Avoid crashing on startup if Elasticsearch is not available

[jsoriano]

What is the problem this PR solves?

Keep Fleet Server process running if Elasticsearch is not available on startup.

How does this PR solve the problem?

• Initial Info request is removed, so the client can be eventually used even if during startup Elasticsearch is not available.
• Subsystems that need initialization keep retrying if they fail.
• Standalone monitor keeps running once the service is healthy. If it loses connection with Elasticsearch, it goes to degraded state.

How to test this PR locally

• An e2e is added that uses toxiproxy to simulate connectivity loss.
• In general, this can be tested by:
  • Starting Fleet Server without connectivity with Elasticsearch (or with Elasticsearch down), it should still start, but without reaching the healthy state.
  • Start Fleet Server, and once it is healthy, interrupt connectivity with Elasticsearch.

Locally I have simulated connectivity interruptions with iptables.

Design Checklist

• I have ensured my design is stateless and will work when multiple fleet-server instances are behind a load balancer.
• I have or intend to scale test my changes, ensuring it will work reliably with 100K+ agents connected.
• I have included fail safe mechanisms to limit the load on fleet-server: rate limiting, circuit breakers, caching, load shedding, etc.

Checklist

• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• I have made corresponding change to the default configuration files
• I have added tests that prove my fix is effective or that my feature works
• I have added an entry in ./changelog/fragments using the changelog tool

Related issues

• Fixes Fleet Server should not crash on startup if connection to Elasticsearch timeouts #2683

[elasticmachine]

💚 Build Succeeded

the below badges are clickable and redirect to their specific view in the CI or DOCS

Expand to view the summary

Build stats

• Start Time: 2023-07-06T16:19:14.121+0000

• Duration: 41 min 18 sec

Test stats 🧪

Test	Results
Failed	0
Passed	745
Skipped	1
Total	746

💚 Flaky test report

Tests succeeded.

🤖 GitHub comments

Expand to view the GitHub comments

To re-run your PR in the CI, just comment with:

• /test : Re-trigger the build.

[mergify]

This pull request is now in conflicts. Could you fix it @jsoriano? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b retry-connections-startup upstream/retry-connections-startup
git merge upstream/main
git push upstream retry-connections-startup

[michel-laterman]

Can you add a changelog fragment?

Also I think with these changes we should have a discussion about health vs readiness endpoints for the fleet-server

[michel-laterman]

👍

[michel-laterman]

The coordinator and monitors get started separate goroutines ( in server/fleet.go) so I don't think anything should go wrong with these changes.
The only difference should be that the API is "available", but should return a 503 in a non-status endpoint (like enroll) is called. Can you add that as an e2e test?

[jsoriano]

The only difference should be that the API is "available", but should return a 503 in a non-status endpoint (like enroll) is called. Can you add that as an e2e test?

Added a middleware that makes any non-status endpoint to return a 503 when the service is not available. And some assertions in the test to check this. Let me know what you think.

[jsoriano]

And removed after #2693 (comment) and the discussion about health checks.

Not sure then if there is an E2E test that we can add here, maybe in the controllers that use it?

[jsoriano]

Not sure if I like to have this difference in behaviour, but I think we may need it, we don't have the same healthcheck needings when running as standalone and when running inside agent.

[michel-laterman]

I think our alternative is to create a health endpoint and have the platform direct traffic if to fleet-server once ES is healthy. What do you think?

[jsoriano]

Yeah, once we have healthchecks in place, the platform won't send traffic to us when we cannot reach ES. Should I remove this?
I started adding this after this comment about returning 503s when the healthcheck fails. But I see now that maybe you were referring to the platform and not directly here?

[jsoriano]

I am removing the middleware I added, and we will rely on readiness probes.

[joshdover]

Also I think with these changes we should have a discussion about health vs readiness endpoints for the fleet-server

Did we have this discussion? I think we need readiness not to be successful until Fleet Server can accept traffic (so it's connection to ES is working), while liveness should still pass to avoid unnecessary container restarts.

[jsoriano]

Also I think with these changes we should have a discussion about health vs readiness endpoints for the fleet-server

Did we have this discussion? I think we need readiness not to be successful until Fleet Server can accept traffic (so it's connection to ES is working), while liveness should still pass to avoid unnecessary container restarts.

Not really, thanks for the heads-up on this.

TLDR; I would add a healthcheck script to the docker image to check readiness based on current status endpoint, and I wouldn't add a liveness probe at least at the moment.

For readiness, we can check now if the status is healthy. We would need a command probe for this.
If we want to use a simpler HTTP probe, and rely only on the status code, we would need to modify the current handler, because it returns 200 now when it is in degraded state, or to define a new /healthz endpoint that returns 200 only when healthy.

So three options:

• Use a command probe that uses the status endpoint to check if the service is healthy. We could add a healthcheck.sh script to the image for this.
• Modify current status endpoint to return 200 only when the service is healthy. This is potentially a breaking change.
• Add a new /healthz endpoint that returns 200 only when the service is healthy.

I will go for the first option by now so we don't need to modify or extend our APIs.

Regarding liveness, I don't think we need to add a probe for this at the moment. I would add it if we know that the Fleet Server can reach some unrecoverable unhealthy state, that afaik is not the case. If we add a liveness probe now, it will be always succeeding unless the pod crashes, what is no different to not having any probe.

@michel-laterman @joshdover wdyt?

[joshdover]

Modify current status endpoint to return 200 only when the service is healthy. This is potentially a breaking change.

I lean towards this option as I see it more of a bug fix than a breaking change, but also open to start with a command probe for now as we experiment and only make the change on the existing endpoint once we have it working the way we want.

Regarding liveness, I don't think we need to add a probe for this at the moment. I would add it if we know that the Fleet Server can reach some unrecoverable unhealthy state, that afaik is not the case. If we add a liveness probe now, it will be always succeeding unless the pod crashes, what is no different to not having any probe.

Makes sense to me 👍

[jsoriano]

Modify current status endpoint to return 200 only when the service is healthy. This is potentially a breaking change.

I lean towards this option as I see it more of a bug fix than a breaking change, but also open to start with a command probe for now as we experiment and only make the change on the existing endpoint once we have it working the way we want.

Ok, I will give this a try before adding the script.

[jsoriano]

@michel-laterman should it be actually healthy if the policies index hasn't been created yet? Would requests succeed if Fleet Server cannot use this index? 🤔

[michel-laterman]

IMO it should be unhealthy if the index does not exist, that way the fleet-controller/k8s can use it for health checks/traffic routing. What do you think @nchaulet?
This PR also changes the status endpoint to return 200 only on a healthy status

[nchaulet]

IMO it should be unhealthy if the index does not exist, that way the fleet-controller/k8s can use it for health checks/traffic routing. What do you think @nchaulet?

Not sure the index while not exists if the user do not create any agent policy, so it probably should be healthy even if the index do not exists

[michel-laterman]

Sounds good, let's add the behaviour to the description in the openapi doc

[jsoriano]

Description updated in https://github.com/elastic/fleet-server/pull/2693/files#diff-5ad174233c27653aa08c5ce213ddfc13cbf7bcfc10cdf724a547da655e5743c0R830, let me know if this is fine.

[michel-laterman]

Sounds good, let's add the behaviour to the description in the openapi doc

[jlind23]

Looks like the buildkite failure comes from

go: cloud.google.com/go/pubsublite@v1.7.0: verifying go.mod: cloud.google.com/go/pubsublite@v1.7.0/go.mod: reading https://sum.golang.org/tile/8/1/252: 404 Not Found

[joshdover]

Ran a rebuild and it seemed to get past that step 👍

[jlind23]

🚢

[jsoriano]

/test