Envoy crashes if CDS response has two clusters with the same name

[ramaraochavali]

When Envoy has initialized it self with a set of clusters, if a CDS update comes that has two clusters with the same name, it crashes. If the duplicate comes in the as part of the initial CDS response, it works correctly.

It crashes at this line

 if (existing_active_cluster != active_clusters_.end() ||
      existing_warming_cluster != warming_clusters_.end()) {
    // The following init manager remove call is a NOP in the case we are already initialized. It's
    // just kept here to avoid additional logic.
    init_helper_.removeCluster(*existing_active_cluster->second->cluster_);
    cm_stats_.cluster_modified_.inc();
  } else {
    cm_stats_.cluster_added_.inc();

It passes through if the condition because it has add the cluster with the same name to warming_clusters and hence it enters the if loop but since the cluster with name does not existing in the active_clusters, *existing_active_cluster->second crashes.

We could guard this removeCluster call with if (existing_active_cluster != active_clusters_.end()) to prevent this crash. This is simpler solution which I tried and it works.
Since cluster name is supposed to be unique, ideally should we validate the resource list at onConfigUpdate method of cdsapi and check for duplicates? If we introduce the validation what should be the behaviour? should we reject the entire cds response ? or simplify overwrite with the latest cluster?

[ramaraochavali]

On further thinking, since we override the cluster definition across CDS calls, we could as well do the same with in the same CDS response and let the last definition win instead of complicating the validation. So the guard condition I added should be sufficient. LMK what you guys think?

[mattklein123]

IMO we should check this at the config update layer. I think duplicate clusters/resources is a management server bug and we should catch it and probably fail the update. (I suppose we could also do something like last wins as you propose, but IMO that is pretty confusing and we should inform the management server it has a bug w/ a failed update).

[ramaraochavali]

@mattklein123 I agree that it would be confusing to silently make the last one win. However, since we already do that in the initial update (we just overwrite the latest cluster in the initial response), if we introduce this validation and fail (Which may be the right thing to do), may break some management server implementations. This upgrade may be unsafe to such folks with out changing their management server/underlying duplication. Instead can we log a warning when we detect that a duplicate cluster is there and the fact that we are overwriting? Also we could document this behaviour. I am thinking this may be safer fix at least in short term.
I am actually torn between the two with slight preference to the later for the unsafe upgrade reason.
LMK what you think? I can submit a PR to fix this accordingly.

[mattklein123]

I think we should fix it in both cases and fail both during initial load and during updates. People should be able to catch this during canary if their management server is broken. Also, can we check also that the same bug doesn't exist for LDS and the other xDS? @htuch any thoughts?

[htuch]

Yeah, I think fail early and reject for duplicate resources in xDS makes sense. I think we're not going to be bug-for-bug compatible with past behavior and the last-wins in initial update was not documented behavior, so anyone relying on it did so at their own risk.

[ramaraochavali]

@mattklein123 @htuch I submitted the PR for CDS. I think LDS also has the same issue. Will fix it once CDS is merged. I could not think of any other xDS having this problem - I may be wrong. Let me know, I will check.

[kyessenov]

Unfortunately, istio did this...
/cc @PiotrSikora @rshriram

[gdoctor]

@kyessenov is Istio just using upstream Envoy? So then we could assume they are handling as described above. We ran into a DNS issue that caused our service routing to break when two clusters had the same name. This was because the FQDNs all resolved to the same thing ie appname.default.svc.cluster.local even though they resided on different clusters.

Edit: I realized this issue is actually completely unrelated to the cluster name; rather, it is due to CoreDNS providing the same service sub-domain to each cluster. Since our pods directly communicate across clusters, we were unable to resolve hosts correctly.

[kyessenov]

Yes, it's mostly vanilla+ build. We fixed this in master of istio for obvious cases (TCP/UDP sharing the port), and added a check I think to remove duplicates. (cc @rshriram )