config: supervised replicaset is now anon aware

Filter out anonymous replicas when choosing a bootstrap leader in
`replication.failover: supervised` mode. An anonymous replica can't be
in read-write mode, so it can't be a replicaset bootstrap leader.

Part of tarantool#9432

NO_DOC=It is bugfix. However, this detail is mentioned in the
       documentation request is in the last commit of the series just in
       case.

changelogs/unreleased/config-anonymous-replica.md

@@ -5,8 +5,6 @@
 
   There are caveats that are not resolved yet:
 
-  * An anonymous replica shouldn't be chosen as a bootstrap leader in
-    `replication.failover: supervised` mode.
   * An attempt to configure a replicaset where all instances are anonymous
     replicas should lead to an error on config validation, before configuration
     applying.

src/box/lua/config/applier/box_cfg.lua

@@ -431,7 +431,8 @@ local function apply(config)
         -- the following.
         --
         -- * Look over the peer names of the replicaset and choose
-        --   the minimal name (compare them lexicographically).
+        --   the minimal name across all non-anonymous instances
+        --   (compare them lexicographically).
         -- * The instance with the minimal name starts in the RW
         --   mode to be able to bootstrap the replicaset if there
         --   is no local snapshot. Otherwise, it starts as usual,

src/box/lua/config/configdata.lua

@@ -568,7 +568,18 @@ local function new(iconfig, cconfig, instance_name)
                 found.replicaset_name), 0)
         end
         assert(bootstrap_leader == nil)
-        bootstrap_leader_name = peer_names[1]
+
+        -- Choose first non-anonymous instance.
+        for _, peer_name in ipairs(peer_names) do
+            assert(peers[peer_name] ~= nil)
+            local iconfig_def = peers[peer_name].iconfig_def
+            local is_anon = instance_config:get(iconfig_def, 'replication.anon')
+            if not is_anon then
+                bootstrap_leader_name = peer_name
+                break
+            end
+        end
+        assert(bootstrap_leader_name ~= nil)
     end
 
     -- Names and UUIDs are always validated: during instance start

test/config-luatest/anonymous_replica_test.lua

@@ -115,3 +115,45 @@ g.test_no_anonymous_upstream = function(g)
         end)
     end)
 end
+
+-- Verify that anonymous replicas are skipped when choosing a
+-- bootstrap leader in the `failover: supervised` mode.
+g.test_supervised_mode_bootstrap_leader_not_anon = function(g)
+    -- `failover: supervised` assigns a first non-anonymous
+    -- instance as a bootstrap leader. The order is alphabetical.
+    local config = cbuilder.new()
+        :set_replicaset_option('replication.failover', 'supervised')
+        :add_instance('instance-001', {
+            replication = {
+                anon = true,
+            },
+        })
+        :add_instance('instance-002', {})
+        :add_instance('instance-003', {})
+        :add_instance('instance-004', {})
+        :add_instance('instance-005', {
+            replication = {
+                anon = true,
+            },
+        })
+        :config()
+
+    local replicaset = replicaset.new(g, config)
+    replicaset:start()
+
+    -- Verify that instance-001 (anonymous replica) is
+    -- successfully started. An attempt to make it writable (to
+    -- use as a bootstrap leader) would lead to a startup error.
+    t.helpers.retrying({timeout = 60}, function()
+        replicaset['instance-001']:exec(function()
+            t.assert_equals(box.info.status, 'running')
+        end)
+    end)
+
+    -- Verify that instance-002 is the bootstrap leader.
+    --
+    -- NB: An instance with box.info.id = 1 is a bootstrap leader.
+    replicaset['instance-002']:exec(function()
+        t.assert_equals(box.info.id, 1)
+    end)
+end