Skip to content

Commit

Permalink
improvement(neutronapi): Enhance readiness probe to verify SSL certif…
Browse files Browse the repository at this point in the history
…icate presence

- Updated the existing readiness probe in the Neutron API deployment to check for the presence of the internal.crt SSL certificate before marking the pod as ready.
- Applied the SSL certificate check to the HTTPD container as well, ensuring secure traffic handling.
- Improved the deployment reliability by ensuring that pods are only marked as ready when they have the necessary SSL certificates in place.
  • Loading branch information
son-vyas committed Aug 29, 2024
1 parent 7c5c6cf commit 95db72b
Showing 1 changed file with 21 additions and 15 deletions.
36 changes: 21 additions & 15 deletions pkg/neutronapi/deployment.go
Original file line number Diff line number Diff line change
Expand Up @@ -41,12 +41,12 @@ func Deployment(
labels map[string]string,
annotations map[string]string,
) (*appsv1.Deployment, error) {
// TODO(lucasagomes): Look into how to implement separated probes
// for the httpd and neutron-api containers. Right now the code uses
// the same liveness and readiness probes for both containers which
// only checks the port 9696 (NeutronPublicPort) which is the port
// that httpd is listening to. Ideally, we should also include a
// probe on port 9697 which is the port that neutron-api binds to
// TODO(lucasagomes): Look into how to implement separated probes
// for the httpd and neutron-api containers. Right now the code uses
// the same liveness and readiness probes for both containers which
// only checks the port 9696 (NeutronPublicPort) which is the port
// that httpd is listening to. Ideally, we should also include a
// probe on port 9697 which is the port that neutron-api binds to
livenessProbe := &corev1.Probe{
TimeoutSeconds: 30,
PeriodSeconds: 30,
Expand All @@ -56,8 +56,14 @@ func Deployment(
TimeoutSeconds: 30,
PeriodSeconds: 30,
InitialDelaySeconds: 5,
Exec: &corev1.ExecAction{
Command: []string{
"cat",
"/etc/pki/tls/certs/internal.crt",
},
},
}
args := []string{"-c", ServiceCommand}
args := []string{"-c", ServiceCommand}
httpdArgs := []string{"-DFOREGROUND"}

//
Expand All @@ -71,7 +77,7 @@ func Deployment(
Path: "/",
Port: intstr.IntOrString{Type: intstr.Int, IntVal: int32(NeutronPublicPort)},
}

// Use HTTPS if TLS is enabled
if instance.Spec.TLS.API.Enabled(service.EndpointPublic) {
livenessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
readinessProbe.HTTPGet.Scheme = corev1.URISchemeHTTPS
Expand All @@ -93,6 +99,7 @@ func Deployment(
httpdVolumeMounts = append(httpdVolumeMounts, instance.Spec.TLS.CreateVolumeMounts(nil)...)
}

// handle TLS certificates for HTTPD
for _, endpt := range []service.Endpoint{service.EndpointInternal, service.EndpointPublic} {
if instance.Spec.TLS.API.Enabled(endpt) {
var tlsEndptCfg tls.GenericService
Expand Down Expand Up @@ -134,8 +141,7 @@ func Deployment(
Selector: &metav1.LabelSelector{
MatchLabels: labels,
},
PodManagementPolicy: appsv1.ParallelPodManagement,
Replicas: instance.Spec.Replicas,
Replicas: instance.Spec.Replicas,
Template: corev1.PodTemplateSpec{
ObjectMeta: metav1.ObjectMeta{
Annotations: annotations,
Expand All @@ -154,6 +160,7 @@ func Deployment(
VolumeMounts: apiVolumeMounts,
Resources: instance.Spec.Resources,
LivenessProbe: livenessProbe,
ReadinessProbe: readinessProbe,
TerminationMessagePolicy: corev1.TerminationMessageFallbackToLogsOnError,
},
{
Expand All @@ -175,14 +182,13 @@ func Deployment(
},
},
}

// If possible two pods of the same service should not
// run on the same worker node. If this is not possible
// the get still created on the same worker node.
// If possible two pods of the same service should not
// run on the same worker node. If this is not possible
// the get still created on the same worker node.
deployment.Spec.Template.Spec.Affinity = affinity.DistributePods(
common.AppSelector,
[]string{
ServiceName,
ServiceName,
},
corev1.LabelHostname,
)
Expand Down

0 comments on commit 95db72b

Please sign in to comment.