feat(health-check): Next.js health checks #351
Conversation
connordoman
added
chore
|
@connordoman rebase first pls. |
connordoman
force-pushed
the
gh-350-task-nextjs-health-checks
branch
from
cf28c77
to
1263e69
Compare
There was a problem hiding this comment.
I might have overlooked the security risk that this endpoint poses. Without auth, any one can keep triggering connections to services.
This can be solved by auth proxy setup but an easier way would be skipping auth for request coming from localhost. How is this implemented on the nodejs/nextjs side @connordoman ?
Would extracting the header X-Forwarded-For a good option?
|
This PR/issue depends on:
|
It's not fantastic to have direct access to these endpoints without auth, true, but realistically many services have non-authorized access to server health pages (discord for instance) |
Ahh i see. Thanks for the info. I suppose we can just move forward with non-auth, at least for simplicity for now. |
connordoman
force-pushed
the
gh-350-task-nextjs-health-checks
branch
from
4c9acfc
to
c7f687a
Compare
if rate limiting/securing this endpoint isn't part of the scope of this PR, is it ready to go? |
|
I am not sure it's ready tho.
|
|
|
|
Hmm tho I think the application will be set to have limited scope to the S3 bucket. Only read/write bucket content. So not sure if that would work. Our token locally has quite a broad scope. Can u check if there is anything like GetBucket? Or perhaps just blindly write a blob to both buckets. |
why would the application have limited scope? doesn't it have access to our sso token? |
When deployed, the application will receive a JWT that it could exchange for a short-term credentials. This is a feature called IAM role for service account (IRSA) for EKS and ROSA. The role ARN is annotated on the Service Account. For best practice, it should have minimal permissions as possible. I find this article very helpful: https://medium.com/@ankit.wal/the-how-of-iam-roles-for-service-accounts-irsa-on-aws-eks-3d76badb8942 |
|
With that being said, a production app cannot use our SSO token. Thus, must reply on this IRSA or other methods. Whatever way, the scope should be minimal as suggested from AWS docs. |
|
There are currently couple scopes that I think needed:
I think that's pretty much it. |
…test s3 availability
Signed-off-by: Paul Unger <44368989+MyStackOverflows@users.noreply.github.com>
|
fingers crossed I didn't goof the merge, link this comment in the future if it turns out I did |
There was a problem hiding this comment.
Very nice!
HTTP/1.1 200 OK
Connection: keep-alive
Date: Tue, 30 Jan 2024 04:07:30 GMT
Keep-Alive: timeout=5
Transfer-Encoding: chunked
content-type: application/json
vary: RSC, Next-Router-State-Tree, Next-Router-Prefetch, Next-Url
{
"data": {
"app_version": "0.1.0-dev",
"database_available": true,
"video_processor_available": true,
"video_storage_available": true
}
}
Welcome to PrivacyPal! 👋
Fixes: #350
Depends on #22
Description of the change:
This change adds endpoints at
/healthand/heath/livenessfor polling the status of the application and its dependencies.Simple connect or list operations are used to assess the status of:
Motivation for the change:
This allows us to coordinate modules of the system and improve up time.
TODO