xds: Consistency while handling CDS updates and EDS

[sschepens]

When a cluster is created or updated envoy it enters warming phase and needs a related ClusterLoadAssignement response to fully initialize.
During Envoy startup phase envoy sends requests for those resources to the management server and so the management servers knows it has to respond those.
But, when updating a Cluster via CDS, no EDS re-request is sent to the management server and management server doesn't really know it should send a ClusterLoadAssignement for that Cluster, even if the resource hasn't really changed.
This berhavior introduces subtle bugs in management servers, in our case, our resource versioning scheme somehow included the cluster version, yesterday we introduced a change to remove that, and that unexpectedly broke our cluster updates, leaving some clusters without traffic.

This should probably be handled by envoy, currently go-control-plane and java-control-plane don't really handle this since it's kind of hard to induce this behavior of always pushing an EDS update for a Cluster even if the resource hasn't really changed, and if not using ADS, envoy is possibly connected to multiple management servers which increases the difficulty.

@htuch suggested that envoy should probably unsubscribe from EDS for the updated cluster and immediately subscribe again, since this is what's actually happening inside envoy, a new Cluster is being created and it wants to subscribe to the resources, and the old one wants to unsubscribe. Some more thought should be done on this idea and the consecuences of the old cluster being unsubscribed from resources.

Some discussion already happened on Slack, opening this issue to continue discussion.

This issue also applies to LDS updates with RDS and probably SRDS with RDS.

[htuch]

CC @envoyproxy/api-shepherds

[markdroth]

But, when updating a Cluster via CDS, no EDS re-request is sent to the management server and management server doesn't really know it should send a ClusterLoadAssignement for that Cluster, even if the resource hasn't really changed.

Why would the management server need to send an update for the EDS resource that has not changed, just because the CDS resource that pointed to it has changed? This seems like a pretty clear Envoy bug: the CDS and EDS resources should be tracked independently from the perspective of the xDS client code, so that when a new Cluster object is created, it can just pick up the existing data for the EDS resource it wants.

In gRPC, the pattern we use here is to separate out the transport protocol logic from the data model logic. The transport protocol logic (which includes not just the wire communication but also the caching logic, since those two things are ultimately closely tied together) is implemented in a single XdsClient object. Its API allows callers to start watches for a given resource of a given type. When the first watch for a given resource is started, the XdsClient will send a request to the xDS server subscribing to that resource, and all updates from the xDS server will be sent to that watcher. It's fine for multiple callers to be watching the same resource: if a watch is started for a resource that is already subscribed to (because some other watch was already started), then the XdsClient will immediately send the already-cached data to the new watcher. When all watchers for a given resource are cancelled, the XdsClient will send a request to the xDS server unsubscribing from that resource.

One significant difference between Envoy and gRPC is that when a CDS resource is updated, gRPC can update the individual fields in the cluster instance rather than having to create a whole new cluster instance. But even if we did need to create a whole new cluster instance, it still would not pose a problem, because we'd keep the old instance around while the new instance warmed up. This would mean that when the new instance would start a watch for the EDS resource name, it would get the value that was already cached in the XdsClient, and the management server would not know or care that the cluster instance had been replaced.

@htuch suggested that envoy should probably unsubscribe from EDS for the updated cluster and immediately subscribe again, since this is what's actually happening inside envoy, a new Cluster is being created and it wants to subscribe to the resources, and the old one wants to unsubscribe. Some more thought should be done on this idea and the consecuences of the old cluster being unsubscribed from resources.

This seems sub-optimal, both because it will cause unnecessary network traffic and because it will make warming the new cluster instance take longer. I think it should be possible to avoid all of that by separating out the xDS client code into its own layer, as I described above.

That having been said, my concern here is less about Envoy having sub-optimal behavior and more about making sure that the protocol semantics are clear. I think that the protocol itself should not require clients to re-subscribe in this case, because I'd rather not change gRPC, which already handles this case correctly, to do something less optimal. And if Envoy does do the less optimal thing, I am concerned that it may introduce situations where management servers are built with Envoy-specific assumptions that make it hard for them to support gRPC later.

[htuch]

@markdroth I think this was a deliberate choice we made when designing CDS warming. The idea is that you might also be switching the endpoints when changing cluster config, e.g. upgrading from non-TLS to TLS cluster. You can see a pretty detailed discussion in #5168.

On clarifying protocol semantics, I think we have a PoR to move forward here with #11299. I'll be putting together a SoW draft for this during the week. This is probably the best way to get a formal and testable statement of intended semantics in these corner cases.

[markdroth]

Reading the discussion in #5168, the problem there actually seems like another symptom of the fact that Envoy's implementation does not cleanly separate the transport protocol layer (which by necessity includes caching) from the data model layer (in this case, the cluster instance). IMHO, these should be two different layers with a clear separation between them, so that implementation details in the data model layer (such as completely replacing a cluster instance whenever one field changes) do not affect the behavior of the transport protocol layer (such as caching).

To say that another way, I think that the existence of this issue is an indication that the existing solution to #5168 didn't really solve the problem. I think that if Envoy changed to cleanly separate these two layers, it would not only solve the immediate problem but also prevent future problems caused by this same underlying architectural problem.

In fact, it looks to me like you actually suggested something similar to this in #5168 (comment), and I don't see any follow-up discussion there saying why this should not work. I see that you said that it seems odd to do this in the gRPC mux impl, which I can understand, but I don't see why we can't wrap a fuller XdsClient abstraction around the gRPC mux impl.

[sschepens]

@htuch if one were to make something like change TLS without downtime, we now have transport_socket_matches and also, couldn't something be made with AggregateClusters?

[markdroth]

BTW, if you're interested in what the XdsClient API looks like in gRPC, the relevant part is here:

https://github.com/grpc/grpc/blob/139895d2c8a0e52540dfba323970f905a2d29df6/src/core/ext/xds/xds_client.h#L96

In our implementation, there's a separate watch API for each type of resource, mainly because we can't depend on the protobuf library and didn't want to make upb part of this API. But in Envoy, you could easily have a single watch API used for all resource types, simply by specifying the resource type as a parameter when you start the watch and having the data reported to the watcher be an Any.

[sschepens]

I'm with @markdroth here.

I think from a protocol standpoint it pretty crappy for mangement servers to have to resend a configuration change if nothing really changed. Furthermore, in Incremental, Envoy is subscribed to resource updates and should only get notifiend when those actually change.

In the case of updating clusters to TLS, if it's not doable with current mechanics, maybe we're in need of additional methods for transparently doing this sort of updates, but it would seem that transport_socket_matches and AggregateCluster are some of those mechanics.

[htuch]

As in the original CDS work, our constraints are not greenfield, to some extent we need to be backwards compatible with existing management servers. I don't think it would be particularly hard to add caching to Envoy's existing implementation, the question is really what is the correct behavior on the wire, given Envoy's existing behavior, xDS server implementations and our desired goals. We've been running with the "CDS updates implies warming, implies an EDS response" for some time. Can we design something that works for folks who are assuming that and migrate to a better model? Potentially, but I don't think we can sunset Envoy's cluster warming behavior overnight.

[markdroth]

If Envoy stops requiring management servers to proactively send an EDS response after a CDS update, then it's not harmful for management servers that continue to do that (the update will effectively be a no-op on the client if nothing has changed), but it means that new management servers don't need to send that unnecessary update.

[htuch]

One thing I'd like to point out, going all the way back to the top of this thread, is that in Envoy today, what is going on, is that a cluster is going away and a new one is arriving, which happens to share the same name. When you delete a resource, in CDS, you logically unsubscribe from the EDS resources. We could special case this to talk about what happens over an update, but keep in mind we're adding in an extra corner case to deal with in implementations.

I'm not opposed to any direction we take here. IMHO, the most logical thing would be for subscriptions to actually references the subscribing resource instance (e.g. via UUID), so that you could independently unsubscribe and resubscribe. But I don't think it's worth building that out just for this.

[htuch]

If Envoy stops requiring management servers to proactively send an EDS response after a CDS update, then it's not harmful for management servers that continue to do that (the update will effectively be a no-op on the client if nothing has changed), but it means that new management servers don't need to send that unnecessary update.

It's not as simple as this, since some Envoy users will be expecting the warming behavior and want to defer the cluster warming until endpoint update. See the TLS upgrade example, which is not a hypothetical but a valid use of Envoy's existing mechanisms.