From 21885f94575eb921c4d7fdfe8b3513bda05972c2 Mon Sep 17 00:00:00 2001
From: Harshavardhana <harsha@minio.io>
Date: Mon, 6 Feb 2023 08:55:56 -0800
Subject: [PATCH] fix: liveness/readiness must return errors if KMS is
 unreachable (#16540)

---
 cmd/healthcheck-handler.go | 26 ++++++++++++++++++++++----
 1 file changed, 22 insertions(+), 4 deletions(-)

diff --git a/cmd/healthcheck-handler.go b/cmd/healthcheck-handler.go
index 26e2fbd06..4a9a5c0ec 100644
--- a/cmd/healthcheck-handler.go
+++ b/cmd/healthcheck-handler.go
@@ -21,13 +21,14 @@ import (
 	"context"
 	"net/http"
 	"strconv"
+	"time"
 
 	xhttp "github.com/minio/minio/internal/http"
 )
 
 const unavailable = "offline"
 
-func shouldProxy() bool {
+func isServerInitialized() bool {
 	return newObjectLayerFn() == nil
 }
 
@@ -35,7 +36,7 @@ func shouldProxy() bool {
 func ClusterCheckHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "ClusterCheckHandler")
 
-	if shouldProxy() {
+	if isServerInitialized() {
 		w.Header().Set(xhttp.MinIOServerStatus, unavailable)
 		writeResponse(w, http.StatusServiceUnavailable, nil, mimeNone)
 		return
@@ -73,7 +74,7 @@ func ClusterCheckHandler(w http.ResponseWriter, r *http.Request) {
 func ClusterReadCheckHandler(w http.ResponseWriter, r *http.Request) {
 	ctx := newContext(r, w, "ClusterReadCheckHandler")
 
-	if shouldProxy() {
+	if isServerInitialized() {
 		w.Header().Set(xhttp.MinIOServerStatus, unavailable)
 		writeResponse(w, http.StatusServiceUnavailable, nil, mimeNone)
 		return
@@ -100,11 +101,28 @@ func ReadinessCheckHandler(w http.ResponseWriter, r *http.Request) {
 
 // LivenessCheckHandler - Checks if the process is up. Always returns success.
 func LivenessCheckHandler(w http.ResponseWriter, r *http.Request) {
-	if shouldProxy() {
+	if isServerInitialized() {
 		// Service not initialized yet
 		w.Header().Set(xhttp.MinIOServerStatus, unavailable)
 	}
 
+	// Verify if KMS is reachable if its configured
+	if GlobalKMS != nil {
+		ctx, cancel := context.WithTimeout(r.Context(), time.Minute)
+		defer cancel()
+
+		if _, err := GlobalKMS.Stat(ctx); err != nil {
+			switch r.Method {
+			case http.MethodHead:
+				apiErr := toAPIError(r.Context(), err)
+				writeResponse(w, apiErr.HTTPStatusCode, nil, mimeNone)
+			case http.MethodGet:
+				writeErrorResponse(r.Context(), w, toAPIError(r.Context(), err), r.URL)
+			}
+			return
+		}
+	}
+
 	if globalEtcdClient != nil {
 		// Borrowed from
 		// https://github.com/etcd-io/etcd/blob/main/etcdctl/ctlv3/command/ep_command.go#L118