feat(runtime): add virtual cluster lifecycle state tracking (kroxylicious#3640)

* Add virtual cluster lifecycle state model

Introduce VirtualClusterLifecycleState as a sealed interface with
records for each state (Initializing, Serving, Draining, Failed, Stopped).
Each state exposes typed transition methods enforcing the state machine
from proposal 016. Failed carries its cause, and Stopped retains the
prior failure cause for diagnostics.

VirtualClusterLifecycleManager wraps the state in an AtomicReference
for thread-safe transitions, with structured logging on each transition.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Wire lifecycle manager into KafkaProxy startup and shutdown

Create a VirtualClusterLifecycleManager per virtual cluster during
startup, transitioning each to Serving on success. On shutdown,
beginShutdown() transitions serving clusters to Draining before the
Netty graceful shutdown, then completeShutdown() transitions them to
Stopped afterwards. Existing fail-fast behaviour is preserved.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Address review feedback on lifecycle manager

- Remove beginShutdown/completeShutdown composite methods from
  VirtualClusterLifecycleManager; KafkaProxy now calls startDraining,
  drainComplete, and stop directly
- Call initializationFailed(cause) from KafkaProxy startup catch block
  so Failed state carries the real failure cause
- Fix race in transition(): use transitionFn.apply(previous) instead of
  state.get() to avoid observing another thread's update
- Log at DEBUG for most transitions, INFO only for initial and terminal
  states

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Remove unused toInitializing() transitions from Draining and Failed

These transitions are valid in the proposal's state machine but have no
callers today — reload/recovery is deferred. Removing to avoid premature
API commitment; they can be re-added when reload is implemented.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Remove unnecessary throws declaration from test method

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Address review feedback: fix double-apply, log levels, and Initializing→Stopped

- Fix transition() to use get()+updateAndGet() instead of re-applying the
  transition function to derive the new state for logging
- Log all transitions at INFO, Failed transitions at WARN
- Support Initializing→Stopped transition so VCs are not orphaned if
  shutdown occurs during startup
- Assert failure cause on Stopped state in startup failure test

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Replace AtomicReference with synchronized in VirtualClusterLifecycleManager

The AtomicReference approach had a race between state.get() and
state.updateAndGet() where another thread could advance the state,
causing incorrect log messages. Using synchronized makes the
read-transition-log sequence atomic. This is sufficient for the
single-shot proxy lifecycle where contention is not a concern.

Also adjusts log levels: INFO for significant states (Serving, Failed,
Stopped), DEBUG for intermediate transitions (Draining).

Closes kroxylicious#3696

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* refactor(runtime): extract VirtualClusterManager from KafkaProxy (#87)

* Add VirtualClusterManager with construction, accessors, and tests

Introduces VirtualClusterManager as the single source of truth for which
virtual clusters exist and their current lifecycle state. VCM owns the
cluster config tree and lifecycle managers but does not manage networking,
endpoint registration, or metrics — those remain with KafkaProxy.

The onVirtualClusterStopped callback notifies the owner when a VC reaches
terminal Stopped state, allowing proxy-level policy decisions.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Add per-VC lifecycle transitions with callback

Adds initializationSucceeded(clusterName) and initializationFailed(clusterName, cause)
to VirtualClusterManager. On failure, the VC transitions immediately from Failed to
Stopped (no recovery path today) and fires the onVirtualClusterStopped callback with
the failure cause.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Add bulk shutdown transitions and return value

Adds transitionAllToDraining() and transitionAllToStopped() to VirtualClusterManager.
transitionAllToStopped() returns boolean indicating whether all clusters are now stopped,
so KafkaProxy doesn't need to poll individual lifecycle managers.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Wire VirtualClusterManager into KafkaProxy

KafkaProxy now delegates virtual cluster lifecycle management to
VirtualClusterManager instead of managing lifecycle managers directly.
Removes private transitionAllToDraining/transitionAllToStopped methods
and the lifecycleManagers map in favour of VCM.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Make VirtualClusterManager non-nullable in KafkaProxy

Move VCM construction from startup() to the constructor so it can be
final and non-nullable, eliminating null guards throughout.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Improve onVirtualClusterStopped callback logging

Log at WARN with a message that reflects the serve:none policy intent.
Add TODO noting the callback should eventually drive proxy shutdown
rather than relying on the caller.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

---------

Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Address review feedback: naming conventions, javadoc, and logging

- Rename getState()/getClusterName() to state()/clusterName() on
  VirtualClusterLifecycleManager per project accessor conventions
- Rename getVirtualClusterModels() to virtualClusterModels() on
  VirtualClusterManager
- Rename terse field 'vcm' to 'virtualClusterManager' in KafkaProxy
- Fix transitionAllToDraining() javadoc: clarify that Failed/Stopped
  clusters are skipped, not transitioned by this method
- Fix logging key from 'cause' to 'error' with Throwable::getMessage
  per logging conventions
- Add comment documenting the all-or-nothing startup assumption at
  the initializationFailed call site

Assisted-by: Claude claude-opus-4-6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Address review feedback: lazy logging, argumentSet, and javadoc fixes

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

* Rename transitionAllToStopped to completeDraining

The previous name implied all clusters would be transitioned, but the
method only completes the draining→stopped transition. The new name
better describes the actual behaviour.

Assisted-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

---------

Signed-off-by: Sam Barker <sam@quadrocket.co.uk>

Author: SamBarker

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/KafkaProxy.java

@@ -57,6 +57,8 @@
 import io.kroxylicious.proxy.internal.KafkaProxyInitializer;
 import io.kroxylicious.proxy.internal.MeterRegistries;
 import io.kroxylicious.proxy.internal.PortConflictDetector;
+import io.kroxylicious.proxy.internal.VirtualClusterLifecycleManager;
+import io.kroxylicious.proxy.internal.VirtualClusterManager;
 import io.kroxylicious.proxy.internal.admin.ManagementInitializer;
 import io.kroxylicious.proxy.internal.config.Features;
 import io.kroxylicious.proxy.internal.net.DefaultNetworkBindingOperationProcessor;
@@ -149,6 +151,7 @@ private static int resolveThreadCount(Configuration configuration, Function<Netw
     private final NetworkBindingOperationProcessor bindingOperationProcessor = new DefaultNetworkBindingOperationProcessor();
     private final EndpointRegistry endpointRegistry = new EndpointRegistry(bindingOperationProcessor);
     private final PluginFactoryRegistry pfr;
+    private final VirtualClusterManager virtualClusterManager;
     private @Nullable MeterRegistries meterRegistries;
     private @Nullable FilterChainFactory filterChainFactory;
     private @Nullable EventGroupConfig managementEventGroup;
@@ -160,6 +163,10 @@ public KafkaProxy(PluginFactoryRegistry pfr, Configuration config, Features feat
         this.virtualClusterModels = config.virtualClusterModel();
         this.managementConfiguration = config.management();
         this.micrometerConfig = config.getMicrometer();
+        this.virtualClusterManager = new VirtualClusterManager(virtualClusterModels, (clusterName, cause) -> STARTUP_SHUTDOWN_LOGGER.atWarn()
+                .addKeyValue("virtualCluster", clusterName)
+                .addKeyValue("error", cause.map(Throwable::getMessage).orElse(null))
+                .log("Virtual cluster reached terminal stopped state, proxy shutdown required"));
     }
 
     @VisibleForTesting
@@ -216,6 +223,7 @@ public KafkaProxy startup() {
 
             STARTUP_SHUTDOWN_LOGGER.atInfo()
                     .log("Kroxylicious is starting");
+
             meterRegistries = new MeterRegistries(pfr, micrometerConfig);
             initVersionInfoMetric();
 
@@ -252,6 +260,8 @@ public KafkaProxy startup() {
                             .toArray(CompletableFuture[]::new))
                     .join();
 
+            virtualClusterModels.forEach(model -> virtualClusterManager.initializationSucceeded(model.getClusterName()));
+
             STARTUP_SHUTDOWN_LOGGER.atInfo()
                     .log("Kroxylicious is started");
             return this;
@@ -260,6 +270,11 @@ public KafkaProxy startup() {
             STARTUP_SHUTDOWN_LOGGER.atError()
                     .setCause(e)
                     .log("Exception during startup, shutting down");
+            // TODO: the onVirtualClusterStopped callback should drive the serve:none policy (triggering proxy shutdown)
+            // rather than relying on the caller to call shutdown() separately. Currently the callback only logs.
+            // All VCs are failed with the same exception because startup is all-or-nothing:
+            // initializationSucceeded is only called after all VCs register successfully (line 263).
+            virtualClusterModels.forEach(model -> virtualClusterManager.initializationFailed(model.getClusterName(), e));
             shutdown();
             throw new LifecycleException("Startup completed exceptionally", e);
         }
@@ -357,6 +372,7 @@ public void shutdown() {
         try {
             STARTUP_SHUTDOWN_LOGGER.atInfo()
                     .log("Shutting down");
+            virtualClusterManager.transitionAllToDraining();
             endpointRegistry.shutdown().handle((u, t) -> {
                 bindingOperationProcessor.close();
                 var closeFutures = new ArrayList<Future<?>>();
@@ -378,6 +394,7 @@ public void shutdown() {
                 }
                 return null;
             }).toCompletableFuture().join();
+            virtualClusterManager.completeDraining();
             if (meterRegistries != null) {
                 meterRegistries.close();
             }
@@ -394,6 +411,17 @@ public void shutdown() {
         }
     }
 
+    /**
+     * Returns the lifecycle manager for the given virtual cluster name.
+     * @param clusterName the virtual cluster name
+     * @return the lifecycle manager, or null if no cluster with that name exists
+     */
+    @VisibleForTesting
+    @Nullable
+    VirtualClusterLifecycleManager lifecycleManagerFor(String clusterName) {
+        return virtualClusterManager.lifecycleManagerFor(clusterName);
+    }
+
     @Override
     public void close() throws Exception {
         if (running.get()) {

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/VirtualClusterLifecycleManager.java

@@ -0,0 +1,127 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.proxy.internal;
+
+import java.util.Objects;
+import java.util.function.UnaryOperator;
+
+import org.slf4j.Logger;
+import org.slf4j.LoggerFactory;
+
+import io.kroxylicious.proxy.internal.VirtualClusterLifecycleState.Draining;
+import io.kroxylicious.proxy.internal.VirtualClusterLifecycleState.Failed;
+import io.kroxylicious.proxy.internal.VirtualClusterLifecycleState.Initializing;
+import io.kroxylicious.proxy.internal.VirtualClusterLifecycleState.Serving;
+import io.kroxylicious.proxy.internal.VirtualClusterLifecycleState.Stopped;
+
+/**
+ * Manages the lifecycle state of a single virtual cluster.
+ * <p>
+ * Thread-safe: state transitions are performed under synchronization so that the
+ * read-transition-log sequence is atomic. This is sufficient for the single-shot
+ * proxy lifecycle where contention is not a concern.
+ * </p>
+ */
+public class VirtualClusterLifecycleManager {
+
+    private static final Logger LOGGER = LoggerFactory.getLogger(VirtualClusterLifecycleManager.class);
+
+    private final String clusterName;
+    private VirtualClusterLifecycleState state = new Initializing();
+
+    public VirtualClusterLifecycleManager(String clusterName) {
+        this.clusterName = Objects.requireNonNull(clusterName);
+    }
+
+    /**
+     * Transitions from {@link Initializing} to {@link Serving}.
+     */
+    public void initializationSucceeded() {
+        transition(current -> {
+            if (current instanceof Initializing s) {
+                return s.toServing();
+            }
+            throw unexpectedState(current, "initializationSucceeded");
+        });
+    }
+
+    /**
+     * Transitions from {@link Initializing} to {@link Failed}, recording the cause.
+     */
+    public void initializationFailed(Throwable cause) {
+        Objects.requireNonNull(cause);
+        transition(current -> {
+            if (current instanceof Initializing s) {
+                return s.toFailed(cause);
+            }
+            throw unexpectedState(current, "initializationFailed");
+        });
+    }
+
+    /**
+     * Transitions from {@link Serving} to {@link Draining}.
+     */
+    public void startDraining() {
+        transition(current -> {
+            if (current instanceof Serving s) {
+                return s.toDraining();
+            }
+            throw unexpectedState(current, "startDraining");
+        });
+    }
+
+    /**
+     * Transitions from {@link Draining} to {@link Stopped}.
+     */
+    public void drainComplete() {
+        transition(current -> {
+            if (current instanceof Draining s) {
+                return s.toStopped();
+            }
+            throw unexpectedState(current, "drainComplete");
+        });
+    }
+
+    /**
+     * Transitions to {@link Stopped} from {@link Failed} or {@link Initializing}.
+     */
+    public void stop() {
+        transition(current -> {
+            if (current instanceof Failed s) {
+                return s.toStopped();
+            }
+            if (current instanceof Initializing s) {
+                return s.toStopped();
+            }
+            throw unexpectedState(current, "stop");
+        });
+    }
+
+    public synchronized VirtualClusterLifecycleState state() {
+        return state;
+    }
+
+    public String clusterName() {
+        return clusterName;
+    }
+
+    private synchronized void transition(UnaryOperator<VirtualClusterLifecycleState> transitionFn) {
+        VirtualClusterLifecycleState previous = state;
+        state = transitionFn.apply(state);
+        var logBuilder = (state instanceof Serving || state instanceof Failed || state instanceof Stopped) ? LOGGER.atInfo() : LOGGER.atDebug();
+        logBuilder
+                .addKeyValue("virtualCluster", clusterName)
+                .addKeyValue("from", () -> previous.getClass().getSimpleName())
+                .addKeyValue("to", () -> state.getClass().getSimpleName())
+                .log("Virtual cluster lifecycle transition");
+    }
+
+    private IllegalStateException unexpectedState(VirtualClusterLifecycleState current, String operation) {
+        return new IllegalStateException(
+                "Cannot " + operation + " for virtual cluster '" + clusterName + "' in state " + current.getClass().getSimpleName());
+    }
+}

kroxylicious-runtime/src/main/java/io/kroxylicious/proxy/internal/VirtualClusterLifecycleState.java

@@ -0,0 +1,96 @@
+/*
+ * Copyright Kroxylicious Authors.
+ *
+ * Licensed under the Apache Software License version 2.0, available at http://www.apache.org/licenses/LICENSE-2.0
+ */
+
+package io.kroxylicious.proxy.internal;
+
+import java.util.Objects;
+
+import edu.umd.cs.findbugs.annotations.Nullable;
+
+/**
+ * Lifecycle states for a virtual cluster.
+ * <p>
+ * Each virtual cluster has exactly one state at any time. States are immutable
+ * records; transitions produce a new state instance.
+ * </p>
+ *
+ * @see <a href="https://github.com/kroxylicious/design/blob/main/proposals/016-virtual-cluster-lifecycle.md">Proposal 016</a>
+ */
+public sealed interface VirtualClusterLifecycleState {
+
+    /** The cluster is being set up. Not yet serving traffic. */
+    record Initializing() implements VirtualClusterLifecycleState {
+
+        /**
+         * Configuration applied successfully.
+         * @return the new serving state
+         */
+        public Serving toServing() {
+            return new Serving();
+        }
+
+        /**
+         * Configuration could not be applied.
+         * @param cause the failure reason
+         * @return the new failed state
+         */
+        public Failed toFailed(Throwable cause) {
+            return new Failed(cause);
+        }
+
+        /**
+         * Cluster removed before initialization completed (e.g. proxy shutdown during startup).
+         * @return the new stopped state
+         */
+        public Stopped toStopped() {
+            return new Stopped(null);
+        }
+    }
+
+    /** The proxy has completed setup and is serving traffic for this cluster. */
+    record Serving() implements VirtualClusterLifecycleState {
+
+        /**
+         * The cluster is being shut down or reconfigured.
+         * @return the new draining state
+         */
+        public Draining toDraining() {
+            return new Draining();
+        }
+    }
+
+    /** New connections are rejected. Existing in-flight requests are completing. */
+    record Draining() implements VirtualClusterLifecycleState {
+
+        /**
+         * Drain complete, cluster permanently removed.
+         * @return the new stopped state
+         */
+        public Stopped toStopped() {
+            return new Stopped(null);
+        }
+
+    }
+
+    /** Configuration was not viable. All resources have been released. */
+    record Failed(Throwable cause) implements VirtualClusterLifecycleState {
+
+        public Failed {
+            Objects.requireNonNull(cause);
+        }
+
+        /**
+         * The cluster is being permanently removed.
+         * @return the new stopped state, retaining the failure cause for diagnostics
+         */
+        public Stopped toStopped() {
+            return new Stopped(cause);
+        }
+    }
+
+    /** Terminal state. The cluster has been permanently removed. */
+    record Stopped(@Nullable Throwable priorFailureCause) implements VirtualClusterLifecycleState {}
+}