Skip to content

feat: add the EtcdMirror replication engine library (pkg/mirroragent)#407

Open
xrl wants to merge 5 commits into
etcd-io:mainfrom
xrl:pr/etcdmirror-mirror-agent-lib
Open

feat: add the EtcdMirror replication engine library (pkg/mirroragent)#407
xrl wants to merge 5 commits into
etcd-io:mainfrom
xrl:pr/etcdmirror-mirror-agent-lib

Conversation

@xrl

@xrl xrl commented Jul 7, 2026

Copy link
Copy Markdown

Adds pkg/mirroragent: the EtcdMirror replication engine as a standalone library with zero Kubernetes dependency — pure etcd clientv3 against a Config, consumed by the agent binary and controller in the next PRs of the series. Builds on the EtcdMirror API PR (types only); this PR adds no controller or workload wiring.

Depends on: #406 (EtcdMirror CRD/API types — the previous rung of this series).

Architecture

Unpinned chunked scan + watch-replay from R0 (the reflector pattern), rather than mirror.Syncer. Why mid-scan compaction cannot wedge the engine:

  1. At scan start one linearizable Get (WithCountOnly) returns Header.Revision = R0 and the total count in a single RPC.
  2. The watch opens at R0+1 before any scan page is read. R0 was observed this instant by a linearizable read, so it cannot already be compacted.
  3. Every scan page is an unpinned Get (no WithRev). ErrCompacted is a property of reads pinned below the compact revision; an unpinned read is immune by construction, at every point during the scan, regardless of concurrent compactions. The failure class is removed, not detected-and-retried.
  4. The only remaining compaction hazard is the watch stream itself going quiet long enough that a re-Watch(WithRev(watermark+1)) lands below the compact revision — identical in shape during InitialSync and steady state, handled by one mechanism: forced resync with a mandatory mark-and-sweep prune (durable across crashes via a prune-pending flag in the checkpoint).

Scan and watch are not sequential phases with a handoff race: the watch is live for the entire scan, and scan writes may interleave with replayed watch writes because both write the same idempotent final value for a given key — convergence to the last-write value; a duplicate Put of identical content is a correctness no-op.

Fence protocol

The checkpoint/watermark is stored in the target etcd at a reserved key (\x00-after-prefix convention; exact-match excluded from scans, counts, prune and RequireEmpty), written in the same Txn as each applied batch. All safety rests on one discipline, identical on every write path (apply, reconcile repair, prune delete, cutover role-flip):

If(Compare(ModRevision(fenceKey), "=", observedModRev)).
Then(dataOps..., Put(fenceKey, next))
// on !Succeeded: re-read, recompute, retry — never blind re-Commit

etcd's Compare has no JSON-field predicates, so linkUID/epoch/role are payload for humans and the engine's state machine, never comparison predicates. Cutover safety falls out for free: the role-flip Txn bumps the fence's ModRevision, so any writer holding a pre-flip observedModRev fails its next compare loudly — no special role-check code. An undecodable checkpoint fails closed (permanent, operator inspects and deletes the reserved key): a corrupt fence proves nothing about ownership, so no write — least of all a resync's prune — is provably safe.

Retry ownership: clientv3 auto-retries Gets only on codes.Unavailable; Txn/Put/Delete are write-at-most-once. The engine owns 100% of write-path retry/backoff, and a fenced-Txn retry after an ambiguous timeout re-reads the fence first (the Txn's own success bumped the fence ModRevision).

Bounded memory, batching, error taxonomy

  • Pull-based single-page scan with byte-bounded pages (adaptive per-page limit — the Range API has no byte-limit primitive); watch replay buffer bounded by watchBufferBytes, on overflow the scan restarts from a fresh R0 (a bounded retry, not unbounded growth).
  • Batches flush only at source-revision boundaries (whole revisions coalesced, never split); one MaxTxnOps slot reserved for the checkpoint write.
  • codes.ResourceExhausted is disambiguated three ways — ErrNoSpace → quota (park until operator acts), ErrTooManyRequests → throttle (distinct backoff curve), client send-cap → permanent — never classified by gRPC code alone. Keys surfaced in errors are redacted (spec-public prefix + sha256 stub); values never surface. An N-consecutive-forced-resync livelock detector catches retention-vs-throughput misconfiguration (ResyncLoopDetected).
  • Liveness: watermark-derived progress via WithProgressNotify + WithRequireLeader + client-driven RequestProgress, gRPC keepalives on both clients, per-unary-RPC deadlines (watch excluded). A version probe at connect enforces the ≥3.4 source floor and gates progress-notify trust on 3.4.25/3.5.8.

Tests

Unit tests per module (fence encode/decode + corruption fail-closed, error classification table incl. the three-way ResourceExhausted split, batch revision-boundary/flush accounting, rewrite formula, config validation, backoff curve mapping, key redaction) plus an embedded-etcd integration suite: cold start, live tail, mid-scan compaction, restart resume, fence overlap between two agents, role-flip cutover fencing, oversized revisions, all three initialSync modes, drain, target quota exhaustion, watch-buffer overflow restart, prune-pending crash-resume, cluster-ID-mismatch re-arm, resync-loop detection, excluded prefixes, corrupt/future-version checkpoints, version floor, progress-notify metadata regression, and idempotent replay.

Verified with make test and make verify.


PR series — operability fixes, TLS & EtcdMirror

Small single-purpose PRs from live kind-cluster testing of the operator. Each stands alone unless an After is listed. → = this PR.

PR Lands After
Reviewable now — small, any order
🟢 #374 Requeue instead of swallowing the client-cert provisioning error
🟢 #391 Grant events.k8s.io RBAC so operator Events are actually recorded
🟢 #392 Correlate members[]/leaderID from one health snapshot (consistent leader)
🟢 #393 Propagate user-supplied altNames.ipAddresses into certificates
🟢 #394 Accept day-suffix validityDuration (365d, 100d12h) as documented
🟢 #395 Surface early reconcile errors as a Degraded condition (was empty status)
🟢 #379 Configurable reconcile worker pool (--max-concurrent-reconciles)
🟢 #369 kind-based stress/scale e2e harness (1/3/7 members, churn, quorum watcher)
🟢 #398 podTemplate.spec scheduling fields: topologySpread, resources, priorityClass, schedulerName
🟢 #397 First-class Helm chart covering the full config/ surface
🟢 #399 Quorum-aware PodDisruptionBudget per EtcdCluster
🟢 #400 Scale-in removes the right member and transfers leadership first
🟢 #401 Backend quota + auto-compaction spec fields, NOSPACE alarm surfacing
🟢 #402 Reconcile-loop gates replace the blocking StatefulSet-ready wait
🟢 #403 Quorum-gated one-pod-at-a-time version upgrades via OnDelete
TLS stack — in order
🟢 #376 Independent spec.tls.{peer,client} surfaces (breaking alpha API)
#377 TLSReady condition + TLS lifecycle Events #376
#378 Multi-member TLS quorum e2e + PeerCANotShared #377
EtcdMirror — in order
🟢 #406 EtcdMirror CRD: one-way cross-cluster replication API (types + CEL)
🟢→ #407 pkg/mirroragent replication engine (fenced checkpoint-in-target) #406
🟢 #408 Periodic reconciliation pass wired into the engine's steady-state loop #407
🟢 #412 mirror-agent binary: config/TLS-reload/statusz/metrics + kind e2e #408
🟢 #413 EtcdMirror controller: Deployment rendering, statusz-driven conditions, guards, fenced finalizer #412
🟢 #414 CRD/sample/editor+viewer-role kustomize wiring #413
🟢 #415 Controller-side phase/condition gauges, shipped PrometheusRule + dashboard #414
🟢 #416 Full-lifecycle kind e2e: fence overlap, compaction+prune, restart resume, cert rotation, cutover/reversal #415
Parked as drafts pending #363
#382 Per-cluster domain metrics on the operator /metrics endpoint
#384 EtcdCluster admission webhooks (consolidating with #328) #363
#386 EtcdBackup CR → object storage (S3/GCS) #363
#387 Automatic quorum-loss disaster recovery (bootstrap-latch guarded) #363

🟢 ready · ⚪ draft

xrl and others added 3 commits July 1, 2026 12:30
Introduces the EtcdMirror CRD (schema only, no controller/agent) that
will describe a continuous one-way key-range sync from a source etcd
cluster to a target etcd cluster. Adds EtcdMirrorSpec/Status, the
EtcdMirrorEndpoint/TLS/Auth/Sync/Checkpoint/Reconciliation sub-specs,
phase and condition constants (including TargetThrottled and
ReplicationLagExceeded), printer columns, and CEL XValidation rules
for the destPrefix/noDestPrefix mutual exclusion, the
endpointList/serviceRef oneOf, and the insecureSkipVerify/
insecureSkipVerifyAcknowledgeRisk companion-field requirement.

Registers EtcdMirror/EtcdMirrorList in the scheme, regenerates
zz_generated.deepcopy.go and the CRD manifest via controller-gen, and
adds a realistic sample CR. CEL rules are covered by a table-driven
envtest suite in etcdmirror_cel_test.go, following the
tls_cel_test.go pattern, exercised against a real envtest apiserver.

The design's Metrics field (reusing EtcdClusterSpec's MetricsSpec) is
intentionally omitted: MetricsSpec does not exist on this branch yet
and will land with pr/domain-metrics; it will be added in a later PR
once that type is importable.

No controller or agent logic in this PR -- types, generated code, and
CRD schema only.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Signed-off-by: Xavier Lange <xrlange@gmail.com>
Reshape the EtcdMirror API for the Design-3 engine (checkpoint stored in
the target etcd, stateless agent) per the 48-finding cross-cloud review.

Deletions:
- checkpoint.storageSpec (no PVC; checkpoint lives in the target at a
  reserved fenced key)
- expectEmptyPrefix (superseded by initialSync.mode)
- noDestPrefix (redundant; one anchored rewrite formula
  key' = target.prefix + destPrefix + TrimPrefix(key, source.prefix))
- syncInterval

Additions/renames:
- spec.mode: Sync|Drain; status.cutover{drainTargetRevision,
  drainedRevision, verifiedTime, counts, leasedKeyCount}
- initialSync.mode: RequireEmpty|Overwrite|OverwriteAndPrune,
  startRevision
- sync: requestTimeout, excludePrefixes, pageKeyLimit,
  watchBufferBytes; batching flushes only at source-revision boundaries
- TLS: secretRef pointerized (nil = system trust roots), caBundleRef
- pod resources; configurable reserved checkpoint key
- watermark-derived lag/liveness semantics; frozen condition vocabulary
  (TargetQuotaExhausted, ResyncLoopDetected, CutoverReady,
  InvariantsHeld, LearnerEndpoint, Prefix/DirectionConflict) and Event
  Reason constants as API contract
- status: source/target versions and cluster IDs, leaseBackedKeyCount,
  always-on source/target key counts, initialSyncTotalKeyCount
- CEL: scheme-vs-TLS rules, prefix/rewrite immutability
- docs/etcdmirror.md (fidelity caveats, one-way contract) and
  regenerated API reference

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Xavier Lange <xrlange@gmail.com>
Purpose-built replication engine, zero k8s dependency; replaces the
clientv3 mirror.Syncer plan.

Architecture: unpinned chunked scan + watch-replay from R0 (reflector
pattern) — the watch starts at the revision observed before the scan
and events are buffered/replayed over the scanned base, eliminating
mid-scan compaction as a failure class. Pull-based single-page scan
with byte-bounded pages keeps agent memory bounded; the source watch
is cancelled on sustained target backoff and resumed from checkpoint.

Fence protocol: checkpoint/watermark stored in the target etcd at a
reserved key (\x00-after-prefix convention, exact-match excluded from
scans/counts/prune/RequireEmpty), written in the same Txn as each
applied batch and guarded by a mod_revision compare on every write
path (applies, reconciliation repairs, prune deletes). Fence value
carries {linkUID, epoch, role}; role flips to Primary at cutover so
straggler applies fail their compare loudly. Undecodable checkpoints
fail closed; prune-pending is durable across restarts.

Batching: flush only at source-revision boundaries (whole revisions
coalesced, never split), ~1MiB byte watermark, one MaxTxnOps slot
reserved for the checkpoint write.

Error taxonomy: ErrCompacted classified distinctly;
rpctypes.ErrNoSpace -> TargetQuotaExhausted (permanent until operator
acts); oversized-Txn InvalidArgument and >2MiB client send-cap
ResourceExhausted both permanent with the offending key surfaced
redacted; throttle-distinct backoff; N-consecutive-forced-resync
livelock detector.

Liveness: watermark-derived progress via WithProgressNotify +
WithRequireLeader, client-driven RequestProgress, gRPC keepalives on
both clients, per-unary-RPC deadlines (watch excluded). Version probe
at connect enforces the >=3.4 source floor and gates progress-notify
trust on 3.4.25/3.5.8. Anchored prefix rewrite via the single
documented formula. Lease-backed keys detected and counted
(kv.Lease != 0).

Tests: unit coverage per module plus an embedded-etcd integration
suite covering scan/tail convergence, fence overlap and epoch/role
rejection, compaction during scan and drain, forced-resync
mark-and-sweep, checkpoint resume, prune, and error classification.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Xavier Lange <xrlange@gmail.com>
@kubernetes-prow

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: xrl
Once this PR has been reviewed and has the lgtm label, please assign ivanvc for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow

Copy link
Copy Markdown

Hi @xrl. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

This was referenced Jul 7, 2026
A single post-heal put can race the recovery attempt's restart backoff
and land below the scan's R0: the scan applies it, the live tail has
nothing to deliver, and no live apply ever clears the latch. Write a
fresh key per poll tick so one is guaranteed to arrive via the tail.

Signed-off-by: Xavier Lange <xrlange@gmail.com>
Data convergence and the checkpoint write that clears PrunePending are
separate Txns; a one-shot fence read can land between them under load.

Signed-off-by: Xavier Lange <xrlange@gmail.com>
(cherry picked from commit e9d2e9f2e7327a355e09f0eadafb2ce03e8b834f)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant