Add the Killswitch client

[loic-sharma]

Killswitches allow you to turn off services' features remotely. This will be used to turn off the revalidation job if it causes pressure on the ingestion pipeline. The API is simple:

if (!_killswitchClient.IsActive("MyService.MyFeature"))
{
  _logger.LogWarning("My feature is disabled, don't do anything!");
  return;
}

Like the ITelemetryClient, services are expected to wrap the IKillswitchClient with higher-level abstractions. For example:

if (!_killswitchService.ShouldEnqueueRevalidation())
{
  _logger.LogWarning("Revalidations have been disabled!");
  return;
}

Killswitch Endpoint

Killswitches work by polling an endpoint that returns a JSON list of activated killswitches:

[
  "Revalidation.Enqueue",
  "Gallery.SymbolUploads"
  "Orchestrator.RepositorySigning"
]

This endpoint will be a JSON file hosted on Azure Blob Storage. An admin panel will be created on the Gallery to modify this file.

Design Decisions

Client uses HTTP endpoint instead of Azure Blob Storage

The fact that we use blob storage on the backend is an implementation detail. With blob storage, we'd need to add storage credentials to all services, which would increase the cost to on-board. As for privacy concerns, we could make the killswitch blob private but generate a URI with read-only access for services to consume.

Lastly, an HTTP implementation can support a push model through long-polling. As far as I know, this cannot be done using Azure Blob Storage.

Background Refresh

In this implementation, IsActive does not refresh the killswitch cache. Instead, a background task refreshes the cache periodically (every 5 minutes by default). This lets consumers of the killswitch client call IsActive as frequently as they'd like, including in hot paths.

Compared to Gallery's ContentObjectService

The HttpKillswitchClient is very similar to the ContentObjectService:

• Both refresh their state in the background
• Both store their state as JSON on an endpoint
• Both allow fast lookups of the currently cached values

The differences are:

• The ContentObjectService gives you high-level objects, allowing you to build complex feature flag logic. The HttpKillswitchClient can only determine whether a features should be on or off
• To add a new feature, the ContentObjectService requires code changes in both the Gallery as well as the service that owns the feature
• The ContentObjectService uses APIs specific to ASP.NET for background refreshes, and cannot be used by jobs (see this)
• The ContentObjectService fails silently if the latest settings cannot be fetched/parsed
• The ContentObjectService depends on Azure Blob Storage

Part of https://github.com/NuGet/Engineering/issues/1440

[loic-sharma]

TODO: Make this async, call RefreshAsync once before returning to ensure cache is primed.

[loic-sharma]

Fixed

[loic-sharma]

TODO: Throw if not started.

[loic-sharma]

Fixed

[loic-sharma]

TODO: Test malformed responses, that StartAsync refreshes in background once, that IsActive throws if not started

[loic-sharma]

Fixed

[loic-sharma]

ex.ToString() -> ex

[loic-sharma]

Fixed

[loic-sharma]

Get rid of packages.config references.

[loic-sharma]

Fixed

[skofman1]

what's the intended RefreshInterval? How often will IsActive be called?
If RefreshInterval is small and IsActive is not frequent this approach is inefficient. A different approach is to refresh when IsActive is called.

[shishirx34]

I am assuming IsActive will be called very frequently, specifically for revalidation job.. this could get out of hand. A decent RefreshInterval should work fine. It could be tweaked as per the calling job via config. Or may be add another config to determine when to refresh? Either via interval or with IsActive call?

[loic-sharma]

Each job can have its own refresh cadence. I'm thinking 5 minutes for the revalidate job.

The idea is to make IsActive as cheap as possible so that it can be called anywhere including critical and hot paths. Moving the network request into IsActive would limit where we can call IsActive.

[skofman1]

This is not thread safe. Start() can be called multiple times.

[loic-sharma]

Why isn't this thread-safe? As far as I can tell, it is. Reference assignment is atomic, and that's the only thing that the background thread interacts with.

Calling Start multiple times would cause the cache to be refreshed at a faster cadence. I can add a check to Start to ensure it's called just once, but I personally prefer simpler code.

[skofman1]

Calling Start multiple times would cause the cache to be refreshed at a faster cadence. I can add a check to Start to ensure it's called just once, but I personally prefer simpler code.

This is the reason. The code won't work as expected if Start() is called multiple times.

[loic-sharma]

Added a check to ensure Start is called just once.

[skofman1]

You are swallowing the exception and hiding issues. The correct behavior will be to add retries to protect against network issues, but throw on deserialization issues and other unrecoverable exceptions.

[loic-sharma]

This runs on a background thread, throwing would cause the background thread to end.

That being said, I agree that we should have some "hard fail" behavior when we repeatedly fail to reload the killswitches. I'll make IsActive throw if the cache's staleness reaches some threshold.

[loic-sharma]

Made IsActive throw if the cache reaches the configured staleness.

[skofman1]

why public if not part of the interface?

[loic-sharma]

It may be useful for downstream consumers. Its not on the interface as not all killswitch services that support push model don't need a concept of refresh.

It also enables easy testing.

[loic-sharma]

I talked to @shishirx34, I will add RefreshAsync to the interface.

[loic-sharma]

Fixed

[skofman1]

using HttpClient you assume the config blob is public, but it's an internal service config and should be private. Use IStorage interface.

[loic-sharma]

I considered this but decided against it. With blob storage, we'd need to add storage credentials to all jobs, which makes it harder to on-board a new service to killswitches. I don't think there's a need for killswitches to be private and there's precedent for public blobs: search auxiliary data, cursors, etc.. Really, the fact that we will use blob storage on the backend is an implementation detail.

Lastly, an HTTP implementation can support for a push model through long-polling. This requires a backend that supports long polling.

What do you think?

[agr]

We can have a SAS URL to a non-public blob with expiration 100 years in the future, can't we?

[loic-sharma]

@agr Yup, that could work.

[skofman1]

There will be two roles in the killswitch world: reader and writer. If you intend to separate them into two interfaces you should suffix this interface with Reader. You could also combine the two into a single KillSwitchService, however, since there's going to be only one writer (the gallery) I don't think it's a good idea.

[loic-sharma]

Good point. What do you think of HttpKillswitchClient so that it matches our naming in logging and service bus?

[loic-sharma]

Updated

[skofman1]

🕐

[skofman1]

I like the idea of having a system wide killswitch service, however this creates feature duplication in the gallery with the "feature flag" service. Both turn abilities on/off. We should discuss this on a team level.

[shishirx34]

nit: active killswitches

[shishirx34]

I am assuming IsActive will be called very frequently, specifically for revalidation job.. this could get out of hand. A decent RefreshInterval should work fine. It could be tweaked as per the calling job via config. Or may be add another config to determine when to refresh? Either via interval or with IsActive call?

[loic-sharma]

@skofman1 Sure. Let's talk about it after the next standup?

[loic-sharma]

We would like to implement this using storage APIs. Once services use the same APIs, we can look into a universal killswitch system