From 392ffd5a6007ce62bed15535fbc778e639939196 Mon Sep 17 00:00:00 2001 From: Pepe Fagoaga Date: Tue, 14 Apr 2026 18:35:26 +0200 Subject: [PATCH] fix(beat): make it dependant from API service (#10603) Co-authored-by: Josema Camacho --- api/CHANGELOG.md | 5 ++++ api/docker-entrypoint.sh | 1 - api/src/backend/config/guniconf.py | 2 +- .../templates/worker/deployment.yaml | 4 +++ .../templates/worker_beat/deployment.yaml | 4 +++ docker-compose-dev.yml | 27 ++++++++++++------- docker-compose.yml | 23 +++++++++++----- 7 files changed, 48 insertions(+), 18 deletions(-) diff --git a/api/CHANGELOG.md b/api/CHANGELOG.md index 6fd0bd83b5..892cd0cd88 100644 --- a/api/CHANGELOG.md +++ b/api/CHANGELOG.md @@ -8,6 +8,11 @@ All notable changes to the **Prowler API** are documented in this file. - Bump Poetry to `2.3.4` in Dockerfile and pre-commit hooks. Regenerate `api/poetry.lock` [(#10681)](https://github.com/prowler-cloud/prowler/pull/10681) +### 🐞 Fixed + +- Worker-beat race condition on cold start: replaced `sleep 15` with API service healthcheck dependency (Docker Compose) and init containers (Helm), aligned Gunicorn default port to `8080` [(#10603)](https://github.com/prowler-cloud/prowler/pull/10603) +- API container startup crash on Linux due to root-owned bind-mount preventing JWT key generation [(#10646)](https://github.com/prowler-cloud/prowler/pull/10646) + ### 🔐 Security - `pytest` from 8.2.2 to 9.0.3 to fix CVE-2025-71176 [(#10678)](https://github.com/prowler-cloud/prowler/pull/10678) diff --git a/api/docker-entrypoint.sh b/api/docker-entrypoint.sh index a980595af2..fb1e1693b4 100755 --- a/api/docker-entrypoint.sh +++ b/api/docker-entrypoint.sh @@ -56,7 +56,6 @@ start_worker() { start_worker_beat() { echo "Starting the worker-beat..." - sleep 15 poetry run python -m celery -A config.celery beat -l "${DJANGO_LOGGING_LEVEL:-info}" --scheduler django_celery_beat.schedulers:DatabaseScheduler } 
diff --git a/api/src/backend/config/guniconf.py b/api/src/backend/config/guniconf.py index a5b625874b..536fd97abb 100644 --- a/api/src/backend/config/guniconf.py +++ b/api/src/backend/config/guniconf.py @@ -15,7 +15,7 @@ from config.django.production import LOGGING as DJANGO_LOGGERS, DEBUG # noqa: E from config.custom_logging import BackendLogger # noqa: E402 BIND_ADDRESS = env("DJANGO_BIND_ADDRESS", default="127.0.0.1") -PORT = env("DJANGO_PORT", default=8000) +PORT = env("DJANGO_PORT", default=8080) # Server settings bind = f"{BIND_ADDRESS}:{PORT}" diff --git a/contrib/k8s/helm/prowler-app/templates/worker/deployment.yaml b/contrib/k8s/helm/prowler-app/templates/worker/deployment.yaml index 6c11a28f9b..88f034fc96 100644 --- a/contrib/k8s/helm/prowler-app/templates/worker/deployment.yaml +++ b/contrib/k8s/helm/prowler-app/templates/worker/deployment.yaml @@ -34,6 +34,10 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.worker.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: worker {{- with .Values.worker.securityContext }} diff --git a/contrib/k8s/helm/prowler-app/templates/worker_beat/deployment.yaml b/contrib/k8s/helm/prowler-app/templates/worker_beat/deployment.yaml index 749ea946fd..c1ef9ebf0c 100644 --- a/contrib/k8s/helm/prowler-app/templates/worker_beat/deployment.yaml +++ b/contrib/k8s/helm/prowler-app/templates/worker_beat/deployment.yaml @@ -32,6 +32,10 @@ spec: securityContext: {{- toYaml . | nindent 8 }} {{- end }} + {{- with .Values.worker_beat.initContainers }} + initContainers: + {{- toYaml . | nindent 8 }} + {{- end }} containers: - name: worker-beat {{- with .Values.worker_beat.securityContext }} diff --git a/docker-compose-dev.yml b/docker-compose-dev.yml index 554177bc5c..b95945e7cb 100644 --- a/docker-compose-dev.yml +++ b/docker-compose-dev.yml 
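Review bot: The default `8080` on the `PORT = env("DJANGO_PORT", default=8080)` line now lives in two places that must agree, here and in the `${DJANGO_PORT:-8080}` healthchecks this commit adds to both compose files, and nothing at this line says so. A deployment that never set DJANGO_PORT also moves its listener from 8000 to 8080 on upgrade, which any proxy, port mapping or probe still pointing at 8000 will not follow. I would add a comment above the assignment, for example `# Default must match the compose healthcheck port; changed from 8000 in #10603.`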
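Review bot: Nothing in this commit supplies a default for `.Values.worker.initContainers`, and the diffstat lists no values file, so a stock Helm install appears to render no init container at all. With `sleep 15` removed from `start_worker_beat`, that would leave worker-beat on Kubernetes with no wait for the API unless the operator writes one; confirm whether a default is defined elsewhere in the chart. User-supplied entries would also receive only the pod-level `securityContext` rendered just above, not the container-level `.Values.worker.securityContext`, so each init container has to set its own. I would ship a default wait-for-API init container or document the key with a template comment above the `with` block stating both points. The same applies to `.Values.worker_beat.initContainers` in worker_beat/deployment.yaml, and the pod spec continues outside both hunks.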
@@ -1,4 +1,11 @@ services: + api-dev-init: + image: busybox:1.37.0 + volumes: + - ./_data/api:/data + command: ["sh", "-c", "chown -R 1000:1000 /data"] + restart: "no" + api-dev: hostname: "prowler-api" image: prowler-api-dev @@ -21,12 +28,20 @@ services: - ./_data/api:/home/prowler/.config/prowler-api - outputs:/tmp/prowler_api_output depends_on: + api-dev-init: + condition: service_completed_successfully postgres: condition: service_healthy valkey: condition: service_healthy neo4j: condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"] + interval: 10s + timeout: 5s + retries: 12 + start_period: 60s entrypoint: - "/home/prowler/docker-entrypoint.sh" - "dev" @@ -139,11 +154,7 @@ services: - ./api/docker-entrypoint.sh:/home/prowler/docker-entrypoint.sh - outputs:/tmp/prowler_api_output depends_on: - valkey: - condition: service_healthy - postgres: - condition: service_healthy - neo4j: + api-dev: condition: service_healthy ulimits: nofile: @@ -165,11 +176,7 @@ services: - path: ./.env required: false depends_on: - valkey: - condition: service_healthy - postgres: - condition: service_healthy - neo4j: + api-dev: condition: service_healthy ulimits: nofile: diff --git a/docker-compose.yml b/docker-compose.yml index 4112624dc2..5a4514546a 100644 --- a/docker-compose.yml +++ b/docker-compose.yml @@ -5,6 +5,13 @@ # docker compose -f docker-compose-dev.yml up # services: + api-init: + image: busybox:1.37.0 + volumes: + - ./_data/api:/data + command: ["sh", "-c", "chown -R 1000:1000 /data"] + restart: "no" + api: hostname: "prowler-api" image: prowlercloud/prowler-api:${PROWLER_API_VERSION:-stable} 
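Review bot: `api-dev-init` runs busybox as root with the default capability set and network access only to execute `chown -R 1000:1000 /data` on a host bind mount. It should be confined to what chown needs, and the image pinned by digest rather than by the mutable `1.37.0` tag. The 1000:1000 owner is hard-coded and has to match the user inside the API image, which this diff does not show. On the host, the directory that per the changelog holds the generated JWT keys becomes owned by whichever account has UID 1000, so a comment stating that would help. The same applies to `api-init` in docker-compose.yml.

```yaml
  api-dev-init:
    image: busybox:1.37.0@sha256:<DIGEST_PLACEHOLDER>  # pin by digest; fill in the verified value
    # … unchanged: volumes, command, restart …
    network_mode: none
    read_only: true
    cap_drop:
      - ALL
    cap_add:
      - CHOWN
      - DAC_READ_SEARCH  # to traverse directories root does not own; confirm it is needed
    security_opt:
      - no-new-privileges:true
```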
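Review bot: `${DJANGO_PORT:-8080}` in the healthcheck `test` is interpolated by Compose when the file is parsed, from the host shell or the project `.env`, not by the shell inside the container. If the container receives a different DJANGO_PORT, the probe targets the wrong port and `api-dev` never reports healthy, so the worker services that now depend on it never start. Escaping it as `$${DJANGO_PORT:-8080}` lets the CMD-SHELL expand the same value gunicorn reads. The probe also assumes that `wget` exists in the API image and that `/api/v1/` returns a success status without credentials; neither is visible here, so confirm both or point the check at a dedicated unauthenticated health endpoint. The same applies to the `api` healthcheck in docker-compose.yml.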
@@ -17,12 +24,20 @@ services: - ./_data/api:/home/prowler/.config/prowler-api - output:/tmp/prowler_api_output depends_on: + api-init: + condition: service_completed_successfully postgres: condition: service_healthy valkey: condition: service_healthy neo4j: condition: service_healthy + healthcheck: + test: ["CMD-SHELL", "wget -q -O /dev/null http://127.0.0.1:${DJANGO_PORT:-8080}/api/v1/ || exit 1"] + interval: 10s + timeout: 5s + retries: 12 + start_period: 60s entrypoint: - "/home/prowler/docker-entrypoint.sh" - "prod" @@ -114,9 +129,7 @@ services: volumes: - "output:/tmp/prowler_api_output" depends_on: - valkey: - condition: service_healthy - postgres: + api: condition: service_healthy ulimits: nofile: @@ -132,9 +145,7 @@ services: - path: ./.env required: false depends_on: - valkey: - condition: service_healthy - postgres: + api: condition: service_healthy ulimits: nofile: