server: allow specifying the healthcheck addresses #1325
Conversation
π WalkthroughWalkthroughIntroduces health-check host configuration: adds public π Recent review detailsConfiguration used: Path: .coderabbit.yml Review profile: CHILL Plan: Pro π Files selected for processing (5)
π§ Files skipped from review as they are similar to previous changes (4)
π Additional comments (2)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
0967888 to
7d59b3f
Compare
|
I can also update |
There was a problem hiding this comment.
Actionable comments posted: 3
Caution
Some comments are outside the diff and canβt be posted inline due to platform limitations.
β οΈ Outside diff range comments (2)
server/src/healthcheck.rs (2)
129-150: LDAPS: fix IPv6 connect and robust SNI for IP addresses
- Connecting via
format!("{address}:{port}")breaks for IPv6. Use tuple form.rustls::ServerName::try_from(address)may not accept IPs as strings. Prefer IpAddr when address is an IP.-#[instrument(skip_all, level = "info", err, fields(address = %address, port = %ldaps_options.port))] +#[instrument(skip_all, level = "info", err, fields(address = %address, port = %ldaps_options.port))] pub async fn check_ldaps(address: &str, ldaps_options: &LdapsOptions) -> Result<()> { @@ - let url = format!("{address}:{}", ldaps_options.port); + // Use tuple for IPv4/IPv6-safe connect @@ - .connect( - rustls::ServerName::try_from(address).context("while parsing the server name")?, - TcpStream::connect(&url) + .connect( + { + if let Ok(ip) = address.parse::<std::net::IpAddr>() { + rustls::ServerName::IpAddress(ip) + } else { + rustls::ServerName::try_from(address) + .context("while parsing the server name")? + } + }, + TcpStream::connect((address, ldaps_options.port)) .await .context("while connecting TCP")?, )
153-159: HTTP health URL fails for IPv6 literals
http://{address}:{port}/healthneeds brackets for IPv6. Build the URL accordingly.-pub async fn check_api(address: &str, port: u16) -> Result<()> { - reqwest::get(format!("http://{address}:{port}/health")) +pub async fn check_api(address: &str, port: u16) -> Result<()> { + let url = if address.parse::<std::net::IpAddr>().map(|ip| ip.is_ipv6()).unwrap_or(false) { + format!("http://[{address}]:{port}/health") + } else { + format!("http://{address}:{port}/health") + }; + reqwest::get(url) .await? .error_for_status()?; info!("Success"); Ok(()) }
π Review details
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
π Files selected for processing (4)
server/src/cli.rs(2 hunks)server/src/configuration.rs(1 hunks)server/src/healthcheck.rs(3 hunks)server/src/main.rs(1 hunks)
π§ Files skipped from review as they are similar to previous changes (1)
- server/src/main.rs
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and canβt be posted inline due to platform limitations.
β οΈ Outside diff range comments (1)
server/src/healthcheck.rs (1)
140-150: ServerName should not use bracketed IPv6.Line 145 constructs
ServerNamefromsafe_addresswhich includes brackets for IPv6 (e.g.,[2001:db8::42]). TLS SNI expects a hostname or raw IP address, not URL-formatted brackets. This likely causes TLS connection failures for IPv6 addresses.Apply this diff:
- let safe_address = get_ipv6_safe_address(address); - let url = format!("{}:{}", safe_address, ldaps_options.port); check_ldap_endpoint( tls_connector .connect( - rustls::ServerName::try_from(safe_address.as_str()) + rustls::ServerName::try_from(address) .context("while parsing the server name")?, - TcpStream::connect(&url) + TcpStream::connect((address, ldaps_options.port)) .await .context("while connecting TCP")?, )This also switches TCP connect to tuple form (per the
check_ldapdiscussion).
β»οΈ Duplicate comments (1)
server/src/healthcheck.rs (1)
73-78: Past review concern still applies: use tuple connect form.The previous review correctly identified that tuple form
TcpStream::connect((address, port))is the idiomatic approach that handles IPv6 without string manipulation. Whileget_ipv6_safe_addressworks for URLs, it's unnecessary for TCP connect.Apply this diff:
pub async fn check_ldap(address: &str, port: u16) -> Result<()> { check_ldap_endpoint( - TcpStream::connect(format!("{}:{}", get_ipv6_safe_address(address), port)).await?, + TcpStream::connect((address, port)).await?, ) .await }
π§Ή Nitpick comments (1)
server/src/healthcheck.rs (1)
170-180: LGTM with minor style note.Logic correctly handles hostnames, IPv4, IPv6, and prevents double-bracketing. The explicit
returnis idiomatic but optional in Rust.Optional: Rust convention prefers implicit return:
fn get_ipv6_safe_address(address: &str) -> String { - return if address + if address .parse::<std::net::IpAddr>() .map(|ip| ip.is_ipv6()) .unwrap_or(false) { format!("[{address}]") } else { address.to_string() - }; + } }
π Review details
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
π Files selected for processing (1)
server/src/healthcheck.rs(3 hunks)
π Additional comments (2)
server/src/healthcheck.rs (2)
158-168: LGTM!HTTP URLs correctly require bracketed IPv6 literals, and
get_ipv6_safe_addresshandles this properly.
182-196: LGTM!Tests cover the essential cases (localhost, IPv4, IPv6) for the helper function.
There was a problem hiding this comment.
Actionable comments posted: 0
Caution
Some comments are outside the diff and canβt be posted inline due to platform limitations.
β οΈ Outside diff range comments (1)
server/src/healthcheck.rs (1)
140-149: Simplify TCP connect and support IPv6 in ServerName
- Use
TcpStream::connect((address, ldaps_options.port))instead ofget_ipv6_url_safe_address+ URL formatting.- Parse
addressasIpAddrand constructServerName::IpAddress(ip)for literals, falling back to DNS names viaServerName::try_from.Example diff:
- let safe_address = get_ipv6_url_safe_address(address); - let url = format!("{}:{}", safe_address, ldaps_options.port); - check_ldap_endpoint( - tls_connector - .connect( - rustls::ServerName::try_from(address) - .context("while parsing the server name")?, - TcpStream::connect(&url) + let server_name = match address.parse::<std::net::IpAddr>() { + Ok(ip) => rustls::ServerName::IpAddress(ip), + Err(_) => rustls::ServerName::try_from(address) + .context("while parsing the server name")?, + }; + check_ldap_endpoint( + tls_connector + .connect( + server_name, + TcpStream::connect((address, ldaps_options.port)) ) .await .context("while connecting TLS")?, ) .await
π§Ή Nitpick comments (2)
server/src/healthcheck.rs (2)
73-78: IPv6 issue resolved; tuple form still preferred for TCP connect.The
get_ipv6_url_safe_addresshelper now correctly wraps IPv6 addresses in brackets, addressing the past review comment's concern. However, the tuple formTcpStream::connect((address, port))remains cleanerβit handles IPv4/IPv6 without needing the helper and is more idiomatic.Apply this diff:
pub async fn check_ldap(address: &str, port: u16) -> Result<()> { - check_ldap_endpoint( - TcpStream::connect(format!("{}:{}", get_ipv6_url_safe_address(address), port)).await?, - ) - .await + check_ldap_endpoint(TcpStream::connect((address, port)).await?).await }
170-180: Consider adding a doc comment.The logic is correct. A brief doc comment would clarify when to use this helper (HTTP URLs, display) versus the tuple form (TCP connections).
Example:
+/// Wraps IPv6 addresses in brackets for URL/display purposes. +/// For TCP connections, prefer the tuple form `(address, port)` instead. fn get_ipv6_url_safe_address(address: &str) -> String {
π Review details
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
π Files selected for processing (1)
server/src/healthcheck.rs(3 hunks)
π Additional comments (2)
server/src/healthcheck.rs (2)
158-168: Correct use of helper for HTTP URLs.The helper function is correctly used hereβHTTP URLs require brackets for IPv6 literals.
182-196: Tests cover key cases.The tests verify localhost, IPv4, and IPv6 handling correctly.
Ah, I just saw your comment. Yes, we want docs there! |
There was a problem hiding this comment.
Actionable comments posted: 1
π Review details
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
π Files selected for processing (3)
lldap_config.docker_template.toml(2 hunks)server/src/configuration.rs(2 hunks)server/src/healthcheck.rs(3 hunks)
π§ Files skipped from review as they are similar to previous changes (1)
- server/src/configuration.rs
π§° Additional context used
π§ Learnings (1)
π Learning: 2025-09-14T13:45:50.460Z
Learnt from: CR
PR: lldap/lldap#0
File: .github/copilot-instructions.md:0-0
Timestamp: 2025-09-14T13:45:50.460Z
Learning: Applies to lldap_config.docker_template.toml : Use lldap_config.docker_template.toml as the reference starting point for new configurations
Applied to files:
lldap_config.docker_template.toml
π Additional comments (6)
lldap_config.docker_template.toml (1)
34-37: LGTM!The HTTP healthcheck documentation is clear and the variable name is correct.
server/src/healthcheck.rs (5)
73-75: LGTM!Tuple form correctly handles both IPv4 and IPv6 addresses.
152-162: LGTM!Correctly uses
get_ipv6_url_safe_addressto wrap IPv6 addresses in brackets for URL construction.
164-174: LGTM!The helper correctly wraps IPv6 addresses in brackets for URLs while leaving hostnames and IPv4 addresses unchanged.
176-190: LGTM!Tests cover localhost, IPv4, and IPv6 cases appropriately.
129-149: Verify IP address support in ServerName conversion.
rustls::ServerName::try_from(address)may reject IPv4/IPv6 literals; either parseaddressasIpAddrand useServerName::IpAddress, or confirm your custom verifier permits IP endpoints.
This change adds two new optional configuration options: - `ldap_healthcheck_host` to pair with `ldap_host` - `http_healthcheck_host` to pair with `http_host` These both default to `localhost` to preserve the existing behavior. Fixes lldap#700
β¦.docker_template.toml`
2696286 to
ee48927
Compare
There was a problem hiding this comment.
Actionable comments posted: 2
π Review details
Configuration used: Path: .coderabbit.yml
Review profile: CHILL
Plan: Pro
π Files selected for processing (5)
lldap_config.docker_template.toml(1 hunks)server/src/cli.rs(4 hunks)server/src/configuration.rs(4 hunks)server/src/healthcheck.rs(3 hunks)server/src/main.rs(1 hunks)
π§ Files skipped from review as they are similar to previous changes (2)
- lldap_config.docker_template.toml
- server/src/configuration.rs
π§° Additional context used
𧬠Code graph analysis (1)
server/src/main.rs (1)
server/src/healthcheck.rs (3)
check_ldap(73-75)check_ldaps(130-149)check_api(152-158)
π Additional comments (2)
server/src/main.rs (1)
258-269: LGTM!The healthcheck calls correctly pass the configured host addresses from
config.healthcheck_options. Timeout and error handling remain unchanged.server/src/healthcheck.rs (1)
73-74: LGTM!The function signatures correctly accept
hostparameters and use them appropriately:
check_ldapandcheck_ldapsuse tuple form(host, port)for TCP connections (handles IPv4/IPv6 correctly)check_ldapsconstructsServerNamefrom the provided hostcheck_apibuilds the health URL with the provided hostAlso applies to: 129-141, 152-153
ee48927 to
fadfac1
Compare
This change adds two new optional configuration options:
ldap_healthcheck_hostto pair withldap_hosthttp_healthcheck_hostto pair withhttp_hostThese new options will allow someone to specify a specific address for
ldap_hostandhttp_hostand still have functional health checks, as health checks were previously hard-coded to check againstlocalhostprior to this change. These new settings default tolocalhostto preserve the existing behavior.Fixes #700