outlier detection: distinguish upstream from internal errors.

[htuch]

Today, the outlier detector doesn't distinguish between a 5xx from the backend or generated internally inside Envoy due to backend unreachability. We would like to be able to only eject hosts when they are unreachable, but not if they explicitly 5xx. Opening this issue to track.

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

[stale]

This issue has been automatically closed because it has not had activity in the last 37 days. If this issue is still valid, please ping a maintainer and ask them to label it as "help wanted". Thank you for your contributions.

[cpakulski]

@htuch, @ggreenway I can look at this issue.

[cpakulski]

@htuch. Would you mind explaining why

We would like to be able to only eject hosts when they are unreachable, but not if they explicitly 5xx. ?

outlierDetector has a specific handler for 5xx: https://github.com/envoyproxy/envoy/blob/master/source/common/upstream/outlier_detection_impl.cc#L70. This is called directly when upstream host returns 5xx.

But router also calls outlier detector with its internal code https://github.com/envoyproxy/envoy/blob/master/source/common/router/router.cc#L464-L466 which is mapped to 503 and eventually is handled by the same handler as for HTTP 5xx.

As you noted both cases are handled without distinction. What is exact logic you had in mind?

[htuch]

If the error comes from router.cc, then it should count towards outlier detection. If it comes from the backend, it should be ignored for this purpose.

The use case is when you only want to exclude those backends that have network connectivity issues, but where 5xx might be a normal part of their behavior that we don't want to be opinionated on.

[cpakulski]

@htuch Thanks, I assume that another handler for connectivity errors is needed plus configuration item, let us call it "consecutive_connection_failure", so you can distinguish those two cases and switch them on/off separately, correct?

[mattklein123]

@htuch @cpakulski the intention is to make this change configurable, right? I can see a scenario in which the user wants to configure this but I also think that the current behavior is a more sensible default for the way most users intend to use outlier detection?