From c7abc5ad0ce9eaa0594529e54445b0594d601464 Mon Sep 17 00:00:00 2001 From: Flavio Castelli Date: Wed, 5 Mar 2025 10:13:09 +0100 Subject: [PATCH] fix: change default readiness probe port The default value used by by readiness probe http server must be different from the one used to expose the validation endpoints. Having the same port causes the process to fail because two webservers are trying to bind to the same port. Port 3000 is still used by default to expose the actual validation endpoints, while port 8081 is used to expose the readiness probe endpoint. By default the Policy Server does not enforce TLS on its main port, because of that using a default value of 8443 instead of 3000 would lead to some confusion (assuming https has to be used instead of http). To be honest, this is not relevant for the Kubewarden stack, since the kubewarden-controller has always been tuning the PolicyServer deployment to use port 8443. This is more useful for developers and for users that run Policy Server outside of Kubernetes. Fixes https://github.com/kubewarden/policy-server/issues/1117 Signed-off-by: Flavio Castelli
---
 Dockerfile | 5 +++++ cli-docs.md | 2 +- src/cli.rs | 2 +- 3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 8857a8fe..46626d53 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -50,5 +50,10 @@ COPY --from=cfg /etc/passwd /etc/passwd
 COPY --from=cfg /etc/group /etc/group
 COPY ./Cargo.lock /Cargo.lock
 USER 65533:65533
+# Default port, should be used when tls is not enabled
 EXPOSE 3000
+# Readiness probe port, always http
+EXPOSE 8081
+# To be used when tls is enabled
+EXPOSE 8443
 ENTRYPOINT ["/policy-server"]
diff --git a/cli-docs.md b/cli-docs.md
index fe44c467..341f8c64 100644
--- a/cli-docs.md
+++ b/cli-docs.md
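Review bot: In the Dockerfile hunk, the comment above `EXPOSE 8443` reads as if the server moves to that port once TLS is enabled, but the commit message says 3000 remains the built-in default and 8443 is only what kubewarden-controller configures explicitly. I would reword it to something like `# Conventional TLS port; not a built-in default, the listening port must be set explicitly`. The comment above `EXPOSE 3000` could likewise say that this port serves the validation endpoints in plain HTTP unless TLS is configured. Someone running the image outside Kubernetes could otherwise publish 8443 and find nothing listening, or assume that traffic on 3000 is encrypted.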
@@ -64,7 +64,7 @@ This document contains the help content for the `policy-server` command-line pro
 Default value: `3000`
 * `--readiness-probe-port ` — Expose readiness endpoint on READINESS_PROBE_PORT
- Default value: `3000`
+ Default value: `8081`
 * `--sigstore-cache-dir ` — Directory used to cache sigstore data
 Default value: `sigstore-data`
diff --git a/src/cli.rs b/src/cli.rs
index 10af68ab..8df6cb52 100644
--- a/src/cli.rs
+++ b/src/cli.rs
@@ -71,7 +71,7 @@ pub(crate) fn build_cli() -> Command {
 Arg::new("readiness-probe-port")
 .long("readiness-probe-port")
 .value_name("READINESS_PROBE_PORT")
- .default_value("3000")
+ .default_value("8081")
 .env("KUBEWARDEN_READINESS_PROBE_PORT")
 .help("Expose readiness endpoint on READINESS_PROBE_PORT"),
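Review bot: Changing the value on `.default_value("8081")` removes the port collision only for the defaults. Nothing visible in this hunk stops a user or a deployment manifest from setting the readiness probe port and the main listening port to the same value again, which per the commit message makes the process fail when the second web server binds. If that check does not already exist outside this hunk, equal ports should be rejected at start-up with an explicit configuration error instead of surfacing as a bind failure. The help string could carry the constraint too, e.g. `.help("Expose readiness endpoint on READINESS_PROBE_PORT (plain HTTP; must differ from the main listening port)")`. `build_cli` begins and ends outside the hunk.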