feat: add optional admin HTTP server on separate port#5191
Open
simonswine wants to merge 2 commits into
Open
Conversation
marcsanmi
reviewed
May 29, 2026
| } | ||
|
|
||
| func (a *API) RegisterReadyHandler(handler http.Handler) { | ||
| a.RegisterRoute("/ready", handler, WithMethod("GET")) |
Contributor
There was a problem hiding this comment.
Was moving /ready onto the admin server intentional, or a side effect of routing everything non-data-plane through registerAdminRoute?
In exclusive mode it's removed from the main port and only served on the admin server (defaults to localhost:4042), so the helm readiness probe on the main service port would 404 and pods would never go Ready.
Contributor
Author
There was a problem hiding this comment.
Yes that was intentional as readiness error messages might return errors not to be seen for the public, there needs to be helm changes for metrics/profile collection anyhow in exclusive mode, so that is totally fine.
Adds an optional secondary HTTP server that exposes operational endpoints (metrics, pprof, admin/ops, rings, config) on a separate port, so they can be firewalled independently from the public-facing API port. Flags: -admin-server.mode disabled|additional|exclusive (default: disabled) -admin-server.http-listen-address (default: localhost) -admin-server.http-listen-port (default: 4042) Modes: - disabled: no change, all routes on main port (backward compatible) - additional: admin server starts, operational routes served on both ports - exclusive: admin server starts, operational routes removed from main port Routes moved to admin server: - /metrics, /debug/pprof (exclusive mode only) - /admin index page, /ready, /runtime_config - /api (grpc-gateway: status/config/buildinfo) - /debug/fgprof - All ring pages (/ring, /distributor/ring, /store-gateway/ring, etc.) - /memberlist, /overrides-exporter/ring, /compactor/ring - /ops/object-store/* (admin ops) - /metastore-nodes, /metastore-client-test - /ring-segment-writer - /query-diagnostics/* The main server /admin page retains swagger and UI links. The admin server /admin page shows operational links only. Static assets (/static/, /assets/) are served on both servers so CSS/JS works for query-diagnostics pages on the admin port. Uses a plain net/http server (not dskit) wrapped as a dskit IdleService for lifecycle management, with a gorilla mux router for correct path parameter handling.
simonswine
force-pushed
the
cw/admin-server
branch
from
ce3365c to
bd4d101
Compare
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds an optional secondary HTTP server (-admin-server.mode=disabled|additional|exclusive) that exposes operational endpoints (metrics, pprof, rings, config, admin/ops) on a dedicated port (default localhost:4042), so they can be firewalled independently from the public API port.
This is step one and a couple of extra things needs adressing: