feat: add support for HTTP Probes

- Add HTTPProbeSpec to ProbeSpecSpec (URL + timeout)
- Implement probeHTTP() to send GET requests, treat 2xx/3xx as success
- Support machine proxy config via httpdefaults.PatchTransport
- Add HTTPProbeConfig v1alpha1 document and controller integration
- Add unit and integration tests for HTTP probe lifecycle

Signed-off-by: Pranav Patil <pranavppatil767@gmail.com>
Co-authored-by: Pranav Patil <pranavppatil767@gmail.com>
Signed-off-by: Mateusz Urbanek <mateusz.urbanek@siderolabs.com>

Author: shanduur

api/resource/definitions/network/network.proto

@@ -237,6 +237,14 @@ message EthernetStatusSpec {
   repeated talos.resource.definitions.enums.NethelpersWOLMode wake_on_lan = 10;
 }
 
+// HTTPProbeSpec describes the HTTP Probe.
+message HTTPProbeSpec {
+  // URL to probe: http:// or https:// URL.
+  common.URL url = 1;
+  // Timeout for the probe.
+  google.protobuf.Duration timeout = 2;
+}
+
 // HardwareAddrSpec describes spec for the link.
 message HardwareAddrSpec {
   // Name defines link name
@@ -502,10 +510,12 @@ message ProbeSpecSpec {
   google.protobuf.Duration interval = 1;
   // FailureThreshold is the number of consecutive failures for the probe to be considered failed after having succeeded.
   int64 failure_threshold = 2;
-  // One of the probe types should be specified, for now it's only TCP.
+  // TCP is the TCP probe spec. One of TCP or HTTP must be specified.
   TCPProbeSpec tcp = 3;
   // Configuration layer.
   talos.resource.definitions.enums.NetworkConfigLayer config_layer = 4;
+  // HTTP is the HTTP probe spec. One of TCP or HTTP must be specified.
+  HTTPProbeSpec http = 5;
 }
 
 // ProbeStatusSpec describes the Probe.

hack/release.toml

@@ -51,6 +51,13 @@ The default installer image has been updated to use the Image Factory.
         title = "Host DNS Configuration"
         description = """\
 HostDNS configuration was moved from the v1alpha1 config `.machine.features.hostDNS` field to the new `hostDNS` in the `ResolverConfig` document.
+"""
+
+    [notes.httpProbe]
+        title = "HTTP Probe Support"
+        description = """\
+Talos now supports HTTP network probes, allowing for monitoring of HTTP endpoints.
+HTTP responses with status 200-399 are considered successful, while connection and transport errors are treated as failures.
 """
 
 [make_deps]

internal/app/machined/pkg/controllers/network/internal/probe/probe.go

@@ -9,13 +9,16 @@ import (
 	"context"
 	"errors"
 	"net"
+	"net/http"
 	"sync"
 	"syscall"
 	"time"
 
+	"github.com/hashicorp/go-cleanhttp"
 	"github.com/siderolabs/gen/channel"
 	"go.uber.org/zap"
 
+	"github.com/siderolabs/talos/pkg/httpdefaults"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )
 
@@ -121,11 +124,11 @@ func (runner *Runner) run(ctx context.Context, notifyCh chan<- Notification, log
 
 // probe runs a probe.
 func (runner *Runner) probe(ctx context.Context) error {
-	var zeroTCP network.TCPProbeSpec
-
 	switch {
-	case runner.Spec.TCP != zeroTCP:
+	case runner.Spec.TCP != (network.TCPProbeSpec{}):
 		return runner.probeTCP(ctx)
+	case runner.Spec.HTTP != (network.HTTPProbeSpec{}):
+		return runner.probeHTTP(ctx)
 	default:
 		return errors.New("no probe type specified")
 	}
@@ -152,3 +155,36 @@ func (runner *Runner) probeTCP(ctx context.Context) error {
 
 	return conn.Close()
 }
+
+// probeHTTP runs an HTTP probe.
+//
+// HTTP responses with status 200-399 are considered success.
+// Status 400+ and connection/transport errors are treated as failures.
+// The client honors the machine's proxy configuration via httpdefaults.PatchTransport.
+func (runner *Runner) probeHTTP(ctx context.Context) error {
+	client := &http.Client{
+		Transport: httpdefaults.PatchTransport(cleanhttp.DefaultTransport()),
+		CheckRedirect: func(*http.Request, []*http.Request) error {
+			return http.ErrUseLastResponse
+		},
+	}
+
+	ctx, cancel := context.WithTimeout(ctx, runner.Spec.HTTP.Timeout)
+	defer cancel()
+
+	req, err := http.NewRequestWithContext(ctx, http.MethodGet, runner.Spec.HTTP.URL.String(), nil)
+	if err != nil {
+		return err
+	}
+
+	resp, err := client.Do(req)
+	if err != nil {
+		return err
+	}
+
+	if resp.StatusCode < http.StatusOK || resp.StatusCode >= http.StatusBadRequest {
+		return errors.New("received non-success status code: " + resp.Status)
+	}
+
+	return resp.Body.Close()
+}

internal/app/machined/pkg/controllers/network/internal/probe/probe_test.go

@@ -9,6 +9,7 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
+	"sync/atomic"
 	"testing"
 	"testing/synctest"
 	"time"
@@ -21,6 +22,18 @@ import (
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
 )
 
+type swapHandler struct {
+	v atomic.Value // stores http.Handler
+}
+
+func (h *swapHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
+	h.v.Load().(http.Handler).ServeHTTP(w, r)
+}
+
+func (h *swapHandler) Swap(newHandler http.Handler) {
+	h.v.Store(newHandler)
+}
+
 func TestProbeHTTP(t *testing.T) {
 	server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		w.WriteHeader(http.StatusOK)
@@ -151,3 +164,75 @@ func TestProbeConsecutiveFailures(t *testing.T) {
 		assert.False(t, notify.Status.Success)
 	})
 }
+
+func TestProbeHTTPProbe(t *testing.T) {
+	// Server returns 200 OK.
+	handler := &swapHandler{}
+	handler.Swap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusOK)
+	}))
+
+	server := httptest.NewServer(handler)
+	t.Cleanup(server.Close)
+
+	probeURL, err := url.Parse(server.URL)
+	require.NoError(t, err)
+
+	p := probe.Runner{
+		ID: "http-test",
+		Spec: network.ProbeSpecSpec{
+			Interval: 10 * time.Millisecond,
+			HTTP: network.HTTPProbeSpec{
+				URL:     probeURL,
+				Timeout: time.Second,
+			},
+		},
+	}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	t.Cleanup(cancel)
+
+	notifyCh := make(chan probe.Notification)
+
+	p.Start(ctx, notifyCh, zaptest.NewLogger(t))
+	t.Cleanup(p.Stop)
+
+	// probe should succeed — 2xx/3xx responses count as success
+	for range 3 {
+		assert.Equal(t, probe.Notification{
+			ID: "http-test",
+			Status: network.ProbeStatusSpec{
+				Success: true,
+			},
+		}, <-notifyCh)
+	}
+
+	// 4xx/5xx responses count as failure
+	handler.Swap(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.WriteHeader(http.StatusServiceUnavailable)
+	}))
+
+	for range 3 {
+		notification := <-notifyCh
+		assert.Equal(t, "http-test", notification.ID)
+		assert.False(t, notification.Status.Success)
+		assert.NotEmpty(t, notification.Status.LastError)
+	}
+
+	// stop the server — now the probe should fail
+	server.Close()
+
+	for {
+		notification := <-notifyCh
+
+		if notification.Status.Success {
+			continue
+		}
+
+		assert.Equal(t, "http-test", notification.ID)
+		assert.False(t, notification.Status.Success)
+		assert.NotEmpty(t, notification.Status.LastError)
+
+		break
+	}
+}

internal/app/machined/pkg/controllers/network/probe_config.go

@@ -131,6 +131,11 @@ func (ctrl *ProbeConfigController) parseMachineConfiguration(cfg *config.Machine
 				Endpoint: probeConfig.Endpoint(),
 				Timeout:  probeConfig.Timeout(),
 			}
+		case configconfig.NetworkHTTPProbeConfig:
+			spec.HTTP = network.HTTPProbeSpec{
+				URL:     probeConfig.URL().URL,
+				Timeout: probeConfig.Timeout(),
+			}
 		default:
 			panic(fmt.Sprintf("unsupported probe config type: %T", probeConfig))
 		}

internal/app/machined/pkg/controllers/network/probe_config_test.go

@@ -5,16 +5,19 @@
 package network_test
 
 import (
+	"net/url"
 	"testing"
 	"time"
 
 	"github.com/cosi-project/runtime/pkg/resource/rtestutils"
+	"github.com/siderolabs/gen/ensure"
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/suite"
 
 	"github.com/siderolabs/talos/internal/app/machined/pkg/controllers/ctest"
 	netctrl "github.com/siderolabs/talos/internal/app/machined/pkg/controllers/network"
 	"github.com/siderolabs/talos/pkg/machinery/config/container"
+	"github.com/siderolabs/talos/pkg/machinery/config/types/meta"
 	networkcfg "github.com/siderolabs/talos/pkg/machinery/config/types/network"
 	"github.com/siderolabs/talos/pkg/machinery/resources/config"
 	"github.com/siderolabs/talos/pkg/machinery/resources/network"
@@ -29,7 +32,7 @@ func (suite *ProbeConfigSuite) TestNoConfig() {
 	ctest.AssertNoResource[*network.ProbeSpec](suite, "tcp:proxy.example.com:3128", rtestutils.WithNamespace(network.NamespaceName))
 }
 
-func (suite *ProbeConfigSuite) TestSingleProbe() {
+func (suite *ProbeConfigSuite) TestSingleProbe() { //nolint:dupl
 	probeConfig := networkcfg.NewTCPProbeConfigV1Alpha1("proxy-check")
 	probeConfig.ProbeInterval = time.Second
 	probeConfig.ProbeFailureThreshold = 3
@@ -132,6 +135,58 @@ func (suite *ProbeConfigSuite) TestMultipleProbes() {
 	ctest.AssertNoResource[*network.ProbeSpec](suite, "configuration/tcp:8.8.8.8:53", rtestutils.WithNamespace(network.ConfigNamespaceName))
 }
 
+func (suite *ProbeConfigSuite) TestHTTPProbe() { //nolint:dupl
+	probeConfig := networkcfg.NewHTTPProbeConfigV1Alpha1("http-check")
+	probeConfig.ProbeInterval = time.Second
+	probeConfig.ProbeFailureThreshold = 3
+	probeConfig.HTTPEndpoint = meta.URL{URL: ensure.Value(url.Parse("https://example.com"))}
+	probeConfig.HTTPTimeout = 10 * time.Second
+
+	ctr, err := container.New(probeConfig)
+	suite.Require().NoError(err)
+
+	cfg := config.NewMachineConfig(ctr)
+	suite.Create(cfg)
+
+	ctest.AssertResources(
+		suite,
+		[]string{
+			"configuration/http:https://example.com",
+		}, func(r *network.ProbeSpec, asrt *assert.Assertions) {
+			asrt.Equal(time.Second, r.TypedSpec().Interval)
+			asrt.Equal(3, r.TypedSpec().FailureThreshold)
+			asrt.Equal("https://example.com", r.TypedSpec().HTTP.URL.String())
+			asrt.Equal(10*time.Second, r.TypedSpec().HTTP.Timeout)
+			asrt.Equal(network.ConfigMachineConfiguration, r.TypedSpec().ConfigLayer)
+		},
+		rtestutils.WithNamespace(network.ConfigNamespaceName),
+	)
+
+	// Update the probe config
+	ctest.UpdateWithConflicts(suite, cfg, func(r *config.MachineConfig) error {
+		docs := r.Container().Documents()
+		probeDoc := docs[0].(*networkcfg.HTTPProbeConfigV1Alpha1)
+		probeDoc.ProbeFailureThreshold = 5
+
+		return nil
+	})
+
+	ctest.AssertResources(
+		suite,
+		[]string{
+			"configuration/http:https://example.com",
+		}, func(r *network.ProbeSpec, asrt *assert.Assertions) {
+			asrt.Equal(5, r.TypedSpec().FailureThreshold)
+		},
+		rtestutils.WithNamespace(network.ConfigNamespaceName),
+	)
+
+	// Remove the config
+	suite.Destroy(cfg)
+
+	ctest.AssertNoResource[*network.ProbeSpec](suite, "configuration/http:https://example.com", rtestutils.WithNamespace(network.ConfigNamespaceName))
+}
+
 func TestProbeConfigSuite(t *testing.T) {
 	t.Parallel()