Allow flipping healthy panic scenario behavior

[csssuf]

Title: Allow changing healthy panic scenarios to failing all requests instead of routing to any host.

Description:
Currently, the only behavior possible when a cluster enters a panic state is that requests are routed to any host in the cluster regardless of the host's health. This behavior should be configurable to instead disallow requests completely, even with remaining healthy hosts in the cluster. This is useful in scenarios where it is more desirable to allow a failing service to recover, rather than attempt to allow even a small percentage of traffic to succeed.

I also have a draft patch which switches the behavior unconditionally and would be willing to work on adapting it to be configurable.

Relevant Links:
https://www.envoyproxy.io/docs/envoy/latest/intro/arch_overview/upstream/load_balancing/panic_threshold.html

[mattklein123]

@snowp any thoughts here?

[snowp]

Seems like a reasonable request for very specific failure modes (e.g. if health checks are failing from the server being overloaded), so I can see the argument for adding this.

I'm a bit unsure how it would interact with per priority panic (would you ever want to fail requests if another priority is not in panic?), but maybe we could have this only kick in on global panic?

[stale]

This issue has been automatically marked as stale because it has not had activity in the last 30 days. It will be closed in the next 7 days unless it is tagged "help wanted" or other activity occurs. Thank you for your contributions.

[csssuf]

I would still love to see this feature. Anything I can do to help move it forward?