Support for endpoint lease ( How long endpoints should be used)

[vishalpowar]

This is following up on previously closed Issue (#5347).
This one specifically targets to address just the stale Endpoints issue.

---

Title: Add support for specifying how long endpoints should be used

Description:
When disconnected from the Management Server, envoy would end up using last known information from the Mgmt server. This is probably good for a lot of usecases/deployment, but there are situations where this might actually be harmful for overall system.

*Stale Endpoints:
For a deployment where Management Server does load balancing and sends the endpoints with weights to the envoys. If a envoy is disconnected from the management server for significant period, it will continue to use the stale weights and endpoints. Although the envoy will route the traffic to endpoints, we might end have

• Some servers move to different ip:port causing less number of endpoints being usable. Which eventually results in server overload.
• Servers getting overloaded as the weights assigned are stale.

Proposal:

As we are specifically looking to identify stale information having this lease associated per Endpoints is an overkill.
There are two levels where this control signal can be added.

Envoy level (Config)
As part of the CDS response. This is applied to all the resources returned in CDS response, and only changes when there is new CDS response.
e.g.

message OutlierDetection { 
.   .   .
  // The max time for which an endpoint can be used after it was received as part of EDS/CDS
  // Defaults to 0 which means never.
  google.protobuf.Duration  endpoint_stale_after = 12 [(validate.rules).duration.gt.seconds = 0];
}

Cluster level (EDS resources)
Associate per ClusterLoadAssignment, and is associated per assignment (every EDS response).

message ClusterLoadAssignment {
   // The max time for which an endpoint of this cluster can be used after this assignment was received.
   // Defaults to 0 which means never.
  google.protobuf.Duration  endpoint_stale_after = 5 [(validate.rules).duration.gt.seconds = 0];
}

Either of the above approach extends easily to Incremental xDS as what we are really tracking is how long has it been since the Mgmt Server sent us endpoints.

[snowp]

Few questions:

1. What is the difference between the CDS and CLA option? If it's just to differentiate between EDS and non-EDS, I'd say sticking to the CLA option would be sufficient since the non-EDS clusters also use that proto to declare hosts (through the load_assignment field).
2. What is the intended behavior when a host is removed? Should it be marked as unhealthy (similar to how outlier detection works) or completely removed?

I'll note that this would possibly interact surprisingly with panic mode if implemented as a health change - once the endpoints expire they would all go unhealthy, triggering panic mode and treating all endpoints as healthy again. That said, panic mode can be disabled so this isn't a blocker.

[vishalpowar]

What is the difference between the CDS and CLA option?

Just the granularity of control. For CLA it is per cluster. While for CDS it is for all the clusters that form part of the response. I am not sure which level this control should be fed at (to the envoy).
Having it as CLA also means it can be modified per assignment. Which can be good or bad based on how to look at it.

What is the intended behavior when a host is removed?

Setting it unhealthy seems right to me.
If I understand correctly, removing the endpoint completely might trigger unexpected behavior for Incremental xDS.

[mattklein123]

Some servers move to different ip:port causing less number of endpoints being usable. Which eventually results in server overload.

Servers getting overloaded as the weights assigned are stale.

I'm confused how leases are going to fix this. If we delete the hosts or mark them unhealthy and we don't get new ones, won't you have the same situation? Why not just use active/passive HC to deal with this?

[vishalpowar]

I'm confused how leases are going to fix this. If we delete the hosts or mark them unhealthy and we
don't get new ones, won't you have the same situation? Why not just use active/passive HC to deal
with this?

The proposal is to mark all the endpoints unhealthy after the lease expires (which also means the client is not getting new assignments from mgmt server).
For that client (envoy) it would mean that cluster (all clusters) becomes unavailable. This localizes the problem to that client.

Instead of the current behavior where if we will continue using the remaining healthy endpoints. We might end up overloading these endpoints and bringing them down.
This can potentially impact other connected/well-behaving clients and lead to wider/global service degradation.

[mattklein123]

@vishalpowar but active/passive health check does the same thing, right? I'm unclear what the benefit is of adding this feature.

[vishalpowar]

Please correct me if my understanding of envoy behavior is not accurate .

active/passive health check does the same thing, right ?

From what I can tell both active/passive health checks are based on responses from the endpoint (deriving the 'state' of the endpoint from that response).
This means the endpoint is already degraded and all other envoys/clients are affected.
The lease is intended to be a preventive mechanism, when today a single(subset) of envoy/client not being able to talk to MgmtServer for extended duration will eventually result in endpoint/service degradation.

Reading more about passive health check. Lease as proposed here probably fits the requirement of a new 'detection type' (with max_ejection_percentage=100 and base_ejection_time='forever')

I'm unclear what the benefit is of adding this feature.

For obvious failure (not connected to mgmt server) we can allow for configuration of preventive mechanism to avoid impacting other clients/envoys proactively.

[mattklein123]

See https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/health_checking for details on active and passing health checking.

I still don't understand how a lease helps you avoid errors. If the host goes away before the lease expires you get errors, or if you expire too early, you have no hosts. Wouldn't it be better to stabilize and rely on health checking to tell you which hosts are bad?

[htuch]

@mattklein123 WDYT about the argument around stale LB assignments. Let's see you have some Envoys disconnected from the control plane for an extended time. They have weighting 50% to endpoint A and 50% to endpoint B. After some time expires, endpoint A is now in overload. They continue to dump non-trivial load on A, because they aren't receiving updated control plane signal.

Possibly the HC failures would kick in, but maybe we're hovering just below overload and shouldn't be pushing A into overload. Etc.

[mattklein123]

@htuch I'm not sure I fully follow the case above. Are you saying there are cases in which a host would pass health check but you still want it to be dropped via a lease time?

[vishalpowar]

I still don't understand how a lease helps you avoid errors.

Lease does not help in avoiding errors on envoy which are disconnected from the MgmtServer. It protects the service and ensures that other envoys are not affected due to endpoint/service failures caused by the envoy using stale LB assignments.

Wouldn't it be better to stabilize and rely on health checking to tell you which hosts are bad?

Not in all the cases. We do not want a single failure (one envoy not able to talk to MgmtServer), trigger a cascading failure for all the other envoys in the system

Are you saying there are cases in which a host would pass health check but you
still want it to be dropped via a lease time?

yes. I understand that not all deployments might need this. But in some deployments it would be better to fail at a single client rather than impact all the other clients.

[mattklein123]

yes. I understand that not all deployments might need this. But in some deployments it would be better to fail at a single client rather than impact all the other clients.

Yup OK makes sense now for this use case. SGTM. Thanks for the detailed back and forth.

[vishalpowar]

Thanks,
@mattklein123, @snowp based on all the discussion.
Do you have a feel if this is should be made a part of OutlierDetection (as a Detection Type) or its something that makes more sense with ClusterLoadAssignment.

[mattklein123]

@vishalpowar IMO I think if we add a lease time I would probably do it as part of cluster load assignment. @snowp @htuch WDYT?