catalog: Catalog backend migration design

[jkosh44]

This commit adds a design doc for how to migrate user environments from
using the stash to persist as a backing store for the catalog. It uses
a single tombstone values.

Works towards resolving MaterializeInc/database-issues#6762

Motivation

This PR adds a known-desirable feature.

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered.
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• This PR includes the following user-facing behavior changes:
  • There are no user-facing behavior changes.

[danhhz]

Approach makes sense to me!

[danhhz]

What is the "persist epoch"? Is it the same as this one "The catalog durably stores a fencing token called the epoch."?

[jkosh44]

Oops, copy and paste error, just fixed this.

[danhhz]

I also prefer the proposed design over this alternative because I like having a single place to check for which one to use

[danhhz]

I also think no. Reducing complexity and the potential for bugs here is more important than minor startup time optimizations

[maddyblue]

Do we care about the previous state of the persist catalog? Must it be empty? Should be written down.

[jkosh44]

Just pushed an update, we should replace whatever the previous state was with the new snapshot.

[maddyblue]

Same question: do we need to assert anything about the state of the stash?

[maddyblue]

What happens if there is a crash between steps 5 and 6? If this data was from step 5 above, then the persist tombstone will be empty or false (since the stash to persist migration is done at step 3 if it is true). That seems ok? Was trying to think through if steps 5 and 6 here and maybe above MUST be done as a single transaction, but seems like that does not need to be the case.

[jkosh44]

Yeah, if we crash between steps 5 and 6 we should be fine. When writing this I actually tried to add a specific section on that scenario, but couldn't figure out the right words.

The idea is that at all times one of the backing stores is the "source of truth", i.e. contains correct data, and the other backing store can be treated as having complete garbage. It might have stale data, it might have no data, it might even have the correct up to date data, but we just treat it as complete garbage. So after step 5, both the stash and persist have the exact same correct data. However, since we haven't flipped the tombstone flag, we treat the stash data as the source of truth and the persist data as garbage. If we crash here, we have the start the whole process over, as if we had never copied the data into persist, even if we end up making no real changes. The same idea applies if another writer fences us out in-between step 5 and 6, they have to start from the beginning and treat the persist data as garbage and the stash as the source of truth.