envoyproxy · alyssawilk · Mar 13, 2019 · Feb 14, 2019 · Mar 4, 2019 · Mar 4, 2019
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -137,6 +137,56 @@ maximize the chances of your PR being merged.
   [envoy-filter-example](https://github.com/envoyproxy/envoy-filter-example) (for example making a new
   branch so that CI can pass) it is your responsibility to follow through with merging those
   changes back to master once the CI dance is done.
+* If your PR is a high risk change, the reviewer may ask that you runtime guard
+  it. See the section on runtime guarding below.
+
+
+# Runtime guarding
+
+Some high risk changes in Envoy are deemed worthy of runtime guarding. Instead of just replacing
+old code with new code, both code paths are supported for between one Envoy release (if it is
+guarded due to performance concerns) and a full deprecation cycle (if it is a high risk behavioral
+change).
+
+The canonical way to runtime guard a feature is
+```
+if (Runtime::runtimeFeatureEnabled("envoy.reloadable_features.my_feature_name")) {
+  [new code path]
+} else {
+  [old_code_path]
+}
+```
+Runtime guarded features named with the "envoy.reloadable_features." prefix must be safe to flip
+true or false on running Envoy instances. In some situations, for example the buffer rewrite in
+[#5441](https://github.com/envoyproxy/envoy/pull/5441), it may make more sense to
+latch the value in a member variable on class creation, for example:
+
+```
+bool use_new_code_path_ =
+    Runtime::runtimeFeatureEnabled("envoy.reloadable_features.my_feature_name")
+```
+
+Runtime guarded features may either set true (running the new code by default) in the initial PR,
+after a testing interval, or during the next release cycle, at the PR author's and reviewing
+maintainer's discretion. Generally all runtime guarded features will be set true when a
+release is cut, and the old code path will be deprecated at that time. Runtime features
+are set true by default by inclusion in
+[source/common/runtime/runtime_features.h](https://github.com/envoyproxy/envoy/blob/master/source/common/runtime/runtime_features.h)
+
+There are four suggested options for testing new runtime features:
+
+1. Create a per-test Runtime::LoaderSingleton as done in [DeprecatedFieldsTest.IndividualFieldDisallowedWithRuntimeOverride](https://github.com/envoyproxy/envoy/blob/master/test/common/protobuf/utility_test.cc)
+2. Create a [parameterized test](https://github.com/google/googletest/blob/master/googletest/docs/advanced.md#how-to-write-value-parameterized-tests)
+   where the set up of the test sets the new runtime value explicitly to
+   GetParam() as outlined in (1).
+3. Set up integration tests with custom runtime defaults as documented in the
+   [integration test README](https://github.com/envoyproxy/envoy/blob/master/test/integration/README.md)
+4. Run a given unit test with the new runtime value explicitly set true as done
+   for [runtime_flag_override_test](https://github.com/envoyproxy/envoy/blob/master/test/common/runtime/BUILD) 
+
+Runtime code is held to the same standard as regular Envoy code, so both the old
+path and the new should have 100% coverage both with the feature defaulting true
+and false.
 
 # PR review policy for maintainers
 

diff --git a/docs/root/configuration/runtime.rst b/docs/root/configuration/runtime.rst
@@ -93,7 +93,7 @@ Users are encouraged to go to :repo:`DEPRECATED.md <DEPRECATED.md>` to see how t
 migrate to the new code path and make sure it is suitable for their use case.
 
 In the second phase the message and filename will be added to
-:repo:`runtime_features.h <source/common/runtime/runtime_features.h>`
+:repo:`runtime_features.cc <source/common/runtime/runtime_features.cc>`
 and use of that configuration field will cause the config to be rejected by default. 
 This fail-by-default mode can be overridden in runtime configuration by setting
 envoy.deprecated_features.filename.proto:fieldname to true. For example, for a deprecated field

diff --git a/include/envoy/runtime/runtime.h b/include/envoy/runtime/runtime.h
@@ -83,6 +83,13 @@ class Snapshot {
   // configuration of "false" in runtime config.
   virtual bool deprecatedFeatureEnabled(const std::string& key) const PURE;
 
+  // Returns true if a runtime feature is enabled.
+  //
+  // Runtime features are used to easily allow switching between old and new code paths for high
+  // risk changes. The intent is for the old code path to be short lived - the old code path is
+  // deprecated as the feature is defaulted true, and removed with the following Envoy release.
+  virtual bool runtimeFeatureEnabled(const std::string& key) const PURE;
+
   /**
    * Test if a feature is enabled using the built in random generator. This is done by generating
    * a random number in the range 0-99 and seeing if this number is < the value stored in the

diff --git a/source/common/protobuf/utility.h b/source/common/protobuf/utility.h
@@ -195,7 +195,7 @@ class MessageUtil {
    * @param message message to validate.
    * @param loader optional a pointer to the runtime loader for live deprecation status.
    * @throw ProtoValidationException if deprecated fields are used and listed
-   *   Runtime::DisallowedFeatures
+   *    in disallowed_features in runtime_features.h
    */
   static void
   checkForDeprecation(const Protobuf::Message& message,

diff --git a/source/common/runtime/BUILD b/source/common/runtime/BUILD
@@ -10,7 +10,10 @@ envoy_package()
 
 envoy_cc_library(
     name = "runtime_lib",
-    srcs = ["runtime_impl.cc"],
+    srcs = [
+        "runtime_features.cc",
+        "runtime_impl.cc",
+    ],
     hdrs = [
         "runtime_features.h",
         "runtime_impl.h",

diff --git a/source/common/runtime/runtime_features.cc b/source/common/runtime/runtime_features.cc
@@ -0,0 +1,37 @@
+#include "common/runtime/runtime_features.h"
+
+namespace Envoy {
+namespace Runtime {
+
+// Add additional features here to enable the new code paths by default.
+//
+// These features should not be overridden with run-time guards without a bug
+// being filed on github as once high risk features are true by default, the
+// old code path will be removed with the next release.
+constexpr const char* runtime_features[] = {
+    // Enabled
+    "envoy.reloadable_features.test_feature_true",
+    // Disabled
+    // "envoy.reloadable_features.test_feature_false",
+};
+
+// TODO(alyssawilk) handle deprecation of reloadable_features. Ideally runtime
+// override of a deprecated feature will log(warn) on runtime-load if not deprecated
+// and hard-fail once it has been deprecated.
+constexpr const char* disallowed_features[] = {
+    // Acts as both a test entry for deprecated.proto and a marker for the Envoy
+    // deprecation scripts.
+    "envoy.deprecated_features.deprecated.proto:is_deprecated_fatal",
+};
+
+RuntimeFeatures::RuntimeFeatures() {
+  for (auto& feature : disallowed_features) {
+    disallowed_features_.insert(feature);
+  }
+  for (auto& feature : runtime_features) {
+    enabled_features_.insert(feature);
+  }
+}
+
+} // namespace Runtime
+} // namespace Envoy
diff --git a/source/common/runtime/runtime_features.h b/source/common/runtime/runtime_features.h
@@ -9,29 +9,32 @@
 namespace Envoy {
 namespace Runtime {
 
-const char* disallowed_features[] = {
-    // Acts as both a test entry for deprecated.proto and a marker for the Envoy
-    // deprecation scripts.
-    "envoy.deprecated_features.deprecated.proto:is_deprecated_fatal",
-};
-
-class DisallowedFeatures {
+// TODO(alyssawilk) convert these to string view.
+class RuntimeFeatures {
 public:
-  DisallowedFeatures() {
-    for (auto& feature : disallowed_features) {
-      disallowed_features_.insert(feature);
-    }
-  }
+  RuntimeFeatures();
 
+  // This tracks proto configured features, to determine if a given deprecated
+  // feature is still allowed, or has been made fatal-by-default per the Envoy
+  // deprecation process.
   bool disallowedByDefault(const std::string& feature) const {
     return disallowed_features_.find(feature) != disallowed_features_.end();
   }
 
+  // This tracks config-guarded code paths, to determine if a given
+  // runtime-guarded-code-path has the new code run by default or the old code.
+  bool enabledByDefault(const std::string& feature) const {
+    return enabled_features_.find(feature) != enabled_features_.end();
+  }
+
 private:
+  friend class RuntimeFeaturesPeer;
+
   absl::flat_hash_set<std::string> disallowed_features_;
+  absl::flat_hash_set<std::string> enabled_features_;
 };
 
-using DisallowedFeaturesDefaults = ConstSingleton<DisallowedFeatures>;
+using RuntimeFeaturesDefaults = ConstSingleton<RuntimeFeatures>;
 
 } // namespace Runtime
 } // namespace Envoy
diff --git a/source/common/runtime/runtime_impl.cc b/source/common/runtime/runtime_impl.cc
@@ -22,6 +22,16 @@
 namespace Envoy {
 namespace Runtime {
 
+bool runtimeFeatureEnabled(const std::string& feature) {
+  ASSERT(absl::StartsWith(feature, "envoy.reloadable_features"));
+  if (Runtime::LoaderSingleton::getExisting()) {
+    return Runtime::LoaderSingleton::getExisting()->snapshot().runtimeFeatureEnabled(feature);
+  }
+  ENVOY_LOG_TO_LOGGER(Envoy::Logger::Registry::getLog(Envoy::Logger::Id::runtime), warn,
+                      "Unable to use runtime singleton for feature {}", feature);
+  return RuntimeFeaturesDefaults::get().enabledByDefault(feature);
+}
+
 const size_t RandomGeneratorImpl::UUID_LENGTH = 36;
 
 uint64_t RandomGeneratorImpl::random() {
@@ -152,7 +162,7 @@ bool SnapshotImpl::deprecatedFeatureEnabled(const std::string& key) const {
   bool stored = getBoolean(key, allowed);
   // If not, the default value is based on disallowedByDefault.
   if (!stored) {
-    allowed = !DisallowedFeaturesDefaults::get().disallowedByDefault(key);
+    allowed = !RuntimeFeaturesDefaults::get().disallowedByDefault(key);
   }
 
   if (!allowed) {
@@ -165,6 +175,18 @@ bool SnapshotImpl::deprecatedFeatureEnabled(const std::string& key) const {
   return true;
 }
 
+bool SnapshotImpl::runtimeFeatureEnabled(const std::string& key) const {
+  bool enabled = false;
+  // See if this value is explicitly set as a runtime boolean.
+  bool stored = getBoolean(key, enabled);
+  // If not, the default value is based on runtime_features.
+  if (!stored) {
+    enabled = RuntimeFeaturesDefaults::get().enabledByDefault(key);
+  }
+
+  return enabled;
+}
+
 bool SnapshotImpl::featureEnabled(const std::string& key, uint64_t default_value,
                                   uint64_t random_value, uint64_t num_buckets) const {
   return random_value % num_buckets < std::min(getInteger(key, default_value), num_buckets);

diff --git a/source/common/runtime/runtime_impl.h b/source/common/runtime/runtime_impl.h
@@ -24,6 +24,8 @@
 namespace Envoy {
 namespace Runtime {
 
+bool runtimeFeatureEnabled(const std::string& feature);
+
 using RuntimeSingleton = ThreadSafeSingleton<Loader>;
 
 /**
@@ -72,6 +74,7 @@ class SnapshotImpl : public Snapshot,
 
   // Runtime::Snapshot
   bool deprecatedFeatureEnabled(const std::string& key) const override;
+  bool runtimeFeatureEnabled(const std::string& key) const override;
   bool featureEnabled(const std::string& key, uint64_t default_value, uint64_t random_value,
                       uint64_t num_buckets) const override;
   bool featureEnabled(const std::string& key, uint64_t default_value) const override;

diff --git a/test/common/runtime/BUILD b/test/common/runtime/BUILD
@@ -3,6 +3,7 @@ licenses(["notice"])  # Apache 2
 load(
     "//bazel:envoy_build_system.bzl",
     "envoy_cc_test",
+    "envoy_cc_test_library",
     "envoy_package",
 )
 
@@ -15,6 +16,16 @@ filegroup(
     srcs = glob(["test_data/**"]),
 )
 
+envoy_cc_test_library(
+    name = "utility_lib",
+    hdrs = [
+        "utility.h",
+    ],
+    deps = [
+        "//source/common/runtime:runtime_lib",
+    ],
+)
+
 envoy_cc_test(
     name = "runtime_impl_test",
     srcs = ["runtime_impl_test.cc"],
@@ -31,6 +42,18 @@ envoy_cc_test(
     ],
 )
 
+envoy_cc_test(
+    name = "runtime_flag_override_test",
+    srcs = ["runtime_flag_override_test.cc"],
+    args = [
+        "--runtime-feature-override-for-tests=envoy.reloadable_features.test_feature_false",
+    ],
+    coverage = False,
+    deps = [
+        "//source/common/runtime:runtime_lib",
+    ],
+)
+
 envoy_cc_test(
     name = "uuid_util_test",
     srcs = ["uuid_util_test.cc"],

diff --git a/test/common/runtime/runtime_flag_override_test.cc b/test/common/runtime/runtime_flag_override_test.cc
@@ -0,0 +1,15 @@
+#include "common/runtime/runtime_impl.h"
+
+#include "gmock/gmock.h"
+
+namespace Envoy {
+namespace Runtime {
+
+// In the envoy_cc_test declaration, the flag is set
+// "--runtime-feature-override-for-tests=envoy.reloadable_features.test_feature_false"
+TEST(RuntimeFlagOverrideTest, OverridesWork) {
+  EXPECT_TRUE(Runtime::runtimeFeatureEnabled("envoy.reloadable_features.test_feature_false"));
+}
+
+} // namespace Runtime
+} // namespace Envoy
diff --git a/test/common/runtime/runtime_impl_test.cc b/test/common/runtime/runtime_impl_test.cc
@@ -119,6 +119,14 @@ TEST_F(DiskBackedLoaderImplTest, All) {
   // File1 is not a boolean.
   EXPECT_EQ(false, snapshot->getBoolean("file1", value));
 
+  // Feature defaults.
+  EXPECT_EQ(false, snapshot->runtimeFeatureEnabled("envoy.reloadable_features.test_feature_false"));
+  EXPECT_EQ(true, snapshot->runtimeFeatureEnabled("envoy.reloadable_features.test_feature_true"));
+
+  // Feature defaults via helper function.
+  EXPECT_EQ(false, runtimeFeatureEnabled("envoy.reloadable_features.test_feature_false"));
+  EXPECT_EQ(true, runtimeFeatureEnabled("envoy.reloadable_features.test_feature_true"));
+
   // Files with comments.
   EXPECT_EQ(123UL, loader->snapshot().getInteger("file5", 1));
   EXPECT_EQ("/home#about-us", loader->snapshot().get("file6"));
@@ -297,5 +305,14 @@ TEST_F(DiskLayerTest, Loop) {
       EnvoyException, "Walk recursion depth exceded 16");
 }
 
+TEST(NoRuntime, FeatureEnabled) {
+  // Make sure the registry is not set up.
+  ASSERT_TRUE(Runtime::LoaderSingleton::getExisting() == nullptr);
+
+  // Feature defaults should still work.
+  EXPECT_EQ(false, runtimeFeatureEnabled("envoy.reloadable_features.test_feature_false"));
+  EXPECT_EQ(true, runtimeFeatureEnabled("envoy.reloadable_features.test_feature_true"));
+}
+
 } // namespace Runtime
 } // namespace Envoy
diff --git a/test/common/runtime/utility.h b/test/common/runtime/utility.h
@@ -0,0 +1,22 @@
+#pragma once
+
+#include "common/runtime/runtime_features.h"
+
+namespace Envoy {
+namespace Runtime {
+
+class RuntimeFeaturesPeer {
+public:
+  static bool addFeature(const std::string& feature) {
+    return const_cast<Runtime::RuntimeFeatures*>(&Runtime::RuntimeFeaturesDefaults::get())
+        ->enabled_features_.insert(feature)
+        .second;
+  }
+  static void removeFeature(const std::string& feature) {
+    const_cast<Runtime::RuntimeFeatures*>(&Runtime::RuntimeFeaturesDefaults::get())
+        ->enabled_features_.erase(feature);
+  }
+};
+
+} // namespace Runtime
+} // namespace Envoy
diff --git a/test/mocks/runtime/mocks.h b/test/mocks/runtime/mocks.h
@@ -28,6 +28,7 @@ class MockSnapshot : public Snapshot {
   ~MockSnapshot() override;
 
   MOCK_CONST_METHOD1(deprecatedFeatureEnabled, bool(const std::string& key));
+  MOCK_CONST_METHOD1(runtimeFeatureEnabled, bool(const std::string& key));
   MOCK_CONST_METHOD2(featureEnabled, bool(const std::string& key, uint64_t default_value));
   MOCK_CONST_METHOD3(featureEnabled,
                      bool(const std::string& key, uint64_t default_value, uint64_t random_value));

diff --git a/test/test_common/BUILD b/test/test_common/BUILD
@@ -35,6 +35,8 @@ envoy_cc_test_library(
         "//source/common/json:json_loader_lib",
         "//source/common/network:utility_lib",
         "//source/server:options_lib",
+        "//test/common/runtime:utility_lib",
+        "//test/mocks/server:server_mocks",
     ],
 )