api: support retry on in BackendTrafficPolicy

[tmsnan]

api: support retry on in BackendTrafficPolicy

Relates to #1821 & #1907

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (20b8497) 64.71% compared to head (d3057c4) 64.71%.

Additional details and impacted files

@@           Coverage Diff           @@
##             main    #2168   +/-   ##
=======================================
  Coverage   64.71%   64.71%           
=======================================
  Files         115      115           
  Lines       17431    17431           
=======================================
  Hits        11281    11281           
  Misses       5433     5433           
  Partials      717      717           

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[arkodg]

@kflynn and @AliceProxy, can you help review this one

[kflynn]

@arkodg @tmsnan Sorry for the delay here! and many thanks for digging into this, I appreciate that. 🙂

That said, I'd like to formalize something I've said on many other occasions:

Flynn's First Law of Envoy: Having end users interact directly with Envoy configuration concepts is almost always a huge mistake. 🙂

In Linkerd, the basic retry configuration is one line: isRetryable: true. You can go beyond that, but you don't have to. In Emissary, it's a little more complex than that, but it's still only... three lines, I think? The fact that Envoy has a ton of options is nearly always irrelevant to the user; let's not force them to use configuration structures that look anything like Envoy.

My strong preference here is that the base case should be a single line of configuration: to get sane retries with good defaults, the user should need only to add isRetryable: true, or something very similar, at the top level of the BackendTrafficPolicy. Having a separate stanza for configuring policy is entirely reasonable but it should be optional.

It's certainly possible that I missed something here, and if so I apologize! 🙂 But in Envoy Gateway's name, the "Gateway" word is the really important bit, right? 🙂

[tmsnan]

@arkodg @tmsnan Sorry for the delay here! and many thanks for digging into this, I appreciate that. 🙂

That said, I'd like to formalize something I've said on many other occasions:

Flynn's First Law of Envoy: Having end users interact directly with Envoy configuration concepts is almost always a huge mistake. 🙂

In Linkerd, the basic retry configuration is one line: isRetryable: true. You can go beyond that, but you don't have to. In Emissary, it's a little more complex than that, but it's still only... three lines, I think? The fact that Envoy has a ton of options is nearly always irrelevant to the user; let's not force them to use configuration structures that look anything like Envoy.

My strong preference here is that the base case should be a single line of configuration: to get sane retries with good defaults, the user should need only to add isRetryable: true, or something very similar, at the top level of the BackendTrafficPolicy. Having a separate stanza for configuring policy is entirely reasonable but it should be optional.

It's certainly possible that I missed something here, and if so I apologize! 🙂 But in Envoy Gateway's name, the "Gateway" word is the really important bit, right? 🙂

1. IMO, the RetryStrategy in BackendTrafficPolicy offers a more comprehensive range of options. Users can customize the retry backoff strategy, retry budget strategy, and retry triggering conditions. However, these advanced features may be too complex for typical Gateway(Not envoy) users. We need to consider whether to fully retain these higher-order uses.

2. It is indeed true that most users do not customize the configuration and prefer to use the recommended settings provided by the gateway to enable the retry feature. I agree with this. Perhaps we could also keep the above-mentioned API and add a toggle switch to enable the commonly used retry function. @arkodg @kflynn

[kflynn]

@tmsnan, so sorry for the delay (again)!

In practice, we haven't really found that everything needs support, and many things just don't get used all that often. Here's an alternative that deliberately tries to minimize the amount of indentation and configuration needed for the things I think are very common:

Suggestion

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: example-policy
spec:
  ...
  isRetryable: true
  retryStrategy:
    maxBudget: 20    # percentage, default 20%
    maxRetries: 0    # count, if nonzero, maxBudget is ignored
    maxParallel: 3   # Optional
    minConcurrent: 3 # Optional

    retryOn:
      trigger: trigger-enum (see below)
      httpStatus: []int # valid when trigger is "retriable-status-code"

    perRetry:
      timeout: duration # optional
      idleTimeout: duration # optional
      backoff: # optional
        baseInterval: duration # required
        maxInterval: duration # optional
        # we can add rate limited based backoff config here if we want to

trigger-enum: one of
  5xx                       # HTTP events
  gateway-error             
  disconnect-reset
  connect-fail
  retriable-4xx
  refused-stream
  retriable-status-codes

  cancelled                 # GRPC events
  deadline-exceeded
  internal
  resource-exhausted
  unavailable

The idea here is that the proxy should know whether it's speaking HTTP or gRPC to a given backend. There's no point in configuring HTTP retries for a gRPC backend, and minimal config shouldn't require rewriting the retry config if you change types. (Obviously if you change protocols when you have configured a trigger, you'd need to change that.)

Examples

These are not meant to be exhaustive; they're meant to show specific cases that might come up.

Minimal config

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: example-policy
spec:
  isRetryable: true

Just give me retries and don't make me think about it. This will enable budgeted retries with a 20% retry budget. (Why budgeted and not counted? because the user experience is better for really simple configurations.)

Minimal counted retries

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: example-policy
spec:
  isRetryable: true
  retryStrategy:
    maxRetries: 1

Retry, but only once. (It might be worth considering whether the presence of retryStrategy implies isRetryable: true...)

Retry only on 499 or 505 (I don't recommend this)

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: example-policy
spec:
  isRetryable: true
  retryStrategy:
    retryOn:
      trigger: retriable-status-codes
      httpStatus: [ 499, 505 ]

Budgeted retries, but only retry on 499 or 505 status codes.

Retry, controlling timing, on gRPC cancelled.

---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: example-policy
spec:
  isRetryable: true
  retryStrategy:
    retryOn:
      trigger: cancelled
    perRetry:
      timeout: 250ms
      idleTimeout: 5s
      backoff:
        baseInterval: 100ms
        maxInterval: 10s

Summary

This is the kind of thing I mean when I say that we don't need to expose all the Envoy config. Envoy's API almost always considers every possible configuration as equal weight, as well as allowing a certain amount of configuration that's kind of nonsensical -- in practice people do not mix HTTP and gRPC to the same endpoint, for example, so configuring both at the same time just doesn't make much sense. We can - and should - be more opinionated, so that the common things are easy.

In, of course, my opinion. 🙂

[tmsnan]

@kflynn, thanks, the API looks much simpler, and there's really no need to distinguish between HTTP and gRPC retry trigger conditions. It's a minor point that we might need to configure multiple conditions in the trigger simultaneously.

apiVersion: gateway.envoyproxy.io/v1alpha1
kind: BackendTrafficPolicy
metadata:
  name: example-policy
spec:
  isRetryable: true
  retryStrategy:
    retryOn:
      trigger:  gateway-error, retriable-4xx

I will update the API later.

[github-actions]

🚀 Deployed on https://gateway-pr-2168-preview--eg-preview.netlify.app

[arkodg]

I would prefer we didn't include that and instead relied only on Retry

[arkodg]

can we rename to retry ? all fields in here are singular

[arkodg]

is this numRetries or maxRetries ?

[arkodg]

lets add some defaults ?

[tmsnan]

like istio?

    retryOn:
      trigger: retriable-status-codes，connection-failure,  refused-stream, unavailable,cancelled
      httpStatus: [ 503 ]

[arkodg]

yeah as well as numRetries

[arkodg]

hey @tmsnan, sorry for the delay in review

1. can we rm MaxBudget , MaxParallel & MinConcurrent in this first iteration
2. can we decide on sane defaults, so when a user sets

retry: {}

it results in

• NumRetries - X
• RetryOn.Triggers - [......]

[tmsnan]

hey @tmsnan, sorry for the delay in review

1. can we rm MaxBudget , MaxParallel & MinConcurrent in this first iteration
2. can we decide on sane defaults, so when a user sets

retry: {}

it results in

• NumRetries - X
• RetryOn.Triggers - [......]

done

[arkodg]

needs a validation annotation

[arkodg]

can we also rm IdleTimeout in the first iteration ?

[arkodg]

hey @tmsnan, this API is pretty close to the finish line, can you address the review comments ? tia

[guydc]

maybe int32 is more explicit. Also, we can validate that the value is >= 0.

[guydc]

maybe validate status in accepted range 1xx - 5xx

[tmsnan]

hey @tmsnan, this API is pretty close to the finish line, can you address the review comments ? tia

Sorry for the late reply, there have been some family matters recently, and I will handle them soon.

[arkodg]

hey @tmsnan, this API is pretty close to the finish line, can you address the review comments ? tia

Sorry for the late reply, there have been some family matters recently, and I will handle them soon.

Sorry to hear @tmsnan.
No rush to pick up this PR, @guydc can help move this PR forward

[guydc]

Closing as this work was merged in #2657