WIP: config: Add FilterChain Discovery Service. #5385
Conversation
Fixes: 4540 Signed-off-by: Greg Greenway <ggreenway@apple.com>
|
I've broken ground on this feature. I'll try to update this frequently for early feedback/comments on the design and high-level implementation. |
Why? I don't feel strongly either way, but FilterChain is two words, so I gave the abbreviation two letters. |
Every other But it's mostly a matter of preference, I don't have any better arguments here. |
|
#4704 is introducing SRDS so having this be FCDS is probably fine |
|
@ggreenway fyi -- #5243 is introducing a config provider framework that may be helpful for the FCDS implementation. |
Thanks for the tip. I'll keep an eye on it. |
…test Signed-off-by: Greg Greenway <ggreenway@apple.com>
|
FDS is fine for me as well. @snowp agreed that we now have precedent for this, but shorter is better where we can get away with it I reckon :) |
htuch
left a comment
htuch
left a comment
There was a problem hiding this comment.
Thanks for getting this moving, this will be an enabler for on-demand LDS.
|
|
||
| package envoy.api.v2; | ||
|
|
||
| option java_generic_services = true; |
There was a problem hiding this comment.
Nit: Should this be down next to gogoproto decl? Seems like it makes sense to group options.
|
|
||
| // [#protodoc-title: Filter Chain Discovery Service] | ||
|
|
||
| // The resource_names field in DiscoveryRequest specifies a listener. |
There was a problem hiding this comment.
How come a listener and not a filter chain?
There was a problem hiding this comment.
My thought was that envoy would be telling the mgmt server which listener it needs the filter chains for. I believe this is similar to EDS, where the resource_names specify the clusters to get endpoints for.
There was a problem hiding this comment.
The only downside to this would be if a user wants multiple listeners to reference the same filter chain, and then specify it within a listener by name. I'm not sure it matters that much in practice so seems fine either way.
There was a problem hiding this comment.
May be I am missing something. In a situation where you have a single listener on original dst port having 100s of filter chains (one for each of the virtual listeners that we would otherwise be constructing with the ye ol bind-to-port), how would specifying the listener name be sufficient?
There was a problem hiding this comment.
@rshriram Envoy is asking the mgmt server "Please give me all the filterchains/matches for listener Foo".
| core.ConfigSource config = 1 [(validate.rules).message.required = true]; | ||
|
|
||
| // Optional alternative to the listener name to present to FCDS. | ||
| string filter_chain_name = 2; |
There was a problem hiding this comment.
I'm thinking we want to make filter chains first class named resource objects and name them directly, instead of making listeners pseudo-filterchains. This seems the cleanest thing to do, curious what the motivation was for the current approach you have in the PR?
There was a problem hiding this comment.
I was trying to copy the semantics of EDS for consistency.
Are you suggesting that the filter chains should be entirely independent of the listeners? That would allow multiple listeners to share a set of filter-chains, but we'd have to think carefully about the lifetime issues.
There was a problem hiding this comment.
I guess this is related to my comment above. I don't think @htuch is proposing actually sharing the chains (I think), but is suggesting that they have a first class name and we don't default to the listener name. As I said above I'm fine either way.
There was a problem hiding this comment.
I agree with @htuch . FilterChains should be the resource that is being requested (mandatory and never optional). We can combine it with the listener name for precision. I am not sure sharing filter chains makes sense in the common case
There was a problem hiding this comment.
As this is currently written, the set of filter chains can be given a first-class name; it just defaults to using the listener name if no name is specified. Is the suggestion here that this name be required instead of optional? Am I misunderstanding or missing something regarding this?
Also, note that the requested resource is always the set of filterchains/matches to use for a listener, not a single filter chain.
There was a problem hiding this comment.
I think it makes more sense to name individual filter chains as first class for the purpose of incremental xDS. This will future proof FDS to a larger extent. Essentially, the Listener has a list of filter chain names that describe the resources that come with it. When we lazy load, we will request an additional named filter chain resource.
I don't think we need to share filter chains across listeners; as an implementation detail you might if you really wanted to save overhead and expect many different listeners to have the same filter chains, but that probably isn't the starting point.
There was a problem hiding this comment.
If we did that, it would no longer solve the original problem: we want to be able to add/remove filter chains without modifying the listener (which would result in listener draining).
The answer may be to support both modes: either request "all filter chains for this listener", or request "filter chain X for this listener".
Won't most/all of the xDS APIs need to be augmented in a similar way to support lazy-loading?
There was a problem hiding this comment.
As discussed offline, it seems reasonable to make listener changes non-draining for the filter chain list.
stale
bot
added
stale
rshriram
left a comment
rshriram
left a comment
There was a problem hiding this comment.
Thanks for taking up this feature @ggreenway
How do you plan to handle the draining logic when a filterChain changes? Its almost as if the filterChain gets the listener level properties.
the stats also become interesting. The stats emitted inside that filterChain should ideally use the filterChain's name instead of the shared parent listener's name, if we are to distinguish what happened at each filter chain level.
Something worth keeping in mind is that we want this to be a functional replacement for the bindToPort+VirtualListener stuff we do in Istio (and some others as well).
My plan was make only connections on a modified/removed filter chain need draining. So the logic will need to match up connections to which filter chain they're using and which version of the filter chain config.
I agree, but think this issue is unrelated to this change. This is no more or less needed with this change than it was before (because we could already have had many many filter chains on a listener).
This is not my goal. If there are design tweaks needed to make that happen, please comment/review as this progresses. |
|
As discussed in the linked issue (#4540) I'm going to start with sorting out updating filterchains without full listener draining. FCDS can then be built on top of that. Closing this for now. |
7 participants
Signed-off-by: Greg Greenway ggreenway@apple.com
Description: TODO
Risk Level: TODO
Testing: TODO
Docs Changes: TODO
Release Notes: TODO
Fixes: #4540