-
Notifications
You must be signed in to change notification settings - Fork 150
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Actuator Health Endpoint returns 503 when app is working but Spring Cloud Vault points to standby #112
Comments
Thanks for the ticket. From your report, I read that you're using Vault HA with direct server communication (no load balancer in between). I'm not sure adding cluster-awareness right now is a good path to follow. True cluster-awareness would mean that cluster state reflects down to the client so the endpoint gets updated and sends requests to the active host. I created spring-projects/spring-vault#98 to track Vault cluster efforts. The |
@mp911de thanks for the tip. I'll definitely try a custom |
Maybe there is even a less-invasive change possible for now (until we get to cluster support). Starting with Vault 0.6.2, a standby node isn't an issue anymore. The health response gives us all required details to decide whether we're communicating with an instance that forwards requests or not. The health check could adapt to the version: Responses without a Version number are pre-0.6.1, Version number starting with Does this make sense? |
Prior to 0.6.2, Vault's default behavior was to return a redirect to the leader for any operations sent to a standby node (except for some or maybe all of the Assuming the underlying client library is set to automatically follow redirects (which I believe is the default behavior in both OkHttp and HttpClient), I'm not sure it would have been an issue on older Vault releases either. Also, in 0.6.2 onwards you can configure Vault to use the older redirect behavior. Though I can't imagine why someone would want to do this, it would probably be difficult for a client to know ahead of time which is the case. In any case, it doesn't really matter - if the underlying http library follows redirects, then requests sent to a standby node should still succeed from an application perspective. |
I'm inclined to change standby state to /cc @singram |
Changed Vault standby node health check result to |
I met the same issue, implementing custom health check, the app working fine, but return 503 on endpoint /actuator/health. Did you find the solution? |
Is this still an issue after upgrading? If so, please file a new ticket. |
Starting in version 0.6.2, requests to a standby Vault server are automatically forwarded to the active member, and thus complete successfully (except apparently for requests to the system backend).
However,
VaultHealthIndicator
will reportOUT_OF_SERVICE
in such a scenario, meaning if you are using Spring Boot Actuator endpoints to provide status information (for example, using/management/health
for a status check in a load balancer), the actuator endpoint will report an HTTP 503 status even though the application is successfully communicating with Vault and able to service requests.A fallback approach could query the
/sys/leader
endpoint and, ifha_enabled: true
is returned in the response payload, fire a subsequent request to theleader_address
to check the healthThe text was updated successfully, but these errors were encountered: