docs(operator): add network tuning and idle connection timeout docs (kroxylicious#3533)

SamBarker · web-flow · commit 8d368429fd6c · 2026-03-26T09:48:46.000Z
diff --git a/kroxylicious-docs/docs/_assemblies/assembly-operator-advanced-proxy-tuning.adoc b/kroxylicious-docs/docs/_assemblies/assembly-operator-advanced-proxy-tuning.adoc
@@ -0,0 +1,16 @@
+:_mod-docs-content-type: ASSEMBLY
+
+// file included in the following:
+//
+// kroxylicious-operator/index.adoc
+
+
+[id='assembly-operator-advanced-proxy-tuning-{context}']
+= Advanced proxy tuning
+
+[role="_abstract"]
+Configure advanced network and connection settings for the proxy.
+
+include::../_modules/configuring/con-kafkaproxy-network-settings.adoc[leveloffset=+1]
+
+include::../_modules/configuring/con-kafkaproxy-idle-timeouts.adoc[leveloffset=+1]
diff --git a/kroxylicious-docs/docs/_modules/configuring/con-configuring-idle-timeouts.adoc b/kroxylicious-docs/docs/_modules/configuring/con-configuring-idle-timeouts.adoc
@@ -7,20 +7,19 @@
 The proxy can automatically disconnect idle client connections to reclaim resources.
 Idle timeout configuration is completely optional and disabled by default, allowing you to opt in only when needed for your deployment.
 
-== Two-stage timeout mechanism
+== When to enable idle timeouts
+
+include::../../_snippets/snip-idle-timeout-when-to-enable.adoc[]
+
+== When not to enable idle timeouts
 
-The proxy supports two independent idle timeout settings that apply at different stages of the connection lifecycle:
+include::../../_snippets/snip-idle-timeout-when-not-to-enable.adoc[]
 
-* **Unauthenticated timeout** (`unauthenticatedIdleTimeout`) - Applies to connections where the proxy cannot detect the completion of authentication. The proxy considers authentication to be complete if either of the following hold true:
-1. A transport subject builder creates a subject with an identity. Usually this would be from a client TLS certificate.
-2. A SASL inspection or termination filter has invoked `io.kroxylicious.proxy.filter.FilterContext.clientSaslAuthenticationSuccess` method.
-* **Authenticated timeout** (`authenticatedIdleTimeout`) - Applies to connections where an identity can be established. This timeout applies for the remainder of the connection's lifetime.
+== How idle timeouts work
 
-Both timeout settings are optional and have no default values.
-You can configure one, both, or neither depending on your requirements.
-Timeout values use Go-style duration format (for example, `30s` for 30 seconds, `5m` for 5 minutes, `1h` for 1 hour).
-Supported units are: `d` (days), `h` (hours), `m` (minutes), `s` (seconds), `ms` (milliseconds), `μs` or `us` (microseconds), and `ns` (nanoseconds).
-Units can be combined, such as `1h30m` or `90s`.
+include::../../_snippets/snip-idle-timeout-how-it-works.adoc[]
+
+include::../../_snippets/snip-idle-timeout-duration-format.adoc[]
 
 == Configuration examples
 
@@ -59,34 +58,6 @@ virtualClusters:
 <1> Disconnect unauthenticated connections after 30 seconds of inactivity.
 <2> Disconnect authenticated connections after 10 minutes of inactivity.
 
-== When to enable idle timeouts
-
-Consider enabling idle timeouts in the following scenarios:
-
-* **Misbehaving clients** - Clients that abandon connections without properly closing them, leaving resources allocated unnecessarily.
-* **High-scale deployments** - Environments with many clients where connection resources (memory, file descriptors) are constrained.
-* **Connection exhaustion prevention** - Deployments approaching operating system or network limits on concurrent connections.
-* **Network infrastructure requirements** - Environments where network infrastructure (firewalls, load balancers) drops idle connections, and you want the proxy to disconnect gracefully first.
-* **Different security postures** - Scenarios where unauthenticated connections require stricter timeouts than authenticated connections for security reasons.
-
-== When not to enable idle timeouts
-
-Avoid enabling idle timeouts in the following scenarios:
-
-* **Legitimate idle connections** - Applications where clients maintain long-lived connections with extended idle periods, such as consumers with long poll timeouts or applications using connection pooling.
-* **Stable network infrastructure** - Environments with reliable network infrastructure and no issues with idle connection management.
-* **Minimal overhead desired** - Deployments where the proxy's monitoring overhead should be kept to an absolute minimum.
-* **No resource constraints** - Systems with ample connection resources and no risk of connection exhaustion.
-
 == Monitoring idle disconnects
 
-The proxy tracks idle disconnects using the `kroxylicious_client_to_proxy_disconnects_total` metric with `cause="idle_timeout"`.
-This counter is incremented each time a connection is closed due to exceeding the configured idle timeout.
-
-The `kroxylicious_client_to_proxy_disconnects_total` metric also tracks other disconnect scenarios:
-
-* `cause="idle_timeout"` - Connection exceeded the configured idle timeout duration
-* `cause="client_closed"` - The downstream client initiated the connection close
-* `cause="server_closed"` - The upstream node closed the connection, causing the proxy to close the client connection
-
-For more information about connection metrics, see xref:con-prometheus-metrics-proxy-{context}[Overview of proxy metrics].
+include::../../_snippets/snip-idle-timeout-monitoring.adoc[]
diff --git a/kroxylicious-docs/docs/_modules/configuring/con-configuring-network-settings.adoc b/kroxylicious-docs/docs/_modules/configuring/con-configuring-network-settings.adoc
@@ -13,19 +13,29 @@ These settings control low-level Netty behavior and are optional, with sensible
 network:
   proxy: # <1>
     workerThreadCount: 8 # <2>
-    shutdownQuietPeriodSeconds: 10 # <3>
-  management: # <4>
+    shutdownQuietPeriod: 5s # <3>
+    shutdownTimeout: 20s # <4>
+  management: # <5>
     workerThreadCount: 2
-    shutdownQuietPeriodSeconds: 5
+    shutdownQuietPeriod: 5s
+    shutdownTimeout: 20s
 virtualClusters:
   # ...
 ----
-<1> Network settings for the proxy endpoints that handle client connections.
+<1> Network settings for the proxy listener that handles client connections.
 <2> Optional: Number of Netty worker threads for handling concurrent connections. Defaults to twice the number of available processors.
-<3> Optional: Grace period in seconds during which the proxy continues processing existing connections before shutting down. Defaults to 0.
-<4> Network settings for the management HTTP endpoints. Can be configured independently from proxy settings.
+<3> Optional: Grace period during which the proxy continues to accept and complete in-flight requests before shutting down. If no new requests arrive during this window, shutdown proceeds. Defaults to `2s` if not specified. Uses Go-style duration format (for example, `30s`, `5m`).
+<4> Optional: Maximum time allowed for the proxy to complete shutdown. If shutdown does not complete within this period, it is forced. Defaults to `15s` if not specified. Uses Go-style duration format.
+<5> Network settings for the management HTTP server. Can be configured independently from the proxy listener settings.
+
+Supported duration units are: `h` (hours), `m` (minutes), `s` (seconds), `ms` (milliseconds), `μs` or `us` (microseconds), and `ns` (nanoseconds).
+Units can be combined, for example `1m30s`.
 
-* All network settings are optional. The proxy will use sensible defaults if not specified.
 * The `workerThreadCount` setting allows tuning for high-concurrency deployments. Increasing this value can improve throughput when handling many simultaneous client connections.
-* The `shutdownQuietPeriodSeconds` setting provides a graceful shutdown window, allowing in-flight requests to complete before the proxy terminates.
-* Proxy and management endpoints can have different thread pool sizes and shutdown behaviors based on their different workload characteristics.
+* The `shutdownQuietPeriod` and `shutdownTimeout` settings together control graceful shutdown behaviour. `shutdownQuietPeriod` should always be less than or equal to `shutdownTimeout`.
+
+[NOTE]
+====
+The `shutdownQuietPeriodSeconds` property (an integer number of seconds) is deprecated and will be removed in a future release.
+Use `shutdownQuietPeriod` with a Go-style duration string instead (for example, `shutdownQuietPeriod: 2s`).
+====
diff --git a/kroxylicious-docs/docs/_modules/configuring/con-kafkaproxy-idle-timeouts.adoc b/kroxylicious-docs/docs/_modules/configuring/con-kafkaproxy-idle-timeouts.adoc
@@ -0,0 +1,66 @@
+:_mod-docs-content-type: CONCEPT
+
+// file included in the following:
+//
+// kroxylicious-operator/_assemblies/assembly-operator-deploy-a-proxy.adoc
+
+[id='con-kafkaproxy-idle-timeouts-{context}']
+= Configuring idle connection timeouts
+
+[role="_abstract"]
+The proxy can automatically disconnect idle client connections to reclaim resources.
+Idle timeout configuration is optional and disabled by default. Enable it only when required for your deployment.
+Idle timeouts are configured under `spec.network.proxy` in the `KafkaProxy` resource and apply only to the proxy listener — they are not available for the management HTTP server.
+When enabled, idle disconnects are observable via the `kroxylicious_client_to_proxy_disconnects_total` metric.
+
+== When to enable idle timeouts
+
+include::../../_snippets/snip-idle-timeout-when-to-enable.adoc[]
+
+== When not to enable idle timeouts
+
+include::../../_snippets/snip-idle-timeout-when-not-to-enable.adoc[]
+
+== How idle timeouts work
+
+include::../../_snippets/snip-idle-timeout-how-it-works.adoc[]
+
+include::../../_snippets/snip-idle-timeout-duration-format.adoc[]
+
+== Configuration examples
+
+.Example: Unauthenticated timeout only
+[source,yaml]
+----
+kind: KafkaProxy
+apiVersion: kroxylicious.io/v1alpha1
+metadata:
+  namespace: my-proxy
+  name: simple
+spec:
+  network:
+    proxy:
+      unauthenticatedIdleTimeout: 30s # <1>
+----
+<1> Disconnect connections that remain unauthenticated for more than 30 seconds.
+
+.Example: Both timeouts configured
+[source,yaml]
+----
+kind: KafkaProxy
+apiVersion: kroxylicious.io/v1alpha1
+metadata:
+  namespace: my-proxy
+  name: simple
+spec:
+  network:
+    proxy:
+      unauthenticatedIdleTimeout: 30s # <1>
+      authenticatedIdleTimeout: 10m # <2>
+----
+<1> Disconnect unauthenticated connections after 30 seconds of inactivity.
+<2> Disconnect authenticated connections after 10 minutes of inactivity.
+
+== Monitoring idle disconnects
+
+include::../../_snippets/snip-idle-timeout-monitoring.adoc[]
diff --git a/kroxylicious-docs/docs/_modules/configuring/con-kafkaproxy-network-settings.adoc b/kroxylicious-docs/docs/_modules/configuring/con-kafkaproxy-network-settings.adoc
@@ -0,0 +1,43 @@
+:_mod-docs-content-type: CONCEPT
+
+// file included in the following:
+//
+// kroxylicious-operator/_assemblies/assembly-operator-deploy-a-proxy.adoc
+
+[id='con-kafkaproxy-network-settings-{context}']
+= Advanced network tuning for a proxy
+
+[role="_abstract"]
+The `spec.network` section of a `KafkaProxy` resource provides low-level tuning options for the proxy listener and management HTTP server.
+The defaults are suitable for most deployments — only configure these settings if you have a specific operational reason to do so.
+
+.Example `KafkaProxy` with network tuning applied
+[source,yaml]
+----
+kind: KafkaProxy
+apiVersion: kroxylicious.io/v1alpha1
+metadata:
+  namespace: my-proxy
+  name: simple
+spec:
+  network:
+    proxy:
+      workerThreadCount: 8
+      shutdownQuietPeriod: 5s
+      shutdownTimeout: 20s
+    management:
+      workerThreadCount: 2
+      shutdownQuietPeriod: 5s
+      shutdownTimeout: 20s
+----
+where:
+
+* `spec.network.proxy` configures network tuning for the proxy listener that handles Kafka client connections. All fields are optional.
+* `workerThreadCount` is the number of threads available to process requests across client connections. Each connection is pinned to one thread, but a single thread can serve many connections. More threads increase parallelism but also CPU consumption. Tune this in conjunction with the pod's CPU limits and validate under realistic load. Defaults to twice the number of available processors.
+* `shutdownQuietPeriod` is the grace period during which the proxy continues to accept and complete in-flight requests before shutting down. If no new requests arrive during this window, shutdown proceeds. Defaults to `2s` if not specified.
+* `shutdownTimeout` is the maximum time allowed for the proxy to complete shutdown, including the quiet period. If shutdown does not complete within this period, it is forced. Defaults to `15s` if not specified. Set this to a value less than the pod's `terminationGracePeriodSeconds` (Kubernetes default: `30s`) to ensure the proxy can finish gracefully before Kubernetes forcibly terminates the pod.
+* `spec.network.management` configures network tuning for the management HTTP server that serves metrics and health endpoints. Supports the same settings as the proxy listener, and can be configured independently.
+
+Duration values use a string-based Go-style duration format (for example, `30s`, `5m`).
+Supported units are: `m` (minutes), `s` (seconds), `ms` (milliseconds), `μs` or `us` (microseconds), and `ns` (nanoseconds).
+Units can be combined, for example `1m30s`.
diff --git a/kroxylicious-docs/docs/_snippets/snip-idle-timeout-duration-format.adoc b/kroxylicious-docs/docs/_snippets/snip-idle-timeout-duration-format.adoc
@@ -0,0 +1,7 @@
+:_mod-docs-content-type: SNIPPET
+
+Both timeout settings are optional and have no default values.
+You can configure one, both, or neither depending on your requirements.
+Timeout values use a string-based duration format, following Go conventions (for example, `30s`, `5m`).
+Supported units are: `h` (hours), `m` (minutes), `s` (seconds), `ms` (milliseconds), `μs` or `us` (microseconds), and `ns` (nanoseconds).
+Units can be combined, for example `1m30s`.
diff --git a/kroxylicious-docs/docs/_snippets/snip-idle-timeout-how-it-works.adoc b/kroxylicious-docs/docs/_snippets/snip-idle-timeout-how-it-works.adoc
@@ -0,0 +1,15 @@
+:_mod-docs-content-type: SNIPPET
+
+The proxy supports two independent timeout settings that apply at different stages of the connection lifecycle:
+
+* *Unauthenticated timeout* (`unauthenticatedIdleTimeout`): applies to connections where the proxy has not yet detected completed authentication. The proxy considers authentication complete if either of the following is true:
+** A transport subject builder (a component that extracts an authenticated identity from transport-layer attributes) creates a subject with an identity (for example, from a client TLS certificate).
+** A SASL inspection or termination filter invokes `io.kroxylicious.proxy.filter.FilterContext.clientSaslAuthenticationSuccess`.
+* *Authenticated timeout* (`authenticatedIdleTimeout`): applies to connections where an identity has been established, for the remainder of the connection's lifetime.
+
+[NOTE]
+====
+For the proxy to detect authentication completion, you must configure either TLS client certificate authentication or a SASL inspection or termination filter.
+Without one of these, all connections remain in the unauthenticated state for their entire lifetime, and `authenticatedIdleTimeout` has no effect.
+For more information, see the link:{SASLInspectionGuideUrl}[SASL inspection filter guide].
+====
diff --git a/kroxylicious-docs/docs/_snippets/snip-idle-timeout-monitoring.adoc b/kroxylicious-docs/docs/_snippets/snip-idle-timeout-monitoring.adoc
@@ -0,0 +1,12 @@
+:_mod-docs-content-type: SNIPPET
+
+The proxy tracks idle disconnects using the `kroxylicious_client_to_proxy_disconnects_total` metric with `cause="idle_timeout"`.
+This counter increments each time a connection is closed after exceeding the configured idle timeout.
+
+The `kroxylicious_client_to_proxy_disconnects_total` metric also tracks other disconnect scenarios:
+
+* `cause="idle_timeout"` - Connection exceeded the configured idle timeout duration
+* `cause="client_closed"` - The downstream client initiated the connection close
+* `cause="server_closed"` - The upstream node closed the connection, causing the proxy to close the client connection
+
+For more information about connection metrics, see xref:con-prometheus-metrics-proxy-{context}[Overview of proxy metrics].
diff --git a/kroxylicious-docs/docs/_snippets/snip-idle-timeout-when-not-to-enable.adoc b/kroxylicious-docs/docs/_snippets/snip-idle-timeout-when-not-to-enable.adoc
@@ -0,0 +1,6 @@
+:_mod-docs-content-type: SNIPPET
+
+Avoid enabling idle timeouts in the following scenarios:
+
+* *Legitimate idle connections*: applications that maintain long-lived connections with extended idle periods, such as consumers with long poll timeouts or applications using connection pooling.
+* *Stable network infrastructure*: environments with reliable network infrastructure and no issues with idle connection management.
diff --git a/kroxylicious-docs/docs/_snippets/snip-idle-timeout-when-to-enable.adoc b/kroxylicious-docs/docs/_snippets/snip-idle-timeout-when-to-enable.adoc
@@ -0,0 +1,7 @@
+:_mod-docs-content-type: SNIPPET
+
+Consider enabling idle timeouts in the following scenarios:
+
+* *Security posture*: unauthenticated connections can be closed quickly to limit the window for abuse, while authenticated connections get a more generous timeout.
+* *Unclosed connections*: clients that abandon connections without properly closing them, leaving resources allocated unnecessarily.
+* *Network infrastructure requirements*: environments where firewalls or load balancers drop idle connections, configure the proxy to disconnect gracefully first.
diff --git a/kroxylicious-docs/docs/kroxylicious-operator/index.adoc b/kroxylicious-docs/docs/kroxylicious-operator/index.adoc
@@ -33,6 +33,9 @@ include::_assemblies/assembly-operator-secure-proxy.adoc[leveloffset=+1]
 ifdef::parent-context[:context: {parent-context}]
 ifndef::parent-context[:!context:]
 
+// advanced proxy tuning
+include::_assemblies/assembly-operator-advanced-proxy-tuning.adoc[leveloffset=+1]
+
 // // monitoring proxies
 include::_assemblies/assembly-operator-monitoring.adoc[leveloffset=+1]
 
