docs/rfcs: add RFC for fast tenant migration/failover

[jcsp]

Problem

Currently we don't have a way to migrate tenants from one pageserver to another without a risk of gap in availability.

Summary of changes

This follows on from #4919

Migrating tenants between pageservers is essential to operating a service
at scale, in several contexts:

1. Responding to a pageserver node failure by migrating tenants to other pageservers
2. Balancing load and capacity across pageservers, for example when a user expands their
   database and they need to migrate to a pageserver with more capacity.
3. Restarting pageservers for upgrades and maintenance

Currently, a tenant may migrated by attaching to a new node,
re-configuring endpoints to use the new node, and then later detaching from the old node. This is safe once generation numbers are implemented, but does meet
our seamless/fast/efficient goals:

Checklist before requesting a review

• I have performed a self-review of my code.
• If it is a core feature, I have added thorough tests.
• Do we need to implement analytics? if so did you add the relevant metrics to the dashboard?
• If this PR requires public announcement, mark it with /release-notes label and add several sentences in this section.

Checklist before merging

• Do not forget to reformat commit message to not include the above checklist

[github-actions]

2520 tests run: 2403 passed, 0 failed, 117 skipped (full report)

---

Flaky tests (1)

Postgres 16

• test_crafted_wal_end[last_wal_record_crossing_segment]: release

Code coverage (full report)

• functions: 52.9% (8019 of 15145 functions)
• lines: 81.2% (47016 of 57888 lines)

---

_{The comment gets automatically updated with the latest test results
1569446 at 2023-09-27T10:12:51.854Z :recycle:}

[problame]

Read up to but not including ### Database schema for locations.

I'm good with the high-level procedure.

My main worry design-wise is the AttachedStale state and how it will interact with eviction.

I'd love to see it removed from this RFC and added in a later RFC.

I'll create a stacked PR with some editorial fixes.

[problame]

Please pull in my editorial fixes from here: #5185

[koivunej]

Some quick comments

[jcsp]

Updates:

• Safety of AttachedMulti: note that the pageserver must bound the number of deletions it enqueues, in case it is left in this state too long.
• Safety of AttachedStale: add a behavior where the pageserver will un-block S3 writes for a tenant if it receives evict_layers calls that can only be satisfied by uploading.
• Scope: clarify in Non-Goals that the RFC does not aim to specify all possible tenant configuration transitions, but provides an API sufficient for whatever movements the control plane might like to do.
• Scope: clarify that defining different storage strategies for different tiers of service is not included in this RFC.
• Clarify that flushing to S3 includes flushing the heatmap.
• Clarify that the heatmap is advisory and secondaries may retain additional layers which are in the IndexPart but not the heatmap, if disk space permits.
• Disambiguate the location configuration API from the existing tenant config API
• Make the permutations on migration for node down, no secondary, and permanent migration more prominent with section headings.

[problame]

Sorry for the slew of comments. By and large, I'm good with this design though.

[problame]

Good to go!