Listener: Add global conn limit opt out.

[wez470]

Commit Message: Add listener global conn limit opt out.
Additional Description: Allows listeners (including the admin) to opt out of the globally set max downstream connections limit. Further info on why this is desired can be read in the linked issue. Individual listeners that have opted out of the global connection limit can still set a local limit using https://www.envoyproxy.io/docs/envoy/latest/configuration/listeners/runtime.
Risk Level: small
Testing: function, unit, integration
Docs Changes: Added api docs + mention in overload manager docs
Release Notes:
Fixes #18678

[repokitteh-read-only]

As a reminder, PRs marked as draft will not be automatically assigned reviewers,
or be handled by maintainer-oncall triage.

Please mark your PR as ready when you want it to be reviewed!

🐱

Caused by: #18876 was opened by wez470.

see: more, trace.

[repokitteh-read-only]

CC @envoyproxy/api-shepherds: Your approval is needed for changes made to (api/envoy/|docs/root/api-docs/).
envoyproxy/api-shepherds assignee is @adisuissa
CC @envoyproxy/api-watchers: FYI only for changes made to (api/envoy/|docs/root/api-docs/).

🐱

Caused by: #18876 was opened by wez470.

see: more, trace.

[adisuissa]

Thanks for working on this.
Left a couple of comments on API and docs.

[wez470]

@adisuissa PTAL, thanks.

[adisuissa]

I just realized there are 3 things in play after this PR:

1. The global connections# limit (runtime flag)
2. The per-listener connections# limit (runtime flag)
3. The proposed ignore global-connections# limit field (for both the admin and general listeners).
   It may be somewhat hard to understand which of these override the others.

Question: would it make sense to have just the global and local limits, where the local limit overrides the global, and if set to 0, it is unlimited?
I guess these can also be fields instead of runtime flags.

[wez470]

Thanks for the comments @adisuissa!

Question: would it make sense to have just the global and local limits, where the local limit overrides the global, and if set to 0, it is unlimited?

This would satisfy the behaviour we want but I believe it's a question more so for maintainers. Making local limits override the global one is a breaking change. Today they can be used in tandem and a listener will be limited if it hits either limit. Further, AFAICT there's no way to set a local limit on the admin listener. So there's no way it could opt out without work to introduce some sort of local limit setting there.

[yanavlasov]

@wez470 would you be able to

Thanks for the comments @adisuissa!

Question: would it make sense to have just the global and local limits, where the local limit overrides the global, and if set to 0, it is unlimited?

This would satisfy the behaviour we want but I believe it's a question more so for maintainers. Making local limits override the global one is a breaking change. Today they can be used in tandem and a listener will be limited if it hits either limit. Further, AFAICT there's no way to set a local limit on the admin listener. So there's no way it could opt out without work to introduce some sort of local limit setting there.

Listener connection limit allows overriding global limit down. Having a separate flag to override up makes sense to me. I think we could make it so that if the listener limit is larger than global limit it acts as override up, but it may just make config more complicated.

[wez470]

Listener connection limit allows overriding global limit down. Having a separate flag to override up makes sense to me. I think we could make it so that if the listener limit is larger than global limit it acts as override up, but it may just make config more complicated.

I'll look into doing this. For the override up flag, were you thinking this would be a runtime flag?

[wez470]

I've realized that Listener connection limit allows overriding global limit down. Having a separate flag to override up makes sense to me. still misses some cases that the ignore global flag supports. If I want a listener that ignores the global limit, I have to make it handle more connections than the global limit. Although for my use case it would be okay to have a setup like this, there could be a case where you want a listener to only handle a handful of connections but still not be affected by the global limit. There would be no way to configure this with that approach. Thoughts?

[KBaichoo]

Given the below diagram:

I wonder if we'd want to end up with something more granular than global limits, but provide a grouping mechanism among subsets of listeners. e.g. Implement listener sets as in the middle of the diagram where listener 2 and 3 are limited by some maximum number, while listener 1 is not.

This would be a more generalized approach than global limit opt out (solving this use case of opting out the admin, and some particular listeners), and enable cases such as multi-tenant connection limits.

I think it would add some additional configuration complexity (e.g. to set up groups), but the behavior seems more predictable / intuitive than overriding possibly occurring in both directions. Thoughts?

[yanavlasov]

LGTM, modulo small const correctness nit.

/wait

[wez470]

@KBaichoo I like this idea. It is a little more work than I'd hoped to do to solve this issue personally, but I'm open to it if it's agreed that's the directions we should go.

[KBaichoo]

@wez470 I'm also happy with the current solution (opt out) as it seems to be heading in the direction where we might eventually want to go and is more intuitive than overriding bidirectionally based on implicit values or implicit comparisons.

[KBaichoo]

You might want to merge again since #19007 disabled a flaky QUIC test.

[wez470]

Thanks

[KBaichoo]

@adisuissa can you take a look as API Sheppard?

[adisuissa]

/lgtm api

[wez470]

@yanavlasov Can you PTAL?

[wez470]

Thanks all for reviewing!