From a64a7463e10e297d872e8e44d22dc393689ee54a Mon Sep 17 00:00:00 2001
From: Macley <26381427+Macleykun@users.noreply.github.com>
Date: Fri, 30 Jan 2026 22:22:39 +0100
Subject: [PATCH] Add healthcheck by default

---
 Dockerfile       | 6 ++++++
 Dockerfile.amd64 | 6 ++++++
 Dockerfile.arm64 | 6 ++++++
 3 files changed, 18 insertions(+)

diff --git a/Dockerfile b/Dockerfile
index 2cf735ab..612ee11f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -21,6 +21,8 @@ RUN make cloudflared
 
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian13:nonroot
+# Enable metrics for healthcheck
+ENV TUNNEL_METRICS=127.0.0.1:60123
 
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 
@@ -33,6 +35,10 @@ COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cl
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 
+# Check if cloudflared is healthy
+HEALTHCHECK --interval=30s --timeout=30s --retries=3 \
+  CMD cloudflared tunnel --metrics localhost:60123 ready
+
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
diff --git a/Dockerfile.amd64 b/Dockerfile.amd64
index 871d0e24..34a416b9 100644
--- a/Dockerfile.amd64
+++ b/Dockerfile.amd64
@@ -16,6 +16,8 @@ RUN GOOS=linux GOARCH=amd64 make cloudflared
 
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian13:nonroot
+# Enable metrics for healthcheck
+ENV TUNNEL_METRICS=127.0.0.1:60123
 
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 
@@ -28,6 +30,10 @@ COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cl
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 
+# Check if cloudflared is healthy
+HEALTHCHECK --interval=30s --timeout=30s --retries=3 \
+  CMD cloudflared tunnel --metrics localhost:60123 ready
+
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]
diff --git a/Dockerfile.arm64 b/Dockerfile.arm64
index 6dba868c..22ecd59c 100644
--- a/Dockerfile.arm64
+++ b/Dockerfile.arm64
@@ -16,6 +16,8 @@ RUN GOOS=linux GOARCH=arm64 make cloudflared
 
 # use a distroless base image with glibc
 FROM gcr.io/distroless/base-debian13:nonroot-arm64
+# Enable metrics for healthcheck
+ENV TUNNEL_METRICS=127.0.0.1:60123
 
 LABEL org.opencontainers.image.source="https://github.com/cloudflare/cloudflared"
 
@@ -28,6 +30,10 @@ COPY --from=builder --chown=nonroot /go/src/github.com/cloudflare/cloudflared/cl
 # The `nonroot` user maps to `65532`, from: https://github.com/GoogleContainerTools/distroless/blob/main/common/variables.bzl#L18
 USER 65532:65532
 
+# Check if cloudflared is healthy
+HEALTHCHECK --interval=30s --timeout=30s --retries=3 \
+  CMD cloudflared tunnel --metrics localhost:60123 ready
+
 # command / entrypoint of container
 ENTRYPOINT ["cloudflared", "--no-autoupdate"]
 CMD ["version"]