Skip to content

feat: add the mirror-agent binary for EtcdMirror (config, TLS reload, statusz/metrics, kind e2e)#412

Open
xrl wants to merge 10 commits into
etcd-io:mainfrom
xrl:pr/etcdmirror-mirror-agent-bin
Open

feat: add the mirror-agent binary for EtcdMirror (config, TLS reload, statusz/metrics, kind e2e)#412
xrl wants to merge 10 commits into
etcd-io:mainfrom
xrl:pr/etcdmirror-mirror-agent-bin

Conversation

@xrl

@xrl xrl commented Jul 7, 2026

Copy link
Copy Markdown

Adds cmd/mirror-agent: the standalone binary that wires the pkg/mirroragent replication engine (#407) to real configuration, TLS, and auth, and exposes the agent's observability surface. The EtcdMirror controller (next PR in the series) renders a Deployment running this binary; its flag surface is that contract. Zero Kubernetes API dependency — the binary never talks to the apiserver.

Depends on: #408 (periodic reconciliation — previous rung of this series).

Configuration

Flags only, matching the repo's manager-binary conventions; secrets arrive as mounted-file paths (--source-username-file, --source-cert-file, …), never as flag values or env. Flag semantics mirror the CRD field docs exactly: endpoint scheme normalization follows the same rules as the API's CEL validation, --watch-buffer-bytes stays in lockstep with the engine default, and --reconcile-enabled without an interval translates to the documented 1h default. Empty credential files fail startup rather than silently disabling auth, and setting any TLS material flag without --<side>-tls is a startup error rather than a silent cleartext downgrade.

TLS and auth

Client TLS is built from file paths via go.etcd.io/etcd/client/pkg/v3/transport.TLSInfo, so the leaf cert/key are re-read from the mount on every handshake — the rotation contract pinned in the API docs ("rotation requires no pod restart"). A separate --<side>-ca-bundle-file takes precedence over the identity secret's ca.crt (mirroring tls.caBundleRef); an empty TLS config means server-auth against system roots. Username/password auth is per side; when both a token identity and a client-cert CN are present the token identity wins, matching the documented CRD contract.

Observability

  • /statusz — the engine Snapshot serialized through its JSON tags; this is the wire contract the controller decodes (same Go type, no shadow struct to drift). Includes watermark, per-side cluster IDs (string-encoded — uint64s don't survive float64 JSON consumers) and versions, initial-sync progress with denominator, keysAppliedTotal, forced-resync counts by reason, key counts, the cutover block, and the last scan-restart cause.
  • /metrics — a standalone Prometheus registry (the agent is not a controller-runtime manager): watermark/lag/progress gauges, keys_applied_total, forced_resync_total{reason} (every known reason pre-seeded at 0 so increase() catches the first resync), drift gauges, and tls_cert_expiry_timestamp_seconds{side,kind} read from the cert files on a refresh ticker.
  • /healthz (process liveness) and /readyz (past Connecting and not Failed; Degraded and Drained both count as ready — Degraded is backoff, not death, and a drained agent must keep serving its terminal status).
  • On a terminal state the process lingers serving /statusz so the controller can observe the terminal snapshot; exit codes distinguish clean shutdown, transient-loop exit, and permanent failure. A second SIGTERM/SIGINT breaks a wedged shutdown.

Packaging

Both binaries ship in the existing single image (ENTRYPOINT stays /manager; the Deployment sets command: ["/mirror-agent"]). make build produces bin/mirror-agent alongside bin/manager.

Tests

Unit tests cover config translation/validation (quantities, endpoint normalization, reconcile translation, repeatable exclude-prefix), TLS wiring (per-handshake reload, bundle precedence, material-without-tls rejection), auth file handling, /statusz//readyz semantics per phase, the metrics collector (including conditional series absence), and cert-expiry gauges with generated certs; a live test drives the real run() wiring against two embedded etcds.

A kind e2e (TestMirrorAgent) runs the shipped image in-cluster: two size-1 EtcdClusters plus a mirror-agent pod; 10 keys written to the source are readable from the target in ~330ms, a delete propagates in ~330ms, and /statusz+/metrics are asserted to advance (keysAppliedTotal ≥ writes, watermark movement, phase Syncing). The suite's go test timeout is raised to 30m to keep worst-case waits inside the binary timeout.

Verified with make test, make verify, make build, and the kind e2e run.


PR series — operability fixes, TLS & EtcdMirror

Small single-purpose PRs from live kind-cluster testing of the operator. Each stands alone unless an After is listed. → = this PR.

PR Lands After
Reviewable now — small, any order
🟢 #374 Requeue instead of swallowing the client-cert provisioning error
🟢 #391 Grant events.k8s.io RBAC so operator Events are actually recorded
🟢 #392 Correlate members[]/leaderID from one health snapshot (consistent leader)
🟢 #393 Propagate user-supplied altNames.ipAddresses into certificates
🟢 #394 Accept day-suffix validityDuration (365d, 100d12h) as documented
🟢 #395 Surface early reconcile errors as a Degraded condition (was empty status)
🟢 #379 Configurable reconcile worker pool (--max-concurrent-reconciles)
🟢 #369 kind-based stress/scale e2e harness (1/3/7 members, churn, quorum watcher)
🟢 #398 podTemplate.spec scheduling fields: topologySpread, resources, priorityClass, schedulerName
🟢 #397 First-class Helm chart covering the full config/ surface
🟢 #399 Quorum-aware PodDisruptionBudget per EtcdCluster
🟢 #400 Scale-in removes the right member and transfers leadership first
🟢 #401 Backend quota + auto-compaction spec fields, NOSPACE alarm surfacing
🟢 #402 Reconcile-loop gates replace the blocking StatefulSet-ready wait
🟢 #403 Quorum-gated one-pod-at-a-time version upgrades via OnDelete
TLS stack — in order
🟢 #376 Independent spec.tls.{peer,client} surfaces (breaking alpha API)
#377 TLSReady condition + TLS lifecycle Events #376
#378 Multi-member TLS quorum e2e + PeerCANotShared #377
EtcdMirror — in order
🟢 #406 EtcdMirror CRD: one-way cross-cluster replication API (types + CEL)
🟢 #407 pkg/mirroragent replication engine (fenced checkpoint-in-target) #406
🟢 #408 Periodic reconciliation pass wired into the engine's steady-state loop #407
🟢→ #412 mirror-agent binary: config/TLS-reload/statusz/metrics + kind e2e #408
🟢 #413 EtcdMirror controller: Deployment rendering, statusz-driven conditions, guards, fenced finalizer #412
🟢 #414 CRD/sample/editor+viewer-role kustomize wiring #413
🟢 #415 Controller-side phase/condition gauges, shipped PrometheusRule + dashboard #414
🟢 #416 Full-lifecycle kind e2e: fence overlap, compaction+prune, restart resume, cert rotation, cutover/reversal #415
Parked as drafts pending #363
#382 Per-cluster domain metrics on the operator /metrics endpoint
#384 EtcdCluster admission webhooks (consolidating with #328) #363
#386 EtcdBackup CR → object storage (S3/GCS) #363
#387 Automatic quorum-loss disaster recovery (bootstrap-latch guarded) #363

🟢 ready · ⚪ draft

xrl and others added 10 commits July 1, 2026 12:30
Introduces the EtcdMirror CRD (schema only, no controller/agent) that
will describe a continuous one-way key-range sync from a source etcd
cluster to a target etcd cluster. Adds EtcdMirrorSpec/Status, the
EtcdMirrorEndpoint/TLS/Auth/Sync/Checkpoint/Reconciliation sub-specs,
phase and condition constants (including TargetThrottled and
ReplicationLagExceeded), printer columns, and CEL XValidation rules
for the destPrefix/noDestPrefix mutual exclusion, the
endpointList/serviceRef oneOf, and the insecureSkipVerify/
insecureSkipVerifyAcknowledgeRisk companion-field requirement.

Registers EtcdMirror/EtcdMirrorList in the scheme, regenerates
zz_generated.deepcopy.go and the CRD manifest via controller-gen, and
adds a realistic sample CR. CEL rules are covered by a table-driven
envtest suite in etcdmirror_cel_test.go, following the
tls_cel_test.go pattern, exercised against a real envtest apiserver.

The design's Metrics field (reusing EtcdClusterSpec's MetricsSpec) is
intentionally omitted: MetricsSpec does not exist on this branch yet
and will land with pr/domain-metrics; it will be added in a later PR
once that type is importable.

No controller or agent logic in this PR -- types, generated code, and
CRD schema only.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Signed-off-by: Xavier Lange <xrlange@gmail.com>
Reshape the EtcdMirror API for the Design-3 engine (checkpoint stored in
the target etcd, stateless agent) per the 48-finding cross-cloud review.

Deletions:
- checkpoint.storageSpec (no PVC; checkpoint lives in the target at a
  reserved fenced key)
- expectEmptyPrefix (superseded by initialSync.mode)
- noDestPrefix (redundant; one anchored rewrite formula
  key' = target.prefix + destPrefix + TrimPrefix(key, source.prefix))
- syncInterval

Additions/renames:
- spec.mode: Sync|Drain; status.cutover{drainTargetRevision,
  drainedRevision, verifiedTime, counts, leasedKeyCount}
- initialSync.mode: RequireEmpty|Overwrite|OverwriteAndPrune,
  startRevision
- sync: requestTimeout, excludePrefixes, pageKeyLimit,
  watchBufferBytes; batching flushes only at source-revision boundaries
- TLS: secretRef pointerized (nil = system trust roots), caBundleRef
- pod resources; configurable reserved checkpoint key
- watermark-derived lag/liveness semantics; frozen condition vocabulary
  (TargetQuotaExhausted, ResyncLoopDetected, CutoverReady,
  InvariantsHeld, LearnerEndpoint, Prefix/DirectionConflict) and Event
  Reason constants as API contract
- status: source/target versions and cluster IDs, leaseBackedKeyCount,
  always-on source/target key counts, initialSyncTotalKeyCount
- CEL: scheme-vs-TLS rules, prefix/rewrite immutability
- docs/etcdmirror.md (fidelity caveats, one-way contract) and
  regenerated API reference

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Xavier Lange <xrlange@gmail.com>
Purpose-built replication engine, zero k8s dependency; replaces the
clientv3 mirror.Syncer plan.

Architecture: unpinned chunked scan + watch-replay from R0 (reflector
pattern) — the watch starts at the revision observed before the scan
and events are buffered/replayed over the scanned base, eliminating
mid-scan compaction as a failure class. Pull-based single-page scan
with byte-bounded pages keeps agent memory bounded; the source watch
is cancelled on sustained target backoff and resumed from checkpoint.

Fence protocol: checkpoint/watermark stored in the target etcd at a
reserved key (\x00-after-prefix convention, exact-match excluded from
scans/counts/prune/RequireEmpty), written in the same Txn as each
applied batch and guarded by a mod_revision compare on every write
path (applies, reconciliation repairs, prune deletes). Fence value
carries {linkUID, epoch, role}; role flips to Primary at cutover so
straggler applies fail their compare loudly. Undecodable checkpoints
fail closed; prune-pending is durable across restarts.

Batching: flush only at source-revision boundaries (whole revisions
coalesced, never split), ~1MiB byte watermark, one MaxTxnOps slot
reserved for the checkpoint write.

Error taxonomy: ErrCompacted classified distinctly;
rpctypes.ErrNoSpace -> TargetQuotaExhausted (permanent until operator
acts); oversized-Txn InvalidArgument and >2MiB client send-cap
ResourceExhausted both permanent with the offending key surfaced
redacted; throttle-distinct backoff; N-consecutive-forced-resync
livelock detector.

Liveness: watermark-derived progress via WithProgressNotify +
WithRequireLeader, client-driven RequestProgress, gRPC keepalives on
both clients, per-unary-RPC deadlines (watch excluded). Version probe
at connect enforces the >=3.4 source floor and gates progress-notify
trust on 3.4.25/3.5.8. Anchored prefix rewrite via the single
documented formula. Lease-backed keys detected and counted
(kv.Lease != 0).

Tests: unit coverage per module plus an embedded-etcd integration
suite covering scan/tail convergence, fence overlap and epoch/role
rejection, compaction during scan and drain, forced-resync
mark-and-sweep, checkpoint resume, prune, and error classification.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Signed-off-by: Xavier Lange <xrlange@gmail.com>
A single post-heal put can race the recovery attempt's restart backoff
and land below the scan's R0: the scan applies it, the live tail has
nothing to deliver, and no live apply ever clears the latch. Write a
fresh key per poll tick so one is guaranteed to arrive via the tail.

Signed-off-by: Xavier Lange <xrlange@gmail.com>
Deadline-driven pass on the steady-state tail loop: consume arms a timer
from a Run-goroutine-owned deadline and runs the diff-and-repair pass
inline, so it can never overlap the genesis scan, a forced-resync sweep
(which re-arms the deadline — it just produced the same signal), a drain
(whose own verification supersedes it), or itself. The drain repair
branch now records its drift, recordKeyCounts stamps the pass-completion
time on every counts-producing pass — including the count-only drain
verify — keeping the always-on counts contract behind InvariantsHeld,
and Validate rejects negative intervals.

Signed-off-by: Xavier Lange <xrlange@gmail.com>
- publish counts, pass timestamp, and drift in one Snapshot update inside
  reconcilePass; drop the torn caller-side recordDrift
- cancel the live source watch once a periodic/drain repair pass queues
  more than a few seconds of MaxOpsPerSecond pacing, bounding clientv3's
  unbounded per-watcher buffer during a long healthy pass
- correct the ReconcileInterval re-arm, key-count population, and
  maybeReconcile error-flow comments to match actual behavior
- damage the target atomically (single Txn) in the drift test so a pass
  boundary cannot split the damages across two drifts

Signed-off-by: Xavier Lange <xrlange@gmail.com>
…pshot

JSON-tag Snapshot/CutoverStatus/Drift (lowerCamel, omitzero on times) as
the /statusz wire contract, and add two additive fields the agent
binary's metrics need: KeysAppliedTotal (data ops committed in fenced
Txns) and ForcedResyncCountByReason (labeled-counter split of
ForcedResyncCount). No engine semantics change; no field renames.

Signed-off-by: Xavier Lange <xrlange@gmail.com>
cmd/mirror-agent wires pkg/mirroragent to real config, TLS and auth:

- Flags-only config (operator convention); secrets arrive as mounted-file
  paths, never flag values or env. Quantities parse as resource.Quantity;
  zero/unset selects engine defaults; the reconciliation enabled+interval
  -> ReconcileInterval translation (1h default) lands here as assigned.
- TLS per side via transport.TLSInfo file paths: the client leaf pair is
  re-read on every handshake, so certificate rotation needs no restart;
  --<side>-ca-bundle-file wins over --<side>-ca-file (caBundleRef
  precedence). Schemeless endpoints get the scheme implied by
  --<side>-tls; a contradicting scheme is an error (the CEL rules'
  binary mirror). RBAC auth reads username/password files once; the
  token identity wins over the certificate CN.
- One listener serves /statusz (JSON of the tagged mirroragent.Snapshot
  - the wire contract the controller decodes), /healthz (always 200),
  /readyz (ready = past Connecting and not Failed; Degraded and Drained
  are ready), /metrics (standalone Prometheus registry;
  etcd_mirror_agent_* incl. tls_cert_expiry_timestamp_seconds{side,kind}
  refreshed from the mounted files every 5m).
- On terminal engine states (drained / permanent failure) the process
  lingers serving status instead of exiting: a crashloop would hide the
  terminal state and re-run genesis under the same epoch. Exit 0 = clean
  signal shutdown, 1 = startup or permanent engine failure.
- Packaging: both binaries in the one existing image (ENTRYPOINT stays
  /manager; the rendered Deployment overrides command).

Signed-off-by: Xavier Lange <xrlange@gmail.com>
- Pre-initialize forced_resync_total at 0 for every known reason so
  rate()/increase() can see the first resync (a counter's first sample
  yields no delta); unknown future reasons still pass through.
- Serialize Snapshot cluster IDs as JSON strings: random uint64s exceed
  2^53 and round through float64-based consumers (jq, JavaScript),
  matching the checkpoint's existing convention.
- Reject TLS material flags (cert/key/ca/bundle/server-name/
  insecure-skip-verify) without --<side>-tls instead of silently
  dialing cleartext; gate the cert-expiry gauge on tls too.
- Fail startup on empty credential files: clientv3 silently skips
  authentication unless both username and password are non-empty.
- Don't log "engine failed permanently" (or linger) when Run's return
  raced a shutdown signal; classify cancellation once in one place.
- Restore default signal disposition after the first signal so a
  second SIGINT/SIGTERM kills a wedged shutdown, like the manager's
  ctrl.SetupSignalHandler.
- Make the live test's timeout diagnostic read the snapshot after
  polling (require.Eventually copies msgAndArgs before it).
- Drop PR-ladder "rung" vocabulary from doc comments.

Signed-off-by: Xavier Lange <xrlange@gmail.com>
Two size-1 EtcdClusters plus a mirror-agent pod wired source->target
in a dedicated namespace. Proves put/delete replication within a
polled 10s ceiling (250ms interval, convergence time logged) and that
/statusz (keysAppliedTotal, watermark, lastProgressTime) and the
/metrics keys_applied_total counter advance past baseline. The agent
image is distroless, so statusz/metrics are reached via the
API-server pod proxy.

Signed-off-by: Xavier Lange <xrlange@gmail.com>
@kubernetes-prow

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: xrl
Once this PR has been reviewed and has the lgtm label, please assign jmhbnz for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@kubernetes-prow

Copy link
Copy Markdown

Hi @xrl. Thanks for your PR.

I'm waiting for a etcd-io member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant