feat: Pre shutdown delay (#655)

* don't return Ok on `/ready` during the first 5 seconds * add a small pre-shutdown delay to further smooth out k8s rolling releases * fix endpoint doc
sebadob · Dec 16, 2024 · 1c390d7 · 1c390d7
1 parent 2aecf6e
commit 1c390d7
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 52 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -4,9 +4,9 @@
 
 ### Changes
 
-Even though not recommended at all, it is not possible to opt-out of the `refresh_token` nbf claim, and disable it.
+Even though not recommended at all, it is now possible to opt-out of the `refresh_token` nbf claim, and disable it.
 
-By default, A `refresh_token` will not valid before `access_token_lifetime - 60 seconds`, but some (bad) client
+By default, A `refresh_token` will not be valid before `access_token_lifetime - 60 seconds`, but some (bad) client
 implementations try to refresh `access_tokens` while they are still valid for a long time. To opt-out, you get a new
 config variable:
 
@@ -28,7 +28,7 @@ config variable:
 DISABLE_REFRESH_TOKEN_NBF=false
 ```
 
-[]()
+[#651](https://github.com/sebadob/rauthy/pull/653)
 
 ## v0.27.1
 

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/justfile b/justfile
@@ -229,6 +229,9 @@ test-backend-stop:
       rm {{ file_test_pid }}
     fi
 
+    # we need to sleep 5 seconds because the lockfiles will take 4.5 seconds to be deleted
+    sleep 5
+
 # runs a single test with hiqlite - needs the backend being started manually
 test *test:
     #!/usr/bin/env bash
@@ -348,6 +351,9 @@ build image="ghcr.io/sebadob/rauthy": build-ui
     #!/usr/bin/env bash
     set -euxo pipefail
 
+    # make sure base image is up to date
+    docker pull gcr.io/distroless/cc-debian12:nonroot
+
     mkdir -p out/empty
 
     # IMPORTANT: We can't use `cross` for the x86 build because it uses a way too old

diff --git a/src/api/src/generic.rs b/src/api/src/generic.rs
@@ -612,8 +612,6 @@ pub async fn get_health() -> impl Responder {
 )]
 #[get("/ready")]
 pub async fn get_ready() -> impl Responder {
-    // TODO we probably only want to return OK, because with Hiqlite, we would not even get here
-    // if it would not be ready.
     HttpResponse::Ok().finish()
 }
 

diff --git a/src/bin/src/main.rs b/src/bin/src/main.rs
@@ -213,7 +213,7 @@ https://github.com/sebadob/rauthy/releases/tag/v0.27.0
             warn!(
                 r#"
 
-Error looking up PasswordPolicy - this is most probably a know 0.27.0 bug.
+Error looking up PasswordPolicy - this is most probably a known 0.27.0 bug.
 Inserting default Policy to fix it.
 You should visit the Admin UI -> Config -> Password Policy and adjust it to your needs.
 
@@ -256,6 +256,10 @@ Error: {}
     }
 
     actix.join().unwrap().unwrap();
+
+    // sleep 1 sec before shutting down the raft -> makes k8s rolling releases a bit smoother
+    // as we can't utilize readiness probes because of a chicken-and-egg problem
+    time::sleep(Duration::from_secs(2)).await;
     DB::client().shutdown().await.unwrap();
 
     Ok(())