Support custom subscription name for Pub/Sub health check

[patpe]

First, the main issue that I want to address can be seen by looking at https://github.com/Predictly/gcp-pubsub-health where Kubernetes put's the pod in an restart loop since it fails to respond to /actuator/health.

Here are my thoughts that went into designing a solution:

1. Started investigating adding pubsub state to PubSubTemplate, PubSubSubscriberTemplate or PubSubPublisherTemplate, decided not to go down this route since it would add code and variables that would have nothing to do with the main flow of these classes
2. Decided to handle the issues I saw by pulling messages async in the existing PubSubHealthIndicator which will make it possible to return with an unknown state during the health check even if the application is under heavy load
3. Added support for customizing both health check subscription and timeout according to @elefeint's initial ideas

My concerns related to this could be mitigated by documenting how these attributes in the new PubSubHealthIndicatorProperties should NOT be used

I have tested my code in the gcp-pubsub-health application and it removes the issue with Kubernetes restarting the application due to liveness timeouts, under load it responds based on the timeout configured in the new property spring.cloud.gcp.pubsub.health.timeout-millis with the following

"pubSub": {
  "status": "UNKNOWN",
  "details": {
    "error": "java.util.concurrent.TimeoutException: null"
  }
}

If this looks good I can go ahead and update the docs as well. First time contributing so any feedback is welcome.

[ttomsu]

Mostly looks good - great work for a first pass!

Left a comment for @meltsufin / @elefeint re: which return codes we want use for up/down signaling.

[ttomsu]

Not necessary to invoke super() here.

[ttomsu]

Hmm... Given that we're now encouraging "bring your own subscription to use for health checks", do we really want to say that a not found is ok? Seems to me like this would mask a misconfiguration error, and the error would be swallowed

[meltsufin]

I don't know if we want to require users to bring their own subscription. This certainly would need to be documented well to clear up the confusion on why setting a custom subscription for health check if optional.

That being said, if the user provides a subscription, NOT_FOUND or PERMISSION_DENIED would indeed be error conditions.

[elefeint]

I agree that custom subscription should be optional -- for backwards compatibility, and for users who can't create a dedicated subscription due to permission structure.

So there are two paths through the healthcheck, which I'd probably handle as follows:

1. a random subscription expected to return NOT_FOUND or PERMISSION_DENIED. Any other exception would signal downtime.
2. a custom subscription, for which the expected "up" signal is not getting any exception. Either receiving messages or pulling an empty batch would be "up". But getting not found OR permission denied should be unexpected. My reasoning is that if a team/org has enough permissions to create a dedicated subscription, they are likely able to set permissions appropriately.

[elefeint]

The if/else will become even more unwieldy with my suggestions, btw, so you may want a helper method.

[dzou]

Would it be better to keep the custom subscription as a field of the PubSubHealthIndicator or introduce a new wrapper class like in here (via PubSubHealthTemplate)?

On my first pass I thought keeping the custom subscription in the PubSubHealthIndicator as an optional string would be simpler to avoid introducing a new class, but am curious to hear everyone's thoughts.

[meltsufin]

I don't see much benefit in making PubSubHealthTemplate part of our public API.
It can either be subsumed under PubSubHealthIndicator, or just made package-private. I would be fine with either.

[meltsufin]

I don't know if we want to require users to bring their own subscription. This certainly would need to be documented well to clear up the confusion on why setting a custom subscription for health check if optional.

That being said, if the user provides a subscription, NOT_FOUND or PERMISSION_DENIED would indeed be error conditions.

[meltsufin]

Wouldn't you want builder.up() after this line?

[meltsufin]

This subscription should be validated as existing as early as possible. (Fail fast)

[patpe]

Continued working on this and got to a point where it started to get a bit confusing. Consider the following scenario:

PubSubHealthIndicatorAutoConfiguration#pubSubHealthContributor is called with a map of more than one PubSubTemplate and the properties contains a specified subscription. What does this setup mean?

Will it be possible to have several PubSubTemplate beans each pointing to different projects? If so, how should we use the specified subscription? Throw IllegalArgumentException if subscription specified and there are more than one PubSubTemplate bean?

Validate in PubSubHealthIndicatorAutoConfiguration#pubSubHealthContributor which of the PubSubTemplate beans can read from the specified subscription, let the rest pull from UUID.randomUUID()?

[meltsufin]

@patpe One thing to note is that subscription name could be relative or fully-qualified as in projects/<project_name>/subscriptions/<subscription_name>}. If a relative one is used, it will automatically be routed to the project of the PubSubTemplate bean. Otherwise, the user is explicitly asking to connect to a specific project, which will work seamlessly regardless of which project is defined for the specific PubSubTemplate bean.
So, I don't really see much of an issue here.

[patpe]

@meltsufin I understand your point. My concern is the scenario where multiple PubSubTemplate beans are configured and they have separate CredentialsProvider that does eventually not refer to the same project. This is, in theory, possible to do and if there are more than one PubSubTemplate bean a likely reason. Think of a proxy service that reads from one project and writes to the project it is itself running in, cross organization or department in a business.

Which of the PubSubTemplate (i.e. GCP projects) should the health check assume that the configured subscription is in? I will go down the route of validating that a configured subscription is available in all configured PubSubTemplate and fail to start if it does not exist in one of them. This could/should then be documented as a limitation that a configured subscription has to exist in all projects and if this is not possible to setup, the user should leave subscription out in which case it will pull from a randomly generated subscription.

[patpe]

Updated PR which now supports the following

1. User can configure a custom subscription and timeout for health check
2. If specified, the subscription has to exist in all available PubSubTemplate or the application will not start (BeanInitializationException will be thrown)
3. Health checks against PubSub done async and expected to return response within specified timeout (1000ms default)
4. If a custom subscription has been specified, the async pull against pubsub will signal unknown for TimeoutException and down for any other exception
5. If no custom subscription has been specified, the async pull is done against a random subscription name and will signal ok for NOT_FOUND and PERMISSION_DENIED in ApiException, unknown for TimeoutException and down for anything else

[meltsufin]

Was the intent to make the health-check async? If so, currently it doesn't seem to be doing it because of the future.get(). You would instead need to register a success and a failure callback on the future, which will in turn set the heath status. This will probably be easier to do if you merged the PubSubHealthTemplate with the PubSubHealthIndicator into a single class.

[ttomsu]

Also please take a look at the Sonar Cloud report for the 5 code smells - they should be pretty simple to fix.

[patpe]

Thanks for the feedback, incorporated your suggestions. ⛷️ for a week, hence late reply.

Was the intent to make the health-check async? If so, currently it doesn't seem to be doing it because of the future.get().

The intent was never to make the health check async and this is just poor naming of the PR from me. The intent was to use the async functionality of the PubSub API to guarantee a response from the health check in a configurable amount of time, thereby avoiding not returning a response under heavy load to the Kubernetes health probe.

That being said, if making the health probe async is a better solution I can continue working with that as a target. My gut feeling about making it async was that the use case did not merit introducing that level of complexity.

[meltsufin]

Since PubSubHealthTemplate is now a package-private class, we can't make it part of the public interface here. So, we'll have to accept a bean of PubSubHealthTemplate like before and just create the PubSubHealthTemplate internally. Alternatively, you can just move the methods from the PubSubHealthTemplate class into this class and remove PubSubHealthTemplate altogether.

[meltsufin]

I think it's worth noting here that the custom subscription doesn't have to have messages on it. Also, it's important for users to realize that the topic that the custom subscription is for needs to be dedicated to the health check. I'm very worried that users will accidentally create a health subscription to a topic that is also used for other purposes and potentially lose messages.

[meltsufin]

Can this bit of code duplication with the PubSubHealthIndicator be avoided?

[meltsufin]

I know at first I said it probably didn't matter that we're introducing this additional class, as long as it's package-private, but I'm now seeing more complexity introduced due to it. What's the benefit you're seeing from having this class?

[patpe]

Refactored so that PubSubHealthTemplate isn't needed anymore and added javadoc to PubSubHealthIndicator about the behaviour when pulling messages.

I have some thoughts about the way the health indicator is validated. Should it

1. be moved to the PubSubHealthIndicator constructor?
2. be removed (no other HealthIndicator seems to have this behaviour)?

@meltsufin I agree with your concerns and I have some doubts about the current implementation in this PR. If forced to choose between the following two scenarios

1. pulling and acking a message from a business subscription which has been accidentally configured as health check subscription
2. not ack:ing messages on a health check subscription that will produce side effects in GCP statistics (expired metric)

I would prefer to trigger option 2 since it is the lesser of the two evils. Should we perhaps remove the ack?

[meltsufin]

I have some thoughts about the way the health indicator is validated. Should it

1. be moved to the PubSubHealthIndicator constructor?
2. be removed (no other HealthIndicator seems to have this behaviour)?

The nice thing about validation in the constructor is that we force any problems to surface during app startup, but on the other hand, if no other health indicator does it, I think it should be fine to just remove it.

@meltsufin I agree with your concerns and I have some doubts about the current implementation in this PR. If forced to choose between the following two scenarios

1. pulling and acking a message from a business subscription which has been accidentally configured as health check subscription
2. not ack:ing messages on a health check subscription that will produce side effects in GCP statistics (expired metric)

I would prefer to trigger option 2 since it is the lesser of the two evils. Should we perhaps remove the ack?

What do you think of a compromise where we just add a configuration property for acking and default it to false?

[meltsufin]

@patpe I would like to help you polish this PR. Would you mind giving me access to your fork?

[patpe]

@patpe I would like to help you polish this PR. Would you mind giving me access to your fork?

Thanks @meltsufin, I have given you access and you should be receiving a notification about it soon. Combining this PR with work proved a greater challenge than I anticipated, will dive into it again right now.

[patpe]

@meltsufin Added support for toggling acknowledge of messages on or off, off by default.

[meltsufin]

@patpe I've polished up the pull request and added some reference documentation. Please see if looks good to you.

[elefeint]

My only substantial comment is about subscription names needing to start with a letter.

Otherwise lgtm with minor suggestions.

[elefeint]

Subscription names must start with a letter. I'd suggest a prefix of "spring-cloud-gcp-healthcheck".
https://googleapis.dev/java/google-cloud-pubsub/latest/com/google/pubsub/v1/Subscription.Builder.html#setName-java.lang.String-

[elefeint]

I'd add a comment after the if block for // ignore expected exceptions in lieu of the else clause.

[elefeint]

Don't need to mock it; use ApiFutures.immediateFuture(). It might help with unchecked warnings, too, since you can return a typed list.

[meltsufin]

Since I actually want to verify calls on the future, I think I'll keep the mock.

[elefeint]

Since this is testing context loading, might want to verify that the health indicator validation got invoked (that template.pullAsync() got called)

[elefeint]

ApiFutures.immediateFailedFuture() will help.

[dzou]

Suggested change

	void customSubsription_TimeoutException() throws Exception {
	void customSubscription_TimeoutException() throws Exception {

[dzou]

I think using the future.get(..) is blocking right? Should you register a callback here?

[meltsufin]

We decided to keep it synchronous.

[dzou]

I see. Is there a benefit to using pullAsync vs. the Sync pull then?

didn't mean to approve yet

[sonarcloud]

Kudos, SonarCloud Quality Gate passed!

0 Bugs
0 Vulnerabilities
0 Security Hotspots
0 Code Smells

100.0% Coverage
0.0% Duplication