zero/connect: add re-run health checks command (#5219)

* zero/connect: add run health checks and shutdown commands

* fix proto

* trigger re-run on command

* add handler

* rename runPeriodicHealthChecksLeased

internal/zero/connect-mux/config.go

@@ -11,6 +11,7 @@ type config struct {
 	onDisconnected           func(ctx context.Context)
 	onBundleUpdated          func(ctx context.Context, key string)
 	onBootstrapConfigUpdated func(ctx context.Context)
+	onRunHealthChecks        func(ctx context.Context)
 	onTelemetryRequested     func(ctx context.Context, req *connect.TelemetryRequest)
 }
 
@@ -45,6 +46,13 @@ func WithOnBootstrapConfigUpdated(onBootstrapConfigUpdated func(context.Context)
 	}
 }
 
+// WithOnRunHealthChecks sets the callback for when health checks are run
+func WithOnRunHealthChecks(onRunHealthChecks func(context.Context)) WatchOption {
+	return func(cfg *config) {
+		cfg.onRunHealthChecks = onRunHealthChecks
+	}
+}
+
 func WithOnTelemetryRequested(onTelemetryRequested func(context.Context, *connect.TelemetryRequest)) WatchOption {
 	return func(cfg *config) {
 		cfg.onTelemetryRequested = onTelemetryRequested
@@ -58,6 +66,7 @@ func newConfig(opts ...WatchOption) *config {
 		WithOnDisconnected(func(_ context.Context) {}),
 		WithOnBundleUpdated(func(_ context.Context, _ string) {}),
 		WithOnBootstrapConfigUpdated(func(_ context.Context) {}),
+		WithOnRunHealthChecks(func(_ context.Context) {}),
 		WithOnTelemetryRequested(func(_ context.Context, _ *connect.TelemetryRequest) {}),
 	} {
 		opt(cfg)

internal/zero/connect-mux/messages.go

@@ -54,6 +54,8 @@ func dispatch(ctx context.Context, cfg *config, msg message) error {
 			cfg.onBootstrapConfigUpdated(ctx)
 		case *connect.Message_TelemetryRequest:
 			cfg.onTelemetryRequested(ctx, msg.Message.GetTelemetryRequest())
+		case *connect.Message_RunHealthChecksRequest:
+			cfg.onRunHealthChecks(ctx)
 		default:
 			log.Ctx(ctx).Debug().Msg("unknown message type, ignored")
 		}

internal/zero/controller/controller.go

@@ -16,6 +16,7 @@ import (
 	sdk "github.com/pomerium/pomerium/internal/zero/api"
 	"github.com/pomerium/pomerium/internal/zero/bootstrap"
 	"github.com/pomerium/pomerium/internal/zero/bootstrap/writers"
+	connect_mux "github.com/pomerium/pomerium/internal/zero/connect-mux"
 	"github.com/pomerium/pomerium/internal/zero/healthcheck"
 	"github.com/pomerium/pomerium/internal/zero/reconciler"
 	"github.com/pomerium/pomerium/internal/zero/telemetry"
@@ -157,7 +158,7 @@ func (c *controller) runZeroControlLoop(ctx context.Context) error {
 			WithLease(
 				c.runReconcilerLeased,
 				c.runSessionAnalyticsLeased,
-				c.runPeriodicHealthChecksLeased,
+				c.runHealthChecksLeased,
 				leaseStatus.MonitorLease,
 			),
 		)
@@ -193,9 +194,17 @@ func (c *controller) runSessionAnalyticsLeased(ctx context.Context, client datab
 	})
 }
 
-func (c *controller) runPeriodicHealthChecksLeased(ctx context.Context, client databroker.DataBrokerServiceClient) error {
+func (c *controller) runHealthChecksLeased(ctx context.Context, client databroker.DataBrokerServiceClient) error {
 	return retry.WithBackoff(ctx, "zero-healthcheck", func(ctx context.Context) error {
-		return healthcheck.RunChecks(ctx, c.bootstrapConfig, client)
+		checker := healthcheck.NewChecker(c.bootstrapConfig, client)
+		eg, ctx := errgroup.WithContext(ctx)
+		eg.Go(func() error { return checker.Run(ctx) })
+		eg.Go(func() error {
+			return c.api.Watch(ctx, connect_mux.WithOnRunHealthChecks(func(_ context.Context) {
+				checker.ForceCheck()
+			}))
+		})
+		return eg.Wait()
 	})
 }
 

internal/zero/controller/mux_log.go

@@ -4,9 +4,11 @@ import (
 	"context"
 
 	"github.com/rs/zerolog"
+	"google.golang.org/protobuf/encoding/protojson"
 
 	"github.com/pomerium/pomerium/internal/log"
 	connect_mux "github.com/pomerium/pomerium/internal/zero/connect-mux"
+	"github.com/pomerium/pomerium/pkg/zero/connect"
 )
 
 func (c *controller) RunConnectLog(ctx context.Context) error {
@@ -25,5 +27,12 @@ func (c *controller) RunConnectLog(ctx context.Context) error {
 		connect_mux.WithOnBundleUpdated(func(_ context.Context, key string) {
 			logger.Debug().Str("key", key).Msg("bundle updated")
 		}),
+		connect_mux.WithOnRunHealthChecks(func(_ context.Context) {
+			logger.Debug().Msg("run health checks")
+		}),
+		connect_mux.WithOnTelemetryRequested(func(_ context.Context, req *connect.TelemetryRequest) {
+			data, _ := protojson.Marshal(req)
+			logger.Debug().RawJSON("request", data).Msg("telemetry requested")
+		}),
 	)
 }

internal/zero/healthcheck/check_routes.go

@@ -26,7 +26,7 @@ import (
 // it resolves the DNS entry and tries to access a pomerium jwks route
 // we should hit ourselves and observe the same public key that we have in our configuration
 // otherwise, something is misconfigured on the DNS level
-func (c *checker) CheckRoutes(ctx context.Context) error {
+func (c *Checker) CheckRoutes(ctx context.Context) error {
 	key, err := getClusterPublicKey(c.bootstrap.GetConfig())
 	if err != nil {
 		health.ReportInternalError(health.RoutesReachable, err)

internal/zero/healthcheck/checks.go

@@ -12,27 +12,37 @@ import (
 	"github.com/pomerium/pomerium/pkg/grpc/databroker"
 )
 
-func RunChecks(
-	ctx context.Context,
+type Checker struct {
+	bootstrap        config.Source
+	databrokerClient databroker.DataBrokerServiceClient
+	forceCheck       chan struct{}
+	configs          atomic.Value
+}
+
+func NewChecker(
 	bootstrap config.Source,
 	databrokerClient databroker.DataBrokerServiceClient,
-) error {
-	c := &checker{
+) *Checker {
+	c := &Checker{
 		bootstrap:        bootstrap,
 		databrokerClient: databrokerClient,
 		forceCheck:       make(chan struct{}, 1),
 	}
+	return c
+}
+
+func (c *Checker) Run(ctx context.Context) error {
 	eg, ctx := errgroup.WithContext(ctx)
 	eg.Go(func() error { c.Scheduler(ctx); return nil })
 	eg.Go(func() error { return c.ConfigSyncer(ctx) })
 	return eg.Wait()
 }
 
-type checker struct {
-	bootstrap        config.Source
-	databrokerClient databroker.DataBrokerServiceClient
-	forceCheck       chan struct{}
-	configs          atomic.Value
+func (c *Checker) ForceCheck() {
+	select {
+	case c.forceCheck <- struct{}{}:
+	default:
+	}
 }
 
 func getConfig(records []*databroker.Record) ([]*configpb.Config, error) {

internal/zero/healthcheck/scheduler.go

@@ -12,7 +12,7 @@ const (
 	runHealthCheckMinInterval  = time.Minute
 )
 
-func (c *checker) Scheduler(ctx context.Context) {
+func (c *Checker) Scheduler(ctx context.Context) {
 	bo := backoff.NewExponentialBackOff()
 	bo.MaxElapsedTime = 0
 	bo.MaxInterval = runHealthChecksMaxInterval

internal/zero/healthcheck/syncer.go

@@ -9,12 +9,12 @@ import (
 	"github.com/pomerium/pomerium/pkg/protoutil"
 )
 
-func (c *checker) ConfigSyncer(ctx context.Context) error {
+func (c *Checker) ConfigSyncer(ctx context.Context) error {
 	syncer := databroker.NewSyncer("zero-health-check", c, databroker.WithTypeURL(protoutil.GetTypeURL(new(configpb.Config))))
 	return syncer.Run(ctx)
 }
 
-func (c *checker) GetConfigs() []*configpb.Config {
+func (c *Checker) GetConfigs() []*configpb.Config {
 	configs := c.configs.Load()
 	if configs == nil {
 		return nil
@@ -23,12 +23,12 @@ func (c *checker) GetConfigs() []*configpb.Config {
 }
 
 // ClearRecords implements databroker.Syncer interface
-func (c *checker) ClearRecords(_ context.Context) {
+func (c *Checker) ClearRecords(_ context.Context) {
 	c.configs.Store([]*configpb.Config{})
 }
 
 // UpdateRecords implements databroker.Syncer interface
-func (c *checker) UpdateRecords(_ context.Context, _ uint64, records []*databroker.Record) {
+func (c *Checker) UpdateRecords(_ context.Context, _ uint64, records []*databroker.Record) {
 	if len(records) == 0 {
 		return
 	}
@@ -39,13 +39,10 @@ func (c *checker) UpdateRecords(_ context.Context, _ uint64, records []*databrok
 		return
 	}
 	c.configs.Store(cfgs)
-	select {
-	case c.forceCheck <- struct{}{}:
-	default:
-	}
+	c.ForceCheck()
 }
 
 // GetDataBrokerServiceClient implements databroker.Syncer interface
-func (c *checker) GetDataBrokerServiceClient() databroker.DataBrokerServiceClient {
+func (c *Checker) GetDataBrokerServiceClient() databroker.DataBrokerServiceClient {
 	return c.databrokerClient
 }

pkg/zero/connect/connect.pb.go

@@ -92,6 +92,7 @@ type Message struct {
 	//	*Message_ConfigUpdated
 	//	*Message_BootstrapConfigUpdated
 	//	*Message_TelemetryRequest
+	//	*Message_RunHealthChecksRequest
 	Message isMessage_Message `protobuf_oneof:"message"`
 }
 
@@ -155,6 +156,13 @@ func (x *Message) GetTelemetryRequest() *TelemetryRequest {
 	return nil
 }
 
+func (x *Message) GetRunHealthChecksRequest() *RunHealthChecksRequest {
+	if x, ok := x.GetMessage().(*Message_RunHealthChecksRequest); ok {
+		return x.RunHealthChecksRequest
+	}
+	return nil
+}
+
 type isMessage_Message interface {
 	isMessage_Message()
 }
@@ -171,12 +179,18 @@ type Message_TelemetryRequest struct {
 	TelemetryRequest *TelemetryRequest `protobuf:"bytes,3,opt,name=telemetry_request,json=telemetryRequest,proto3,oneof"`
 }
 
+type Message_RunHealthChecksRequest struct {
+	RunHealthChecksRequest *RunHealthChecksRequest `protobuf:"bytes,5,opt,name=run_health_checks_request,json=runHealthChecksRequest,proto3,oneof"`
+}
+
 func (*Message_ConfigUpdated) isMessage_Message() {}
 
 func (*Message_BootstrapConfigUpdated) isMessage_Message() {}
 
 func (*Message_TelemetryRequest) isMessage_Message() {}
 
+func (*Message_RunHealthChecksRequest) isMessage_Message() {}
+
 // ConfigUpdated is sent when the configuration has been updated
 // for the connected Pomerium Core deployment
 type ConfigUpdated struct {
@@ -269,6 +283,45 @@ func (*BootstrapConfigUpdated) Descriptor() ([]byte, []int) {
 	return file_connect_proto_rawDescGZIP(), []int{3}
 }
 
+// RunHealthChecksRequest is sent to request the Pomerium Core to re-run its health checks
+type RunHealthChecksRequest struct {
+	state         protoimpl.MessageState
+	sizeCache     protoimpl.SizeCache
+	unknownFields protoimpl.UnknownFields
+}
+
+func (x *RunHealthChecksRequest) Reset() {
+	*x = RunHealthChecksRequest{}
+	if protoimpl.UnsafeEnabled {
+		mi := &file_connect_proto_msgTypes[4]
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		ms.StoreMessageInfo(mi)
+	}
+}
+
+func (x *RunHealthChecksRequest) String() string {
+	return protoimpl.X.MessageStringOf(x)
+}
+
+func (*RunHealthChecksRequest) ProtoMessage() {}
+
+func (x *RunHealthChecksRequest) ProtoReflect() protoreflect.Message {
+	mi := &file_connect_proto_msgTypes[4]
+	if protoimpl.UnsafeEnabled && x != nil {
+		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
+		if ms.LoadMessageInfo() == nil {
+			ms.StoreMessageInfo(mi)
+		}
+		return ms
+	}
+	return mi.MessageOf(x)
+}
+
+// Deprecated: Use RunHealthChecksRequest.ProtoReflect.Descriptor instead.
+func (*RunHealthChecksRequest) Descriptor() ([]byte, []int) {
+	return file_connect_proto_rawDescGZIP(), []int{4}
+}
+
 // TelemetryRequest is sent to request current telemetry data from the Pomerium Core to be sent to the Zero Cloud.
 type TelemetryRequest struct {
 	state         protoimpl.MessageState
@@ -286,7 +339,7 @@ type TelemetryRequest struct {
 func (x *TelemetryRequest) Reset() {
 	*x = TelemetryRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_connect_proto_msgTypes[4]
+		mi := &file_connect_proto_msgTypes[5]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -299,7 +352,7 @@ func (x *TelemetryRequest) String() string {
 func (*TelemetryRequest) ProtoMessage() {}
 
 func (x *TelemetryRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_connect_proto_msgTypes[4]
+	mi := &file_connect_proto_msgTypes[5]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -312,7 +365,7 @@ func (x *TelemetryRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use TelemetryRequest.ProtoReflect.Descriptor instead.
 func (*TelemetryRequest) Descriptor() ([]byte, []int) {
-	return file_connect_proto_rawDescGZIP(), []int{4}
+	return file_connect_proto_rawDescGZIP(), []int{5}
 }
 
 func (x *TelemetryRequest) GetSessionAnalytics() *SessionAnalyticsRequest {
@@ -346,7 +399,7 @@ type SessionAnalyticsRequest struct {
 func (x *SessionAnalyticsRequest) Reset() {
 	*x = SessionAnalyticsRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_connect_proto_msgTypes[5]
+		mi := &file_connect_proto_msgTypes[6]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -359,7 +412,7 @@ func (x *SessionAnalyticsRequest) String() string {
 func (*SessionAnalyticsRequest) ProtoMessage() {}
 
 func (x *SessionAnalyticsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_connect_proto_msgTypes[5]
+	mi := &file_connect_proto_msgTypes[6]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -372,7 +425,7 @@ func (x *SessionAnalyticsRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use SessionAnalyticsRequest.ProtoReflect.Descriptor instead.
 func (*SessionAnalyticsRequest) Descriptor() ([]byte, []int) {
-	return file_connect_proto_rawDescGZIP(), []int{5}
+	return file_connect_proto_rawDescGZIP(), []int{6}
 }
 
 // EnvoyMetricsRequest is used to request current envoy metrics
@@ -390,7 +443,7 @@ type EnvoyMetricsRequest struct {
 func (x *EnvoyMetricsRequest) Reset() {
 	*x = EnvoyMetricsRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_connect_proto_msgTypes[6]
+		mi := &file_connect_proto_msgTypes[7]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -403,7 +456,7 @@ func (x *EnvoyMetricsRequest) String() string {
 func (*EnvoyMetricsRequest) ProtoMessage() {}
 
 func (x *EnvoyMetricsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_connect_proto_msgTypes[6]
+	mi := &file_connect_proto_msgTypes[7]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -416,7 +469,7 @@ func (x *EnvoyMetricsRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use EnvoyMetricsRequest.ProtoReflect.Descriptor instead.
 func (*EnvoyMetricsRequest) Descriptor() ([]byte, []int) {
-	return file_connect_proto_rawDescGZIP(), []int{6}
+	return file_connect_proto_rawDescGZIP(), []int{7}
 }
 
 func (x *EnvoyMetricsRequest) GetMetrics() []string {
@@ -446,7 +499,7 @@ type PomeriumMetricsRequest struct {
 func (x *PomeriumMetricsRequest) Reset() {
 	*x = PomeriumMetricsRequest{}
 	if protoimpl.UnsafeEnabled {
-		mi := &file_connect_proto_msgTypes[7]
+		mi := &file_connect_proto_msgTypes[8]
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		ms.StoreMessageInfo(mi)
 	}
@@ -459,7 +512,7 @@ func (x *PomeriumMetricsRequest) String() string {
 func (*PomeriumMetricsRequest) ProtoMessage() {}
 
 func (x *PomeriumMetricsRequest) ProtoReflect() protoreflect.Message {
-	mi := &file_connect_proto_msgTypes[7]
+	mi := &file_connect_proto_msgTypes[8]
 	if protoimpl.UnsafeEnabled && x != nil {
 		ms := protoimpl.X.MessageStateOf(protoimpl.Pointer(x))
 		if ms.LoadMessageInfo() == nil {
@@ -472,7 +525,7 @@ func (x *PomeriumMetricsRequest) ProtoReflect() protoreflect.Message {
 
 // Deprecated: Use PomeriumMetricsRequest.ProtoReflect.Descriptor instead.
 func (*PomeriumMetricsRequest) Descriptor() ([]byte, []int) {
-	return file_connect_proto_rawDescGZIP(), []int{7}
+	return file_connect_proto_rawDescGZIP(), []int{8}
 }
 
 func (x *PomeriumMetricsRequest) GetMetrics() []string {
@@ -491,7 +544,7 @@ var file_connect_proto_rawDesc = []byte{
 	0x73, 0x74, 0x12, 0x1a, 0x0a, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x18, 0x01,
 	0x20, 0x01, 0x28, 0x09, 0x52, 0x08, 0x68, 0x6f, 0x73, 0x74, 0x6e, 0x61, 0x6d, 0x65, 0x12, 0x18,
 	0x0a, 0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18, 0x02, 0x20, 0x01, 0x28, 0x09, 0x52,
-	0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x8e, 0x02, 0x0a, 0x07, 0x4d, 0x65, 0x73,
+	0x07, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0xf2, 0x02, 0x0a, 0x07, 0x4d, 0x65, 0x73,
 	0x73, 0x61, 0x67, 0x65, 0x12, 0x45, 0x0a, 0x0e, 0x63, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x5f, 0x75,
 	0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1c, 0x2e, 0x70,
 	0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x7a, 0x65, 0x72, 0x6f, 0x2e, 0x43, 0x6f, 0x6e,
@@ -507,53 +560,61 @@ var file_connect_proto_rawDesc = []byte{
 	0x65, 0x73, 0x74, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x1f, 0x2e, 0x70, 0x6f, 0x6d, 0x65,
 	0x72, 0x69, 0x75, 0x6d, 0x2e, 0x7a, 0x65, 0x72, 0x6f, 0x2e, 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65,
 	0x74, 0x72, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x10, 0x74, 0x65,
-	0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x42, 0x09,
-	0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x3c, 0x0a, 0x0d, 0x43, 0x6f, 0x6e,
-	0x66, 0x69, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x12, 0x2b, 0x0a, 0x11, 0x63, 0x68,
-	0x61, 0x6e, 0x67, 0x65, 0x73, 0x65, 0x74, 0x5f, 0x76, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x18,
-	0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x10, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x65, 0x74,
-	0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x18, 0x0a, 0x16, 0x42, 0x6f, 0x6f, 0x74, 0x73,
-	0x74, 0x72, 0x61, 0x70, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65,
-	0x64, 0x22, 0xce, 0x02, 0x0a, 0x10, 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x52,
-	0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x58, 0x0a, 0x11, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f,
-	0x6e, 0x5f, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x74, 0x69, 0x63, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28,
-	0x0b, 0x32, 0x26, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x7a, 0x65, 0x72,
-	0x6f, 0x2e, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x74, 0x69,
-	0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x10, 0x73, 0x65, 0x73,
-	0x73, 0x69, 0x6f, 0x6e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x74, 0x69, 0x63, 0x73, 0x88, 0x01, 0x01,
-	0x12, 0x4c, 0x0a, 0x0d, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63,
-	0x73, 0x18, 0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69,
-	0x75, 0x6d, 0x2e, 0x7a, 0x65, 0x72, 0x6f, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x4d, 0x65, 0x74,
-	0x72, 0x69, 0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x01, 0x52, 0x0c, 0x65,
-	0x6e, 0x76, 0x6f, 0x79, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x88, 0x01, 0x01, 0x12, 0x55,
-	0x0a, 0x10, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69,
-	0x63, 0x73, 0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72,
-	0x69, 0x75, 0x6d, 0x2e, 0x7a, 0x65, 0x72, 0x6f, 0x2e, 0x50, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75,
-	0x6d, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48,
-	0x02, 0x52, 0x0f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x4d, 0x65, 0x74, 0x72, 0x69,
-	0x63, 0x73, 0x88, 0x01, 0x01, 0x42, 0x14, 0x0a, 0x12, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f,
-	0x6e, 0x5f, 0x61, 0x6e, 0x61, 0x6c, 0x79, 0x74, 0x69, 0x63, 0x73, 0x42, 0x10, 0x0a, 0x0e, 0x5f,
-	0x65, 0x6e, 0x76, 0x6f, 0x79, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x42, 0x13, 0x0a,
-	0x11, 0x5f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69,
-	0x63, 0x73, 0x22, 0x19, 0x0a, 0x17, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x6e, 0x61,
-	0x6c, 0x79, 0x74, 0x69, 0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x47, 0x0a,
-	0x13, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x52, 0x65, 0x71,
-	0x75, 0x65, 0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x18,
-	0x01, 0x20, 0x03, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x12, 0x16,
-	0x0a, 0x06, 0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06,
-	0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x22, 0x32, 0x0a, 0x16, 0x50, 0x6f, 0x6d, 0x65, 0x72, 0x69,
-	0x75, 0x6d, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74,
-	0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28,
-	0x09, 0x52, 0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x32, 0x51, 0x0a, 0x07, 0x43, 0x6f,
-	0x6e, 0x6e, 0x65, 0x63, 0x74, 0x12, 0x46, 0x0a, 0x09, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69,
-	0x62, 0x65, 0x12, 0x1f, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x7a, 0x65,
-	0x72, 0x6f, 0x2e, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x52, 0x65, 0x71, 0x75,
-	0x65, 0x73, 0x74, 0x1a, 0x16, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x7a,
-	0x65, 0x72, 0x6f, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x30, 0x01, 0x42, 0x2f, 0x5a,
-	0x2d, 0x67, 0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65,
-	0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b,
-	0x67, 0x2f, 0x7a, 0x65, 0x72, 0x6f, 0x2f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x62, 0x06,
-	0x70, 0x72, 0x6f, 0x74, 0x6f, 0x33,
+	0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x62,
+	0x0a, 0x19, 0x72, 0x75, 0x6e, 0x5f, 0x68, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x5f, 0x63, 0x68, 0x65,
+	0x63, 0x6b, 0x73, 0x5f, 0x72, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x18, 0x05, 0x20, 0x01, 0x28,
+	0x0b, 0x32, 0x25, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x7a, 0x65, 0x72,
+	0x6f, 0x2e, 0x52, 0x75, 0x6e, 0x48, 0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b,
+	0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x16, 0x72, 0x75, 0x6e, 0x48,
+	0x65, 0x61, 0x6c, 0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x42, 0x09, 0x0a, 0x07, 0x6d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x22, 0x3c, 0x0a,
+	0x0d, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x55, 0x70, 0x64, 0x61, 0x74, 0x65, 0x64, 0x12, 0x2b,
+	0x0a, 0x11, 0x63, 0x68, 0x61, 0x6e, 0x67, 0x65, 0x73, 0x65, 0x74, 0x5f, 0x76, 0x65, 0x72, 0x73,
+	0x69, 0x6f, 0x6e, 0x18, 0x01, 0x20, 0x01, 0x28, 0x03, 0x52, 0x10, 0x63, 0x68, 0x61, 0x6e, 0x67,
+	0x65, 0x73, 0x65, 0x74, 0x56, 0x65, 0x72, 0x73, 0x69, 0x6f, 0x6e, 0x22, 0x18, 0x0a, 0x16, 0x42,
+	0x6f, 0x6f, 0x74, 0x73, 0x74, 0x72, 0x61, 0x70, 0x43, 0x6f, 0x6e, 0x66, 0x69, 0x67, 0x55, 0x70,
+	0x64, 0x61, 0x74, 0x65, 0x64, 0x22, 0x18, 0x0a, 0x16, 0x52, 0x75, 0x6e, 0x48, 0x65, 0x61, 0x6c,
+	0x74, 0x68, 0x43, 0x68, 0x65, 0x63, 0x6b, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22,
+	0xce, 0x02, 0x0a, 0x10, 0x54, 0x65, 0x6c, 0x65, 0x6d, 0x65, 0x74, 0x72, 0x79, 0x52, 0x65, 0x71,
+	0x75, 0x65, 0x73, 0x74, 0x12, 0x58, 0x0a, 0x11, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f,
+	0x61, 0x6e, 0x61, 0x6c, 0x79, 0x74, 0x69, 0x63, 0x73, 0x18, 0x01, 0x20, 0x01, 0x28, 0x0b, 0x32,
+	0x26, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x7a, 0x65, 0x72, 0x6f, 0x2e,
+	0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x74, 0x69, 0x63, 0x73,
+	0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x00, 0x52, 0x10, 0x73, 0x65, 0x73, 0x73, 0x69,
+	0x6f, 0x6e, 0x41, 0x6e, 0x61, 0x6c, 0x79, 0x74, 0x69, 0x63, 0x73, 0x88, 0x01, 0x01, 0x12, 0x4c,
+	0x0a, 0x0d, 0x65, 0x6e, 0x76, 0x6f, 0x79, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x18,
+	0x02, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x22, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d,
+	0x2e, 0x7a, 0x65, 0x72, 0x6f, 0x2e, 0x45, 0x6e, 0x76, 0x6f, 0x79, 0x4d, 0x65, 0x74, 0x72, 0x69,
+	0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x01, 0x52, 0x0c, 0x65, 0x6e, 0x76,
+	0x6f, 0x79, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x88, 0x01, 0x01, 0x12, 0x55, 0x0a, 0x10,
+	0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
+	0x18, 0x03, 0x20, 0x01, 0x28, 0x0b, 0x32, 0x25, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75,
+	0x6d, 0x2e, 0x7a, 0x65, 0x72, 0x6f, 0x2e, 0x50, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x4d,
+	0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x48, 0x02, 0x52,
+	0x0f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
+	0x88, 0x01, 0x01, 0x42, 0x14, 0x0a, 0x12, 0x5f, 0x73, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x5f,
+	0x61, 0x6e, 0x61, 0x6c, 0x79, 0x74, 0x69, 0x63, 0x73, 0x42, 0x10, 0x0a, 0x0e, 0x5f, 0x65, 0x6e,
+	0x76, 0x6f, 0x79, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x42, 0x13, 0x0a, 0x11, 0x5f,
+	0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x5f, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73,
+	0x22, 0x19, 0x0a, 0x17, 0x53, 0x65, 0x73, 0x73, 0x69, 0x6f, 0x6e, 0x41, 0x6e, 0x61, 0x6c, 0x79,
+	0x74, 0x69, 0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x22, 0x47, 0x0a, 0x13, 0x45,
+	0x6e, 0x76, 0x6f, 0x79, 0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65,
+	0x73, 0x74, 0x12, 0x18, 0x0a, 0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x18, 0x01, 0x20,
+	0x03, 0x28, 0x09, 0x52, 0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x12, 0x16, 0x0a, 0x06,
+	0x6c, 0x61, 0x62, 0x65, 0x6c, 0x73, 0x18, 0x02, 0x20, 0x03, 0x28, 0x09, 0x52, 0x06, 0x6c, 0x61,
+	0x62, 0x65, 0x6c, 0x73, 0x22, 0x32, 0x0a, 0x16, 0x50, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d,
+	0x4d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73, 0x74, 0x12, 0x18,
+	0x0a, 0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x18, 0x01, 0x20, 0x03, 0x28, 0x09, 0x52,
+	0x07, 0x6d, 0x65, 0x74, 0x72, 0x69, 0x63, 0x73, 0x32, 0x51, 0x0a, 0x07, 0x43, 0x6f, 0x6e, 0x6e,
+	0x65, 0x63, 0x74, 0x12, 0x46, 0x0a, 0x09, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65,
+	0x12, 0x1f, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x7a, 0x65, 0x72, 0x6f,
+	0x2e, 0x53, 0x75, 0x62, 0x73, 0x63, 0x72, 0x69, 0x62, 0x65, 0x52, 0x65, 0x71, 0x75, 0x65, 0x73,
+	0x74, 0x1a, 0x16, 0x2e, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2e, 0x7a, 0x65, 0x72,
+	0x6f, 0x2e, 0x4d, 0x65, 0x73, 0x73, 0x61, 0x67, 0x65, 0x30, 0x01, 0x42, 0x2f, 0x5a, 0x2d, 0x67,
+	0x69, 0x74, 0x68, 0x75, 0x62, 0x2e, 0x63, 0x6f, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69,
+	0x75, 0x6d, 0x2f, 0x70, 0x6f, 0x6d, 0x65, 0x72, 0x69, 0x75, 0x6d, 0x2f, 0x70, 0x6b, 0x67, 0x2f,
+	0x7a, 0x65, 0x72, 0x6f, 0x2f, 0x63, 0x6f, 0x6e, 0x6e, 0x65, 0x63, 0x74, 0x62, 0x06, 0x70, 0x72,
+	0x6f, 0x74, 0x6f, 0x33,
 }
 
 var (
@@ -568,31 +629,33 @@ func file_connect_proto_rawDescGZIP() []byte {
 	return file_connect_proto_rawDescData
 }
 
-var file_connect_proto_msgTypes = make([]protoimpl.MessageInfo, 8)
+var file_connect_proto_msgTypes = make([]protoimpl.MessageInfo, 9)
 var file_connect_proto_goTypes = []any{
 	(*SubscribeRequest)(nil),        // 0: pomerium.zero.SubscribeRequest
 	(*Message)(nil),                 // 1: pomerium.zero.Message
 	(*ConfigUpdated)(nil),           // 2: pomerium.zero.ConfigUpdated
 	(*BootstrapConfigUpdated)(nil),  // 3: pomerium.zero.BootstrapConfigUpdated
-	(*TelemetryRequest)(nil),        // 4: pomerium.zero.TelemetryRequest
-	(*SessionAnalyticsRequest)(nil), // 5: pomerium.zero.SessionAnalyticsRequest
-	(*EnvoyMetricsRequest)(nil),     // 6: pomerium.zero.EnvoyMetricsRequest
-	(*PomeriumMetricsRequest)(nil),  // 7: pomerium.zero.PomeriumMetricsRequest
+	(*RunHealthChecksRequest)(nil),  // 4: pomerium.zero.RunHealthChecksRequest
+	(*TelemetryRequest)(nil),        // 5: pomerium.zero.TelemetryRequest
+	(*SessionAnalyticsRequest)(nil), // 6: pomerium.zero.SessionAnalyticsRequest
+	(*EnvoyMetricsRequest)(nil),     // 7: pomerium.zero.EnvoyMetricsRequest
+	(*PomeriumMetricsRequest)(nil),  // 8: pomerium.zero.PomeriumMetricsRequest
 }
 var file_connect_proto_depIdxs = []int32{
 	2, // 0: pomerium.zero.Message.config_updated:type_name -> pomerium.zero.ConfigUpdated
 	3, // 1: pomerium.zero.Message.bootstrap_config_updated:type_name -> pomerium.zero.BootstrapConfigUpdated
-	4, // 2: pomerium.zero.Message.telemetry_request:type_name -> pomerium.zero.TelemetryRequest
-	5, // 3: pomerium.zero.TelemetryRequest.session_analytics:type_name -> pomerium.zero.SessionAnalyticsRequest
-	6, // 4: pomerium.zero.TelemetryRequest.envoy_metrics:type_name -> pomerium.zero.EnvoyMetricsRequest
-	7, // 5: pomerium.zero.TelemetryRequest.pomerium_metrics:type_name -> pomerium.zero.PomeriumMetricsRequest
-	0, // 6: pomerium.zero.Connect.Subscribe:input_type -> pomerium.zero.SubscribeRequest
-	1, // 7: pomerium.zero.Connect.Subscribe:output_type -> pomerium.zero.Message
-	7, // [7:8] is the sub-list for method output_type
-	6, // [6:7] is the sub-list for method input_type
-	6, // [6:6] is the sub-list for extension type_name
-	6, // [6:6] is the sub-list for extension extendee
-	0, // [0:6] is the sub-list for field type_name
+	5, // 2: pomerium.zero.Message.telemetry_request:type_name -> pomerium.zero.TelemetryRequest
+	4, // 3: pomerium.zero.Message.run_health_checks_request:type_name -> pomerium.zero.RunHealthChecksRequest
+	6, // 4: pomerium.zero.TelemetryRequest.session_analytics:type_name -> pomerium.zero.SessionAnalyticsRequest
+	7, // 5: pomerium.zero.TelemetryRequest.envoy_metrics:type_name -> pomerium.zero.EnvoyMetricsRequest
+	8, // 6: pomerium.zero.TelemetryRequest.pomerium_metrics:type_name -> pomerium.zero.PomeriumMetricsRequest
+	0, // 7: pomerium.zero.Connect.Subscribe:input_type -> pomerium.zero.SubscribeRequest
+	1, // 8: pomerium.zero.Connect.Subscribe:output_type -> pomerium.zero.Message
+	8, // [8:9] is the sub-list for method output_type
+	7, // [7:8] is the sub-list for method input_type
+	7, // [7:7] is the sub-list for extension type_name
+	7, // [7:7] is the sub-list for extension extendee
+	0, // [0:7] is the sub-list for field type_name
 }
 
 func init() { file_connect_proto_init() }
@@ -650,7 +713,7 @@ func file_connect_proto_init() {
 			}
 		}
 		file_connect_proto_msgTypes[4].Exporter = func(v any, i int) any {
-			switch v := v.(*TelemetryRequest); i {
+			switch v := v.(*RunHealthChecksRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -662,7 +725,7 @@ func file_connect_proto_init() {
 			}
 		}
 		file_connect_proto_msgTypes[5].Exporter = func(v any, i int) any {
-			switch v := v.(*SessionAnalyticsRequest); i {
+			switch v := v.(*TelemetryRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -674,7 +737,7 @@ func file_connect_proto_init() {
 			}
 		}
 		file_connect_proto_msgTypes[6].Exporter = func(v any, i int) any {
-			switch v := v.(*EnvoyMetricsRequest); i {
+			switch v := v.(*SessionAnalyticsRequest); i {
 			case 0:
 				return &v.state
 			case 1:
@@ -686,6 +749,18 @@ func file_connect_proto_init() {
 			}
 		}
 		file_connect_proto_msgTypes[7].Exporter = func(v any, i int) any {
+			switch v := v.(*EnvoyMetricsRequest); i {
+			case 0:
+				return &v.state
+			case 1:
+				return &v.sizeCache
+			case 2:
+				return &v.unknownFields
+			default:
+				return nil
+			}
+		}
+		file_connect_proto_msgTypes[8].Exporter = func(v any, i int) any {
 			switch v := v.(*PomeriumMetricsRequest); i {
 			case 0:
 				return &v.state
@@ -702,15 +777,16 @@ func file_connect_proto_init() {
 		(*Message_ConfigUpdated)(nil),
 		(*Message_BootstrapConfigUpdated)(nil),
 		(*Message_TelemetryRequest)(nil),
+		(*Message_RunHealthChecksRequest)(nil),
 	}
-	file_connect_proto_msgTypes[4].OneofWrappers = []any{}
+	file_connect_proto_msgTypes[5].OneofWrappers = []any{}
 	type x struct{}
 	out := protoimpl.TypeBuilder{
 		File: protoimpl.DescBuilder{
 			GoPackagePath: reflect.TypeOf(x{}).PkgPath(),
 			RawDescriptor: file_connect_proto_rawDesc,
 			NumEnums:      0,
-			NumMessages:   8,
+			NumMessages:   9,
 			NumExtensions: 0,
 			NumServices:   1,
 		},

pkg/zero/connect/connect.proto

@@ -20,6 +20,7 @@ message Message {
     ConfigUpdated config_updated = 1;
     BootstrapConfigUpdated bootstrap_config_updated = 2;
     TelemetryRequest telemetry_request = 3;
+    RunHealthChecksRequest run_health_checks_request = 5;
   }
 }
 
@@ -36,6 +37,9 @@ message ConfigUpdated {
 // config.
 message BootstrapConfigUpdated {}
 
+// RunHealthChecksRequest is sent to request the Pomerium Core to re-run its health checks
+message RunHealthChecksRequest {}
+
 // TelemetryRequest is sent to request current telemetry data from the Pomerium Core to be sent to the Zero Cloud.
 message TelemetryRequest {
   // include_session_analytics requests current MAU/DAU data