Add a flag to specify address to bind the healthz server (#7541)

* Add a flag to specify address to bind the healthz server Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> * Add healthz host to the helm chart Signed-off-by: m.nabokikh <maksim.nabokikh@flant.com> * Apply suggestions from code review Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com> Co-authored-by: Ricardo Katz <rikatz@users.noreply.github.com>
2021-08-26 16:13:23 +04:00 · 2021-08-26 16:13:23 +04:00 · 4c4013904a
commit 4c4013904a
parent 66c2a716da
7 changed files with 19 additions and 4 deletions
--- a/charts/ingress-nginx/templates/controller-daemonset.yaml
+++ b/charts/ingress-nginx/templates/controller-daemonset.yaml
@ -111,6 +111,9 @@ spec:
          {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
            - --health-check-path={{ .Values.controller.healthCheckPath }}
          {{- end }}
+          {{- if .Values.controller.healthCheckHost }}
+            - --healthz-host={{ .Values.controller.healthCheckHost }}
+          {{- end }}
          {{- if .Values.controller.watchIngressWithoutClass }}
            - --watch-ingress-without-class=true
          {{- end }}
--- a/charts/ingress-nginx/templates/controller-deployment.yaml
+++ b/charts/ingress-nginx/templates/controller-deployment.yaml
@ -109,6 +109,9 @@ spec:
          {{- if .Values.controller.maxmindLicenseKey }}
            - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }}
          {{- end }}
+          {{- if .Values.controller.healthCheckHost }}
+            - --healthz-host={{ .Values.controller.healthCheckHost }}
+          {{- end }}
          {{- if not (eq .Values.controller.healthCheckPath "/healthz") }}
            - --health-check-path={{ .Values.controller.healthCheckPath }}
          {{- end }}
--- a/charts/ingress-nginx/values.yaml
+++ b/charts/ingress-nginx/values.yaml
@ -311,6 +311,11 @@ controller:
  # the healthz-port parameter are forwarded internally to this path.
  healthCheckPath: "/healthz"

+  # Address to bind the health check endpoint.
+  # It is better to set this option to the internal node address
+  # if the ingress nginx controller is running in the hostNetwork: true mode.
+  healthCheckHost: ""
+
  ## Annotations to be added to controller pods
  ##
  podAnnotations: {}
--- a/cmd/nginx/flags.go
+++ b/cmd/nginx/flags.go
@ -162,6 +162,7 @@ Requires the update-status parameter.`)
 		sslProxyPort  = flags.Int("ssl-passthrough-proxy-port", 442, `Port to use internally for SSL Passthrough.`)
 		defServerPort = flags.Int("default-server-port", 8181, `Port to use for exposing the default server (catch-all).`)
 		healthzPort   = flags.Int("healthz-port", 10254, "Port to use for the healthz endpoint.")
+		healthzHost   = flags.String("healthz-host", "", "Address to bind the healthz endpoint.")

 		disableCatchAll = flags.Bool("disable-catch-all", false,
 			`Disable support for catch-all Ingresses`)
@ -286,6 +287,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g
 		ShutdownGracePeriod:        *shutdownGracePeriod,
 		UseNodeInternalIP:          *useNodeInternalIP,
 		SyncRateLimit:              *syncRateLimit,
+		HealthCheckHost:            *healthzHost,
 		ListenPorts: &ngx_config.ListenPorts{
 			Default:  *defServerPort,
 			Health:   *healthzPort,
--- a/cmd/nginx/main.go
+++ b/cmd/nginx/main.go
@ -150,7 +150,7 @@ func main() {
 	registerHealthz(nginx.HealthPath, ngx, mux)
 	registerMetrics(reg, mux)

-	go startHTTPServer(conf.ListenPorts.Health, mux)
+	go startHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux)
 	go ngx.Start()

 	handleSigterm(ngx, func(code int) {
@ -324,9 +324,9 @@ func registerProfiler() {
 	klog.Fatal(server.ListenAndServe())
 }

-func startHTTPServer(port int, mux *http.ServeMux) {
+func startHTTPServer(host string, port int, mux *http.ServeMux) {
 	server := &http.Server{
-		Addr:              fmt.Sprintf(":%v", port),
+		Addr:              fmt.Sprintf("%s:%v", host, port),
 		Handler:           mux,
 		ReadTimeout:       10 * time.Second,
 		ReadHeaderTimeout: 10 * time.Second,
--- a/docs/user-guide/cli-arguments.md
+++ b/docs/user-guide/cli-arguments.md
@ -23,6 +23,7 @@ They are set in the container spec of the `nginx-ingress-controller` Deployment
 | `--health-check-path`              | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") |
 | `--health-check-timeout`           | Time limit, in seconds, for a probe to health-check-path to succeed. (default 10) |
 | `--healthz-port`                   | Port to use for the healthz endpoint. (default 10254) |
+| `--healthz-host`                   | Address to bind the healthz endpoint. |
 | `--http-port`                      | Port to use for servicing HTTP traffic. (default 80) |
 | `--https-port`                     | Port to use for servicing HTTPS traffic. (default 443) |
 | `--ingress-class`                  | Name of the ingress class this controller satisfies. The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.18.0 or higher or the annotation "kubernetes.io/ingress.class" (deprecated). If this parameter is not set, or set to the default value of "nginx", it will handle ingresses with either an empty or "nginx" class name. |
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@ -83,7 +83,8 @@ type Configuration struct {
 	ElectionID             string
 	UpdateStatusOnShutdown bool

-	ListenPorts *ngx_config.ListenPorts
+	HealthCheckHost string
+	ListenPorts     *ngx_config.ListenPorts

 	DisableServiceExternalName bool