search

project-zot / zot

zot - A scale-out production-ready vendor-neutral OCI-native container image/artifact registry (purely based on OCI Distribution Specification)
https://zotregistry.dev
Apache License 2.0
800 stars 92 forks source link

[Feat]: Add health endpoint #2487

Open AndersBennedsgaard opened 2 weeks ago

AndersBennedsgaard commented 2 weeks ago

Is your feature request related to a problem? Please describe.

I do not want to allow anonymous access to my Zot instance, and I also do not want to set the authorization header (using htpasswd) for my Kubernetes liveness probes, since that will expose a valid authentication header to anyone that has read access to deployments on my Kubernetes clusters.

Describe the solution you'd like

Add a /health or /healthz endpoint to Zot, which just returns HTTP 200. This shows that the server is up and running

Describe alternatives you've considered

Remove the liveness probes, or set a TCP liveness probe up instead, to test if the application listens on the configured port.

Additional context

Multiple issues and other references have been created for this, but they have either been closed with no explanation or explain that it is not needed (which I think it is. It is pretty standard practice for applications running in the cloud). Some references to existing issues/PRs include: https://github.com/project-zot/zot/issues/1767, https://github.com/project-zot/zot/issues/196, https://github.com/project-zot/zot/issues/2087, and https://github.com/project-zot/zot/pull/197

rchincha commented 2 weeks ago

@AndersBennedsgaard thanks for trying out zot!

Do you want to consider a liveness command instead? https://kubernetes.io/docs/tasks/configure-pod-container/configure-liveness-readiness-startup-probes/#define-a-liveness-command ^ this would give you more flexibility with curl for example.

AndersBennedsgaard commented 2 weeks ago

That would definitely be a possibility, yes. That would allow for you to mount the credentials as an environment variable from a Secret, instead of having it as plain-text in the Deployment. However, there is no curl, wget, or anything similar packaged into the Zot container at the moment since it is based on a distroless image, so if I wanted to use exec probes I would have to create a custom build with it.

But I would still prefer a health-check endpoint, to remove the requirement for managing extra credentials just for checking if the service is up. I could also just configure the ingress controller to expose the healthcheck path, if I didn't want users to access it