feat: early listening; 503 status; healthcheck uses `/api/op/definition`

[csmig]

This PR refactors the API bootstrap code so we start listening on STIGMAN_API_PORT before any database migrations are started. The goal is to discourage container orchestration platforms from declaring our container unhealthy during a long-running migration, which has lead to container shutdowns and incomplete migrations.

The refactored code:

• adds middle-ware that returns 503 Service Unavailable for all requests except GET /api/op/definition while the authentication and database dependencies are being setup. The hope is that deployments will send requests to that endpoint to determine healthiness and/or liveness. It is the only endpoint that does not require authentication or database access.
• updates our built-in healtheck.js to use the GET /api/op/definition endpoint
• removes Dockerfile HEALTHCHECK (see comment below)
• updates our Dockerfile HEALTHCHECK statement with --start-interval=10s so we enter healthy status sooner.

[csmig]

Appears the GitHub runner using ubuntu-latest has an older version of docker which does not support --start-interval in the HEALTHCHECK. Will need to remove that.

Related question: should we even include an explicit HEALTHCHECK in our Dockerfile? I did so because I thought DISA guidance required it. But that document refers to liveness and readiness probes, which are k8s concepts not Docker. And I notice few major projects incorporate HEALTHCHECK into their published containers, neither MySQL nor Keycloak for example.

[sonarcloud[bot]]

Quality Gate passed for 'nuwcdivnpt_stig-manager-api'

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
65.6% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud