fix(infra): correct sparql-proxy and valkey healthchecks

caviri · caviri · commit a140a2edd6c1 · 2026-06-04T14:33:12.000+02:00
- sparql-proxy: add a public /healthz route to the Caddyfile and point the
  Docker healthcheck at it. The SPARQL surface (/ , /query, /update, /store)
  is auth-gated, so the old healthcheck on `/` got 401 and reported the
  healthy proxy as unhealthy. /healthz exposes no data — just liveness.
- valkey: require SORTINGHAT_REDIS_PASSWORD (matching SortingHat's auth) and
  pass it in the healthcheck — without it the worker's AUTH was rejected, it
  crash-looped, and Mordred's identities/enrichment phase stalled.
diff --git a/infra/open-pulse-stack/docker-compose.grimoirelab.yml b/infra/open-pulse-stack/docker-compose.grimoirelab.yml
@@ -18,10 +18,17 @@ services:
   valkey:
     image: valkey/valkey:8
     restart: unless-stopped
+    # SortingHat (server + worker) authenticate with SORTINGHAT_REDIS_PASSWORD,
+    # so Valkey must require that same password — otherwise the worker's AUTH is
+    # rejected ("AUTH called without any password configured"), it crash-loops,
+    # and Mordred's identities/enrichment phase stalls.
+    command: ["valkey-server", "--requirepass", "${SORTINGHAT_REDIS_PASSWORD:-replace-me}"]
     expose:
       - "6379"
     healthcheck:
-      test: ["CMD", "valkey-cli", "--raw", "incr", "ping"]
+      # Must authenticate now that requirepass is set, else the healthcheck fails
+      # and sortinghat_worker's `depends_on: service_healthy` never releases.
+      test: ["CMD", "valkey-cli", "-a", "${SORTINGHAT_REDIS_PASSWORD:-replace-me}", "--no-auth-warning", "--raw", "incr", "ping"]
       retries: 5
     volumes:
       - ${GRIMOIRE_DATA_DIR:-${OPEN_PULSE_DATA_DIR:-./data}/grimoirelab}/valkey:/data
diff --git a/infra/open-pulse-stack/docker-compose.yml b/infra/open-pulse-stack/docker-compose.yml
@@ -341,7 +341,9 @@ services:
       - ${OPEN_PULSE_DATA_DIR:-./data}/sparql-proxy/data:/data
       - ${OPEN_PULSE_DATA_DIR:-./data}/sparql-proxy/config:/config
     healthcheck:
-      test: ["CMD-SHELL", "wget -q --spider http://localhost:7878/ || exit 1"]
+      # Probe the public /healthz route (Caddyfile) — the SPARQL surface on
+      # `/` stays auth-gated, so hitting `/` here would 401 and false-fail.
+      test: ["CMD-SHELL", "wget -q --spider http://localhost:7878/healthz || exit 1"]
       interval: 15s
       timeout: 5s
       retries: 5
diff --git a/infra/services/sparql-proxy/Caddyfile b/infra/services/sparql-proxy/Caddyfile
@@ -21,6 +21,15 @@
 }
 
 :7878 {
+	# ── Liveness probe ────────────────────────────────────────────────
+	# Public (no auth, no data): just confirms Caddy is up. Lets Docker's
+	# healthcheck succeed without exposing the auth-gated SPARQL surface.
+	# Matched by its own `handle` so it terminates before the read-auth /
+	# reverse-proxy directives below.
+	handle /healthz {
+		respond "ok" 200
+	}
+
 	# ── Static dashboard UI ───────────────────────────────────────────
 	# Single-page BYOK dashboard for talking to Open Pulse services.
 	# Mounted from infra/services/sparql-proxy/projects-ui in the host.
