Hello! Would you help me understand how the readiness check works? The docs say "This endpoint returns a HTTP 200 status code when Ory Oathkeeper is up running and the environment dependencies (e.g. the database) are responsive as well." However, Oathkeeper doesn't need a database. What dependencies does it check then? Where can I find the ReadyCheckers? I'm asking because this check constantly fails in my setup, even though oathkeeper is operative.

[oathkeeper] {"audience":"application","error":{"message":"The requested resource could not be found"},"http_request":{"headers":{"accept-encoding":"gzip","user-agent":"Go-http-client/2.0"},"host":"oathkeeper.test-tls.svc.cluster.local:4456","method":"GET","path":"/health/ready","query":null,"remote":"172.31.6.205:9927","scheme":"https"},"http_response":{"status_code":503},"level":"error","msg":"An error occurred while handling a request","service_name":"ORY Oathkeeper","service_version":"v0.40.6","time":"2024-01-09T14:55:46.544664509Z"}

are you sure you're not getting a tls handshake error? I would bet money that's what you're getting. since 503 is the standard error for tls handshake failure.

That could be right as there is no tls in the above setup. However, even with tls in place I'm getting 500 instead:

# curl <https://oathkeeper.test.svc.cluster.local:4456/health/alive>
{"status":"ok"}
# curl <https://oathkeeper.test.svc.cluster.local:4456/health/ready>
{"error":{"code":500,"status":"Internal Server Error","message":"The requested resource could not be found"}}

try:

curl --insecure ...

--insecure

gives the same output. I tried both with and without tls. When oathkeeper listens on tls, I get 500 rather than 503 response.

try port 4455? you're right - I forgot about that.

It resolves the host but gets stuck trying to connect. Aren't the health checks available only on api port?

show me the curl you ran with

http

instead of

https

Or just run this:

curl <http://oathkeeper.test.svc.cluster.local:4456/health/ready>

# curl <http://oathkeeper.test.svc.cluster.local:4456/health/ready>
{"error":{"code":500,"status":"Internal Server Error","message":"The requested resource could not be found"}}

[oathkeeper] {"audience":"application","error":{"message":"The requested resource could not be found"},"http_request":{"headers":{"accept-encoding":"gzip","user-agent":"Go-http-client/1.1"},"host":"localhost:4456","method":"GET","path":"/health/ready","query":null,"remote":"[::1]:33966","scheme":"http"},"http_response":{"status_code":503},"level":"error","msg":"An error occurred while handling a request","service_name":"ORY Oathkeeper","service_version":"v0.40.6","time":"2024-01-10T09:15:32.165277395Z"}

Interesting. Curl returns 500 but the container logs show 503.