[Feature] Fix Gateway Probes with Auth Enabled (#1923)

Author: ajanikow

CHANGELOG.md

@@ -10,6 +10,7 @@
 - (Feature) Manual Upgrade Mode
 - (Feature) (Platform) SchedulerV2 Defaults Revert
 - (Bugfix) Enable Probes for Single & Gateway
+- (Bugfix) Fix Gateway Probes with Auth Enabled
 
 ## [1.2.49](https://github.com/arangodb/kube-arangodb/tree/1.2.49) (2025-06-17)
 - (Maintenance) Optimize go.mod

cmd/lifecycle.go

@@ -129,6 +129,9 @@ func cmdLifecyclePreStopRunFinalizer(cmd *cobra.Command, args []string) {
 				logger.Err(err).Fatal("Too many recent errors")
 				return
 			}
+		} else if p.DeletionTimestamp == nil {
+			// We are just restarting, no need for the finalizer wait
+			return
 		} else {
 			// We got our pod
 			finalizerCount := len(p.GetFinalizers())

pkg/deployment/resources/gateway/gateway_config_destination.go

@@ -72,6 +72,8 @@ type ConfigDestination struct {
 
 	AuthExtension *ConfigAuthZExtension `json:"authExtension,omitempty"`
 
+	HealthChecks ConfigDestinationHealthChecks `json:"healthChecks,omitempty"`
+
 	UpgradeConfigs ConfigDestinationsUpgrade `json:"upgradeConfigs,omitempty"`
 
 	TLS ConfigDestinationTLS `json:"tls,omitempty"`
@@ -103,6 +105,7 @@ func (c *ConfigDestination) Validate() error {
 			shared.PrefixResourceError("type", c.Type.Validate()),
 			shared.PrefixResourceError("protocol", c.Protocol.Validate()),
 			shared.PrefixResourceError("tls", c.TLS.Validate()),
+			shared.PrefixResourceError("healthChecks", c.HealthChecks.Validate()),
 			shared.PrefixResourceError("path", shared.ValidateAPIPath(c.GetPath())),
 			shared.PrefixResourceError("pathType", shared.ValidateOptionalInterface(c.Match)),
 			shared.PrefixResourceError("authExtension", c.AuthExtension.Validate()),
@@ -244,6 +247,7 @@ func (c *ConfigDestination) RenderCluster(name string) (*pbEnvoyClusterV3.Cluste
 				},
 			},
 		},
+		HealthChecks: c.HealthChecks.Render(),
 		TypedExtensionProtocolOptions: map[string]*anypb.Any{
 			"envoy.extensions.upstreams.http.v3.HttpProtocolOptions": hpo,
 		},

pkg/deployment/resources/gateway/gateway_config_destination_health.go

@@ -0,0 +1,66 @@
+//
+// DISCLAIMER
+//
+// Copyright 2025 ArangoDB GmbH, Cologne, Germany
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+//
+// Copyright holder is ArangoDB GmbH, Cologne, Germany
+//
+
+package gateway
+
+import (
+	"time"
+
+	pbEnvoyCoreV3 "github.com/envoyproxy/go-control-plane/envoy/config/core/v3"
+	"google.golang.org/protobuf/types/known/durationpb"
+
+	shared "github.com/arangodb/kube-arangodb/pkg/apis/shared"
+	"github.com/arangodb/kube-arangodb/pkg/util"
+)
+
+type ConfigDestinationHealthChecks []ConfigDestinationHealthCheck
+
+func (c ConfigDestinationHealthChecks) Validate() error {
+	return shared.ValidateInterfaceList(c)
+}
+
+func (c ConfigDestinationHealthChecks) Render() []*pbEnvoyCoreV3.HealthCheck {
+	ret := make([]*pbEnvoyCoreV3.HealthCheck, len(c))
+	for id := range c {
+		ret[id] = c[id].Render()
+	}
+	return ret
+}
+
+type ConfigDestinationHealthCheck struct {
+	Timeout *time.Duration `json:"timeout,omitempty"`
+
+	Interval *time.Duration `json:"interval,omitempty"`
+}
+
+func (c ConfigDestinationHealthCheck) Validate() error {
+	return nil
+}
+
+func (c ConfigDestinationHealthCheck) Render() *pbEnvoyCoreV3.HealthCheck {
+	return &pbEnvoyCoreV3.HealthCheck{
+		Timeout:  durationpb.New(util.OptionalType(c.Timeout, time.Second)),
+		Interval: durationpb.New(util.OptionalType(c.Interval, time.Second)),
+
+		HealthChecker: &pbEnvoyCoreV3.HealthCheck_TcpHealthCheck_{
+			TcpHealthCheck: &pbEnvoyCoreV3.HealthCheck_TcpHealthCheck{},
+		},
+	}
+}

pkg/deployment/resources/pod_creator_gateway.go

@@ -42,6 +42,10 @@ func GetGatewayConfigMapName(name string, parts ...string) string {
 func createGatewayVolumes(input pod.Input) pod.Volumes {
 	volumes := pod.NewVolumes()
 
+	volumes.AddVolume(k8sutil.LifecycleVolume())
+	volumes.AddVolumeMount(k8sutil.LifecycleVolumeMount())
+	volumes.Append(pod.JWT(), input)
+
 	volumes.AddVolume(k8sutil.CreateVolumeWithConfigMap(constants.GatewayVolumeName, GetGatewayConfigMapName(input.ApiObject.GetName())))
 	volumes.AddVolume(k8sutil.CreateVolumeWithConfigMap(constants.GatewayCDSVolumeName, GetGatewayConfigMapName(input.ApiObject.GetName(), "cds")))
 	volumes.AddVolume(k8sutil.CreateVolumeWithConfigMap(constants.GatewayLDSVolumeName, GetGatewayConfigMapName(input.ApiObject.GetName(), "lds")))

pkg/deployment/resources/pod_creator_gateway_container.go

@@ -81,7 +81,7 @@ func (a *MemberGatewayContainer) GetProbes() (*core.Probe, *core.Probe, *core.Pr
 		return nil, nil, nil, err
 	}
 
-	probeStartupConfig, err := a.resources.getReadinessProbe(a.Deployment, a.Group, a.Image)
+	probeStartupConfig, err := a.resources.getStartupProbe(a.Deployment, a.Group, a.Image)
 	if err != nil {
 		return nil, nil, nil, err
 	}

pkg/deployment/resources/pod_creator_gateway_pod.go

@@ -24,6 +24,7 @@ import (
 	"context"
 	"fmt"
 	"math"
+	"os"
 
 	core "k8s.io/api/core/v1"
 
@@ -125,6 +126,20 @@ func (m *MemberGatewayPod) GetInitContainers(cachedStatus interfaces.Inspector)
 		initContainers = append(initContainers, c...)
 	}
 
+	executable, err := os.Executable()
+	if err != nil {
+		return nil, err
+	}
+
+	{
+		sc := k8sutil.CreateSecurityContext(m.GroupSpec.SecurityContext)
+		c, err := k8sutil.InitLifecycleContainer(m.resources.context.GetOperatorImage(), executable, &m.Deployment.Lifecycle.Resources, sc)
+		if err != nil {
+			return nil, err
+		}
+		initContainers = append(initContainers, c)
+	}
+
 	res := kresources.ExtractPodInitContainerAcceptedResourceRequirement(m.GetContainerCreator().GetResourceRequirements())
 
 	initContainers = applyInitContainersResourceResources(initContainers, res)