Gateway health status

renuka-fernando · renuka-fernando · commit 0a43f5779b75 · 2026-02-13T18:32:05.000+05:30
diff --git a/gateway/docker-compose.yaml b/gateway/docker-compose.yaml
@@ -65,6 +65,12 @@ services:
       - GATEWAY_CONTROLLER_HOST=gateway-controller
       - MOESIF_KEY=${MOESIF_KEY:-}
       - LOG_LEVEL=info
+    healthcheck:
+      test: ["CMD", "health-check.sh"]
+      interval: 5s
+      timeout: 3s
+      retries: 10
+      start_period: 15s
     volumes:
       - ./configs/config.toml:/etc/policy-engine/config.toml:ro
     networks:
diff --git a/gateway/gateway-controller/api/openapi-admin.yaml b/gateway/gateway-controller/api/openapi-admin.yaml
@@ -41,6 +41,24 @@ paths:
               schema:
                 $ref: "#/components/schemas/ErrorResponse"
 
+  /health:
+    get:
+      summary: Health check
+      description: |
+        Returns the health status of the gateway controller.
+        This endpoint is not subject to IP whitelist restrictions so that
+        Docker and Kubernetes health probes can reach it.
+      operationId: getHealth
+      tags:
+        - System
+      responses:
+        "200":
+          description: Gateway controller is healthy
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/HealthResponse"
+
   /xds_sync_status:
     get:
       summary: Get xDS policy sync status
@@ -172,6 +190,17 @@ components:
         xds_sync:
           $ref: "#/components/schemas/ConfigDumpXDSSync"
 
+    HealthResponse:
+      type: object
+      properties:
+        status:
+          type: string
+          description: Health status ("healthy")
+        timestamp:
+          type: string
+          format: date-time
+          description: Timestamp of the health check
+
     XDSSyncStatusResponse:
       type: object
       properties:
diff --git a/gateway/gateway-controller/pkg/adminapi/generated/generated.go b/gateway/gateway-controller/pkg/adminapi/generated/generated.go
diff --git a/gateway/gateway-controller/pkg/adminserver/server.go b/gateway/gateway-controller/pkg/adminserver/server.go
@@ -7,6 +7,7 @@ import (
 	"log/slog"
 	"net"
 	"net/http"
+	"time"
 
 	adminapi "github.com/wso2/api-platform/gateway/gateway-controller/pkg/adminapi/generated"
 	"github.com/wso2/api-platform/gateway/gateway-controller/pkg/config"
@@ -37,6 +38,8 @@ func NewServer(cfg *config.AdminServerConfig, apiServer apiServer, logger *slog.
 
 	mux.Handle("/config_dump", ipWhitelistMiddleware(cfg.AllowedIPs, http.HandlerFunc(s.handleConfigDump)))
 	mux.Handle("/xds_sync_status", ipWhitelistMiddleware(cfg.AllowedIPs, http.HandlerFunc(s.handleXDSSyncStatus)))
+	// Health endpoint is registered without IP whitelist so Docker/k8s health probes can reach it
+	mux.Handle("/health", http.HandlerFunc(s.handleHealth))
 
 	s.httpSrv = &http.Server{
 		Addr:    fmt.Sprintf(":%d", cfg.Port),
@@ -93,6 +96,22 @@ func (s *Server) handleXDSSyncStatus(w http.ResponseWriter, r *http.Request) {
 	_ = json.NewEncoder(w).Encode(resp)
 }
 
+func (s *Server) handleHealth(w http.ResponseWriter, r *http.Request) {
+	if r.Method != http.MethodGet {
+		http.Error(w, "Method not allowed", http.StatusMethodNotAllowed)
+		return
+	}
+
+	resp := map[string]string{
+		"status":    "healthy",
+		"timestamp": time.Now().UTC().Format(time.RFC3339),
+	}
+
+	w.Header().Set("Content-Type", "application/json")
+	w.WriteHeader(http.StatusOK)
+	_ = json.NewEncoder(w).Encode(resp)
+}
+
 func ipWhitelistMiddleware(allowedIPs []string, next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		clientIP := extractClientIP(r)
diff --git a/gateway/gateway-controller/pkg/adminserver/server_test.go b/gateway/gateway-controller/pkg/adminserver/server_test.go
@@ -100,6 +100,48 @@ func TestAdminServer_MethodNotAllowed(t *testing.T) {
 	assert.Equal(t, http.StatusMethodNotAllowed, rr.Code)
 }
 
+func TestAdminServer_HealthHandler(t *testing.T) {
+	stub := &stubAPIServer{}
+	s := NewServer(&config.AdminServerConfig{Port: 9092, AllowedIPs: []string{"*"}}, stub, slog.Default())
+
+	req := httptest.NewRequest(http.MethodGet, "/health", nil)
+	req.RemoteAddr = "127.0.0.1:12345"
+	rr := httptest.NewRecorder()
+
+	s.httpSrv.Handler.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusOK, rr.Code)
+
+	var body map[string]string
+	assert.NoError(t, json.NewDecoder(rr.Body).Decode(&body))
+	assert.Equal(t, "healthy", body["status"])
+	assert.NotEmpty(t, body["timestamp"])
+}
+
+func TestAdminServer_HealthHandler_MethodNotAllowed(t *testing.T) {
+	stub := &stubAPIServer{}
+	s := NewServer(&config.AdminServerConfig{Port: 9092, AllowedIPs: []string{"*"}}, stub, slog.Default())
+
+	req := httptest.NewRequest(http.MethodPost, "/health", nil)
+	req.RemoteAddr = "127.0.0.1:12345"
+	rr := httptest.NewRecorder()
+
+	s.httpSrv.Handler.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusMethodNotAllowed, rr.Code)
+}
+
+func TestAdminServer_HealthHandler_NoIPWhitelist(t *testing.T) {
+	stub := &stubAPIServer{}
+	// Restrict IPs to only 127.0.0.1 — health should still be accessible from other IPs
+	s := NewServer(&config.AdminServerConfig{Port: 9092, AllowedIPs: []string{"127.0.0.1"}}, stub, slog.Default())
+
+	req := httptest.NewRequest(http.MethodGet, "/health", nil)
+	req.RemoteAddr = "192.168.1.10:12345"
+	rr := httptest.NewRecorder()
+
+	s.httpSrv.Handler.ServeHTTP(rr, req)
+	assert.Equal(t, http.StatusOK, rr.Code)
+}
+
 func TestIsIPAllowed(t *testing.T) {
 	assert.True(t, isIPAllowed("127.0.0.1", []string{"*"}))
 	assert.True(t, isIPAllowed("127.0.0.1", []string{"0.0.0.0/0"}))
diff --git a/gateway/gateway-runtime/Dockerfile b/gateway/gateway-runtime/Dockerfile
@@ -140,8 +140,9 @@ COPY --from=policy-compiler /workspace/output/policy-engine/policy-engine /app/p
 COPY router/config/envoy-bootstrap.yaml /etc/envoy/envoy.yaml
 COPY router/config/config-override.yaml /etc/envoy/config-override.yaml
 COPY docker-entrypoint.sh /usr/local/bin/docker-entrypoint.sh
+COPY health-check.sh /usr/local/bin/health-check.sh
 
-RUN chmod +x /app/policy-engine /usr/local/bin/docker-entrypoint.sh
+RUN chmod +x /app/policy-engine /usr/local/bin/docker-entrypoint.sh /usr/local/bin/health-check.sh
 
 RUN groupadd -r -g 10001 wso2 && \
     useradd -r -u 10001 -g wso2 -s /sbin/nologin -c "WSO2 Application User" wso2 && \
diff --git a/gateway/it/docker-compose.test.yaml b/gateway/it/docker-compose.test.yaml
@@ -82,7 +82,7 @@ services:
       mock-openapi:
         condition: service_healthy
     healthcheck:
-      test: ["CMD", "bash", "-c", "wget --quiet --tries=1 --spider http://localhost:9901/ready && wget --quiet --tries=1 --spider http://localhost:9002/health"]
+      test: ["CMD", "health-check.sh"]
       interval: 5s
       timeout: 3s
       retries: 10
diff --git a/gateway/it/features/health.feature b/gateway/it/features/health.feature
@@ -48,6 +48,18 @@ Feature: Gateway Health Check
     When I send a GET request to the gateway controller health endpoint
     Then the response status code should be 200
 
+  # ==================== GATEWAY CONTROLLER ADMIN HEALTH ====================
+
+  Scenario: Gateway controller admin health endpoint returns OK
+    When I send a GET request to the gateway controller admin health endpoint
+    Then the response status code should be 200
+    And the response should indicate healthy status
+
+  Scenario: Gateway controller admin health endpoint returns valid JSON
+    When I send a GET request to the gateway controller admin health endpoint
+    Then the response status code should be 200
+    And the response should be valid JSON
+
   # ==================== POLICY ENGINE HEALTH ====================
 
   Scenario: Policy engine health endpoint returns OK
diff --git a/gateway/it/steps_health.go b/gateway/it/steps_health.go
@@ -41,6 +41,7 @@ func RegisterHealthSteps(ctx *godog.ScenarioContext, state *TestState, httpSteps
 	ctx.Step(`^the gateway services are running$`, h.theGatewayServicesAreRunning)
 	ctx.Step(`^I send a GET request to the gateway controller health endpoint$`, h.iSendGETRequestToGatewayControllerHealth)
 	ctx.Step(`^I send a GET request to the router ready endpoint$`, h.iSendGETRequestToRouterReady)
+	ctx.Step(`^I send a GET request to the gateway controller admin health endpoint$`, h.iSendGETRequestToGatewayControllerAdminHealth)
 	ctx.Step(`^I send a GET request to the policy engine health endpoint$`, h.iSendGETRequestToPolicyEngineHealth)
 	// Note: "the response status code should be X" is registered in AssertSteps which uses HTTPSteps response
 	ctx.Step(`^the response should indicate healthy status$`, h.theResponseShouldIndicateHealthyStatus)
@@ -71,6 +72,12 @@ func (h *HealthSteps) iSendGETRequestToRouterReady() error {
 	return h.httpSteps.SendGETRequest(url)
 }
 
+// iSendGETRequestToGatewayControllerAdminHealth sends a GET request to the gateway controller admin health endpoint
+func (h *HealthSteps) iSendGETRequestToGatewayControllerAdminHealth() error {
+	url := fmt.Sprintf("%s/health", h.state.Config.GatewayControllerAdminURL)
+	return h.httpSteps.SendGETRequest(url)
+}
+
 // iSendGETRequestToPolicyEngineHealth sends a GET request to the policy engine health endpoint
 func (h *HealthSteps) iSendGETRequestToPolicyEngineHealth() error {
 	url := fmt.Sprintf("%s/health", h.state.Config.PolicyEngineURL)
@@ -100,6 +107,7 @@ func (h *HealthSteps) iCheckHealthOfAllGatewayServices() error {
 		url  string
 	}{
 		{"gateway-controller", fmt.Sprintf("%s/health", h.state.Config.GatewayControllerURL)},
+		{"gateway-controller-admin", fmt.Sprintf("%s/health", h.state.Config.GatewayControllerAdminURL)},
 		{"router", fmt.Sprintf("http://localhost:%s/ready", EnvoyAdminPort)},
 		{"policy-engine", fmt.Sprintf("%s/health", h.state.Config.PolicyEngineURL)},
 	}
diff --git a/kubernetes/helm/gateway-helm-chart/values.yaml b/kubernetes/helm/gateway-helm-chart/values.yaml
@@ -463,17 +463,15 @@ gateway:
       podLabels: {}
       priorityClassName: ""
       livenessProbe:
-        httpGet:
-          path: /server_info
-          port: envoy-admin
+        exec:
+          command: ["health-check.sh"]
         initialDelaySeconds: 30
         periodSeconds: 10
         timeoutSeconds: 5
         failureThreshold: 3
       readinessProbe:
-        httpGet:
-          path: /server_info
-          port: envoy-admin
+        exec:
+          command: ["health-check.sh"]
         initialDelaySeconds: 10
         periodSeconds: 5
         timeoutSeconds: 3
