storage: allow kafka/loadgen sources on multi-replica clusters, gated by dyncfg

[aljoscha]

Version of #30003 with a dyncfg for enabling/disabling multi-replica sources

Motivation

Tips for reviewer

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

[ParkMyCar]

Woohoo!

[def-]

Test changes lgtm, I triggered a nightly run: https://buildkite.com/materialize/nightly/builds/11070

[def-]

I'm a bit confused by the data ingest error: https://buildkite.com/materialize/nightly/builds/11070#0194dc61-63a3-4e71-b78a-7dad5aa1bac1

psycopg.errors.InternalError_: cannot create source in cluster with more than one replica

I thought that shouldn't happen anymore since we enable multi-cluster replication now?

[aljoscha]

@def- This only enables multi-replica sources for Kafka sources, the other sources are still an open TODO after this. And yeah, sorry because the issue title is confusing.

Fwiw, here's the overall EPIC: https://github.com/MaterializeInc/database-issues/issues/5051

[def-]

Another nightly run: https://buildkite.com/materialize/nightly/builds/11102 Edit: I'm fixing up data ingest Edit2: New run just with data ingest: https://buildkite.com/materialize/nightly/builds/11104

I also want to write some more tests, but can do it after this is merged too.

[def-]

Something interesting seems to have happened in the data ingest test: https://buildkite.com/materialize/nightly/builds/11104#_

data-ingest-materialized-1     | 2025-02-10T18:41:59.892749Z  thread 'main' panicked at src/adapter/src/catalog/apply.rs:1024:33: PlanError(Unstructured("cannot create source in cluster with more than one replica")): invalid persisted SQL: CREATE SOURCE "materialize"."public"."kafka_table0" IN CLUSTER [u2] FROM KAFKA CONNECTION [u1 AS "materialize"."public"."kafka_conn"] (TOPIC = 'data-ingest-0') FORMAT AVRO USING CONFLUENT SCHEMA REGISTRY CONNECTION [u2 AS "materialize"."public"."csr_conn"] SEED KEY SCHEMA '{"type":"record","name":"key","fields":[{"name":"key0","type":"long"},{"name":"key1","type":"int"}]}' VALUE SCHEMA '{"type":"record","name":"value","fields":[{"name":"value0","type":"int"},{"name":"value1","type":"double"},{"name":"value2","type":"double"},{"name":"value3","type":"string"},{"name":"value4","type":"double"},{"name":"value5","type":"int"},{"name":"value6","type":"double"},{"name":"value7","type":"int"},{"name":"value8","type":"double"}]}' ENVELOPE UPSERT EXPOSE PROGRESS AS [u17 AS "materialize"."public"."kafka_table0_progress"]

[teskje]

Looks mostly good, but I'm suspicious that the active_copies tracking might not always be correct. At least I don't understand why we can unconditionally initialize the number of active copies to 1 when a collection is created, and I think we can leak CollectionState when a replica is dropped at the wrong moment.

[teskje]

I think that soft panic should stay? Since we're doing the active_copies tracking there isn't a reason we should ever get here, right?

[teskje]

Can we make this a soft panic instead? I'm wary of panics that could bring down envd, if it's not immediately obvious that we can't hit them. And I don't think that's obvious here.

[teskje]

How do we know that there is one active copy when a collection is created? Don't we need to look at the number of replicas for that?

[petrosagg]

If this ends up being an ingestion, then run_ingestions sets the active_copies to the number of instance replicas. Otherwise it is set to one for tables.

[teskje]

I see. Would be great to have that context in a comment too!

[teskje]

We might have to remove collection state if this value drops to zero. For example, consider the case where a source is dropped but before we receive the DroppedId response from the replica we drop the replica. With the current code I think we would just leak the CollectionState for the dropped collection.

This is tricky because we can't always drop a collection when this counter goes to zero. All replicas in a cluster can be dropped without the sources on the same cluster being dropped as well.

[aljoscha]

Looks mostly good, but I'm suspicious that the active_copies tracking might not always be correct. At least I don't understand why we can unconditionally initialize the number of active copies to 1 when a collection is created, and I think we can leak CollectionState when a replica is dropped at the wrong moment.

@petrosagg Could you please look at the questions about active_copies and the changes to reclock (basically all the questions above 😅)

[aljoscha]

@teskje and @petrosagg For some of the trickier questions around collection state, active_copies, concurrency, assertions, and leaking state, I think you already know my general stance 😅

[aljoscha]

@def- the nightly is failing with:

data-ingest-materialized-1     | 2025-02-10T18:41:59.892749Z  thread 'main' panicked at src/adapter/src/catalog/apply.rs:1024:33: PlanError(Unstructured("cannot create source in cluster with more than one replica")): invalid persisted SQL: CREATE SOURCE "materialize"."public"."kafka_table0" IN CLUSTER [u2] FROM KAFKA CONNECTION [u1 AS "materialize"."public"."kafka_conn"] (TOPIC = 'data-ingest-0') FORMAT AVRO USING CONFLUENT SCHEMA REGISTRY CONNECTION [u2 AS "materialize"."public"."csr_conn"] SEED KEY SCHEMA '{"type":"record","name":"key","fields":[{"name":"key0","type":"long"},{"name":"key1","type":"int"}]}' VALUE SCHEMA '{"type":"record","name":"value","fields":[{"name":"value0","type":"int"},{"name":"value1","type":"double"},{"name":"value2","type":"double"},{"name":"value3","type":"string"},{"name":"value4","type":"double"},{"name":"value5","type":"int"},{"name":"value6","type":"double"},{"name":"value7","type":"int"},{"name":"value8","type":"double"}]}' ENVELOPE UPSERT EXPOSE PROGRESS AS [u17 AS "materialize"."public"."kafka_table0_progress"]

Which happens when enable_multi_replica_sources=on is disabled but has been enabled before and there are multi-replica clusters with sources. We currently can't go back, because we would have to delete either replicas or sources to get back to a valid state with the flag disabled.

[aljoscha]

Rebased and fixed, @def- we still need to get to the bottom of ☝️ , are the tests flipping the dyncfg on and off?

[def-]

No, they are not. The dyncfg should always be on in the Data Ingest test.

[def-]

What might happen is that during bootstrapping we parse the SQL without respecting the dyncfg setting?

[aljoscha]

What might happen is that during bootstrapping we parse the SQL without respecting the dyncfg setting?

Good catch! I pushed a commit that should fix this.

[aljoscha]

@def- what about that remaining cloudtest failure here: https://buildkite.com/materialize/nightly/builds/11180?

[def-]

I have pushed a fix: 2e0132c @jubrad does this make sense?

[aljoscha]

I have pushed a fix: 2e0132c @jubrad does this make sense?

doh! tyty! 🙇‍♂️

[aljoscha]

@def- I pushed a2fe527 because this was yielding

error: expected error containing "creating cluster replica would violate max_replicas_per_cluster limit", got "unknown cluster replica size 2000"

[aljoscha]

@def- I think you pushed a commit that changes the expected error message, on top of mine which changes size to replication factor 😅

[def-]

Oops, didn't see your comment and just pushed something similar, sorry!

[aljoscha]

Oops, didn't see your comment and just pushed something similar, sorry!

No worries at all! ☺️