Ingress HTTP/2 Support

[agau4779]

• Adds HTTP2 annotation to Service
• Creates alpha HealthCheck and BackendService resources when the protocol is HTTP/2, by using a composite BackendService type
• Tests for HealthCheck/BackendServices using HTTP/2

[agau4779]

/assign @nicksardo @bowei

[bowei]

alpha cannot be used on the beta, ga paths

[bowei]

we should probably keep the alpha types off of the ga paths.

[bowei]

we can't call alpha on the GA, beta paths.

[bowei]

We need to keep the alpha API by itself, alpha APIs have no SLO and are whitelist only.

[freehan]

does it need to be feature gated? or always turning it on is okay.

[agau4779]

@freehan - we're going to Feature Gate this.

[nicksardo]

/ok-to-test

[freehan]

This seems wrong. It will always update backend service. Please only update when necessary

Move this back to above

[freehan]

Do you have to distinguish between Alpha and GA backend services here?

Or consider have some helper function with BackendService struct

IIUC, the URLs are the same except for the API version part.

[freehan]

If no Instance Group needs to be added, why do you need to update?

edgeHop is mostly for linking backends and backend service

[agau4779]

Oops, good point. Removing

[freehan]

worth wraping this into a separate function that ensures protocol, hclink and description in a be

[freehan]

wrap this into a separate function to generate corresponding backends?

[freehan]

Please add some helper functions to this struct. For instance,

• Ensure protocol, healthcheck and description, (return if there is difference)
• Ensure Backends (check if current backend instance groups are super set)

[agau4779]

4de3e8b

[freehan]

Move the log line here to log it is updating backend service

[freehan]

Does this function has to be public?

[agau4779]

Opted to add new logging for update here - f6ca1c7

[freehan]

Probably need to copy the same pattern for NEG health checks. Need to ensure existing settings are preserved.
@nicksardo Do you think it is necessary for HTTP2?

[nicksardo]

Yea, settings should absolutely be preserved as they are done today. IIRC, we change some parameters for NEGs, but never the path value.

We'll also need to consider the case of NEGs + HTTP2.

[freehan]

@agau4779 need to rethink the logic here.

1. Need to handle PortSpecification + HTTP2
2. Need to preserve whatever user healthcheck configuration even if protocol or NEG setting changes.

[freehan]

Is there any possibility that Protocol is empty and GetAlphaGlobalBackendService keeps returning error?

[agau4779]

GetGlobalBackendService gets the GA BackendService but returns an empty string in the Protocol if the Protocol is not HTTP or HTTPS - so here, we're anticipating that the user created an Alpha BackendService with an HTTP2 protocol (currently alpha-only), so calling the GA path will return a blank protocol.

GetAlphaGlobalBackendService may run into an isForbidden error if the user is no longer Alpha whitelisted - in which case, might cause the Ingress controller to be stuck forever. Will add this warning in a code comment.

[freehan]

move to the following else block

[freehan]

existingProtocol := be.GetProtocol()
existingProtocol := be.GetDescription()

[freehan]

remove this since b.update() has a log already.

[freehan]

needUpdate := be.ensureProtocol(p.Protocol) 
needUpdate = needUpdate | be.ensureHealthCheck(hcLink) 
needUpdate = needUpdate | be.ensureDescription(p.Description())
if needUpdate {
     if err = b.update(be); err != nil {
 	return err
     }
}

or

if be.ensureConfig(p, hcLink) {
   if err = b.update(be); err != nil {
 	return err
    }
}

ensureConfig returns true if existing parameter does not match expected. Move all comparison between existing vs. expected into the helper functions.

[freehan]

existingHCLink := be.GetHealthCheckLink()

[freehan]

rename to ensureBackends?

[freehan]

s/igLinks/expectedIGs

[freehan]

@agau4779 need to rethink the logic here.

1. Need to handle PortSpecification + HTTP2
2. Need to preserve whatever user healthcheck configuration even if protocol or NEG setting changes.

[bowei]

can we have Alpha == nil denote that alpha compute type is used?

is there a possibility of isAlpha == true, but Alpha == nil?

[agau4779]

There is not - when getting an Alpha BackendService, or promoting an GA BackendService to Alpha, isAlpha is set to true. Looks like it's redundant if we can just check BackendService.Alpha == nil - removing.

[freehan]

move the original comments here.

[freehan]

hcLink not used right?

[freehan]

IIUC, if the existing backend-service is using HTTP2. If the new protocol set to HTTP. Then it will set protocol on the alpha object. Hence, during update, it will call Alpha API to update backend service.

Try to avoid calling alpha API as much as possible. SLA is different.

[agau4779]

Hmm, then should we convert it to a Ga backend service in this function?
e.g.

	if p.Protocol != annotations.ProtocolHTTP2 {
		be.Ga = toV1BackendService(be.Alpha)
		be.Alpha = nil
	}

[freehan]

merge NEG and isHttp2 conditions

[freehan]

Please also unit test the ensurexxxxx methods.

[freehan]

toAlphaBackendService is mostly for testing.

Are you confident about its reliability for production use?

[freehan]

Probably do this: ensureProtocol just ensures the protocol for both GA and Alpha objects if exists.

In update, pick the api to call.

[freehan]

Is it possible that alpha backend-service points to GA health check link? Or reverse (GA backend-service point to Alpha Health check)

IIRC, this is actually okay. But need to confirm.

[agau4779]

Shouldn't be possible - GetHealthCheckLink performs a check - if be.Alpha != nil && len(be.Alpha.HealthChecks) == 1 then hcLink will return an Alpha healthcheck link; otherwise a Ga link is returned.

The compute API currently returns the alpha version of the Healthcheck link through the Alpha API and the GA version of the link through the GA API (gcloud [alpha] compute backend-services describe [service-name]), so I agree that it should be ok.

[freehan]

quick question:
GA health checks supports HTTP2?

[agau4779]

GA Healthchecks do not support HTTP2. HTTP2 healthchecks are created through the Alpha API.

[freehan]

Seems incorrect. Does it preserve configs if oldHC is HTTPS or HTTP2?

[freehan]

Cannot think of a better way to avoid duplicate code.

Do you think it is worthwhile to hide the complexity behind ensureInstanceGroupBackends? And do something clever behind the scene and unit test it thoroughly.

[freehan]

Is it possible to only use GA backend service to ensure backends?

Will it overwrite the HTTP2 config?

[freehan]

If GA Backend-service set to HTTP2, you probably gets a validation error.

But if you get a GA backend-service, and update its backend without touching protocol. What will happen?

[agau4779]

We can't use the GA BackendService API. Verified that setting the Protocol on an HTTP or HTTPS BackendService to HTTP2 causes a validation error, and that modifying any other attribute on an HTTP2 BackendService causes the BackendService's Protocol to default to HTTP. The Sync loop eventually calls backends.go#Ensure then causes it to revert back to HTTP2.

[freehan]

LGTM

@bowei @nicksardo do you want another look?

[freehan]

/lgtm