Allow the allocator service to use the go http/2 server #2263
Comments
|
The only thought I had: Rather than having an on/off switch - maybe we should make two options to configure the ports for the gRPC and REST service: So:
Looking at our config settings, I think we actually could align on this nicely, since we have:
We could do the same thing, but as Probably some details to work out, but thought I would float the idea, see if it would stick. WDYT? |
|
The only difference is if someone wants to only install one handler (as in our case) it would be nice to have a way to also enable / disable the http (or grpc) service entirely. In particular, if I don't want to use http at all, it's unnecessary to create a second load balancer for it. |
|
Here is the relevant block from the helm configuration: |
|
There are a few fields outside of the http block that affect how the service endpoint (which is muxed right now) is configured. Since we would allow http / grpc to run on the same port, I think that means we would need to keep the settings (disabling TLS / mTLS) independent of the protocol block (as we do today). If the need arises, we could later move them into the protocol blocks but for that that just makes things more complicated without any real use case. It would be easy to add an |
(this would be instead of a WDYT? |
|
I agree with Robert that we should not create 2 LBs default. Hopefully many users will choose/use one and we keep the option of mux/cmux where we allow using the same port. Also I think it is OK to have mTLS & TLS disabled/enabled for both REST & gRPC. Regarding Mark's comment : #2263 (comment), I am OK as long as we can configure the Allocator service to run without non-http proxy but real/proper grpc service. |
|
It looks like we can create a single service that uses two ports for http / grpc. https://kubernetes.io/docs/concepts/services-networking/service/ says:
@markmandel - https://kubernetes.io/docs/concepts/services-networking/service/#publishing-services-service-types makes it sound like "none" isn't an option (why would you create a service that doesn't have a type - then you should just not create the service). Are you suggesting that we use None as a sentinel value to skip that part of the helm chart? |
Yes, exactly 👍🏻 We could do the same with an
Ahh, that sounds perfect then. |
|
Assuming that I'm reading the documentation correctly and we can use a single k8s service, I think we might want something like this (but this moves around helm values which is a breaking change for anyone who is customizing helm): The only thing missing is if we want a way to disable a listener entirely. Maybe we could use 0 to do that? |
|
With this organization, I don't think there is a need to disable the service. If you install the allocator but have no way to reach it, then why install the pod in the first place? But, it would be useful to be able to enable/disable http / grpc separately (both in the service definition and in the allocator pod). It'll be a bit tricky to write the helm for this, since it'll also need to check to see if the ports match (and then only add one port to the service) and otherwise add two, but it means that in all cases we will only get a single service / ELB created. |
This will mean that Agones will use muc/cmux? |
|
Btw, IMO the new values will make more sense:
The old names were a bit confusing to me (especially the annotations one) and I think this would clear that up. |
|
+1 |
|
Here's what I would expect: Default (existing behavior).This will mean that Agones will use the existing mux (or cmux) and that the service will have a single port on the LB. Both services enabled, two different portsAgones will use Only grpc (my feature request)Agones will use |
|
I suppose that instead of setting the port to 0 to disable we could have unspecified be disabling. Do you have an opinion on one vs. the other (for the helm configuration)? |
I like this one but I am OK with 0 as well (which is not that intuitive) |
The only objection I have to "0" being disabled, is 0 is nomenclature for an ephemeral port:
Are you saying that by default it would be disabled? Or I would have to explicitly set it the value to |
|
unspecified would be disabled, e.g. |
|
Sorry, not quite following. I'm assuming that both the gRPC and Http ports would be always be specified, because they will retain the default values of 443 for both ports to maintain backward compatibility? So I'm not sure how could they be unspecified? (Or I'm missing something obvious, which is possible.) |
|
We would specify them in the helm chart for compatibility (which will also put them into install.yaml). But if you removed them from the helm chart, then we could generate configs without those pieces. |
|
Also, if the ports aren't specified in a flag to the allocator service pod, it would also default to having them as they are now, which would also ensure compatibility (if anyone is not using the helm chart). |
How would you remove them, without them being set to the default value? |
Good point.... I'll tinker with helm a little and see what is possible. WDYT about using 0 to mean unspecified? I understand that it means ephemeral port in some situations, but I don't think it is a valid value for a LB port (but in a quick search I couldn't find anything to confirm). |
|
After a bit of tinkering, it looks like running helm with |
I would test this. I expect it will mean that helm will use the default value if not specified. From my understanding, Helm doesn't force you to declare all parameters in a values.yaml that is passed in on the command line. I think you would have to explicitly set the value, and have it be an explicitly blank value. Possible other idea: Set the port to -1 (or any video that's less than zero?)? Or if this is too confusing, should we should break this down more? allocator:
install: true
# ...
service:
http:
enabled: false
port: 443
grpc:
enabled: true
port: 443
# ... Thoughts? |
FWIW, I'd 👍 having finer granularity on these kinds of configuration. I would rather have production defaults specified in the values.yaml and minimize the number of |
Only one thing concerns me with this approach, we're not able to disable grpc and only enable http right? Also with both grpc and http enabled, the ports need to stay the same. It might not be intuitive and requires more documents to delimitate it. |
One thing I noticed while editing the helm configs is that we currently allow the externally exposed port to be configured (defaulting to 443) but we do not allow the target port to be configured (set to 8443). If we want the services on separate ports, we need to separate both the externally configured port and the target port to be distinct. If we want it to run as it does today we want the ports to be the same. But if you allow all 4 ports in the config, you can also get degenerate configurations (like the two external ports are the same but the target ports are different or the two external ports are different but the target ports are the same). How valuable is it to be able to set all of these ports vs. just having a toggle for http and grpc on/off (as originally proposed) and keeping the ports as they are today)? |
|
I've prototyped the change in #2272 (it still needs some documentation, but I don't want to write that until we agree on the structure of the helm changes). I went with because it seemed easiest / clearest having a boolean toggle instead of relying on the existence / non-existence of a field and/or using negative values in the helm configs (I still used negative values in the flags in the code to indicate not set). It also meant that I didn't have to use default values in the helm template, to @rcreasey's point above. Let me know what you think. |
@cindy52 - the way I implemented allows you to enable grpc, rest, or both. If you do both then they can be on the same port (using the mux) or on two different ports (so you still get
This will require some documentation for some edge cases:
|
|
@cindy52 has verified that my change works for our use case and I'd like to get this merged prior to the 1.18.0 release. Does anyone have any further comments on the helm field layout? |
LGTM! |
Is your feature request related to a problem? Please describe.
#1902 added support for REST to the allocator service, with a neat trick to reuse the same port for both gRPC and REST using a mux. However, in doing so, the allocator service switched from using
grpc.(*Server).Servetogrpc.(*Server).ServeHTTP, the latter of which is experimental and has noticeably worse performance.There are certainly cases where performance isn't an issue and it's convenient to run the protocols on the same port (only one exposed port / firewall rule).
However, we have a use case where we only need to run gRPC and the experimental implementation used by
grpc.(*Server).ServeHTTPis not compatible with the gRPC client (whereas the implementation ingrpc.(*Server).Serveworks as expected).Describe the solution you'd like
I'd like to add a flag to the allocator service to restore the old behavior: if set to true, the flag would disable the mux (and therefore the REST API) and use
grpc.(*Server).Serve. The flag would default to false, keeping the current behavior for compatibility.Describe alternatives you've considered
I've looked into https://github.com/soheilhy/cmux as a replacement mux that might still allow us to use
grpc.(*Server).Serve. It seems a bit complicated to set up, and I'm not sure how well it would work with our setup with client certs. So I'm opting for the simpler solution and we can revisit using cmux later if it makes sense.The text was updated successfully, but these errors were encountered: