From 6dcbd1432e87a355bb903ed2341553295c3f8a1f Mon Sep 17 00:00:00 2001
From: Jannik Straube
Date: Tue, 7 Apr 2026 20:33:40 +0200
Subject: [PATCH] Exempt /liveness and /readiness from auth
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Kubernetes liveness and readiness probes can't carry Bearer tokens or API keys, so authenticating them gates the router's own readiness on having a valid token, which is a chicken-and-egg problem when JWT verification is enabled: /readiness -> 401 -> probe fails -> pod NotReady -> service has no ready endpoints -> platform's find_router_url returns None -> the orchestrator bypasses the router entirely -> no per-run metrics The endpoints expose no sensitive data — just 'process is alive' and 'at least one worker is ready' — so it's safe to leave them open. User-facing /health and /health_generate keep auth.
---
 src/server.rs | 19 +++++++------------
 1 file changed, 7 insertions(+), 12 deletions(-)
diff --git a/src/server.rs b/src/server.rs
index 60612475..3c5250b2 100644
--- a/src/server.rs
+++ b/src/server.rs
@@ -189,21 +189,16 @@ async fn transparent_proxy_handler(State(state): State>, req: Requ
 }
 // Health check endpoints
-async fn liveness(State(state): State>, req: Request) -> Response {
- let headers = req.headers().clone();
- if let Err(response) = authorize_request(&state, &headers).await {
- return response;
- }
-
+//
+// /liveness and /readiness are intentionally unauthenticated so kube
+// probes (which can't carry Bearer tokens) keep working when JWT or
+// API-key auth is enabled. They expose no sensitive information — just
+// "the router process is alive" / "at least one worker is ready".
+async fn liveness(State(state): State>, _req: Request) -> Response {
 state.router.liveness()
 }
-async fn readiness(State(state): State>, req: Request) -> Response {
- let headers = req.headers().clone();
- if let Err(response) = authorize_request(&state, &headers).await {
- return response;
- }
-
+async fn readiness(State(state): State>, _req: Request) -> Response {
 state.router.readiness()
 }
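Review bot: The new comment's claim that these handlers expose nothing sensitive rests on what `state.router.liveness()` and `state.router.readiness()` put in their responses, and those implementations are outside this hunk. Now that both handlers answer without credentials, it is worth confirming that the readiness body carries only a status, not worker URLs, counts or error text, and stating that contract next to the handlers, e.g. `// Response bodies must stay status-only: no worker URLs or error detail.` The `_req: Request` parameter is no longer read in either handler, so it can likely be dropped from both signatures rather than underscored. A regression test asserting that `/health` and `/health_generate` still reject unauthenticated requests would keep this exemption from widening unnoticed.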