config: remove grpc server max connection age options (#2427)

* config: remove grpc server max connection age options * remove docs
pomerium · Aug 3, 2021 · 94eb3c1 · 94eb3c1
1 parent 56bbc31
commit 94eb3c1
Show file tree

Hide file tree

Showing 7 changed files with 214 additions and 306 deletions.
diff --git a/config/options.go b/config/options.go
@@ -235,11 +235,6 @@ type Options struct {
 	GRPCClientTimeout       time.Duration `mapstructure:"grpc_client_timeout" yaml:"grpc_client_timeout,omitempty"`
 	GRPCClientDNSRoundRobin bool          `mapstructure:"grpc_client_dns_roundrobin" yaml:"grpc_client_dns_roundrobin,omitempty"`
 
-	// GRPCServerMaxConnectionAge sets MaxConnectionAge in the grpc ServerParameters used to create GRPC Services
-	GRPCServerMaxConnectionAge time.Duration `mapstructure:"grpc_server_max_connection_age" yaml:"grpc_server_max_connection_age,omitempty"`
-	// GRPCServerMaxConnectionAgeGrace sets MaxConnectionAgeGrace in the grpc ServerParameters used to create GRPC Services
-	GRPCServerMaxConnectionAgeGrace time.Duration `mapstructure:"grpc_server_max_connection_age_grace,omitempty" yaml:"grpc_server_max_connection_age_grace,omitempty"` //nolint: lll
-
 	// ForwardAuthEndpoint allows for a given route to be used as a forward-auth
 	// endpoint instead of a reverse proxy. Some third-party proxies that do not
 	// have rich access control capabilities (nginx, envoy, ambassador, traefik)
@@ -323,21 +318,19 @@ var defaultOptions = Options{
 		"X-XSS-Protection":          "1; mode=block",
 		"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
 	},
-	Addr:                            ":443",
-	ReadTimeout:                     30 * time.Second,
-	WriteTimeout:                    0, // support streaming by default
-	IdleTimeout:                     5 * time.Minute,
-	RefreshCooldown:                 5 * time.Minute,
-	GRPCAddr:                        ":443",
-	GRPCClientTimeout:               10 * time.Second, // Try to withstand transient service failures for a single request
-	GRPCClientDNSRoundRobin:         true,
-	GRPCServerMaxConnectionAge:      5 * time.Minute,
-	GRPCServerMaxConnectionAgeGrace: 5 * time.Minute,
-	AuthenticateCallbackPath:        "/oauth2/callback",
-	TracingSampleRate:               0.0001,
-	RefreshDirectoryInterval:        10 * time.Minute,
-	RefreshDirectoryTimeout:         1 * time.Minute,
-	QPS:                             1.0,
+	Addr:                     ":443",
+	ReadTimeout:              30 * time.Second,
+	WriteTimeout:             0, // support streaming by default
+	IdleTimeout:              5 * time.Minute,
+	RefreshCooldown:          5 * time.Minute,
+	GRPCAddr:                 ":443",
+	GRPCClientTimeout:        10 * time.Second, // Try to withstand transient service failures for a single request
+	GRPCClientDNSRoundRobin:  true,
+	AuthenticateCallbackPath: "/oauth2/callback",
+	TracingSampleRate:        0.0001,
+	RefreshDirectoryInterval: 10 * time.Minute,
+	RefreshDirectoryTimeout:  1 * time.Minute,
+	QPS:                      1.0,
 
 	AutocertOptions: AutocertOptions{
 		Folder: dataDir(),
@@ -1235,12 +1228,6 @@ func (o *Options) ApplySettings(ctx context.Context, settings *config.Settings)
 	if settings.GrpcInsecure != nil {
 		o.GRPCInsecure = settings.GetGrpcInsecure()
 	}
-	if settings.GrpcServerMaxConnectionAge != nil {
-		o.GRPCServerMaxConnectionAge = settings.GetGrpcServerMaxConnectionAge().AsDuration()
-	}
-	if settings.GrpcServerMaxConnectionAgeGrace != nil {
-		o.GRPCServerMaxConnectionAgeGrace = settings.GetGrpcServerMaxConnectionAgeGrace().AsDuration()
-	}
 	if settings.ForwardAuthUrl != nil {
 		o.ForwardAuthURLString = settings.GetForwardAuthUrl()
 	}

diff --git a/config/options_test.go b/config/options_test.go
@@ -303,14 +303,12 @@ func TestOptionsFromViper(t *testing.T) {
 			"good",
 			[]byte(`{"autocert_dir":"","insecure_server":true,"policy":[{"from": "https://from.example","to":"https://to.example"}]}`),
 			&Options{
-				Policies:                        []Policy{{From: "https://from.example", To: mustParseWeightedURLs(t, "https://to.example")}},
-				CookieName:                      "_pomerium",
-				CookieSecure:                    true,
-				InsecureServer:                  true,
-				CookieHTTPOnly:                  true,
-				GRPCServerMaxConnectionAge:      5 * time.Minute,
-				GRPCServerMaxConnectionAgeGrace: 5 * time.Minute,
-				AuthenticateCallbackPath:        "/oauth2/callback",
+				Policies:                 []Policy{{From: "https://from.example", To: mustParseWeightedURLs(t, "https://to.example")}},
+				CookieName:               "_pomerium",
+				CookieSecure:             true,
+				InsecureServer:           true,
+				CookieHTTPOnly:           true,
+				AuthenticateCallbackPath: "/oauth2/callback",
 				SetResponseHeaders: map[string]string{
 					"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
 					"X-Frame-Options":           "SAMEORIGIN",
@@ -330,22 +328,20 @@ func TestOptionsFromViper(t *testing.T) {
 			"good disable header",
 			[]byte(`{"autocert_dir":"","insecure_server":true,"headers": {"disable":"true"},"policy":[{"from": "https://from.example","to":"https://to.example"}]}`),
 			&Options{
-				Policies:                        []Policy{{From: "https://from.example", To: mustParseWeightedURLs(t, "https://to.example")}},
-				CookieName:                      "_pomerium",
-				AuthenticateCallbackPath:        "/oauth2/callback",
-				CookieSecure:                    true,
-				CookieHTTPOnly:                  true,
-				InsecureServer:                  true,
-				GRPCServerMaxConnectionAge:      5 * time.Minute,
-				GRPCServerMaxConnectionAgeGrace: 5 * time.Minute,
-				SetResponseHeaders:              map[string]string{"disable": "true"},
-				RefreshDirectoryTimeout:         1 * time.Minute,
-				RefreshDirectoryInterval:        10 * time.Minute,
-				QPS:                             1.0,
-				DataBrokerStorageType:           "memory",
-				EnvoyAdminAccessLogPath:         os.DevNull,
-				EnvoyAdminProfilePath:           os.DevNull,
-				EnvoyAdminAddress:               "127.0.0.1:9901",
+				Policies:                 []Policy{{From: "https://from.example", To: mustParseWeightedURLs(t, "https://to.example")}},
+				CookieName:               "_pomerium",
+				AuthenticateCallbackPath: "/oauth2/callback",
+				CookieSecure:             true,
+				CookieHTTPOnly:           true,
+				InsecureServer:           true,
+				SetResponseHeaders:       map[string]string{"disable": "true"},
+				RefreshDirectoryTimeout:  1 * time.Minute,
+				RefreshDirectoryInterval: 10 * time.Minute,
+				QPS:                      1.0,
+				DataBrokerStorageType:    "memory",
+				EnvoyAdminAccessLogPath:  os.DevNull,
+				EnvoyAdminProfilePath:    os.DevNull,
+				EnvoyAdminAddress:        "127.0.0.1:9901",
 			},
 			false,
 		},

diff --git a/docs/docs/upgrading.md b/docs/docs/upgrading.md
@@ -5,6 +5,11 @@ description: >-
   for Pomerium. Please read it carefully.
 ---
 
+# Since 0.14.0
+
+## Breaking
+
+The unused `grpc_server_max_connection_age` and `grpc_server_max_connection_age_grace` options were removed.
 # Since 0.13.0
 
 ## New

diff --git a/docs/reference/readme.md b/docs/reference/readme.md
@@ -384,28 +384,6 @@ Maximum time before canceling an upstream gRPC request. During transient failure
 Enable gRPC DNS based round robin load balancing. This method uses DNS to resolve endpoints and does client side load balancing of _all_ addresses returned by the DNS record. Do not disable unless you have a specific use case.
 
 
-#### GRPC Server Max Connection Age
-- Environmental Variable: `GRPC_SERVER_MAX_CONNECTION_AGE`
-- Config File Key: `grpc_server_max_connection_age`
-- Type: [Go Duration](https://golang.org/pkg/time/#Duration.String) `string`
-- Default: `5m`
-
-Set max connection age for GRPC servers. After this interval, servers ask clients to reconnect and perform any rediscovery for new/updated endpoints from DNS.
-
-See <https://godoc.org/google.golang.org/grpc/keepalive#ServerParameters> for details
-
-
-#### GRPC Server Max Connection Age Grace
-- Environmental Variable: `GRPC_SERVER_MAX_CONNECTION_AGE_GRACE`
-- Config File Key: `grpc_server_max_connection_age_grace`
-- Type: [Go Duration](https://golang.org/pkg/time/#Duration.String) `string`
-- Default: `5m`
-
-Additive period with `grpc_server_max_connection_age`, after which servers will force connections to close.
-
-See <https://godoc.org/google.golang.org/grpc/keepalive#ServerParameters> for details
-
-
 ### HTTP Redirect Address
 - Environmental Variable: `HTTP_REDIRECT_ADDR`
 - Config File Key: `http_redirect_addr`

diff --git a/docs/reference/settings.yaml b/docs/reference/settings.yaml
@@ -436,32 +436,6 @@ settings:
               - Default: `true`
             doc: |
               Enable gRPC DNS based round robin load balancing. This method uses DNS to resolve endpoints and does client side load balancing of _all_ addresses returned by the DNS record. Do not disable unless you have a specific use case.
-          - name: "GRPC Server Max Connection Age"
-            keys: ["grpc_server_max_connection_age"]
-            attributes: |
-              - Environmental Variable: `GRPC_SERVER_MAX_CONNECTION_AGE`
-              - Config File Key: `grpc_server_max_connection_age`
-              - Type: [Go Duration](https://golang.org/pkg/time/#Duration.String) `string`
-              - Default: `5m`
-            doc: |
-              Set max connection age for GRPC servers. After this interval, servers ask clients to reconnect and perform any rediscovery for new/updated endpoints from DNS.
-
-              See <https://godoc.org/google.golang.org/grpc/keepalive#ServerParameters> for details
-            shortdoc: |
-              Set max connection age for GRPC servers.
-          - name: "GRPC Server Max Connection Age Grace"
-            keys: ["grpc_server_max_connection_age_grace"]
-            attributes: |
-              - Environmental Variable: `GRPC_SERVER_MAX_CONNECTION_AGE_GRACE`
-              - Config File Key: `grpc_server_max_connection_age_grace`
-              - Type: [Go Duration](https://golang.org/pkg/time/#Duration.String) `string`
-              - Default: `5m`
-            doc: |
-              Additive period with `grpc_server_max_connection_age`, after which servers will force connections to close.
-
-              See <https://godoc.org/google.golang.org/grpc/keepalive#ServerParameters> for details
-            shortdoc: |
-              Additive period after which servers will force connections to close.
       - name: "HTTP Redirect Address"
         keys: ["http_redirect_addr"]
         attributes: |