connect: fix failover through a mesh gateway to a remote datacenter (#6259)

Failover is pushed entirely down to the data plane by creating envoy
clusters and putting each successive destination in a different load
assignment priority band. For example this shows that normally requests
go to 1.2.3.4:8080 but when that fails they go to 6.7.8.9:8080:

- name: foo
  load_assignment:
    cluster_name: foo
    policy:
      overprovisioning_factor: 100000
    endpoints:
    - priority: 0
      lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 1.2.3.4
              port_value: 8080
    - priority: 1
      lb_endpoints:
      - endpoint:
          address:
            socket_address:
              address: 6.7.8.9
              port_value: 8080

Mesh gateways route requests based solely on the SNI header tacked onto
the TLS layer. Envoy currently only lets you configure the outbound SNI
header at the cluster layer.

If you try to failover through a mesh gateway you ideally would
configure the SNI value per endpoint, but that's not possible in envoy
today.

This PR introduces a simpler way around the problem for now:

1. We identify any target of failover that will use mesh gateway mode local or
   remote and then further isolate any resolver node in the compiled discovery
   chain that has a failover destination set to one of those targets.

2. For each of these resolvers we will perform a small measurement of
   comparative healths of the endpoints that come back from the health API for the
   set of primary target and serial failover targets. We walk the list of targets
   in order and if any endpoint is healthy we return that target, otherwise we
   move on to the next target.

3. The CDS and EDS endpoints both perform the measurements in (2) for the
   affected resolver nodes.

4. For CDS this measurement selects which TLS SNI field to use for the cluster
   (note the cluster is always going to be named for the primary target)

5. For EDS this measurement selects which set of endpoints will populate the
   cluster. Priority tiered failover is ignored.

One of the big downsides to this approach to failover is that the failover
detection and correction is going to be controlled by consul rather than
deferring that entirely to the data plane as with the prior version. This also
means that we are bound to only failover using official health signals and
cannot make use of data plane signals like outlier detection to affect
failover.

In this specific scenario the lack of data plane signals is ok because the
effectiveness is already muted by the fact that the ultimate destination
endpoints will have their data plane signals scrambled when they pass through
the mesh gateway wrapper anyway so we're not losing much.

Another related fix is that we now use the endpoint health from the
underlying service, not the health of the gateway (regardless of
failover mode).

Author: rboyer

agent/cache-types/discovery_chain_test.go

@@ -16,7 +16,7 @@ func TestCompiledDiscoveryChain(t *testing.T) {
 	typ := &CompiledDiscoveryChain{RPC: rpc}
 
 	// just do the default chain
-	chain := discoverychain.TestCompileConfigEntries(t, "web", "default", "dc1", nil)
+	chain := discoverychain.TestCompileConfigEntries(t, "web", "default", "dc1", "dc1", nil)
 
 	// Expect the proper RPC call. This also sets the expected value
 	// since that is return-by-pointer in the arguments.

agent/consul/discovery_chain_endpoint.go

@@ -58,8 +58,9 @@ func (c *DiscoveryChain) Get(args *structs.DiscoveryChainRequest, reply *structs
 			// Then we compile it into something useful.
 			chain, err := discoverychain.Compile(discoverychain.CompileRequest{
 				ServiceName:            args.Name,
-				CurrentNamespace:       evalNS,
-				CurrentDatacenter:      evalDC,
+				EvaluateInNamespace:    evalNS,
+				EvaluateInDatacenter:   evalDC,
+				UseInDatacenter:        c.srv.config.Datacenter,
 				OverrideMeshGateway:    args.OverrideMeshGateway,
 				OverrideProtocol:       args.OverrideProtocol,
 				OverrideConnectTimeout: args.OverrideConnectTimeout,

agent/consul/discoverychain/compile.go

@@ -11,9 +11,10 @@ import (
 )
 
 type CompileRequest struct {
-	ServiceName       string
-	CurrentNamespace  string
-	CurrentDatacenter string
+	ServiceName          string
+	EvaluateInNamespace  string
+	EvaluateInDatacenter string
+	UseInDatacenter      string // where the results will be used from
 
 	// OverrideMeshGateway allows for the setting to be overridden for any
 	// resolver in the compiled chain.
@@ -52,28 +53,33 @@ type CompileRequest struct {
 // valid.
 func Compile(req CompileRequest) (*structs.CompiledDiscoveryChain, error) {
 	var (
-		serviceName       = req.ServiceName
-		currentNamespace  = req.CurrentNamespace
-		currentDatacenter = req.CurrentDatacenter
-		entries           = req.Entries
+		serviceName          = req.ServiceName
+		evaluateInNamespace  = req.EvaluateInNamespace
+		evaluateInDatacenter = req.EvaluateInDatacenter
+		useInDatacenter      = req.UseInDatacenter
+		entries              = req.Entries
 	)
 	if serviceName == "" {
 		return nil, fmt.Errorf("serviceName is required")
 	}
-	if currentNamespace == "" {
-		return nil, fmt.Errorf("currentNamespace is required")
+	if evaluateInNamespace == "" {
+		return nil, fmt.Errorf("evaluateInNamespace is required")
 	}
-	if currentDatacenter == "" {
-		return nil, fmt.Errorf("currentDatacenter is required")
+	if evaluateInDatacenter == "" {
+		return nil, fmt.Errorf("evaluateInDatacenter is required")
+	}
+	if useInDatacenter == "" {
+		return nil, fmt.Errorf("useInDatacenter is required")
 	}
 	if entries == nil {
 		return nil, fmt.Errorf("entries is required")
 	}
 
 	c := &compiler{
 		serviceName:            serviceName,
-		currentNamespace:       currentNamespace,
-		currentDatacenter:      currentDatacenter,
+		evaluateInNamespace:    evaluateInNamespace,
+		evaluateInDatacenter:   evaluateInDatacenter,
+		useInDatacenter:        useInDatacenter,
 		overrideMeshGateway:    req.OverrideMeshGateway,
 		overrideProtocol:       req.OverrideProtocol,
 		overrideConnectTimeout: req.OverrideConnectTimeout,
@@ -106,8 +112,9 @@ func Compile(req CompileRequest) (*structs.CompiledDiscoveryChain, error) {
 // for assembling a discovery chain from raw config entries.
 type compiler struct {
 	serviceName            string
-	currentNamespace       string
-	currentDatacenter      string
+	evaluateInNamespace    string
+	evaluateInDatacenter   string
+	useInDatacenter        string
 	overrideMeshGateway    structs.MeshGatewayConfig
 	overrideProtocol       string
 	overrideConnectTimeout time.Duration
@@ -298,8 +305,8 @@ func (c *compiler) compile() (*structs.CompiledDiscoveryChain, error) {
 
 	return &structs.CompiledDiscoveryChain{
 		ServiceName:       c.serviceName,
-		Namespace:         c.currentNamespace,
-		Datacenter:        c.currentDatacenter,
+		Namespace:         c.evaluateInNamespace,
+		Datacenter:        c.evaluateInDatacenter,
 		CustomizationHash: customizationHash,
 		Protocol:          c.protocol,
 		StartNode:         c.startNode,
@@ -590,8 +597,8 @@ func (c *compiler) newTarget(service, serviceSubset, namespace, datacenter strin
 	t := structs.NewDiscoveryTarget(
 		service,
 		serviceSubset,
-		defaultIfEmpty(namespace, c.currentNamespace),
-		defaultIfEmpty(datacenter, c.currentDatacenter),
+		defaultIfEmpty(namespace, c.evaluateInNamespace),
+		defaultIfEmpty(datacenter, c.evaluateInDatacenter),
 	)
 
 	prev, ok := c.loadedTargets[t.ID]
@@ -806,19 +813,24 @@ RESOLVE_AGAIN:
 
 	target.Subset = resolver.Subsets[target.ServiceSubset]
 
-	// Default mesh gateway settings
-	if serviceDefault := c.entries.GetService(target.Service); serviceDefault != nil {
-		target.MeshGateway = serviceDefault.MeshGateway
-	}
+	// TODO (mesh-gateway)- maybe allow using a gateway within a datacenter at some point
+	if target.Datacenter == c.useInDatacenter {
+		target.MeshGateway.Mode = structs.MeshGatewayModeDefault
+	} else {
+		// Default mesh gateway settings
+		if serviceDefault := c.entries.GetService(target.Service); serviceDefault != nil {
+			target.MeshGateway = serviceDefault.MeshGateway
+		}
 
-	if c.entries.GlobalProxy != nil && target.MeshGateway.Mode == structs.MeshGatewayModeDefault {
-		target.MeshGateway.Mode = c.entries.GlobalProxy.MeshGateway.Mode
-	}
+		if c.entries.GlobalProxy != nil && target.MeshGateway.Mode == structs.MeshGatewayModeDefault {
+			target.MeshGateway.Mode = c.entries.GlobalProxy.MeshGateway.Mode
+		}
 
-	if c.overrideMeshGateway.Mode != structs.MeshGatewayModeDefault {
-		if target.MeshGateway.Mode != c.overrideMeshGateway.Mode {
-			target.MeshGateway.Mode = c.overrideMeshGateway.Mode
-			c.customizedBy.MeshGateway = true
+		if c.overrideMeshGateway.Mode != structs.MeshGatewayModeDefault {
+			if target.MeshGateway.Mode != c.overrideMeshGateway.Mode {
+				target.MeshGateway.Mode = c.overrideMeshGateway.Mode
+				c.customizedBy.MeshGateway = true
+			}
 		}
 	}
 

agent/consul/discoverychain/compile_test.go

@@ -37,12 +37,13 @@ func TestCompile(t *testing.T) {
 		"service redirect":                                 testcase_ServiceRedirect(),
 		"service and subset redirect":                      testcase_ServiceAndSubsetRedirect(),
 		"datacenter redirect":                              testcase_DatacenterRedirect(),
+		"datacenter redirect with mesh gateways":           testcase_DatacenterRedirect_WithMeshGateways(),
 		"service failover":                                 testcase_ServiceFailover(),
 		"service failover through redirect":                testcase_ServiceFailoverThroughRedirect(),
 		"circular resolver failover":                       testcase_Resolver_CircularFailover(),
 		"service and subset failover":                      testcase_ServiceAndSubsetFailover(),
 		"datacenter failover":                              testcase_DatacenterFailover(),
-		"service failover with mesh gateways":              testcase_ServiceFailover_WithMeshGateways(),
+		"datacenter failover with mesh gateways":           testcase_DatacenterFailover_WithMeshGateways(),
 		"noop split to resolver with default subset":       testcase_NoopSplit_WithDefaultSubset(),
 		"resolver with default subset":                     testcase_Resolve_WithDefaultSubset(),
 		"resolver with no entries and inferring defaults":  testcase_DefaultResolver(),
@@ -91,10 +92,11 @@ func TestCompile(t *testing.T) {
 			}
 
 			req := CompileRequest{
-				ServiceName:       "main",
-				CurrentNamespace:  "default",
-				CurrentDatacenter: "dc1",
-				Entries:           tc.entries,
+				ServiceName:          "main",
+				EvaluateInNamespace:  "default",
+				EvaluateInDatacenter: "dc1",
+				UseInDatacenter:      "dc1",
+				Entries:              tc.entries,
 			}
 			if tc.setup != nil {
 				tc.setup(&req)
@@ -941,6 +943,49 @@ func testcase_DatacenterRedirect() compileTestCase {
 	return compileTestCase{entries: entries, expect: expect}
 }
 
+func testcase_DatacenterRedirect_WithMeshGateways() compileTestCase {
+	entries := newEntries()
+	entries.GlobalProxy = &structs.ProxyConfigEntry{
+		Kind: structs.ProxyDefaults,
+		Name: structs.ProxyConfigGlobal,
+		MeshGateway: structs.MeshGatewayConfig{
+			Mode: structs.MeshGatewayModeRemote,
+		},
+	}
+	entries.AddResolvers(
+		&structs.ServiceResolverConfigEntry{
+			Kind: "service-resolver",
+			Name: "main",
+			Redirect: &structs.ServiceResolverRedirect{
+				Datacenter: "dc9",
+			},
+		},
+	)
+
+	expect := &structs.CompiledDiscoveryChain{
+		Protocol:  "tcp",
+		StartNode: "resolver:main.default.dc9",
+		Nodes: map[string]*structs.DiscoveryGraphNode{
+			"resolver:main.default.dc9": &structs.DiscoveryGraphNode{
+				Type: structs.DiscoveryGraphNodeTypeResolver,
+				Name: "main.default.dc9",
+				Resolver: &structs.DiscoveryResolver{
+					ConnectTimeout: 5 * time.Second,
+					Target:         "main.default.dc9",
+				},
+			},
+		},
+		Targets: map[string]*structs.DiscoveryTarget{
+			"main.default.dc9": newTarget("main", "", "default", "dc9", func(t *structs.DiscoveryTarget) {
+				t.MeshGateway = structs.MeshGatewayConfig{
+					Mode: structs.MeshGatewayModeRemote,
+				}
+			}),
+		},
+	}
+	return compileTestCase{entries: entries, expect: expect}
+}
+
 func testcase_ServiceFailover() compileTestCase {
 	entries := newEntries()
 	entries.AddResolvers(
@@ -1145,7 +1190,7 @@ func testcase_DatacenterFailover() compileTestCase {
 	return compileTestCase{entries: entries, expect: expect}
 }
 
-func testcase_ServiceFailover_WithMeshGateways() compileTestCase {
+func testcase_DatacenterFailover_WithMeshGateways() compileTestCase {
 	entries := newEntries()
 	entries.GlobalProxy = &structs.ProxyConfigEntry{
 		Kind: structs.ProxyDefaults,
@@ -1159,7 +1204,7 @@ func testcase_ServiceFailover_WithMeshGateways() compileTestCase {
 			Kind: "service-resolver",
 			Name: "main",
 			Failover: map[string]structs.ServiceResolverFailover{
-				"*": {Service: "backup"},
+				"*": {Datacenters: []string{"dc2", "dc4"}},
 			},
 		},
 	)
@@ -1175,18 +1220,22 @@ func testcase_ServiceFailover_WithMeshGateways() compileTestCase {
 					ConnectTimeout: 5 * time.Second,
 					Target:         "main.default.dc1",
 					Failover: &structs.DiscoveryFailover{
-						Targets: []string{"backup.default.dc1"},
+						Targets: []string{
+							"main.default.dc2",
+							"main.default.dc4",
+						},
 					},
 				},
 			},
 		},
 		Targets: map[string]*structs.DiscoveryTarget{
-			"main.default.dc1": newTarget("main", "", "default", "dc1", func(t *structs.DiscoveryTarget) {
+			"main.default.dc1": newTarget("main", "", "default", "dc1", nil),
+			"main.default.dc2": newTarget("main", "", "default", "dc2", func(t *structs.DiscoveryTarget) {
 				t.MeshGateway = structs.MeshGatewayConfig{
 					Mode: structs.MeshGatewayModeRemote,
 				}
 			}),
-			"backup.default.dc1": newTarget("backup", "", "default", "dc1", func(t *structs.DiscoveryTarget) {
+			"main.default.dc4": newTarget("main", "", "default", "dc4", func(t *structs.DiscoveryTarget) {
 				t.MeshGateway = structs.MeshGatewayConfig{
 					Mode: structs.MeshGatewayModeRemote,
 				}
@@ -1308,11 +1357,7 @@ func testcase_DefaultResolver_WithProxyDefaults() compileTestCase {
 			},
 		},
 		Targets: map[string]*structs.DiscoveryTarget{
-			"main.default.dc1": newTarget("main", "", "default", "dc1", func(t *structs.DiscoveryTarget) {
-				t.MeshGateway = structs.MeshGatewayConfig{
-					Mode: structs.MeshGatewayModeRemote,
-				}
-			}),
+			"main.default.dc1": newTarget("main", "", "default", "dc1", nil),
 		},
 	}
 	return compileTestCase{entries: entries, expect: expect, expectIsDefault: true}

agent/consul/discoverychain/testing.go

@@ -9,8 +9,9 @@ import (
 func TestCompileConfigEntries(
 	t testing.T,
 	serviceName string,
-	currentNamespace string,
-	currentDatacenter string,
+	evaluateInNamespace string,
+	evaluateInDatacenter string,
+	useInDatacenter string,
 	setup func(req *CompileRequest),
 	entries ...structs.ConfigEntry,
 ) *structs.CompiledDiscoveryChain {
@@ -19,10 +20,11 @@ func TestCompileConfigEntries(
 	set.AddEntries(entries...)
 
 	req := CompileRequest{
-		ServiceName:       serviceName,
-		CurrentNamespace:  currentNamespace,
-		CurrentDatacenter: currentDatacenter,
-		Entries:           set,
+		ServiceName:          serviceName,
+		EvaluateInNamespace:  evaluateInNamespace,
+		EvaluateInDatacenter: evaluateInDatacenter,
+		UseInDatacenter:      useInDatacenter,
+		Entries:              set,
 	}
 	if setup != nil {
 		setup(&req)

agent/consul/state/config_entry.go

@@ -444,11 +444,14 @@ func (s *Store) testCompileDiscoveryChain(
 
 	// Note we use an arbitrary namespace and datacenter as those would not
 	// currently affect the graph compilation in ways that matter here.
+	//
+	// TODO(rb): we should thread a better value than "dc1" down here as that is going to sometimes show up in user facing errors
 	req := discoverychain.CompileRequest{
-		ServiceName:       chainName,
-		CurrentNamespace:  "default",
-		CurrentDatacenter: "dc1",
-		Entries:           speculativeEntries,
+		ServiceName:          chainName,
+		EvaluateInNamespace:  "default",
+		EvaluateInDatacenter: "dc1",
+		UseInDatacenter:      "dc1",
+		Entries:              speculativeEntries,
 	}
 	_, err = discoverychain.Compile(req)
 	return err