feat: cross Backend failover/fallback and retry support

[mathetake]

Commit Message

This commit is a relatively large refactoring of internals to make Envoy AI Gateawy's API more aligned with Envoy Gateway's BackendTrafficPolicy as well as HTTPRoute. Specifically, the main objective here to allow failover and retires to work well across multiple AIServiceBackend.

One of the most notable changes in this commit is that we split the extproc's logic into two phases; one is executed at the normal router level that selects a route (as opposed to the backend selection previously) and the other as the upstream filter that performs auth and transformation. In other words, Envoy AI Gateway configures two external processing filters.

As a result, users are now able to configure failover as well as the retry/fallback using Envoy Gateway's BackendTrafficPolicy attached to HTTPRoute generated by the Envoy AI Gateway. For example, this allows us to support the case where primary cluster is an Azure OpenAI and when it's failing, the AI Gateway fallbacks to AWS Bedrock with the standard Envoy Gateway configuration.

Background
At the Envoy configuration level, Envoy Gateway translates multiple backends in a single HTTPRoute's Rule into a single Envoy cluster whose endpoints consists of multiple Endpoint set (called LocalityLbEndpoints in Envoy API [1]) and each set corresponds to a Backend with priority configured. For example, very roughly speaking, the following pseudo HTTPRoute

apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata
  name: provider-fallback
spec:
  rules:
  - backendRefs:
    - group: gateway.envoyproxy.io
      kind: Backend
      name: primary-backend
    - group: gateway.envoyproxy.io
      kind: Backend
      name: secondary-backend
    matches:
    - path:
        type: PathPrefix
        value: /

will be translated as, when secondary-backend is marked as fallback: true in its Backend definition ([2]):

- cluster:
  '@type': type.googleapis.com/envoy.config.cluster.v3.Cluster
  loadAssignment:
    clusterName: httproute/default/provider-fallback/rule/0
    endpoints:
    - lbEndpoints:
      - endpoint:
          address:
            socketAddress:
              address: primary.com
              portValue: 443
      priority: 0
    - lbEndpoints:
      - endpoint:
          address:
            socketAddress:
              address: secondary.com
              portValue: 443
      priority: 1

where priority is configured 0 and 1 for each primary and secondary backend. When retry or passive health check is configured, Envoy will retry or fallback into the secondary cluster.

In our API, transformation as well as upstream authentication must be performed per Backend so these logic must be inserted after this endpoint set (or LocalityLbEndpoints to be precise) is chosen by Envoy. For example, primary.com and secondary.com might have different API schema, authentication etc. Since Envoy has a specific HTTP filter chain that will be executed at this stage, which is called "upstream filters", if we insert the extproc that performs these logic, we can properly do authn/z and transformation in response to the retry attempts by Envoy natively.

From the upstream filter level external processor's perspective, it needs to know which exactly backend is chosen by the Envoy's cluster load balancing logic. We add some additional metadata information into the endpoint with EG's extension server so that the extproc can retrieve these information. We also use the extension server to insert the upstream extproc filter since currently it's not supported by EG. These logic in our extension server can be eliminated when the corresponding functionality become available in EG ([3],[4]).

Caveats

• Due to the limitation of EG's extension server API, AIBackendService that references k8s Service cannot be supported so we have to drop the support for it. Since there's a workaround for it, it should be fine plus EG can be fixed easily so the version after the next release should be able to revive the support.
• aigw run temporarily disabled until [5] is resolved
• Infernce Extension support temporarily disabled but will be revived before the next release.

[1] https://www.envoyproxy.io/docs/envoy/latest/api-v3/config/endpoint/v3/endpoint_components.proto
[2] https://gateway.envoyproxy.io/latest/api/extension_types/#backendspec
[3] envoyproxy/gateway#5523
[4] envoyproxy/gateway#5351
[5] envoyproxy/gateway#5918

Related Issues/PRs (if applicable)

Partially resolves the provider level fallbacks for #34

[mathetake]

note to self: TODOs after this PR:

• Change weight to the optional int32; non-breaking change
• Add timeout at the rule level to match HTTPRoute; deprecate the AIServiceBackend level timeout
• Fix aigw run by running the extension server in the standalone mode
• Fix and Redo Inference Extension support
• Document that BackendRef must NOT be Service; not breaking change (there's a workaround)

[mathetake]

finally passed all tests.....

[yuzisun]

Not sure if I understand correctly, is the idea here is to match the route name which is the HTTPRoute resource, each AIGatewayRoute rule creates a corresponding HTTPRoute ?

[mathetake]

well, not really. AIGatewayRoute: HTTPRoute is one-to-one and each rule in AIGatewayRoute will also one-to-one correspond to HTTRoute's rule. The route level extproc's only responsibility is to choose the matching rule (as opposed to the backend before). And then Envoy will route the requests to the chosen rule (== cluster binding multiple backends).

[yuzisun]

This means that we are dropping the capability of making the routing decision in extproc from a list of backend refs if I understand correctly. For example if we want to implement latency aware routing, we will no longer be able to do that in extproc and have to rely on envoy endpoint picker ?

 apiVersion: aigateway.envoyproxy.io/v1alpha1
 kind: AIGatewayRoute
 metadata:
   name: latency-aware-routing
   namespace: default
 spec:
   schema:
     name: OpenAI
   targetRefs:
     - name: latency-aware-routing
       kind: Gateway
       group: gateway.networking.k8s.io
   rules:
     - matches:
         - headers:
             - type: Exact
               name: x-ai-eg-model
               value: us.meta.llama3-2-1b-instruct-v1:0
       loadBalancer: latency
       backendRefs:
         - name: provider-aws-llama
         - name: provider-gcp-llama

[mathetake]

we are dropping the capability of making the routing decision in extproc from a list of backend refs if I understand correctly.

Not really. If we want to implement loadBalancer: latency something like this after this PR, we can still translate it by adding a specific cluster and then set a specific backend in the header from the ext proc to that cluster. it should be doable.

[yuzisun]

is the assumption here that AIGatewayRoute is now split to individual ones like we planned for HTTPRoute ?

[mathetake]

It won't split into multiple HTTPRoutes as I commented above. The size limit thingy can be fixed with the support for multiple AIGatewayRoutes per Gateway as we discussed in the slack with Yao and others. Keeping AIGatewayRoute: HTTPRoute = 1: 1 is much simpler from UX perspective as well since you can create the retry/fallback policy for the generated one HTTPRoute as in the example 3549245

[kerthcet]

I think still possible with #588 (comment) here?

[mathetake]

yeah it still should be possible even after this PR, just that the backends moved to the top level here vs under Rules before.

[yuzisun]

On retry the model name could also change, "same model" but they can have different name in different provider. I can create a separate to support his after this PR is in.

[yuzisun]

Awesome work !!!

[kerthcet]

Sorry, How we map the Backends with the headers now? Seems they're separated, no obvisous relationship between them.

[mathetake]

oh you are right. that's necessary for #588 right? we need to store the route->backends info somewhere in here. would you mind sending a patch?

[kerthcet]

Yeah, I can take a look.