From 92591117a770ecce8d0b63b528030b4e166ae48a Mon Sep 17 00:00:00 2001
From: Jannik Hollenbach
Date: Wed, 20 Aug 2025 10:53:34 +0200
Subject: [PATCH] Make the healthchecks for the controller manager configurable via helm values. Closes #2265
Signed-off-by: Jannik Hollenbach
---
 operator/README.md | 3 +++
 operator/docs/README.ArtifactHub.md | 3 +++
 operator/templates/manager/manager.yaml | 12 ++----------
 operator/values.yaml | 17 +++++++++++++++++
 4 files changed, 25 insertions(+), 10 deletions(-)
diff --git a/operator/README.md b/operator/README.md
index 3a061a4a96..4313f12fd0 100644
--- a/operator/README.md
+++ b/operator/README.md
@@ -100,6 +100,9 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
 | nodeSelector | object | `{}` | |
 | podSecurityContext | object | `{}` | Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container |
 | presignedUrlExpirationTimes | object | `{"hooks":"1h","parsers":"1h","scanners":"12h"}` | Duration how long presigned urls are valid |
+| probes | object | `{"liveness":{"httpGet":{"path":"/healthz","port":"healthchecks"},"initialDelaySeconds":15,"periodSeconds":20},"readiness":{"httpGet":{"path":"/readyz","port":"healthchecks"},"initialDelaySeconds":5,"periodSeconds":10}}` | Health and liveness probe configuration for the controller manager |
+| probes.liveness | object | `{"httpGet":{"path":"/healthz","port":"healthchecks"},"initialDelaySeconds":15,"periodSeconds":20}` | Liveness probe configuration |
+| probes.readiness | object | `{"httpGet":{"path":"/readyz","port":"healthchecks"},"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | resources | object | `{"limits":{"cpu":"100m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
 | s3.authType | string | `"access-secret-key"` | Authentication method. Supports access-secret-key (used by most s3 endpoint) and aws-irsa (Used by AWS EKS IAM Role to Kubenetes Service Account Binding. Support for AWS IRSA is considered experimental in the secureCodeBox) |
 | s3.awsStsEndpoint | string | `"https://sts.amazonaws.com"` | STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-irsa" |
diff --git a/operator/docs/README.ArtifactHub.md b/operator/docs/README.ArtifactHub.md
index de2ad9579c..7dd4788cef 100644
--- a/operator/docs/README.ArtifactHub.md
+++ b/operator/docs/README.ArtifactHub.md
@@ -105,6 +105,9 @@ helm install securecodebox-operator oci://ghcr.io/securecodebox/helm/operator
 | nodeSelector | object | `{}` | |
 | podSecurityContext | object | `{}` | Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container |
 | presignedUrlExpirationTimes | object | `{"hooks":"1h","parsers":"1h","scanners":"12h"}` | Duration how long presigned urls are valid |
+| probes | object | `{"liveness":{"httpGet":{"path":"/healthz","port":"healthchecks"},"initialDelaySeconds":15,"periodSeconds":20},"readiness":{"httpGet":{"path":"/readyz","port":"healthchecks"},"initialDelaySeconds":5,"periodSeconds":10}}` | Health and liveness probe configuration for the controller manager |
+| probes.liveness | object | `{"httpGet":{"path":"/healthz","port":"healthchecks"},"initialDelaySeconds":15,"periodSeconds":20}` | Liveness probe configuration |
+| probes.readiness | object | `{"httpGet":{"path":"/readyz","port":"healthchecks"},"initialDelaySeconds":5,"periodSeconds":10}` | Readiness probe configuration |
 | resources | object | `{"limits":{"cpu":"100m","memory":"30Mi"},"requests":{"cpu":"100m","memory":"20Mi"}}` | CPU/memory resource requests/limits (see: https://kubernetes.io/docs/tasks/configure-pod-container/assign-memory-resource/, https://kubernetes.io/docs/tasks/configure-pod-container/assign-cpu-resource/) |
 | s3.authType | string | `"access-secret-key"` | Authentication method. Supports access-secret-key (used by most s3 endpoint) and aws-irsa (Used by AWS EKS IAM Role to Kubenetes Service Account Binding. Support for AWS IRSA is considered experimental in the secureCodeBox) |
 | s3.awsStsEndpoint | string | `"https://sts.amazonaws.com"` | STS Endpoint used in AWS IRSA Authentication. Change this to the sts endpoint of your aws region. Only used when s3.authType is set to "aws-irsa" |
diff --git a/operator/templates/manager/manager.yaml b/operator/templates/manager/manager.yaml index f5f90a8382..c53505e148 100644 --- a/operator/templates/manager/manager.yaml +++ b/operator/templates/manager/manager.yaml @@ -52,17 +52,9 @@ spec: - name: healthchecks containerPort: 8081 livenessProbe: - httpGet: - path: /healthz - port: healthchecks - initialDelaySeconds: 15 - periodSeconds: 20 + {{- toYaml .Values.probes.liveness | nindent 12 }} readinessProbe: - httpGet: - path: /readyz - port: healthchecks - initialDelaySeconds: 5 - periodSeconds: 10 + {{- toYaml .Values.probes.readiness | nindent 12 }} env: - name: TELEMETRY_ENABLED value: {{ .Values.telemetryEnabled | quote }} diff --git a/operator/values.yaml b/operator/values.yaml index 1cf1afc909..84fd9097a7 100644 --- a/operator/values.yaml +++ b/operator/values.yaml @@ -59,6 +59,23 @@ securityContext: # -- Sets the securityContext on the operators pod level. See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container podSecurityContext: {} +# -- Health and liveness probe configuration for the controller manager +probes: + # -- Liveness probe configuration + liveness: + httpGet: + path: /healthz + port: healthchecks + initialDelaySeconds: 15 + periodSeconds: 20 + # -- Readiness probe configuration + readiness: + httpGet: + path: /readyz + port: healthchecks + initialDelaySeconds: 5 + periodSeconds: 10 + nodeSelector: {} # -- Configuration for the metrics the operator exports
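Review bot: In operator/templates/manager/manager.yaml the `livenessProbe:` and `readinessProbe:` keys are always emitted and filled with whatever the value holds, so an override such as `probes.liveness: {}` renders an empty probe object that the API server is expected to reject rather than omitting the probe. Guarding each key, e.g. `{{- with .Values.probes.liveness }}` before `livenessProbe:`, `{{- toYaml . | nindent 12 }}` under it and `{{- end }}` after, would let a probe be left out cleanly; the same applies to the readiness lines. Indentation is not recoverable on this page, so whether `nindent 12` matches the depth of the container's fields should be confirmed with a `helm template` render of the defaults and of one overridden value. The container spec continues outside the hunk.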
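Review bot: The comment `# -- Health and liveness probe configuration for the controller manager` on `probes:` in operator/values.yaml leaves out readiness, although the block configures both probes, and the README rows added in this patch carry the same wording. I would write `# -- Liveness and readiness probe configuration for the controller manager`. The comment could also say that Helm merges user overrides into these default maps, so switching a probe to another handler type requires setting `httpGet: null`; otherwise both handlers are rendered and the pod spec is presumably rejected.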