Add check-proxy-health flag and implement Envoy health check on local… (#799)

* Add check-proxy-health flag and implement Envoy health check on local envoy running process. Disable executing graceful startup flow if graceful startup seconds grtr than 0.

* Refactor Envoy health check logic into `doHealthCheck` function and add unit tests for improved coverage and modularity.

* Fixed lint issue and added changelog

* Refactor Envoy health check to improve readability and maintainability by using `http.Status` constants, adjusting test cases, and streamlining function calls.

Author: nitin-sachdev-29

.changelog/799.txt

@@ -0,0 +1,3 @@
+```release-note:feature
+Implemented a subcommand "check-proxy-health" which checks whether locally running envoy proxy is ready or not by calling http endpoint /ready on evoy admin URL. This is implemented for kubelet startup and liveness probes when consul-dataplane is registered as sidecar container.
+```

cmd/consul-dataplane/config.go

@@ -14,7 +14,8 @@ import (
 )
 
 type FlagOpts struct {
-	dataplaneConfig DataplaneConfigFlags
+	dataplaneConfig  DataplaneConfigFlags
+	checkProxyHealth bool
 
 	printVersion bool
 	configFile   string

cmd/consul-dataplane/main.go

@@ -8,10 +8,12 @@ import (
 	"flag"
 	"fmt"
 	"log"
+	"net/http"
 	"os"
 	"os/signal"
 	"strings"
 	"syscall"
+	"time"
 
 	"github.com/hashicorp/consul-dataplane/pkg/consuldp"
 	"github.com/hashicorp/consul-dataplane/pkg/version"
@@ -27,6 +29,8 @@ func init() {
 	flagOpts = &FlagOpts{}
 	flags.BoolVar(&flagOpts.printVersion, "version", false, "Prints the current version of consul-dataplane.")
 
+	flags.BoolVar(&flagOpts.checkProxyHealth, "check-proxy-health", false, "checks envoy proxy health and exits with 0 if healthy, 1 otherwise.")
+
 	StringVar(flags, &flagOpts.dataplaneConfig.Mode, "mode", "DP_MODE", "dataplane mode. Value can be:\n"+
 		"1. sidecar - used when running as a sidecar to Consul services with xDS Server, Envoy, and DNS Server running; OR\n"+
 		"2. dns-proxy - used when running as a standalone application where DNS Server runs, but Envoy and xDS Server are enabled.\n")
@@ -157,6 +161,17 @@ func run() error {
 		return nil
 	}
 
+	consulDPDefaultFlags, err := buildDefaultConsulDPFlags()
+	if err != nil {
+		return err
+	}
+
+	if flagOpts.checkProxyHealth {
+		fmt.Printf("Checking envoy proxy health\n")
+		runProxyReadyCmd(consulDPDefaultFlags)
+		return nil
+	}
+
 	readServiceIDFromFile()
 	readProxyIDFromFile()
 	validateFlags()
@@ -231,3 +246,52 @@ func readProxyIDFromFile() {
 		flagOpts.dataplaneConfig.Proxy.ID = &s
 	}
 }
+
+func runProxyReadyCmd(config DataplaneConfigFlags) {
+	// Define the Envoy admin endpoint URL. This is typically internal and
+	// only accessible from within the Pod on the loopback interface.
+
+	adminPort := *config.Envoy.AdminBindPort
+
+	if flagOpts.dataplaneConfig.Envoy.AdminBindPort != nil {
+		adminPort = *flagOpts.dataplaneConfig.Envoy.AdminBindPort
+	}
+
+	doHealthCheck(adminPort, http.DefaultClient, os.Exit)
+}
+
+func doHealthCheck(adminPort int, client *http.Client, exitFunc func(int)) {
+	envoyAdminURL := fmt.Sprintf("http://127.0.0.1:%d/ready", adminPort)
+
+	// Create a context with a timeout for the HTTP request. This prevents
+	// the check from hanging indefinitely. A short timeout is best for probes.
+	ctx, cancel := context.WithTimeout(context.Background(), 3*time.Second)
+	defer cancel()
+
+	// Create a new HTTP request with the specified context.
+	req, err := http.NewRequestWithContext(ctx, "GET", envoyAdminURL, nil)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error creating request: %v\n", err)
+		exitFunc(1)
+		return
+	}
+
+	// Perform the HTTP request.
+	resp, err := client.Do(req)
+	if err != nil {
+		fmt.Fprintf(os.Stderr, "Error connecting to Envoy admin endpoint: %v\n", err)
+		exitFunc(1)
+		return
+	}
+	defer resp.Body.Close()
+
+	// For a Kubernetes probe, the only thing that matters is the status code.
+	// A status code between 200 and 399 indicates success.
+	if resp.StatusCode >= http.StatusOK && resp.StatusCode < http.StatusBadRequest {
+		fmt.Println("Envoy proxy is ready.")
+		exitFunc(0)
+	} else {
+		fmt.Fprintf(os.Stderr, "Envoy proxy is not ready. Received status code: %d\n", resp.StatusCode)
+		exitFunc(1)
+	}
+}

cmd/consul-dataplane/main_test.go

@@ -0,0 +1,108 @@
+package main
+
+import (
+	"bytes"
+	"github.com/stretchr/testify/require"
+	"io"
+	"net/http"
+	"net/http/httptest"
+	"net/url"
+	"os"
+	"strconv"
+	"testing"
+)
+
+func TestDoHealthCheck(t *testing.T) {
+	tests := []struct {
+		name           string
+		statusCode     int
+		serverErr      bool
+		expectedExit   int
+		expectedOutput string
+	}{
+		{
+			name:           "success with 200",
+			statusCode:     http.StatusOK,
+			expectedExit:   0,
+			expectedOutput: "Envoy proxy is ready.\n",
+		},
+		{
+			name:           "success with 204",
+			statusCode:     http.StatusNoContent,
+			expectedExit:   0,
+			expectedOutput: "Envoy proxy is ready.\n",
+		},
+		{
+			name:           "failure with 404",
+			statusCode:     http.StatusNotFound,
+			expectedExit:   1,
+			expectedOutput: "Envoy proxy is not ready. Received status code: 404\n",
+		},
+		{
+			name:           "failure with 500",
+			statusCode:     http.StatusInternalServerError,
+			expectedExit:   1,
+			expectedOutput: "Envoy proxy is not ready. Received status code: 500\n",
+		},
+		{
+			name:           "server error",
+			serverErr:      true,
+			expectedExit:   1,
+			expectedOutput: "Error connecting to Envoy admin endpoint: ",
+		},
+	}
+
+	for _, tc := range tests {
+		t.Run(tc.name, func(t *testing.T) {
+			var exitCode int
+			mockExit := func(code int) {
+				exitCode = code
+			}
+
+			ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				require.Equal(t, "/ready", r.URL.Path)
+				require.Equal(t, "GET", r.Method)
+
+				if tc.serverErr {
+					panic("simulated server error")
+				}
+
+				w.WriteHeader(tc.statusCode)
+			}))
+			defer ts.Close()
+
+			client := ts.Client()
+			u, _ := url.Parse(ts.URL)
+			port, _ := strconv.Atoi(u.Port())
+
+			// Capture stdout/stderr
+			stdout := captureOutput(t, func() {
+				doHealthCheck(port, client, mockExit)
+			})
+
+			require.Contains(t, stdout, tc.expectedOutput)
+			require.Equal(t, tc.expectedExit, exitCode)
+
+		})
+	}
+}
+
+func captureOutput(t *testing.T, f func()) string {
+	oldStdout := os.Stdout
+	oldStderr := os.Stderr
+	r, w, _ := os.Pipe()
+	os.Stdout = w
+	os.Stderr = w
+
+	f()
+
+	w.Close()
+	os.Stdout = oldStdout
+	os.Stderr = oldStderr
+
+	var buf bytes.Buffer
+	if _, err := io.Copy(&buf, r); err != nil {
+		t.Fatalf("failed to copy output: %v", err)
+	}
+	return buf.String()
+}

pkg/consuldp/consul_dataplane.go

@@ -249,8 +249,6 @@ func (cdp *ConsulDataplane) Run(ctx context.Context) error {
 		return err
 	}
 
-	cdp.lifecycleConfig.gracefulStartup()
-
 	go func() {
 		select {
 		case <-ctx.Done():

pkg/envoy/proxy.go

@@ -396,6 +396,10 @@ func (p *Proxy) Ready() (bool, error) {
 			p.cfg.Logger.Error("envoy: admin endpoint not available", "error", err)
 			return false, err
 		}
+		if rsp != nil {
+			defer rsp.Body.Close()
+		}
+
 		return rsp.StatusCode == 200, nil
 	default:
 		return false, nil