connect: fix failover through a mesh gateway to a remote datacenter

Failover is pushed entirely down to the data plane by creating envoy
clusters and putting each successive destination in a different load
assignment priority band. For example this shows that normally requests
go to 1.2.3.4:8080 but when that fails they go to 6.7.8.9:8080:

- name: foo
  load_assignment:
    cluster_name: foo
    policy:
      overprovisioning_factor: 100000
    endpoints:
    - priority: 0
      lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 1.2.3.4
              port_value: 8080
    - priority: 1
      lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 6.7.8.9
              port_value: 8080

Mesh gateways route requests based solely on the SNI header tacked onto
the TLS layer. Envoy currently only lets you configure the outbound SNI
header at the cluster layer.

If you try to failover through a mesh gateway you ideally would
configure the SNI value per endpoint, but that's not possible in envoy
today.

This PR introduces a simpler way around the problem for now:

1. We identify any target of failover that will use mesh gateway mode local or
   remote and then further isolate any resolver node in the compiled discovery
   chain that has a failover destination set to one of those targets.

2. For each of these resolvers we will perform a small measurement of
   comparative healths of the endpoints that come back from the health API for the
   set of primary target and serial failover targets. We walk the list of targets
   in order and if any endpoint is healthy we return that target, otherwise we
   move on to the next target.

3. The CDS and EDS endpoints both perform the measurements in (2) for the
   affected resolver nodes.

4. For CDS this measurement selects which TLS SNI field to use for the cluster
   (note the cluster is always going to be named for the primary target)

5. For EDS this measurement selects which set of endpoints will populate the
   cluster. Priority tiered failover is ignored.

One of the big downsides to this approach to failover is that the failover
detection and correction is going to be controlled by consul rather than
deferring that entirely to the data plane as with the prior version. This also
means that we are bound to only failover using official health signals and
cannot make use of data plane signals like outlier detection to affect
failover.

In this specific scenario the lack of data plane signals is ok because the
effectiveness is already muted by the fact that the ultimate destination
endpoints will have their data plane signals scrambled when they pass through
the mesh gateway wrapper anyway so we're not losing much.

Another related fix is that we now use the endpoint health from the
underlying service, not the health of the gateway (regardless of
failover mode).

Author: rboyer

agent/consul/discovery_chain_endpoint.go

@@ -60,6 +60,7 @@ func (c *DiscoveryChain) Get(args *structs.DiscoveryChainRequest, reply *structs
 				ServiceName:            args.Name,
 				CurrentNamespace:       evalNS,
 				CurrentDatacenter:      evalDC,
+				UseInDatacenter:        c.srv.config.Datacenter,
 				OverrideMeshGateway:    args.OverrideMeshGateway,
 				OverrideProtocol:       args.OverrideProtocol,
 				OverrideConnectTimeout: args.OverrideConnectTimeout,

agent/consul/discoverychain/compile.go

@@ -12,8 +12,9 @@ import (
 
 type CompileRequest struct {
 	ServiceName       string
-	CurrentNamespace  string
-	CurrentDatacenter string
+	CurrentNamespace  string // TODO(rb): rename to EvaluateInDatacenter
+	CurrentDatacenter string // TODO(rb): rename to EvaluateInNamespace
+	UseInDatacenter   string // where the results will be used from
 
 	// OverrideMeshGateway allows for the setting to be overridden for any
 	// resolver in the compiled chain.
@@ -55,6 +56,7 @@ func Compile(req CompileRequest) (*structs.CompiledDiscoveryChain, error) {
 		serviceName       = req.ServiceName
 		currentNamespace  = req.CurrentNamespace
 		currentDatacenter = req.CurrentDatacenter
+		useInDatacenter   = req.UseInDatacenter
 		entries           = req.Entries
 	)
 	if serviceName == "" {
@@ -66,6 +68,9 @@ func Compile(req CompileRequest) (*structs.CompiledDiscoveryChain, error) {
 	if currentDatacenter == "" {
 		return nil, fmt.Errorf("currentDatacenter is required")
 	}
+	if useInDatacenter == "" {
+		return nil, fmt.Errorf("useInDatacenter is required")
+	}
 	if entries == nil {
 		return nil, fmt.Errorf("entries is required")
 	}
@@ -74,6 +79,7 @@ func Compile(req CompileRequest) (*structs.CompiledDiscoveryChain, error) {
 		serviceName:            serviceName,
 		currentNamespace:       currentNamespace,
 		currentDatacenter:      currentDatacenter,
+		useInDatacenter:        useInDatacenter,
 		overrideMeshGateway:    req.OverrideMeshGateway,
 		overrideProtocol:       req.OverrideProtocol,
 		overrideConnectTimeout: req.OverrideConnectTimeout,
@@ -108,6 +114,7 @@ type compiler struct {
 	serviceName            string
 	currentNamespace       string
 	currentDatacenter      string
+	useInDatacenter        string
 	overrideMeshGateway    structs.MeshGatewayConfig
 	overrideProtocol       string
 	overrideConnectTimeout time.Duration
@@ -250,8 +257,20 @@ func (c *compiler) compile() (*structs.CompiledDiscoveryChain, error) {
 		return nil, err
 	}
 
-	for targetID, _ := range c.loadedTargets {
-		if _, ok := c.retainedTargets[targetID]; !ok {
+	for targetID, target := range c.loadedTargets {
+		if _, ok := c.retainedTargets[targetID]; ok {
+			// Flip mesh gateway modes back to none if sharing a datacenter.
+			// TODO (mesh-gateway)- maybe allow using a gateway within a datacenter at some point
+
+			meshGateway := structs.MeshGatewayModeDefault
+			if target.Datacenter != c.useInDatacenter {
+				meshGateway = target.MeshGateway.Mode
+			}
+
+			if meshGateway != target.MeshGateway.Mode {
+				target.MeshGateway.Mode = meshGateway
+			}
+		} else {
 			delete(c.loadedTargets, targetID)
 		}
 	}

agent/consul/discoverychain/compile_test.go

@@ -37,12 +37,13 @@ func TestCompile(t *testing.T) {
 		"service redirect":                                 testcase_ServiceRedirect(),
 		"service and subset redirect":                      testcase_ServiceAndSubsetRedirect(),
 		"datacenter redirect":                              testcase_DatacenterRedirect(),
+		"datacenter redirect with mesh gateways":           testcase_DatacenterRedirect_WithMeshGateways(),
 		"service failover":                                 testcase_ServiceFailover(),
 		"service failover through redirect":                testcase_ServiceFailoverThroughRedirect(),
 		"circular resolver failover":                       testcase_Resolver_CircularFailover(),
 		"service and subset failover":                      testcase_ServiceAndSubsetFailover(),
 		"datacenter failover":                              testcase_DatacenterFailover(),
-		"service failover with mesh gateways":              testcase_ServiceFailover_WithMeshGateways(),
+		"datacenter failover with mesh gateways":           testcase_DatacenterFailover_WithMeshGateways(),
 		"noop split to resolver with default subset":       testcase_NoopSplit_WithDefaultSubset(),
 		"resolver with default subset":                     testcase_Resolve_WithDefaultSubset(),
 		"resolver with no entries and inferring defaults":  testcase_DefaultResolver(),
@@ -94,6 +95,7 @@ func TestCompile(t *testing.T) {
 				ServiceName:       "main",
 				CurrentNamespace:  "default",
 				CurrentDatacenter: "dc1",
+				UseInDatacenter:   "dc1",
 				Entries:           tc.entries,
 			}
 			if tc.setup != nil {
@@ -941,6 +943,49 @@ func testcase_DatacenterRedirect() compileTestCase {
 	return compileTestCase{entries: entries, expect: expect}
 }
 
+func testcase_DatacenterRedirect_WithMeshGateways() compileTestCase {
+	entries := newEntries()
+	entries.GlobalProxy = &structs.ProxyConfigEntry{
+		Kind: structs.ProxyDefaults,
+		Name: structs.ProxyConfigGlobal,
+		MeshGateway: structs.MeshGatewayConfig{
+			Mode: structs.MeshGatewayModeRemote,
+		},
+	}
+	entries.AddResolvers(
+		&structs.ServiceResolverConfigEntry{
+			Kind: "service-resolver",
+			Name: "main",
+			Redirect: &structs.ServiceResolverRedirect{
+				Datacenter: "dc9",
+			},
+		},
+	)
+
+	expect := &structs.CompiledDiscoveryChain{
+		Protocol:  "tcp",
+		StartNode: "resolver:main.default.dc9",
+		Nodes: map[string]*structs.DiscoveryGraphNode{
+			"resolver:main.default.dc9": &structs.DiscoveryGraphNode{
+				Type: structs.DiscoveryGraphNodeTypeResolver,
+				Name: "main.default.dc9",
+				Resolver: &structs.DiscoveryResolver{
+					ConnectTimeout: 5 * time.Second,
+					Target:         "main.default.dc9",
+				},
+			},
+		},
+		Targets: map[string]*structs.DiscoveryTarget{
+			"main.default.dc9": newTarget("main", "", "default", "dc9", func(t *structs.DiscoveryTarget) {
+				t.MeshGateway = structs.MeshGatewayConfig{
+					Mode: structs.MeshGatewayModeRemote,
+				}
+			}),
+		},
+	}
+	return compileTestCase{entries: entries, expect: expect}
+}
+
 func testcase_ServiceFailover() compileTestCase {
 	entries := newEntries()
 	entries.AddResolvers(
@@ -1145,7 +1190,7 @@ func testcase_DatacenterFailover() compileTestCase {
 	return compileTestCase{entries: entries, expect: expect}
 }
 
-func testcase_ServiceFailover_WithMeshGateways() compileTestCase {
+func testcase_DatacenterFailover_WithMeshGateways() compileTestCase {
 	entries := newEntries()
 	entries.GlobalProxy = &structs.ProxyConfigEntry{
 		Kind: structs.ProxyDefaults,
@@ -1159,7 +1204,7 @@ func testcase_ServiceFailover_WithMeshGateways() compileTestCase {
 			Kind: "service-resolver",
 			Name: "main",
 			Failover: map[string]structs.ServiceResolverFailover{
-				"*": {Service: "backup"},
+				"*": {Datacenters: []string{"dc2", "dc4"}},
 			},
 		},
 	)
@@ -1175,18 +1220,22 @@ func testcase_ServiceFailover_WithMeshGateways() compileTestCase {
 					ConnectTimeout: 5 * time.Second,
 					Target:         "main.default.dc1",
 					Failover: &structs.DiscoveryFailover{
-						Targets: []string{"backup.default.dc1"},
+						Targets: []string{
+							"main.default.dc2",
+							"main.default.dc4",
+						},
 					},
 				},
 			},
 		},
 		Targets: map[string]*structs.DiscoveryTarget{
-			"main.default.dc1": newTarget("main", "", "default", "dc1", func(t *structs.DiscoveryTarget) {
+			"main.default.dc1": newTarget("main", "", "default", "dc1", nil),
+			"main.default.dc2": newTarget("main", "", "default", "dc2", func(t *structs.DiscoveryTarget) {
 				t.MeshGateway = structs.MeshGatewayConfig{
 					Mode: structs.MeshGatewayModeRemote,
 				}
 			}),
-			"backup.default.dc1": newTarget("backup", "", "default", "dc1", func(t *structs.DiscoveryTarget) {
+			"main.default.dc4": newTarget("main", "", "default", "dc4", func(t *structs.DiscoveryTarget) {
 				t.MeshGateway = structs.MeshGatewayConfig{
 					Mode: structs.MeshGatewayModeRemote,
 				}
@@ -1308,11 +1357,7 @@ func testcase_DefaultResolver_WithProxyDefaults() compileTestCase {
 			},
 		},
 		Targets: map[string]*structs.DiscoveryTarget{
-			"main.default.dc1": newTarget("main", "", "default", "dc1", func(t *structs.DiscoveryTarget) {
-				t.MeshGateway = structs.MeshGatewayConfig{
-					Mode: structs.MeshGatewayModeRemote,
-				}
-			}),
+			"main.default.dc1": newTarget("main", "", "default", "dc1", nil),
 		},
 	}
 	return compileTestCase{entries: entries, expect: expect, expectIsDefault: true}

agent/consul/discoverychain/testing.go

@@ -11,6 +11,7 @@ func TestCompileConfigEntries(
 	serviceName string,
 	currentNamespace string,
 	currentDatacenter string,
+	useInDatacenter string,
 	setup func(req *CompileRequest),
 	entries ...structs.ConfigEntry,
 ) *structs.CompiledDiscoveryChain {
@@ -22,6 +23,7 @@ func TestCompileConfigEntries(
 		ServiceName:       serviceName,
 		CurrentNamespace:  currentNamespace,
 		CurrentDatacenter: currentDatacenter,
+		UseInDatacenter:   useInDatacenter,
 		Entries:           set,
 	}
 	if setup != nil {

agent/consul/state/config_entry.go

@@ -444,10 +444,13 @@ func (s *Store) testCompileDiscoveryChain(
 
 	// Note we use an arbitrary namespace and datacenter as those would not
 	// currently affect the graph compilation in ways that matter here.
+	//
+	// TODO(rb): we should thread a better value than "dc1" down here as that is going to sometimes show up in user facing errors
 	req := discoverychain.CompileRequest{
 		ServiceName:       chainName,
 		CurrentNamespace:  "default",
 		CurrentDatacenter: "dc1",
+		UseInDatacenter:   "dc1",
 		Entries:           speculativeEntries,
 	}
 	_, err = discoverychain.Compile(req)

agent/proxycfg/manager_test.go

@@ -46,7 +46,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
 	roots, leaf := TestCerts(t)
 
 	dbDefaultChain := func() *structs.CompiledDiscoveryChain {
-		return discoverychain.TestCompileConfigEntries(t, "db", "default", "dc1",
+		return discoverychain.TestCompileConfigEntries(t, "db", "default", "dc1", "dc1",
 			func(req *discoverychain.CompileRequest) {
 				// This is because structs.TestUpstreams uses an opaque config
 				// to override connect timeouts.
@@ -59,7 +59,7 @@ func TestManager_BasicLifecycle(t *testing.T) {
 		)
 	}
 	dbSplitChain := func() *structs.CompiledDiscoveryChain {
-		return discoverychain.TestCompileConfigEntries(t, "db", "default", "dc1",
+		return discoverychain.TestCompileConfigEntries(t, "db", "default", "dc1", "dc1",
 			func(req *discoverychain.CompileRequest) {
 				// This is because structs.TestUpstreams uses an opaque config
 				// to override connect timeouts.
@@ -201,6 +201,10 @@ func TestManager_BasicLifecycle(t *testing.T) {
 							"db.default.dc1": TestUpstreamNodes(t),
 						},
 					},
+					WatchedGateways: nil, // Clone() clears this out
+					WatchedGatewayEndpoints: map[string]map[string]structs.CheckServiceNodes{
+						"db": {},
+					},
 					UpstreamEndpoints: map[string]structs.CheckServiceNodes{},
 				},
 				Datacenter: "dc1",
@@ -241,6 +245,10 @@ func TestManager_BasicLifecycle(t *testing.T) {
 							"v2.db.default.dc1": TestUpstreamNodesAlternate(t),
 						},
 					},
+					WatchedGateways: nil, // Clone() clears this out
+					WatchedGatewayEndpoints: map[string]map[string]structs.CheckServiceNodes{
+						"db": {},
+					},
 					UpstreamEndpoints: map[string]structs.CheckServiceNodes{},
 				},
 				Datacenter: "dc1",

agent/proxycfg/snapshot.go

@@ -12,7 +12,10 @@ type configSnapshotConnectProxy struct {
 	DiscoveryChain           map[string]*structs.CompiledDiscoveryChain // this is keyed by the Upstream.Identifier(), not the chain name
 	WatchedUpstreams         map[string]map[string]context.CancelFunc
 	WatchedUpstreamEndpoints map[string]map[string]structs.CheckServiceNodes
-	UpstreamEndpoints        map[string]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints
+	WatchedGateways          map[string]map[string]context.CancelFunc
+	WatchedGatewayEndpoints  map[string]map[string]structs.CheckServiceNodes
+
+	UpstreamEndpoints map[string]structs.CheckServiceNodes // DEPRECATED:see:WatchedUpstreamEndpoints
 }
 
 type configSnapshotMeshGateway struct {
@@ -74,6 +77,7 @@ func (s *ConfigSnapshot) Clone() (*ConfigSnapshot, error) {
 	switch s.Kind {
 	case structs.ServiceKindConnectProxy:
 		snap.ConnectProxy.WatchedUpstreams = nil
+		snap.ConnectProxy.WatchedGateways = nil
 	case structs.ServiceKindMeshGateway:
 		snap.MeshGateway.WatchedDatacenters = nil
 		snap.MeshGateway.WatchedServices = nil