From 4c4013904a2a4f5c42245db3fbf0515ec1be33d7 Mon Sep 17 00:00:00 2001 From: Maksim Nabokikh Date: Thu, 26 Aug 2021 16:13:23 +0400 Subject: [PATCH] Add a flag to specify address to bind the healthz server (#7541) * Add a flag to specify address to bind the healthz server Signed-off-by: m.nabokikh * Add healthz host to the helm chart Signed-off-by: m.nabokikh * Apply suggestions from code review Co-authored-by: Ricardo Katz Co-authored-by: Ricardo Katz --- charts/ingress-nginx/templates/controller-daemonset.yaml | 3 +++ charts/ingress-nginx/templates/controller-deployment.yaml | 3 +++ charts/ingress-nginx/values.yaml | 5 +++++ cmd/nginx/flags.go | 2 ++ cmd/nginx/main.go | 6 +++--- docs/user-guide/cli-arguments.md | 1 + internal/ingress/controller/controller.go | 3 ++- 7 files changed, 19 insertions(+), 4 deletions(-) diff --git a/charts/ingress-nginx/templates/controller-daemonset.yaml b/charts/ingress-nginx/templates/controller-daemonset.yaml index 34986e568..2e6b32170 100644 --- a/charts/ingress-nginx/templates/controller-daemonset.yaml +++ b/charts/ingress-nginx/templates/controller-daemonset.yaml @@ -111,6 +111,9 @@ spec: {{- if not (eq .Values.controller.healthCheckPath "/healthz") }} - --health-check-path={{ .Values.controller.healthCheckPath }} {{- end }} + {{- if .Values.controller.healthCheckHost }} + - --healthz-host={{ .Values.controller.healthCheckHost }} + {{- end }} {{- if .Values.controller.watchIngressWithoutClass }} - --watch-ingress-without-class=true {{- end }} diff --git a/charts/ingress-nginx/templates/controller-deployment.yaml b/charts/ingress-nginx/templates/controller-deployment.yaml index f17975de3..681955f6f 100644 --- a/charts/ingress-nginx/templates/controller-deployment.yaml +++ b/charts/ingress-nginx/templates/controller-deployment.yaml 
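Review bot: The added `--healthz-host` argument in this daemonset hunk (and the identical block in the controller-deployment.yaml hunk) moves the listener without any visible change to where the kubelet probes. The liveness/readiness probe definitions lie outside both hunks, so this is inferred: if they are plain `httpGet` probes with no `host`, they target the pod IP, and a value such as a loopback address would presumably make every probe fail. I would add a template comment above the block, `{{- /* healthCheckHost must be an address the liveness/readiness probes can reach */}}`, or document the same constraint next to the value. The two templates also insert the block at different positions relative to `--health-check-path`; keeping the order identical makes the files easier to compare.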
@@ -109,6 +109,9 @@ spec: {{- if .Values.controller.maxmindLicenseKey }} - --maxmind-license-key={{ .Values.controller.maxmindLicenseKey }} {{- end }} + {{- if .Values.controller.healthCheckHost }} + - --healthz-host={{ .Values.controller.healthCheckHost }} + {{- end }} {{- if not (eq .Values.controller.healthCheckPath "/healthz") }} - --health-check-path={{ .Values.controller.healthCheckPath }} {{- end }} diff --git a/charts/ingress-nginx/values.yaml b/charts/ingress-nginx/values.yaml index e64e4ca2f..8ef8ea8e7 100644 --- a/charts/ingress-nginx/values.yaml +++ b/charts/ingress-nginx/values.yaml @@ -311,6 +311,11 @@ controller: # the healthz-port parameter are forwarded internally to this path. healthCheckPath: "/healthz" + # Address to bind the health check endpoint. + # It is better to set this option to the internal node address + # if the ingress nginx controller is running in the hostNetwork: true mode. + healthCheckHost: "" + ## Annotations to be added to controller pods ## podAnnotations: {} diff --git a/cmd/nginx/flags.go b/cmd/nginx/flags.go index aabade07e..7e6db6533 100644 --- a/cmd/nginx/flags.go +++ b/cmd/nginx/flags.go @@ -162,6 +162,7 @@ Requires the update-status parameter.`) sslProxyPort = flags.Int("ssl-passthrough-proxy-port", 442, `Port to use internally for SSL Passthrough.`) defServerPort = flags.Int("default-server-port", 8181, `Port to use for exposing the default server (catch-all).`) healthzPort = flags.Int("healthz-port", 10254, "Port to use for the healthz endpoint.") + healthzHost = flags.String("healthz-host", "", "Address to bind the healthz endpoint.") disableCatchAll = flags.Bool("disable-catch-all", false, `Disable support for catch-all Ingresses`) 
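Review bot: The new comment on `healthCheckHost` in values.yaml does not say what the empty default means; the same gap is in the `healthz-host` help string in flags.go and in the row added to cli-arguments.md. With `""` the address built in `startHTTPServer` has no host part, so the server listens on every interface, and under `hostNetwork: true` that means every address of the node. The mux handed to that server also receives `registerMetrics(reg, mux)` in main.go, so the setting governs the metrics endpoint as well as the health check. Suggested extra comment line: `# Empty (default) binds all interfaces. The same listener also serves the metrics endpoint.`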
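Review bot: The `healthz-host` value defined in this flags.go hunk is never validated, so a mistyped address would only surface when the listener fails to start in the goroutine launched from main(). The parsing function's body and return values are outside the hunk, so the exact error path is not visible; a check next to the other flag validation, for example `if *healthzHost != "" && net.ParseIP(*healthzHost) == nil`, would reject a bad address before the controller starts (assuming `net` is available in flags.go). If host names are meant to be accepted as well, say so in the help text and skip the ParseIP requirement.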
@@ -286,6 +287,7 @@ https://blog.maxmind.com/2019/12/18/significant-changes-to-accessing-and-using-g ShutdownGracePeriod: *shutdownGracePeriod, UseNodeInternalIP: *useNodeInternalIP, SyncRateLimit: *syncRateLimit, + HealthCheckHost: *healthzHost, ListenPorts: &ngx_config.ListenPorts{ Default: *defServerPort, Health: *healthzPort, diff --git a/cmd/nginx/main.go b/cmd/nginx/main.go index b21e1012e..cd98effb0 100644 --- a/cmd/nginx/main.go +++ b/cmd/nginx/main.go @@ -150,7 +150,7 @@ func main() { registerHealthz(nginx.HealthPath, ngx, mux) registerMetrics(reg, mux) - go startHTTPServer(conf.ListenPorts.Health, mux) + go startHTTPServer(conf.HealthCheckHost, conf.ListenPorts.Health, mux) go ngx.Start() handleSigterm(ngx, func(code int) { @@ -324,9 +324,9 @@ func registerProfiler() { klog.Fatal(server.ListenAndServe()) } -func startHTTPServer(port int, mux *http.ServeMux) { +func startHTTPServer(host string, port int, mux *http.ServeMux) { server := &http.Server{ - Addr: fmt.Sprintf(":%v", port), + Addr: fmt.Sprintf("%s:%v", host, port), Handler: mux, ReadTimeout: 10 * time.Second, ReadHeaderTimeout: 10 * time.Second, diff --git a/docs/user-guide/cli-arguments.md b/docs/user-guide/cli-arguments.md index d51c75994..9c9ce0a9b 100644 --- a/docs/user-guide/cli-arguments.md +++ b/docs/user-guide/cli-arguments.md 
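Review bot: Building `Addr` with `fmt.Sprintf("%s:%v", host, port)` in startHTTPServer breaks for IPv6 literals, which must be bracketed in a host:port string; a value like `::1` (constructed example) yields an address the listener cannot parse. `net.JoinHostPort` adds the brackets when needed and still produces `:PORT` for an empty host: `Addr: net.JoinHostPort(host, strconv.Itoa(port)),`. This needs `net` and `strconv` in main.go's imports, which are not visible here, and the function body continues past the end of the hunk.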
@@ -23,6 +23,7 @@ They are set in the container spec of the `nginx-ingress-controller` Deployment | `--health-check-path` | URL path of the health check endpoint. Configured inside the NGINX status server. All requests received on the port defined by the healthz-port parameter are forwarded internally to this path. (default "/healthz") | | `--health-check-timeout` | Time limit, in seconds, for a probe to health-check-path to succeed. (default 10) | | `--healthz-port` | Port to use for the healthz endpoint. (default 10254) | +| `--healthz-host` | Address to bind the healthz endpoint. | | `--http-port` | Port to use for servicing HTTP traffic. (default 80) | | `--https-port` | Port to use for servicing HTTPS traffic. (default 443) | | `--ingress-class` | Name of the ingress class this controller satisfies. The class of an Ingress object is set using the field IngressClassName in Kubernetes clusters version v1.18.0 or higher or the annotation "kubernetes.io/ingress.class" (deprecated). If this parameter is not set, or set to the default value of "nginx", it will handle ingresses with either an empty or "nginx" class name. | diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index e7b53b770..72a1afa63 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -83,7 +83,8 @@ type Configuration struct { ElectionID string UpdateStatusOnShutdown bool - ListenPorts *ngx_config.ListenPorts + HealthCheckHost string + ListenPorts *ngx_config.ListenPorts DisableServiceExternalName bool