cmd/contour: Envoy Shutdown Manager

[stevesloka]

Fixes #145 by adding a new set of commands to Contour which will watch the Envoy Prometheus endpoint to block the pod from terminating while there are open connections.

Also adds a sample Grafana panel which shows the open connections by listener:

[codecov]

Codecov Report

Merging #2227 into master will decrease coverage by 0.88%.
The diff coverage is 23.52%.

@@            Coverage Diff             @@
##           master    #2227      +/-   ##
==========================================
- Coverage   78.24%   77.35%   -0.89%     
==========================================
  Files          57       58       +1     
  Lines        5070     5154      +84     
==========================================
+ Hits         3967     3987      +20     
- Misses       1017     1080      +63     
- Partials       86       87       +1

Impacted Files	Coverage Δ
cmd/contour/contour.go	3.94% <0%> (-0.22%)	⬇️
cmd/contour/shutdownmanager.go	25% <25%> (ø)

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update c364699...572fdc2. Read the comment docs.

[stevesloka]

I'm thinking of adding a flow diagram to the docs to explain the sequence of events and the options.

[youngnick]

I think a flow diagram is an excellent idea.

[jpeach]

I'm reviewing now.

[jpeach]

I particularly liked how you bundled the examples and documentation changes in this PR :)

[youngnick]

LGTM overall with a couple of questions. I think the docs are great, nice work.

[davecheney]

I think that’s technically v0.9.1 upstream, but for whatever reason go modules doesn’t want to use that version number and is reverting to the hash.

…

On 19 Feb 2020, at 11:57 am, James Peach ***@***.***> wrote: @jpeach commented on this pull request. In go.mod: > @@ -19,6 +19,7 @@ require ( github.com/konsorten/go-windows-terminal-sequences v1.0.2 // indirect github.com/prometheus/client_golang v1.1.0 github.com/prometheus/client_model v0.0.0-20190812154241-14fe0d1b01d4 + github.com/prometheus/common v0.6.0 Yeh, there doesn't seem to be any version numbering consistency across these packages 🤷‍♂ — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub, or unsubscribe.

[jpeach]

A few nits around log message formatting and so forth. I'd like a bit more clarity around how we should handle errors posting to the health check fail URL though.

[jpeach]

@stevesloka Did we reach a resolution here? What is meant to happen to the shutdown process if we couldn't fail the healthcheck out?

[jpeach]

Can you use ENVOY_HTTP_LISTENER and ENVOY_HTTPS_LISTENER here?

[stevesloka]

The ENV vars? No, these strings match labels in the prometheus metrics.

[jpeach]

I meant these. But I suppose these strings are coded in so many places that one more doesn't hurt :)

Resolve this if you want to keep this as is.

[stevesloka]

oh I see. Hmm, possibly. As it's written now we'd get an import cycle by referencing those since the contour package already references the metrics one.

[stevesloka]

maybe can lift the const somewhere else. It feels bad to add more to the shutdown manager file.

[stevesloka]

Did we reach a resolution here? What is meant to happen to the shutdown process if we couldn't fail the healthcheck out?

@jpeach If we can't tell Envoy to start draining connections then the readiness probe will fail and the pod will wait the total number of terminationGracePeriodSeconds before dropping all the connections that Envoy.

[jpeach]

we can't tell Envoy to start draining connections then the readiness probe will fail and the pod will wait the total number of terminationGracePeriodSeconds before dropping all the connections that Envoy.

@stevesloka So in that case, are we worse off than before? That is, envoy isn't draining, but the shutdown is going to take the full termination period. If we don't retry here, we are guaranteed to consume the full grace period, right? Whereas if we retry, we might succeed and at least start the draining.

[stevesloka]

So in that case, are we worse off than before?

Worse off than before what? I'm not following. The current preStop hook does the exact same call and has the exact same behavior.

That is, envoy isn't draining, but the shutdown is going to take the full termination period. If we don't retry here, we are guaranteed to consume the full grace period, right?

Yes, we'll use the entire grace period unless somehow the connections all drain by themselves.

Whereas if we retry, we might succeed and at least start the draining.

I'd prefer to make this a new issue to follow up on. I honestly do not see this as a case that would be hit. I do think it is possible, but I'd prefer to not make this PR hold on this. Thoughts?

[jpeach]

Worse off than before what? I'm not following. The current preStop hook does the exact same call and has the exact same behavior.

The current preStop calls the fail once and then pod shutdown continues. This preStop blocks pod shutdown until the connection count converges. Previously, the preStop would never hold up pod shutdown.

I'd prefer to make this a new issue to follow up on.

Sure, that seems fine.

[stevesloka]

Retry issue: #2262

[davecheney]

should be versioned or :latest