GEP 3388 Retry Budget API Implementation #3607
Conversation
k8s-ci-robot
added
do-not-merge/work-in-progress
k8s-ci-robot
added
do-not-merge/hold
|
Hi @ericdbishop. Thanks for your PR. I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
ericdbishop
changed the title
| // Retry defines the configuration for when to retry a request to a target | ||
| // backend. | ||
| // | ||
| // Implementations SHOULD retry on connection errors (disconnect, reset, timeout, | ||
| // TCP failure) if a retry stanza is configured. | ||
| // | ||
| // Support: Extended | ||
| // | ||
| // +optional | ||
| // <gateway:experimental> | ||
| Retry *CommonRetryPolicy `json:"retry,omitempty"` |
There was a problem hiding this comment.
Planning to correct this description (previously discussed here), but I'm also considering changing Retry to RetryBudget so we can better capture the distinction between a constrained budget on retries, versus the static count retries that are configured within HTTPRoute. I think CommonRetryPolicy is okay but would also be curious if we think RetryBudgetPolicy would be more self-explanatory.
There was a problem hiding this comment.
CommonRetryPolicy was originally an abstraction from the initial "two possible approaches" proposal just to minimize duplication - agreed that the Common* prefix is probably no longer appropriate, but not quite sure what the correct name should be here:
- I feel like
*Policyimplies a top-level resource likeBackendTrafficPolicythat is actually an impl of the policy attachment pattern, not a sub-resource. - We could just collapse the fields into
BackendTrafficPolicyinline, but I like the waySessionPersistenceis broken out currently - it feels like it will be more composable if we add additional functionality toBackendTrafficPolicy - I'm not quite sure yet if we do indeed want to narrow the scope down to
RetryBudgetor choose a name that could allow additional fields within this stanza.
There was a problem hiding this comment.
I agree with those points, I think it makes sense to leave the retry budget configuration broken out from BackendTrafficPolicy instead of inline. I could see replacing the name CommonRetryPolicy with something like RetryConstraint if we wanted to allow for the possibility down the line of constraining retries based off of something other than a budget.
There was a problem hiding this comment.
I took some liberty here in renaming Retry and the CommonRetryPolicy struct to RetryConstraint, but open to better suggestions.
| // Support: Extended | ||
| // | ||
| // +optional | ||
| BudgetPercent *int `json:"budgetPercent,omitempty"` |
There was a problem hiding this comment.
Previous comment on validation. The maximum valid argument for BudgetPercent should be 100 as that is effectively the same as having no retry budget at all, but should the minimum value we allow be 0? Should users be allowed to block all retries in that way?
There was a problem hiding this comment.
I set the minimum as 0 for the time being.
| // CommonRetryPolicy defines the configuration for when to retry a request. | ||
| type CommonRetryPolicy struct { |
There was a problem hiding this comment.
What's the minimum viable set of fields here for an implementation to say that they support retry budgets?
Given confirmation that Envoy's retry_budget spec could be modified to include a parameter that matches BudgetInterval, I think it would be safe to require that implementations should include all fields to be considered supporting retry budgets.
But that being said, I could see how BudgetInterval could be excluded to match Envoy's existing retry budget behavior which @mikemorris detailed here, making only MinRetryRate and BudgetPercent truly necessary.
There was a problem hiding this comment.
I could see how BudgetInterval could be excluded to match Envoy's existing retry budget behavior
In the context of @tonya11en's comment at #3573 (comment) and envoyproxy/envoy#30205 (comment), even though this could be possible to enable, I'm unsure if it would actually be desireable even for Envoy-based implementations of Gateway API?
This additionally has some bearing on the semantic meaning of budgetInterval: 0 (weird, effectively a rate with a division by zero unless we use it as a shorthand for Envoy's current behavior) vs if we want to prescribe a default interval when omitting the field entirely (which could make UX more concise).
There was a problem hiding this comment.
I do think having a default budgetInterval would make sense, going off of the default I see for Linkerd's ttl parameter, maybe 10s is reasonable? Agree about the meaning of budgetInterval: 0 being strange. Also, since it is a duration, it would require a unit of time. It does seem more desirable to require implementations to include all three parameters after seeing that additional context.
There was a problem hiding this comment.
Circling back to this, I'm not quite sure if we would need to remove the default here (to allow the field to be omitted without implicitly setting the value to 10s), or if kubebuilder defaults aren't even applicable for pointer types (and thus the annotation should be removed because it's irrelevant)?
k8s-ci-robot
added
size/XL
…orm with api structure
|
/retest |
There was a problem hiding this comment.
Thanks @ericdbishop! Largely LGTM, just a couple comments about validation
apisx/v1alpha2/shared_types.go
Outdated
| // | ||
| // Support: Extended | ||
| // +kubebuilder:validation:Minimum=0 | ||
| Count *int `json:"count,omitempty"` |
There was a problem hiding this comment.
We need to avoid unbounded values here, I'd recommend some kind of max here, even if that max is very high.
There was a problem hiding this comment.
The context in which this is currently used is for MinRetryRate as "an override for very low volume traffic" as @htuch described in https://github.com/kubernetes-sigs/gateway-api/pull/3607/files#r1964340430 but this struct type is (intentionally) sufficiently generic that it could be re-used in the future for #326. As such, I would defer to @htuch on what a "safe" maximum might entail for this at scale with a potential denominator as short as 1ms (I'm assuming there may be integer type maximums to keep in mind for implementations too)
There was a problem hiding this comment.
Given this is going to have a variable denominator, e.g. hour, I think you're just going to have to go with some type based limit or something that would make sense over a long period.
apisx/v1alpha2/shared_types.go
Outdated
| // time during which the given count of requests occur. | ||
| // | ||
| // Support: Extended | ||
| Interval *Duration `json:"interval,omitempty"` |
There was a problem hiding this comment.
This also feels like something that should have a min and max value. I'm assuming 1s is acceptable for a min, unclear what a good max is. Any ideas @htuch or @mikemorris?
There was a problem hiding this comment.
Can we actually enforce min/max constraints on GEP-2257 Duration types?
If so, I think 1ms is the minimum expressible through that format (even if logically a per-second rate may be more common, expressing rates with a denominator in milliseconds may be helpful for higher-throughput use cases to work around a count max constraint), assuming we want to exclude the "divide by zero" shorthand for Envoy's current behavior.
The max expressible appears to be 99999h - in practice I'd expect even a rate per hour may be unlikely to be configured, instead preferring enforce a more normal distribution over longer time spans, but maybe 1h, 12h or 24h is a reasonable max?
There was a problem hiding this comment.
Good question, I think we'd have to define min+max with CEL using > and < comparisons. A rough example is here: https://github.com/kubernetes-sigs/gateway-api/blob/main/apis/v1/httproute_types.go#L320.
I agree that any of 1h, 12h, and 24h would be reasonable here, but I'd prefer to start with the lower value 1h since it would be much harder to tighten this validation retroactively than to loosen it.
There was a problem hiding this comment.
The maximum GEP-2257 Duration is actually 99999h99999m99999s99999ms, which I would agree is quite a bit larger than would probably make sense here. I'm honestly not quite sure what kind of math we can do in CEL here, but a really simple check might be to disallow anything with more than two digits before h, or more than four before m or s?
There was a problem hiding this comment.
Fortunately CEL supports a duration type that is compatible with our duration, so we should be able to have pretty reasonable comparisons here.
There was a problem hiding this comment.
k8s-ci-robot
added
the
approved
There was a problem hiding this comment.
Thanks @ericdbishop! This is really close to the wire for v1.3. If you're able to squeeze this in today, I think we're good to go, otherwise may need to wait until the next release.
/approve
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: ericdbishop, robscott The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
Co-authored-by: Rob Scott <[email protected]>
|
Assuming the question of where the validation expression should go gets resolved, I'm good with this, thanks for all the work @ericdbishop! 🙂 |
k8s-ci-robot
added
size/XXL
k8s-ci-robot
added
size/XL
|
/lgtm Nice work pushing this through! |
k8s-ci-robot
added
the
lgtm
|
/unhold |
k8s-ci-robot
removed
the
do-not-merge/hold
What type of PR is this?
/kind documentation
/kind feature
What this PR does / why we need it:
Implements GEP-3388: Retry Budgets
Which issue(s) this PR fixes:
Fixes #3388
Does this PR introduce a user-facing change?: