adding health checks

[areller]

adding health checks according to this #19

Changes

1. Replicas can be cancelled independent of the service
2. There are 2 new configurations for a service: liveness, readiness. each can hold these settings

http:
  path: /health
  port: 80 # default: pick the first binding of the service
  protocol: http # default: none
  headers:
    - name: A
       value: B
initialDelay: 5 # default: 0
period: 1 # default: 1
timeout: 1 # default: 1
successThreshold: 1 # default: 1
failureThreshold: 3 # default: 3

3. There are 2 new replica states: Healthy, Ready (Ready = passed both liveness and readiness probing. Healthy = passed liveness but not readiness).
   If neither liveness nor readiness were provided, replica will be upgraded to Ready upon creation. If only liveness if provided, replica will be upgraded to Ready upon passing the liveness probe. if only readiness is provided, replica will be upgraded to Healthy upon creation.
4. There is a ReplicaMonitor that reads the liveness and readiness probe configuration, and kills/changes the state of the replica according to probe results
5. Proxy and Ingress only forward to Ready replicas
6. The generated Kubernetes manifest contains the liveness and readiness configuration.

[davidfowl]

Why is there a loop here?

[areller]

When I implement the monitor, it might decide to kill a container because it's unhealthy. In that case I'd want the DockerRunner to recreate the replica.
Another way to do it, is to kill the container by calling docker restart, and then there is no need for that loop. what do you think?

[areller]

The argument behind the former, is that it's consistent with how I'll do it in ProcessRunner

[davidfowl]

The docker runner already restarts the replica albiet with the same name.

[areller]

@davidfowl I think that the problem with doing docker restart is that the health monitor won't be able to tell that the container was restarted (because there won't be Stopped and Started events). Unless, I explicitly send ReplicaState.Stopped and ReplicaState.Started events whenever I restart the container, but I don't like that approach.

[jkotalik]

From what I can tell with this loop, you would call docker rm and other commands I don't think you want to run:

tye/src/Microsoft.Tye.Hosting/DockerRunner.cs

Line 429 in 65c7ae0

result = await ProcessUtil.RunAsync("docker", $"rm {containerId}", throwOnError: false, cancellationToken: timeoutCts.Token);

The restart loop for rerunning docker is here:

tye/src/Microsoft.Tye.Hosting/DockerRunner.cs

Line 382 in 65c7ae0

var logsRes = await ProcessUtil.RunAsync("docker", $"logs -f {containerId}",

. Can you modify this loop instead?

[areller]

@jkotalik yeah, makes sense. I'll try doing it that way.

[areller]

@jkotalik changed the DockerRunner to do docker restart when StoppingTokenSource is canceled.

[areller]

@davidfowl there are two major things left

1. generating k8s yamls with liveness and readiness
2. I don't forward traffic to non ready replicas, unless there is a single replica. proxying with a single replica causes some tests that use external docker images (e.g. redis) to fail, and I need to check why.

Maybe it's best to start reviewing this PR and I can submit the rest later on this PR or another PR?

[davidfowl]

These 2 probes are bigger than the entire yaml, that makes me 😢

[areller]

@davidfowl yeah... I thought it's best to go with something flexible like in k8s, but you can get a way with just providing a path, the rest have default values

[areller]

I'll probably add the k8s manifest generation tomorrow.

[jkotalik]

@areller this change is amazing. Got my coffee ☕ and will be reviewing now.

[jkotalik]

Great start. I think there is some small cleanup tasks for code readability in the replica state management, but overall looks like the right idea.

[jkotalik]

I think you don't need ! here, other similar cases in this file as well.

Suggested change

	httpGet.Add("scheme", builderHttp.Protocol!.ToUpper());
	httpGet.Add("scheme", builderHttp.Protocol.ToUpper());

[areller]

yep. I removed it and it didn't throw any warnings. probably because it's inside a block that runs if builderHttp.Protocol != null.
It's weird because at times the compiler will throw a warning when not using the ! operator, even though the expression is in a context where it's guaranteed to not be null...

[areller]

found an example: if you go to ReplicaMonitor.cs:113 and remove the ! after serviceDesc.Readiness, the compiler will throw a warning, even though there is no way for that variable to be null at that point.

[jkotalik]

It does feel a bit awkward to have health checks per service rather than per endpoint, but it seems to be what k8s does. Or maybe we require a port?

[areller]

requiring a port will indeed make it more compatible with k8s, but it will make the tye.yaml more verbose and less maintainable in my opinion. one thing that k8s does to help with maintainability is to allow to specify a variable as a port. e.g.

port: liveness-port

[jkotalik]

Why add the check for service.Description.RunInfo is IngressRunInfo

[areller]

because I forgot to remove when added service.Description.Readiness is null :)

[jkotalik]

Suggested change

	if (probe.Http is null)
	if (probe.Http == null)

[jkotalik]

And for the rest of the file

[jkotalik]

Suggested change

	_logger.LogWarning("cannot start probing replica {name} because probe configuration is not set", _replica.Name);
	_logger.LogWarning("Cannot start probing replica {name} because probe configuration is not set", _replica.Name);

[jkotalik]

And for the rest of the file.

[jkotalik]

These logs should probably be at debug level.

[jkotalik]

This probably deserves a comment as well.

[jkotalik]

I think this overall looks good. There will be some follow up I'd like for us to do for polish, but can be done in a separate PR, including:

• Sample
• Docs
• Recipe

[jkotalik]

nit: return ConfigProbe instead of passing it in s.t you can set service.Liveness/service.Readiness directly.

[areller]

Yeah. That would probably make more sense but it will break compatibility with the rest of the methods. What do you think?

[jkotalik]

Can we add some tests for these parsing wise? Much faster for checking these kinds of conditions like making sure initialDelay can't be negative.

[areller]

I'll try to come up with something. You want it as part of this PR? or break it up in a different one?

[jkotalik]

I think following the structure here: https://github.com/dotnet/tye/blob/master/test/UnitTests/TyeDeserializationTests.cs#L25.

Mostly just parsing/ validation of tye.yaml to make sure we cover these edge cases correctly.

No preference whether we add them in this PR now or follow up, I'd just like them in general 😄

[jkotalik]

@davidfowl to review this on top of me.

[jkotalik]

I'm going to go ahead and merge this, let's do some follow up on top of it 😄 .

Again, thanks @areller for all the work you have done here

[areller]

@jkotalik thank you! Will create a PR in the following days