Feature Request: add health checks to oidc-discovery-provider

[chdalski]

Currently the oidc-discovery-provider has no purposive health check endpoints.

It would be nice if the oidc-discovery-provider would get similar configurable endpoints as the server/agent, which currently are:

health_checks {
        listener_enabled = true
        bind_address = "localhost"
        bind_port = "8080"
        live_path = "/live"
        ready_path = "/ready"
}

See: https://github.com/spiffe/spire/blob/main/doc/spire_server.md#health-check-configuration

• Version: 1.3.0
• Platform: k8s
• Subsystem: oidc-discovery-provider

[azdagron]

I think this is very reasonable. Happy to discuss a design here.

[chdalski]

@azdagron From my understanding so far the oidc-discovery-provider is, contrary to the spire server/agent, a single web-service process.
So for "ready" I would expect something as simple as http 200 if the service is up and running.
For the "live" part my understanding would be that the web-service can successfully access the workload api, meaning that /keys and /.well-known/openid-configuration endpoints are served, while it's not an assurance that the configuration is correct at all.

Would that be sufficient?

[azdagron]

That sounds good to me. As far as the configuration shape, SPIREs configuration shape here has some historic choices that we can probably avoid until necessary. I think to start out we could probably elide listener_enabled and bind_address. The former can be assumed if the health_checks section is present at all, and the latter should probably always be localhost unless there is a compelling reason to expose the health endpoint off-box.

I think the other configuration keys could have reasonable defaults as well, so at a minimum, to enable health checks, all you'd have to do is add the following:

health_checks {}