[cmd/tunnel/run] Add health endpoint

Author: dilyevsky

pkg/cmd/tunnel/cmd.go

@@ -212,7 +212,9 @@ func loadTunnelNodeFromStdin() (*corev1alpha.TunnelNode, error) {
 
 func init() {
 	createCmd.Flags().StringVarP(&tunnelNodeFile, "file", "f", "", "Path to the TunnelNode file to create.")
+
 	updateCmd.Flags().StringVarP(&tunnelNodeFile, "file", "f", "", "Path to the TunnelNode file to update.")
+
 	tunnelRunCmd.Flags().StringVarP(&tunnelNodePcapPath, "pcap", "p", "", "Path to the TunnelNode file to create.")
 	tunnelRunCmd.Flags().StringVarP(&tunnelModeS, "mode", "m", "user", "Mode to run the TunnelNode in.")
 	tunnelRunCmd.Flags().BoolVar(&insecureSkipVerify, "insecure-skip-verify", false, "Skip TLS certificate verification.")
@@ -221,6 +223,7 @@ func init() {
 	tunnelRunCmd.Flags().IntVar(&minConns, "min-conns", 1, "Minimum number of connections to maintain.")
 	tunnelRunCmd.Flags().StringVar(&dnsListenAddr, "dns-addr", "127.0.0.1:8053", "Listen address for the DNS proxy. Note that you must configure backplane to use this address as well.")
 	tunnelRunCmd.Flags().BoolVar(&autoCreate, "auto", false, "Automatically create TunnelNode if it doesn't exist.")
+	tunnelRunCmd.Flags().StringVar(&healthAddr, "health-addr", "localhost:8080", "Listen address for health endpoint (default: localhost:8080).")
 
 	tunnelCmd.AddCommand(createCmd)
 	tunnelCmd.AddCommand(getCmd)

pkg/cmd/tunnel/run.go

@@ -5,6 +5,7 @@ import (
 	"fmt"
 	"log/slog"
 	"math/rand"
+	"net/http"
 	"net/netip"
 	"os"
 	"sync"
@@ -72,6 +73,7 @@ var (
 	minConns           int
 	dnsListenAddr      string
 	autoCreate         bool
+	healthAddr         string
 
 	preserveDefaultGwDsts []netip.Prefix
 )
@@ -232,6 +234,33 @@ func (t *tunnelNodeReconciler) run(ctx context.Context, tn *corev1alpha.TunnelNo
 		return nil
 	})
 
+	// Start health endpoint server if configured
+	if healthAddr != "" {
+		mux := http.NewServeMux()
+		mux.HandleFunc("/healthz", t.healthHandler)
+
+		healthServer := &http.Server{
+			Addr:    healthAddr,
+			Handler: mux,
+		}
+
+		g.Go(func() error {
+			slog.Info("Starting health endpoint server", slog.String("address", healthAddr))
+			if err := healthServer.ListenAndServe(); err != nil && err != http.ErrServerClosed {
+				slog.Error("Health server failed", slog.Any("error", err))
+				return err
+			}
+			return nil
+		})
+
+		g.Go(func() error {
+			<-gctx.Done()
+			shutdownCtx, cancel := context.WithTimeout(context.Background(), 5*time.Second)
+			defer cancel()
+			return healthServer.Shutdown(shutdownCtx)
+		})
+	}
+
 	r, err := tunnel.BuildClientRouter(
 		tunnel.WithPcapPath(tunnelNodePcapPath),
 		tunnel.WithMode(tunnelMode),
@@ -403,3 +432,32 @@ func (t *tunnelNodeReconciler) reconcile(ctx context.Context, req ctrl.Request)
 
 	return ctrl.Result{}, nil
 }
+
+// healthHandler returns 200 OK when at least one tunnel connection is active, 503 otherwise.
+// This endpoint is used for health checks to determine if the tunnel node has active connections.
+// The health endpoint is only started when the --health-endpoint flag is provided with a valid
+// address (e.g., ":8080" or "0.0.0.0:8080").
+//
+// Response codes:
+//   - 200 OK: At least one tunnel connection is active
+//   - 503 Service Unavailable: No active tunnel connections
+func (t *tunnelNodeReconciler) healthHandler(w http.ResponseWriter, r *http.Request) {
+	t.tunMu.RLock()
+	defer t.tunMu.RUnlock()
+
+	// Check if we have at least one active connection
+	activeConns := 0
+	for _, conn := range t.tunDialerWorkers {
+		if conn.conn != nil && conn.conn.Context().Err() == nil {
+			activeConns++
+		}
+	}
+
+	if activeConns > 0 {
+		w.WriteHeader(http.StatusOK)
+		fmt.Fprintf(w, "OK - %d active connection(s)\n", activeConns)
+	} else {
+		w.WriteHeader(http.StatusServiceUnavailable)
+		fmt.Fprintf(w, "UNHEALTHY - no active connections\n")
+	}
+}