From 2e3da2bb64aaa2ea13329d6c0f0f7db68117bdde Mon Sep 17 00:00:00 2001
From: Trong Huu Nguyen <trong.huu.nguyen@nav.no>
Date: Mon, 7 Jul 2025 15:35:34 +0200
Subject: [PATCH] feat: add separate health probe listener

This adds an optional health probe listener, mostly for use in rutime
environments where you want separate public and private listeners.

The existing /oauth2/ping endpoint on the main listener is kept for
backwards compatibility.
---
 cmd/wonderwall/main.go | 33 +++++++++++++++++++++++++++------
 docs/configuration.md  |  3 ++-
 pkg/config/config.go   |  5 ++++-
 3 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/cmd/wonderwall/main.go b/cmd/wonderwall/main.go
index 8df9124..87679f5 100644
--- a/cmd/wonderwall/main.go
+++ b/cmd/wonderwall/main.go
@@ -3,6 +3,7 @@ package main
 import (
 	"context"
 	"fmt"
+	"net/http"
 
 	_ "github.com/KimMachineGun/automemlimit"
 	log "github.com/sirupsen/logrus"
@@ -80,12 +81,32 @@ func run() error {
 
 	r := router.New(src, cfg)
 
-	go func() {
-		err := metrics.Handle(cfg.MetricsBindAddress, cfg.OpenID.Provider)
-		if err != nil {
-			log.Fatalf("fatal: metrics server error: %s", err)
-		}
-	}()
+	if cfg.MetricsBindAddress != "" {
+		go func() {
+			log.Infof("metrics: listening on %s", cfg.MetricsBindAddress)
+			err := metrics.Handle(cfg.MetricsBindAddress, cfg.OpenID.Provider)
+			if err != nil {
+				log.Fatalf("fatal: metrics server error: %s", err)
+			}
+		}()
+	}
+
+	if cfg.ProbeBindAddress != "" {
+		go func() {
+			mux := http.NewServeMux()
+			healthz := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+				w.WriteHeader(http.StatusOK)
+				w.Write([]byte("ok"))
+			})
+			mux.HandleFunc("/", healthz)
+			mux.HandleFunc("/healthz", healthz)
+			log.Infof("probe: listening on %s", cfg.ProbeBindAddress)
+			err := http.ListenAndServe(cfg.ProbeBindAddress, mux)
+			if err != nil {
+				log.Fatalf("fatal: probe server error: %s", err)
+			}
+		}()
+	}
 
 	return server.Start(cfg, r)
 }
diff --git a/docs/configuration.md b/docs/configuration.md
index c4b210d..f70be93 100644
--- a/docs/configuration.md
+++ b/docs/configuration.md
@@ -28,7 +28,8 @@ The following flags are available:
 | `ingress`                          | strings  |                      | Comma separated list of ingresses used to access the main application.                                                                                                                                                                                                             |
 | `log-format`                       | string   | `json`               | Log format, either `json` or `text`.                                                                                                                                                                                                                                               |
 | `log-level`                        | string   | `info`               | Logging verbosity level.                                                                                                                                                                                                                                                           |
-| `metrics-bind-address`             | string   | `127.0.0.1:3001`     | Listen address for metrics only.                                                                                                                                                                                                                                                   |
+| `metrics-bind-address`             | string   | `127.0.0.1:3001`     | Listen address for metrics only. Empty disables metrics                                                                                                                                                                                                                            |
+| `probe-bind-address`               | string   |                      | Listen address for health probe. Empty disables health probe.                                                                                                                                                                                                                      |
 | `openid.acr-values`                | string   |                      | Space separated string that configures the default security level (`acr_values`) parameter for authorization requests.                                                                                                                                                             |
 | `openid.audiences`                 | strings  |                      | List of additional trusted audiences (other than the client_id) for OpenID Connect id_token validation.                                                                                                                                                                            |
 | `openid.client-id`                 | string   |                      | Client ID for the OpenID client.                                                                                                                                                                                                                                                   |
diff --git a/pkg/config/config.go b/pkg/config/config.go
index 2fc3bfb..53218e4 100644
--- a/pkg/config/config.go
+++ b/pkg/config/config.go
@@ -21,6 +21,7 @@ type Config struct {
 	LogFormat                string        `json:"log-format"`
 	LogLevel                 string        `json:"log-level"`
 	MetricsBindAddress       string        `json:"metrics-bind-address"`
+	ProbeBindAddress         string        `json:"probe-bind-address"`
 	ShutdownGracefulPeriod   time.Duration `json:"shutdown-graceful-period"`
 	ShutdownWaitBeforePeriod time.Duration `json:"shutdown-wait-before-period"`
 	Version                  string        `json:"version"`
@@ -50,6 +51,7 @@ const (
 	LogFormat                = "log-format"
 	LogLevel                 = "log-level"
 	MetricsBindAddress       = "metrics-bind-address"
+	ProbeBindAddress         = "probe-bind-address"
 	ShutdownGracefulPeriod   = "shutdown-graceful-period"
 	ShutdownWaitBeforePeriod = "shutdown-wait-before-period"
 
@@ -71,7 +73,8 @@ func Initialize() (*Config, error) {
 	flag.String(BindAddress, "127.0.0.1:3000", "Listen address for public connections.")
 	flag.String(LogFormat, "json", "Log format, either 'json' or 'text'.")
 	flag.String(LogLevel, "info", "Logging verbosity level.")
-	flag.String(MetricsBindAddress, "127.0.0.1:3001", "Listen address for metrics only.")
+	flag.String(MetricsBindAddress, "127.0.0.1:3001", "Listen address for metrics only. Empty disables metrics.")
+	flag.String(ProbeBindAddress, "", "Listen address for health probe. Empty disables health probe.")
 	flag.Duration(ShutdownGracefulPeriod, 30*time.Second, "Graceful shutdown period when receiving a shutdown signal after which the server is forcibly exited.")
 	flag.Duration(ShutdownWaitBeforePeriod, 0*time.Second, "Wait period when receiving a shutdown signal before actually starting a graceful shutdown. Useful for allowing propagation of Endpoint updates in Kubernetes.")