Allow health check to http self signed by default

Fixes #122
This commit is contained in:
Owen
2025-09-01 10:56:08 -07:00
parent 87ac5c97e3
commit c5c0143013
2 changed files with 33 additions and 12 deletions


@@ -2,6 +2,7 @@ package healthcheck
import ( import (
"context" "context"
"crypto/tls"
"encoding/json" "encoding/json"
"fmt" "fmt"
"net/http" "net/http"
@@ -66,20 +67,31 @@ type StatusChangeCallback func(targets map[int]*Target)
// Monitor manages health check targets and their monitoring // Monitor manages health check targets and their monitoring
type Monitor struct { type Monitor struct {
targets map[int]*Target targets map[int]*Target
mutex sync.RWMutex mutex sync.RWMutex
callback StatusChangeCallback callback StatusChangeCallback
client *http.Client client *http.Client
enforceCert bool
} }
// NewMonitor creates a new health check monitor // NewMonitor creates a new health check monitor
func NewMonitor(callback StatusChangeCallback) *Monitor { func NewMonitor(callback StatusChangeCallback, enforceCert bool) *Monitor {
logger.Info("Creating new health check monitor") logger.Info("Creating new health check monitor with certificate enforcement: %t", enforceCert)
// Configure TLS settings based on certificate enforcement
transport := &http.Transport{
TLSClientConfig: &tls.Config{
InsecureSkipVerify: !enforceCert,
},
}
return &Monitor{ return &Monitor{
targets: make(map[int]*Target), targets: make(map[int]*Target),
callback: callback, callback: callback,
enforceCert: enforceCert,
client: &http.Client{ client: &http.Client{
Timeout: 30 * time.Second, Timeout: 30 * time.Second,
Transport: transport,
}, },
} }
} }
@@ -367,6 +379,11 @@ func (m *Monitor) performHealthCheck(target *Target) {
logger.Debug("Target %d: performing health check %d to %s", logger.Debug("Target %d: performing health check %d to %s",
target.Config.ID, target.CheckCount, url) target.Config.ID, target.CheckCount, url)
if target.Config.Scheme == "https" {
logger.Debug("Target %d: HTTPS health check with certificate enforcement: %t",
target.Config.ID, m.enforceCert)
}
// Create request // Create request
ctx, cancel := context.WithTimeout(context.Background(), time.Duration(target.Config.Timeout)*time.Second) ctx, cancel := context.WithTimeout(context.Background(), time.Duration(target.Config.Timeout)*time.Second)
defer cancel() defer cancel()
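Review bot: The `transport := &http.Transport{...}` built in NewMonitor starts from a zero Transport, so the monitor's client loses every `http.DefaultTransport` default (proxy-from-environment, dial and TLS-handshake timeouts, idle-connection limits) instead of only overriding certificate verification; prefer `transport := http.DefaultTransport.(*http.Transport).Clone()` followed by `transport.TLSClientConfig = &tls.Config{InsecureSkipVerify: !enforceCert}`. Because the new parameter defaults to false on the caller side, `InsecureSkipVerify` is true out of the box, which skips hostname checking too, so anything able to answer for a target's address can report whatever status it likes to the monitor; a comment on the struct field, e.g. `// enforceCert: when false (the default) certificates of health-check targets are neither validated nor hostname-checked`, keeps that trade-off visible to readers of the type. If the intent is only to tolerate self-signed targets, a configurable `tls.Config.RootCAs` pool would allow that without accepting every certificate. The performHealthCheck hunk only adds a debug log; that function starts and ends outside the hunk.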

10
main.go

@@ -114,6 +114,7 @@ var (
authorizedKeysFile string authorizedKeysFile string
preferEndpoint string preferEndpoint string
healthMonitor *healthcheck.Monitor healthMonitor *healthcheck.Monitor
enforceHealthcheckCert bool
// New mTLS configuration variables // New mTLS configuration variables
tlsClientCert string tlsClientCert string
@@ -138,10 +139,12 @@ func main() {
keepInterfaceEnv := os.Getenv("KEEP_INTERFACE") keepInterfaceEnv := os.Getenv("KEEP_INTERFACE")
acceptClientsEnv := os.Getenv("ACCEPT_CLIENTS") acceptClientsEnv := os.Getenv("ACCEPT_CLIENTS")
useNativeInterfaceEnv := os.Getenv("USE_NATIVE_INTERFACE") useNativeInterfaceEnv := os.Getenv("USE_NATIVE_INTERFACE")
enforceHealthcheckCertEnv := os.Getenv("ENFORCE_HC_CERT")
keepInterface = keepInterfaceEnv == "true" keepInterface = keepInterfaceEnv == "true"
acceptClients = acceptClientsEnv == "true" acceptClients = acceptClientsEnv == "true"
useNativeInterface = useNativeInterfaceEnv == "true" useNativeInterface = useNativeInterfaceEnv == "true"
enforceHealthcheckCert = enforceHealthcheckCertEnv == "true"
dockerSocket = os.Getenv("DOCKER_SOCKET") dockerSocket = os.Getenv("DOCKER_SOCKET")
pingIntervalStr := os.Getenv("PING_INTERVAL") pingIntervalStr := os.Getenv("PING_INTERVAL")
@@ -206,8 +209,8 @@ func main() {
if acceptClientsEnv == "" { if acceptClientsEnv == "" {
flag.BoolVar(&acceptClients, "accept-clients", false, "Accept clients on the WireGuard interface") flag.BoolVar(&acceptClients, "accept-clients", false, "Accept clients on the WireGuard interface")
} }
if tlsPrivateKey == "" { if enforceHealthcheckCertEnv == "" {
flag.StringVar(&tlsPrivateKey, "tls-client-cert", "", "Path to client certificate used for mTLS") flag.BoolVar(&enforceHealthcheckCert, "enforce-hc-cert", false, "Enforce certificate validation for health checks (default: false, accepts any cert)")
} }
if dockerSocket == "" { if dockerSocket == "" {
flag.StringVar(&dockerSocket, "docker-socket", "", "Path or address to Docker socket (typically unix:///var/run/docker.sock)") flag.StringVar(&dockerSocket, "docker-socket", "", "Path or address to Docker socket (typically unix:///var/run/docker.sock)")
@@ -364,6 +367,7 @@ func main() {
logger.Debug("Endpoint: %v", endpoint) logger.Debug("Endpoint: %v", endpoint)
logger.Debug("Log Level: %v", logLevel) logger.Debug("Log Level: %v", logLevel)
logger.Debug("Docker Network Validation Enabled: %v", dockerEnforceNetworkValidationBool) logger.Debug("Docker Network Validation Enabled: %v", dockerEnforceNetworkValidationBool)
logger.Debug("Health Check Certificate Enforcement: %v", enforceHealthcheckCert)
// Add new TLS debug logging // Add new TLS debug logging
if tlsClientCert != "" { if tlsClientCert != "" {
@@ -429,7 +433,7 @@ func main() {
if err != nil { if err != nil {
logger.Error("Failed to send health check status update: %v", err) logger.Error("Failed to send health check status update: %v", err)
} }
}) }, enforceHealthcheckCert)
var pingWithRetryStopChan chan struct{} var pingWithRetryStopChan chan struct{}
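Review bot: `enforceHealthcheckCert = enforceHealthcheckCertEnv == "true"` in the env-parsing hunk treats every value other than the exact string `true` (`1`, `TRUE`, `yes`, a typo) as false, and for this knob false means certificate verification is switched off, so a misconfiguration fails open; it mirrors how the other booleans in this file are parsed, but this one is worth parsing strictly, e.g. `if v, err := strconv.ParseBool(enforceHealthcheckCertEnv); err == nil { enforceHealthcheckCert = v } else if enforceHealthcheckCertEnv != "" { logger.Error("ENFORCE_HC_CERT must be true or false, got %q", enforceHealthcheckCertEnv); os.Exit(1) }` (strconv would need importing). Separately, the block replaced in the flag-registration hunk was the only visible registration of the `tls-client-cert` flag (bound to tlsPrivateKey); unless that flag is registered elsewhere in main, this commit silently drops it, which is worth confirming. main() starts and ends outside these hunks.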