From faeb2b7e7915acc16e8c162fb0c9542547de4472 Mon Sep 17 00:00:00 2001 From: Andreas Auernhammer Date: Wed, 3 Apr 2024 23:13:20 +0200 Subject: [PATCH] use `GenerateKey` as more reliable KMS health-check (#19404) This commit replaces the `KMS.Stat` API call with a `KMS.GenerateKey` call. This approach is more reliable since data key generation also works when the KMS backend is unavailable (temp. offline), but KES has cached the key. Ref: KES offline caching. With this change, it is less likely that MinIO readiness checks fail in cases where the KMS backend is offline. Signed-off-by: Andreas Auernhammer --- cmd/healthcheck-handler.go | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/cmd/healthcheck-handler.go b/cmd/healthcheck-handler.go index 19741228b..16fa92111 100644 --- a/cmd/healthcheck-handler.go +++ b/cmd/healthcheck-handler.go @@ -24,6 +24,7 @@ import ( "time" xhttp "github.com/minio/minio/internal/http" + "github.com/minio/minio/internal/kms" ) const unavailable = "offline" @@ -134,7 +135,7 @@ func ReadinessCheckHandler(w http.ResponseWriter, r *http.Request) { ctx, cancel := context.WithTimeout(r.Context(), time.Minute) defer cancel() - if _, err := GlobalKMS.Stat(ctx); err != nil { + if _, err := GlobalKMS.GenerateKey(ctx, "", kms.Context{"healthcheck": ""}); err != nil { switch r.Method { case http.MethodHead: apiErr := toAPIError(r.Context(), err)
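Review bot: The new probe in ReadinessCheckHandler passes `""` as the key ID and discards the returned data key, and neither choice is explained at the call site. As far as I know an empty ID makes the KMS fall back to its default key, so readiness now presumably also depends on that key being configured and usable, which `Stat` may not have required; a comment such as `// Empty key ID selects the default key; the generated key is discarded, only the error matters.` would make that explicit. Each probe now also performs a real key-generation request, which will show up in KMS audit logs and count against any KMS-side rate limits, so if this branch can be reached by unauthenticated or very frequent callers (the enclosing condition is outside the hunk) it is worth caching the result for a short interval. The `{"healthcheck": ""}` context is a useful marker for filtering these events out of KMS audit logs and deserves a mention in the same comment. The function body starts and ends outside the hunk.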