cmd: Add health check commands

[tleef]

Related issue

Proposed changes

Add health check commands to the oathkeeper CLI.

motivation:
Support for Docker HEALTHCHECK

Docker's HEALTHCHECK instruction executes a command e.g. CMD curl -f http://localhost/ || exit 1 in the container to determine the health status of the container. The exit code of the command determines the health status. The possible exit codes are:

• 0: success - the container is healthy and ready for use
• 1: unhealthy - the container is not working correctly
• 2: reserved - do not use this exit code

Rather than using curl (which is not available in the official oathkeeper image) to query the oathkeeper api, we can query the api using oathkeeper's CLI. This has a few advantages:

• No additional dependencies e.g. curl
• The health check is portable to other environments
• The health check can be more rigorous than would otherwise be possible with a simple http tool

See this blog post for more details.

example usage:
In keeping with the conventions already in place by the rules command, the new health command has the following usage

• oathkeeper health -e <endpoint> alive for checking liveness
• oathkeeper health -e <endpoint> ready for checking readiness

$ oathkeeper health -e http://localhost:4456 ready
{
    "status": "ok"
}

Checklist

• I have read the contributing guidelines
• I have read the security policy
• I confirm that this pull request does not address a security
  vulnerability. If this pull request addresses a security vulnerability, I
  confirm that I got green light (please contact
  [email protected]) from the maintainers to push
  the changes.
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation within the code base (if appropriate)
• I have documented my changes in the
  developer guide (if appropriate)

Further comments

[claassistantio]

All committers have signed the CLA.

[aeneasr]

Awesome! Just some documentation things. Also, I think these command should exit with a status code of 1 if the check fails!

[aeneasr]

Please add a long description here, with at least one example, showcasing how to use this command.

[aeneasr]

Also, you should add a warning:

If the target endpoint runs behind a Load Balancer, this command will effectively test the health of the Load Balancer, not the actual ORY Oathkeeper deployment.

[tleef]

I added the Load Balancer warning to the parent health command since that is where the endpoint flag is declared.

[aeneasr]

Most devs do not read the "top level" command docs, only the specific docs. It makes sense to have the note in all three!

[tleef]

Done

[aeneasr]

I think this command should exit with an error code of 1 if the instance is not yet alive. Any response from the server that has a status code of != 200 means that this instance is not alive yet.

[tleef]

I added explicit exit codes in all cases now. cmdx.Must(err, "%s", err) will exit 1 if there was an error e.g. a 404 response. If no error, it will exit 1 if r.Payload.Status != "ok". Otherwise, exit 0

[aeneasr]

Ah right, I forgot that the API will return an error if the code is not 200. We should still print out the received status code, which will make it easier to debug :)

[tleef]

The error status code is printed in the error message. For example:

$ oathkeeper health -e http://localhost:4456/bad ready
> unknown error (status 404): {resp:0xc0028aee10}

I can't find any way to get a reference to the StatusCode based on the what the internal API client returns.

[aeneasr]

You can type assert the error with runtime.APIError and then you have access to the Response, code, and so on, so e.g.

if apiErr, ok := err.(*runtime.APIError); ok {
// ...
} else {
// ...
}

[aeneasr]

however, I think it's ok as it is at the moment!

[aeneasr]

Please apply the comments from health_alive here as well!

[tleef]

Done

[aeneasr]

Thank you for the changes, a few last things and then we're good to go! :)

[aeneasr]

Most devs do not read the "top level" command docs, only the specific docs. It makes sense to have the note in all three!

[aeneasr]

No need for os.Exit(0), this is always the case!

[tleef]

I removed the explicit exit 0 for both

[aeneasr]

There should be an error message here. Something like:

fmt.Printf("The endpoint does not appear to be healthy, received HTTP Status Code %d and status %s\n", r.StatusCode, r.Payload.Status)

(I think the status code is r.StatusCode).

[tleef]

The HTTP StatusCode doesn't appear to be available. The internal API client returns the following struct

type IsInstanceReadyOK struct {
	Payload *models.SwaggerHealthStatus
}

If the HTTP status code isn't a 200, it will be printed as an error and the process will exit 1 which is handled by cmdx.Must(err, "%s", err). Otherwise, the Payload is always printed so you can see the payload status

[aeneasr]

Yeah, you're right!

[aeneasr]

Thank you!

[tleef]

Thanks for all your help reviewing! Does this mean I get to chat in the #contibutors channel now? ;)

[aeneasr]

Credit where credit is due ;) You're now able to write in the contributors channel!