ const (
 	// AgentHealthPort is the default value for option.AgentHealthPort
 	AgentHealthPort = 9876
 
+	// ClusterHealthPort is the default value for option.ClusterHealthPort
+	ClusterHealthPort = 4240
+
 	// GopsPortAgent is the default value for option.GopsPort in the agent
 	GopsPortAgent = 9890
 

pkg/health/defaults/defaults.go

@@ -15,14 +15,5 @@ const (
 	SockPathEnv = "CILIUM_HEALTH_SOCK"
 
 	// HTTPPathPort is used for probing base HTTP path connectivity
-	HTTPPathPort = 4240
-
-	// L7PathPort is used for probing L7 path connectivity
-	L7PathPort = 4241
-
-	// ServicePathPort is used for probing service redirect path connectivity
-	ServicePathPort = 4242
-
-	// ServiceL7PathPort is used for probing service redirect path connectivity with L7
-	ServiceL7PathPort = 4243
+	HTTPPathPort = daemon.ClusterHealthPort
 )

pkg/health/server/prober.go

@@ -11,7 +11,6 @@ import (
 
 	"github.com/cilium/cilium/api/v1/health/models"
 	ciliumModels "github.com/cilium/cilium/api/v1/models"
-	"github.com/cilium/cilium/pkg/health/defaults"
 	"github.com/cilium/cilium/pkg/health/probe"
 	"github.com/cilium/cilium/pkg/lock"
 	"github.com/cilium/cilium/pkg/logging/logfields"
@@ -204,15 +203,17 @@ func (p *prober) setNodes(added nodeMap, removed nodeMap) {
 	}
 }
 
-func (p *prober) httpProbe(node string, ip string, port int) *models.ConnectivityStatus {
+const httpPathDescription = "Via L3"
+
+func (p *prober) httpProbe(node string, ip string) *models.ConnectivityStatus {
 	result := &models.ConnectivityStatus{}
 
-	host := "http://" + net.JoinHostPort(ip, strconv.Itoa(port))
+	host := "http://" + net.JoinHostPort(ip, strconv.Itoa(p.server.Config.HTTPPathPort))
 	scopedLog := log.WithFields(logrus.Fields{
 		logfields.NodeName: node,
 		logfields.IPAddr:   ip,
 		"host":             host,
-		"path":             PortToPaths[port],
+		"path":             httpPathDescription,
 	})
 
 	scopedLog.Debug("Greeting host")
@@ -268,23 +269,17 @@ func (p *prober) runHTTPProbe() {
 				logfields.IPAddr:   ip.String(),
 			})
 
-			status := &models.PathStatus{}
-			ports := map[int]**models.ConnectivityStatus{
-				defaults.HTTPPathPort: &status.HTTP,
-			}
-			for port, result := range ports {
-				*result = p.httpProbe(name, ip.String(), port)
-				if status.HTTP.Status != "" {
-					scopedLog.WithFields(logrus.Fields{
-						logfields.Port: port,
-					}).Debugf("Failed to probe: %s", status.HTTP.Status)
-				}
+			resp := p.httpProbe(name, ip.String())
+			if resp.Status != "" {
+				scopedLog.WithFields(logrus.Fields{
+					logfields.Port: p.server.Config.HTTPPathPort,
+				}).Debugf("Failed to probe: %s", resp.Status)
 			}
 
 			peer := ipString(ip.String())
 			p.Lock()
 			if _, ok := p.results[peer]; ok {
-				p.results[peer].HTTP = status.HTTP
+				p.results[peer].HTTP = resp
 			} else {
 				// While we weren't holding the lock, the
 				// pinger's OnIdle() callback fired and updated

pkg/health/server/server.go

@@ -24,12 +24,6 @@ import (
 
 var (
 	log = logging.DefaultLogger.WithField(logfields.LogSubsys, "health-server")
-
-	// PortToPaths is a convenience map for access to the ports and their
-	// common string representations
-	PortToPaths = map[int]string{
-		defaults.HTTPPathPort: "Via L3",
-	}
 )
 
 // Config stores the configuration data for a cilium-health server.
@@ -38,6 +32,7 @@ type Config struct {
 	CiliumURI     string
 	ProbeInterval time.Duration
 	ProbeDeadline time.Duration
+	HTTPPathPort  int
 }
 
 // ipString is an IP address used as a more descriptive type name in maps.
@@ -58,8 +53,8 @@ type Server struct {
 	// a diff of the nodes added and removed based on this clientID.
 	clientID int64
 
-	tcpServers []*responder.Server // Servers for external pings
-	startTime  time.Time
+	httpPathServer *responder.Server // HTTP server for external pings
+	startTime      time.Time
 
 	// The lock protects against read and write access to the IP->Node map,
 	// the list of statuses as most recently seen, and the last time a
@@ -248,7 +243,7 @@ func (s *Server) runActiveServices() error {
 }
 
 // Serve spins up the following goroutines:
-// * TCP API Server: Responders to the health API "/hello" message, one per path
+// * HTTP API Server: Responder to the health API "/hello" message
 // * Prober: Periodically run pings across the cluster at a configured interval
 //   and update the server's connectivity status cache.
 // * Unix API Server: Handle all health API requests over a unix socket.
@@ -257,12 +252,9 @@ func (s *Server) runActiveServices() error {
 func (s *Server) Serve() (err error) {
 	errors := make(chan error)
 
-	for i := range s.tcpServers {
-		srv := s.tcpServers[i]
-		go func() {
-			errors <- srv.Serve()
-		}()
-	}
+	go func() {
+		errors <- s.httpPathServer.Serve()
+	}()
 
 	go func() {
 		errors <- s.runActiveServices()
@@ -275,9 +267,7 @@ func (s *Server) Serve() (err error) {
 
 // Shutdown server and clean up resources
 func (s *Server) Shutdown() {
-	for i := range s.tcpServers {
-		s.tcpServers[i].Shutdown()
-	}
+	s.httpPathServer.Shutdown()
 	s.Server.Shutdown()
 }
 
@@ -306,7 +296,6 @@ func NewServer(config Config) (*Server, error) {
 	server := &Server{
 		startTime:    time.Now(),
 		Config:       config,
-		tcpServers:   []*responder.Server{},
 		connectivity: &healthReport{},
 	}
 
@@ -323,10 +312,7 @@ func NewServer(config Config) (*Server, error) {
 	server.Client = cl
 	server.Server = *server.newServer(swaggerSpec)
 
-	for port := range PortToPaths {
-		srv := responder.NewServer(port)
-		server.tcpServers = append(server.tcpServers, srv)
-	}
+	server.httpPathServer = responder.NewServer(config.HTTPPathPort)
 
 	return server, nil
 }

pkg/option/config.go

@@ -42,9 +42,12 @@ var (
 )
 
 const (
-	// AgentHealthPort is the TCP port for the agent health status API.
+	// AgentHealthPort is the TCP port for agent health status API
 	AgentHealthPort = "agent-health-port"
 
+	// ClusterHealthPort is the TCP port for cluster-wide network connectivity health API
+	ClusterHealthPort = "cluster-health-port"
+
 	// AgentLabels are additional labels to identify this agent
 	AgentLabels = "agent-labels"
 
@@ -1209,9 +1212,12 @@ type DaemonConfig struct {
 	// Monitor contains the configuration for the node monitor.
 	Monitor *models.MonitorStatus
 
-	// AgentHealthPort is the TCP port for the agent health status API.
+	// AgentHealthPort is the TCP port for agent health status API
 	AgentHealthPort int
 
+	// ClusterHealthPort is the TCP port for cluster-wide network connectivity health API
+	ClusterHealthPort int
+
 	// AgentLabels contains additional labels to identify this agent in monitor events.
 	AgentLabels []string
 
@@ -2364,6 +2370,7 @@ func (c *DaemonConfig) Populate() {
 	var err error
 
 	c.AgentHealthPort = viper.GetInt(AgentHealthPort)
+	c.ClusterHealthPort = viper.GetInt(ClusterHealthPort)
 	c.AgentLabels = viper.GetStringSlice(AgentLabels)
 	c.AllowICMPFragNeeded = viper.GetBool(AllowICMPFragNeeded)
 	c.AllowLocalhost = viper.GetString(AllowLocalhost)