From 48f6db779e68dd2c2fdfaa374422b72832f70a38 Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Wed, 24 Jul 2024 14:16:20 -0500
Subject: [PATCH 1/2] feat: add readiness probe

---
 README.md | 14 +++-----------
 .../templates/attest-provider-deployment.yaml | 5 +++++
 main.go | 9 ++++++++-
 pkg/handler/ready.go | 16 ++++++++++++++++
 4 files changed, 32 insertions(+), 12 deletions(-)
 create mode 100644 pkg/handler/ready.go

diff --git a/README.md b/README.md
index f8374dc..fa3769c 100644
--- a/README.md
+++ b/README.md
@@ -55,19 +55,11 @@ make docker-buildx
 # load the image into kind
 make kind-load-image
 
-# Choose one of the following ways to deploy the external data provider:
-
-# 1. client and server auth enabled (recommended)
-helm install attest-provider charts/external-data-provider \
+# deploy attest provider
+helm install attest-provider charts/attest-provider \
 --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
+ --set image="docker/attest-provider:dev" \
 --namespace "${NAMESPACE:-gatekeeper-system}"
-
-# 2. client auth disabled and server auth enabled
-helm install attest-provider charts/external-data-provider \
- --set clientCAFile="" \
- --set provider.tls.caBundle="$(cat certs/ca.crt | base64 | tr -d '\n\r')" \
- --namespace "${NAMESPACE:-gatekeeper-system}" \
- --create-namespace
 ```
 
 4. Install constraint template and constraint.
diff --git a/charts/attest-provider/templates/attest-provider-deployment.yaml b/charts/attest-provider/templates/attest-provider-deployment.yaml
index cc6372e..326752e 100644
--- a/charts/attest-provider/templates/attest-provider-deployment.yaml
+++ b/charts/attest-provider/templates/attest-provider-deployment.yaml
@@ -68,6 +68,11 @@ spec:
 mountPath: {{ .Values.certDir }}
 readOnly: true
 {{- end }}
+ readinessProbe:
+ httpGet:
+ path: /ready
+ port: {{ .Values.port }}
+ scheme: HTTPS
 restartPolicy: Always
 nodeSelector:
 kubernetes.io/os: linux
diff --git a/main.go b/main.go
index 2d13c5f..798ad22 100644
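Review bot: This probe is an HTTPS GET issued by the kubelet, which presents no client certificate, so it can only succeed on a listener that accepts anonymous TLS peers — that is what the second main.go hunk of this patch arranges by replacing `tls.RequireAndVerifyClientCert` with `tls.VerifyClientCertIfGiven`, a side effect the chart change does not mention. The `/ready` handler added in pkg/handler/ready.go answers 200 unconditionally, so the probe conveys little more than "the port accepts connections", which a `tcpSocket` probe reports without touching client authentication: `readinessProbe:` / `tcpSocket:` / `port: {{ .Values.port }}`. If the `httpGet` form is kept, none of `timeoutSeconds`, `periodSeconds` or `failureThreshold` are set, so kubelet defaults (1s timeout, 10s period, 3 failures) apply; a cold TLS handshake close to the 1s timeout would presumably make the probe flap, so consider setting `timeoutSeconds` explicitly.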
--- a/main.go
+++ b/main.go
@@ -101,8 +101,15 @@ func main() {
 os.Exit(1)
 }
 
+ readyHandler, err := handler.NewReadyHandler()
+ if err != nil {
+ klog.ErrorS(err, "unable to create ready handler")
+ os.Exit(1)
+ }
+
 mux.Handle("POST /validate", http.TimeoutHandler(validateHandler, handlerTimeout, timeoutError))
 mux.Handle("POST /mutate", http.TimeoutHandler(mutateHandler, handlerTimeout, timeoutError))
+ mux.Handle("GET /ready", readyHandler)
 
 server := &http.Server{
 Addr: fmt.Sprintf(":%d", port),
@@ -125,7 +132,7 @@ func main() {
 clientCAs.AppendCertsFromPEM(caCert)
 config.ClientCAs = clientCAs
- config.ClientAuth = tls.RequireAndVerifyClientCert
+ config.ClientAuth = tls.VerifyClientCertIfGiven
 server.TLSConfig = config
 }
diff --git a/pkg/handler/ready.go b/pkg/handler/ready.go
new file mode 100644
index 0000000..b711b57
--- /dev/null
+++ b/pkg/handler/ready.go
@@ -0,0 +1,16 @@
+package handler
+
+import (
+ "net/http"
+)
+
+type readyHandler struct{}
+
+// NewReadyHandler returns a readiness probe handler.
+func NewReadyHandler() (http.Handler, error) {
+ return &readyHandler{}, nil
+}
+
+func (h *readyHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request) {
+ w.WriteHeader(http.StatusOK)
+}

From 44a8819a5be5196a0004af7b0501de33d8f7a99b Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Thu, 25 Jul 2024 09:27:18 -0500
Subject: [PATCH 2/2] refactor: inline ready handler

---
 main.go | 10 +++-------
 pkg/handler/ready.go | 16 ----------------
 2 files changed, 3 insertions(+), 23 deletions(-)
 delete mode 100644 pkg/handler/ready.go

diff --git a/main.go b/main.go
index 798ad22..d399f55 100644
--- a/main.go
+++ b/main.go
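Review bot: Changing `config.ClientAuth` from `tls.RequireAndVerifyClientCert` to `tls.VerifyClientCertIfGiven` in the second main.go hunk relaxes client authentication for the whole listener, not only for `/ready`: a peer that presents no certificate now completes the handshake and reaches `POST /validate` and `POST /mutate` as well, and nothing in this series adds a check on `r.TLS.PeerCertificates` in those handlers. The commit message describes only the readiness probe, so this authentication change should at least be called out in it. If the probe has to remain an HTTPS GET on this port, gate the webhook routes on a presented certificate with a wrapper such as the one below, applied where the routes are registered in the first hunk (`mux.Handle("POST /validate", requireClientCert(http.TimeoutHandler(validateHandler, handlerTimeout, timeoutError)))`); whether the wrapper must be skipped when no client CA file is configured depends on code outside the hunk. Otherwise serve `/ready` from a second `http.Server` without client auth and keep `tls.RequireAndVerifyClientCert` here. The enclosing `func main` continues outside both hunks.
```go
// requireClientCert refuses requests whose TLS session carries no client
// certificate. With tls.VerifyClientCertIfGiven a completed handshake alone
// no longer proves the peer authenticated, so the check has to live here;
// a certificate that was presented has already been verified against ClientCAs.
func requireClientCert(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil || len(r.TLS.PeerCertificates) == 0 {
			http.Error(w, "client certificate required", http.StatusUnauthorized)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```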
@@ -101,15 +101,11 @@ func main() {
 os.Exit(1)
 }
 
- readyHandler, err := handler.NewReadyHandler()
- if err != nil {
- klog.ErrorS(err, "unable to create ready handler")
- os.Exit(1)
- }
-
 mux.Handle("POST /validate", http.TimeoutHandler(validateHandler, handlerTimeout, timeoutError))
 mux.Handle("POST /mutate", http.TimeoutHandler(mutateHandler, handlerTimeout, timeoutError))
- mux.Handle("GET /ready", readyHandler)
+ mux.Handle("GET /ready", http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
+ w.WriteHeader(http.StatusOK)
+ }))
 
 server := &http.Server{
 Addr: fmt.Sprintf(":%d", port),
diff --git a/pkg/handler/ready.go b/pkg/handler/ready.go
deleted file mode 100644
index b711b57..0000000
--- a/pkg/handler/ready.go
+++ /dev/null
@@ -1,16 +0,0 @@
-package handler
-
-import (
- "net/http"
-)
-
-type readyHandler struct{}
-
-// NewReadyHandler returns a readiness probe handler.
-func NewReadyHandler() (http.Handler, error) {
- return &readyHandler{}, nil
-}
-
-func (h *readyHandler) ServeHTTP(w http.ResponseWriter, _ *http.Request) {
- w.WriteHeader(http.StatusOK)
-}
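Review bot: The inlined handler returns 200 for every request, so `/ready` declares the process ready as soon as the listener serves, independent of any other state; that is a defensible definition for a stateless webhook, but it should be stated so nobody later relies on the probe for more, e.g. `// /ready answers 200 unconditionally: readiness here means only that the HTTPS listener is serving requests.` above the `mux.Handle("GET /ready", ...)` line. The sibling `POST` routes are wrapped in `http.TimeoutHandler` while this one is not; for a handler that only writes a status line that is harmless, but a short comment noting the deliberate asymmetry would keep it from reading as an oversight. The enclosing `func main` continues outside the hunk.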