* Health API: integrate apiserver readiness into /api/health
The /api/health endpoint is used as the Kubernetes readiness probe for
ST Grafana. Previously it only checked database connectivity, so
Kubernetes would route traffic before the apiserver's boot sequence
completed — causing 503s for aggregated API requests during the brief
window where serviceAvailable=false in proxy handlers.
When the apiserver's clientConfigProvider is available, /api/health now
makes an internal call to /readyz via DirectlyServeHTTP. If /readyz
returns non-200 (boot sequence health checks haven't passed), /api/health
returns 503 with "apiserver": "not ready" in the response body.
This eliminates user-facing 503s during pod startup without requiring
changes to deployment manifests (readiness probe stays on /api/health).
Stress test results (mt-tilt, 5 replicas scaling up simultaneously):
- 1240 requests during scale-up, zero 503s
When clientConfigProvider is nil (no apiserver, OSS without aggregation,
or unit tests), the check is skipped — no behavior change.
Companion to grafana-enterprise#11254 which adds the
remote-apiservice-initialization boot sequence health check.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Health API: use timeout for apiserver readiness check
DirectlyServeHTTP blocks until the apiserver is ready. Without a
timeout, the health check would hang during startup (or in tests where
the apiserver hasn't started). Use a 2-second context timeout so the
health check returns "not ready" promptly instead of blocking.
Also check for context timeout explicitly — httptest.NewRecorder
defaults to status 200 if no response is written, which would
incorrectly pass the readiness check on timeout.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* Health API: integrate apiserver readiness into /api/health
The /api/health endpoint is used as the Kubernetes readiness probe for
ST Grafana. Previously it only checked database connectivity, so
Kubernetes would route traffic before the apiserver's boot sequence
completed — causing 503s for aggregated API requests during the brief
window where serviceAvailable=false in proxy handlers.
Add IsReady() to the DirectRestConfigProvider interface. The
eventualRestConfigProvider implements it with a non-blocking select on
the ready channel — returns true immediately once the apiserver has
started, false otherwise.
When the apiserver is not ready, /api/health returns 503 with
"apiserver": "not ready" in the response body. When clientConfigProvider
is nil (no apiserver, or unit tests), the check is skipped.
Stress test results (mt-tilt, 5 replicas scaling up simultaneously):
- 1240 requests during scale-up, zero 503s
Companion to grafana-enterprise#11254 which adds the
remote-apiservice-initialization boot sequence health check.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
* make gofmt
* fix
* regenerate health response with apiserver key
* make gen-apps
* fix
* remaining gen-apps
* lint
* gofmt
* trigger build
* fix
* fix
* fix
* lint frontend
---------
Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
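An added example, not code from this commit or from Grafana, illustrating two points from the messages above: a non-blocking IsReady() built on a ready channel, and why a timeout-bounded internal probe must check the context explicitly, because httptest.NewRecorder reports 200 when nothing is written. The names readyGate, serveWhenReady and probe are hypothetical.

```go
package main

import (
	"context"
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

type readyGate struct{ ready chan struct{} } // hypothetical; closed once started

// IsReady never blocks; it reports true only after ready has been closed.
func (g *readyGate) IsReady() bool {
	select {
	case <-g.ready:
		return true
	default:
		return false
	}
}

// serveWhenReady blocks until ready and writes nothing if the context expires.
func (g *readyGate) serveWhenReady(w http.ResponseWriter, r *http.Request) {
	select {
	case <-g.ready:
		w.WriteHeader(http.StatusOK)
	case <-r.Context().Done():
	}
}

// probe returns the raw recorder status and the status a health check reports.
func probe(g *readyGate, timeout time.Duration) (recorded, reported int) {
	ctx, cancel := context.WithTimeout(context.Background(), timeout)
	defer cancel()
	rec := httptest.NewRecorder() // rec.Code stays 200 if nothing is written
	req := httptest.NewRequest(http.MethodGet, "/readyz", nil).WithContext(ctx)
	g.serveWhenReady(rec, req)
	if ctx.Err() != nil || rec.Code != http.StatusOK {
		return rec.Code, http.StatusServiceUnavailable // fail closed
	}
	return rec.Code, http.StatusOK
}

func main() {
	g := &readyGate{ready: make(chan struct{})}
	fmt.Println(g.IsReady(), fmt.Sprint(probe(g, 50*time.Millisecond)))
	close(g.ready)
	fmt.Println(g.IsReady(), fmt.Sprint(probe(g, 50*time.Millisecond)))
}
```

Before the channel is closed the recorder still shows 200 while the probe reports 503; trusting the recorder alone would mark an unstarted server as ready.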
* replace usage of folder guardians with access control evaluators
* remove NewByFolderUID guardian
* bring up to date
* fix test
* more test fixes, and don't fetch the folder before evaluating lib element access
* change what error is returned
* fix alerting test
* try to fix linter errors
* replace the use of newByFolder guardian with direct access control evaluator checks
* remove newByFolder guardian
* remove unintentional changes
* remove unintentional changes
* undo unwanted change
* Unistore: Declare a new storage to set default folder permissions
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Remove the setting of default permissions from folder legacy storage
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Disable setting of folder permissions when Api Server is enabled
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Reverts grafana/grafana#100019
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Add unit test
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* check error on unit test
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Add unit test
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Remove unused fields
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Add unit tests for folder_storage
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Remove duplicated import
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Fix unit test
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
---------
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Handle both user and service accounts when resolving identity name for dashboards and folders
Co-authored-by: Misi <mgyongyosi@users.noreply.github.com>
* Implement k8s count handler
* Fix endpoint
* Fix type conversions
* Add tests for foldercounts
* Add more tests
* Only use sql-fallback if no values in unistore
* Update gomod
* Fix test
* Update pkg/api/folder_test.go
Co-authored-by: Bruno Abrantes <bruno.abrantes@grafana.com>
* Go.mod
---------
Co-authored-by: Bruno Abrantes <bruno.abrantes@grafana.com>
* Add route for update folders via apiserver
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
---------
Signed-off-by: Maicon Costa <maiconscosta@gmail.com>
* Enable getting folders with kubernetes client
* Add TestIntegrationFolderGetPermissions
* Set full path as part of legacy get
* Replace implementation for setting fullpath
* Add folder get test
* Escape forward slash in parent titles
* Replace test for access control metadata
* Add test case to TestIntegrationFolderGetPermissions
* Improve fetching of access control
Adds more spans for timing in accesscontrol and remove permission deduplicating code after benchmarking
---------
Signed-off-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Dave Henderson <dave.henderson@grafana.com>
Co-authored-by: Ieva <ieva.vasiljeva@grafana.com>
* Chore: Remove FolderID from DTO Folder
* chore: add OrgID field to an instance of SaveDashboardCommand
* chore: add another OrgID to pair with the FolderUID:
* chore: add OrgId to Folder struct and expectedParentOrgIDs to testCase struct, unsure if last part is necessary
* Fix folder test, add expected orgID
* chore: regen specs
---------
Co-authored-by: Ida Furjesova <ida.furjesova@grafana.com>
* remove metadata for single folder listing
* extendTests
* remove ac metadata from dash and folder search results
* remove test
* remove one more test
* put ac metadata back for single folder API responses
* extend tests
* remove ac metadata from folder frontend object
* undo unneeded change
* PR feedback
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
---------
Co-authored-by: Gabriel MABILLE <gamab@users.noreply.github.com>
* Nested Folders: Fix move response
Fix JSON tags to be consistent with the GET endpoint
* Add API test for moving to root folder
* Allow move to root folder
* Fix failure message
* Update OpenAPI specification
* protect moving folders to a subfolder and creating folders in a subfolder
* folder update endpoint isn't used for folder parent update
* lint
* move permission check logic to services, fix tests
* linting
* add nested folder scope inheritance to managed permission services
* add a more specific error
* remove circular dependencies
* use errutil for returning error
* fix tests
* fix tests
* define a new error in ac package