Skip to content

feat: switch core StatefulSet to in-place rolling updates#1179

Merged
keynslug merged 51 commits intomain-3.xfrom
feat/EMQX-15033/rolling-upgrade
Apr 8, 2026
Merged

feat: switch core StatefulSet to in-place rolling updates#1179
keynslug merged 51 commits intomain-3.xfrom
feat/EMQX-15033/rolling-upgrade

Conversation

@keynslug
Copy link
Copy Markdown
Contributor

@keynslug keynslug commented Apr 2, 2026
edited
Loading

Summary

This PR reworks how Operator manages set of EMQX core nodes.

  1. There's now single managed StatefulSet for core nodes (aka "core set").
  2. Rolling updates happen in-place, without migrations across 2 or more separate StatefulSets.
  3. Core template includes default PVC, strongly recommended against running with ephemeral volumes.
  4. EMQX CRD is now on v3alpha1 version.
  5. EMQX CR Status became slimmer: less duplication, less status conditions.
  6. EMQX CR Spec is slightly more conventional (e.g. minReadySeconds, consistent naming).
  7. No extra readiness gates, on-serving gate has been retired.
  8. Replicants are still updated in the blue-green manner (will be addressed in followup PRs).

See individual commits for details.

Core set rolling update

  • Core set employs underlying StatefulSet's OnDelete strategy.
  • As replicant require same-version core to function,
    • At least 1 core needs to be updated before spinning up new replicant set.
    • At least 1 old-version core node needs to be preserved until old replicants are migrated and scaled down.
    • There's now a strict requirement to have >1 cores in core-replicant clusters.

Important notes

  1. Should be considered WIP for the most part.
  2. There's no backward compatibility measures.
  3. Rebalance CRD is temporarily disabled.

keynslug added 30 commits April 2, 2026 15:04
@keynslug
feat: switch core StatefulSet to in-place rolling updates
a1ff02c 
Replace blue-green deployment (hash-suffixed StatefulSet per template change)
with a single deterministically-named StatefulSet using OnDelete update strategy.
The operator detects outdated pods by comparing controller-revision-hash against
StatefulSet.status.updateRevision, and deletes them one at a time (highest ordinal
first) after session evacuation.

Replicant multi-ReplicaSet pattern is intentionally retained.
@keynslug
refactor(api): make EMQX status and CRD surface slimmer
f4db418 
Remove fields that:
 * No longer relevant for single-core-set style operation.
 * Duplicate existing status fields from other resources.
@keynslug
chore(ds): return early when DS is inactive
117c47d
@keynslug
refactor(api): remove Replicas from EMQX CR status
6db23f0 
This field was duplicating spec fields verbatim. This commit drops
this field, making status slimmer and enforcing single source of
truth.
@keynslug
refactor(api): rename nodeEvacuationsStatus to nodeEvacuations
1dc2345 
This commit makes API field naming naming simpler and clearer.
@keynslug
chore: remove PDB compatibility shims for Kubernetes 1.21
cdfec98 
This Kubernetes version is unsupported for quite some time.
@keynslug
refactor: replace onServing with direct Evacuation API readiness probe
f96a391 
This commit simplifies operational model by removing extra readiness
gates.
1. No more `on-serving` readiness gate.
   Instead, container readiness probe points to "availability check"
   endpoint of Evacuation API directly. User still can override it
   but it's strongly recommended against.
2. As a result, `oldestCoreRequester()` now effectively does not
   consider nodes that are in the process of evacuation.
3. In turn, direct `forPod(...)` API is allowed to point to
   non-ready-but-running EMQX nodes.
@keynslug
fix: unblock core rolling update if DS replication site
2c9e2d2 
This commit ensures that core set rolling update can progress even
if an outdated core node is a DS replication site. Since such
rolling updates preserve persistent data, this should be safe.
@keynslug
refactor: streamline EMQX status conditions
f022f71 
This commit re-evaluates and significantly simplifies the set of
EMQX CR conditions, and makes condition descriptions more
informative.
1. Retires separate `Initialized`, `CoreNodesReady`,
   `ReplicantNodesReady`.
2. Conditions are evaluated independently, no more state machine
   transitions.
3. Reconcilers do not consult conditions anymore, prefer to use
   internal APIs instead.

Also stop ignoring errors in load state reconciler.
@keynslug
fix: drop core set leave-cluster preStop hook
277a4d4 
This commit fixes the issue with in-place rolling update when
core nodes constantly tried to leave and the rejoin the cluster.
This was needed for blue-green updates but does not make sense
for the new approach.
@keynslug
test: rework sync_pods_suite_test
907c322
@keynslug
fix(api): preserve zero-valued status counters in EMQX CR
a876bcc 
This makes EMQX CR status a bit more consistent and helps with
observability.
@keynslug
fix: require rest of cores are available before sync progress
4fa3752 
This commit corrects the "cores are available" criterion for core
pod removal safety: now all cores except for candidate are
accounted, and NumReplicas-1 is considered sufficient.
@keynslug
fix: skip evacuation for single-node clusters
84b8671 
This commit allows single-node core sets to complete rolling
updates successfully, instead of them becoming stuck on node
evacuation.
@keynslug
test(e2e): update "EMQX Cluster" scenario
9c8d9a7
@keynslug
test(e2e): update "EMQX Cluster / Botched Rolling Updates" scenario
6d16635
@keynslug
feat(api): forbid single core when replicants are configured
c0909f4 
This commit ensures that users are not allowed to create
non-rolling-updatable EMQX clusters.

Since replicants are still updated in a blue-green manner, during
updates involving EMQX version upgrade at least 1 older-version
core and 1 newer-version core need to be running in a cluster.
@keynslug
fix: ensure at least 1 new & 1 old core during replicant rollout
9421723 
This commit adds additional safeguards around cores and replicants
rolling update, to accomodate for "replicant connects to an exact
same version core" EMQX requirement:
1. Updated replicant sets are not allowed to spin up until at least
   1 core is rolling-updated.
2. Update of 1 last core is postponed until "current" replicant set
   is fully migrated.
@keynslug
fix: correct core set scale-down behavior
f4162ea 
This commit ensures that scale-down picks candidates statically and
deterministically.
@keynslug
fix: ensure outdated core pod list is empty if no updates
9a3ad81
@keynslug
fix: force requeue after core/replicant set added or updated
923e881 
This should give relevant controllers enough time to update
respective resource statuses, to make the rest of the reconcilers
chain rely on up-to-date information.
@keynslug
fix: run dsCleanupSites earlier in the reconciler chain
9d0abf0 
This commit also improves `dsCleanupSites` reconciler observability.
@keynslug
fix: rely on DS cluster state only to compute target replica sets
e8113d1 
This commit improves stability of `dsUpdateReplicaSets` reconciler.
It now avoids consulting both EMQX runtime cluster state and DS
cluster state (using instead only the latter) as the former can
sometimes fail to include nodes that are in the process of starting
or stopping, which can cause unwarranted target replica set changes.
@keynslug
feat: specify PVC for core pods by default
b91efbe 
This is an important prerequisite for in-place rolling updates:
persistent data is now expected to survive pods deletion.

Also enforce suitable PVC retention policy: PVs / PVCs should
survive regular pod deletions (as part of rolling updates) but
not parent StatefulSet scale-down or deletion.
@keynslug
test(e2e): test both scale-up and scale-down
b3c64ae
@keynslug
test(e2e): enrich diagnostic output on failures
66c90fd
@keynslug
fix: ensure syncCoreSet stops evacuation explicitly on pod update
16918c8 
This commit fixes the consequence of introducing volume persistence
to core set pods by default: node evacuation state survives pod
recreation, and thus needs to be stopped explicitly.
@keynslug
feat: add sync cluster membership reconciler
e17900c 
This new reconciler is responsible for force-leaving nodes out of
the EMQX cluster view, to keep it consistent with current core and
replicant sets.
@keynslug
test(e2e): verify EMQX cluster view during tests
f10e483
@keynslug
test(e2e): update "EMQX Core-Replicant DS-Enabled Cluster" scenario
431b20c
keynslug added 8 commits April 7, 2026 10:39
@keynslug
fix: allow reconcilers to ask for short-timeout requeue
5b7eb01 
This ensures that potentially not-entirely-complete reconciliations
have a chance to be retried earlier than in 30 seconds, in case
EMQX CR is considered Ready.
@keynslug
fix: simplify addService + refactor test suite
9582a67
@keynslug
feat(controller): trigger reconcile on EMQX CR spec changes only
c956d5a
@keynslug
fix: mark EMQX not ready when DS replication is unstable
5e0a504 
This ensures there's no special conditions for choosing between
shorter and longer requeue timeouts.
@keynslug
fix: use safer listeners Service selectors for pod targeting
9239813 
This commit ensures that listeners service targets correct set of
pod at all times: cores if no replicants, otherwise "update"
replicants if there's at least 1 ready, otherwise "current"
replicants if there's at lesst 1 ready.
@keynslug
fix: stop propagating core template label to PVC templates
967838d 
This is a workaround to allow label-only core set updates to
complete.
@keynslug
chore(handler): drop dead code
1e91ed5
@keynslug
fix: stop using core template labels for selectors
8e61017 
This commit ensures that label-only changes are applicable to
managed resources: without this, changing core template labels
was either ignored or might have caused controller to stuck in
a retry loop, because selector updates for StatefulSets are in
general prohibited.
@keynslug keynslug force-pushed the feat/EMQX-15033/rolling-upgrade branch from 2685270 to 966507e Compare April 7, 2026 09:38
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 7, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 83.58663% with 162 lines in your changes missing coverage. Please review.
⚠️ Please upload report for BASE (main-3.x@a2885da). Learn more about missing BASE report.

Files with missing lines Patch % Lines
internal/controller/sync_core_set.go 79.18% 37 Missing and 14 partials ⚠️
internal/controller/load_state.go 61.53% 19 Missing and 11 partials ⚠️
internal/controller/add_replicant_set.go 84.21% 10 Missing and 2 partials ⚠️
internal/controller/ds_update_replica_sets.go 64.00% 6 Missing and 3 partials ⚠️
internal/controller/rebalance_controller.go 0.00% 8 Missing ⚠️
internal/controller/sync_emqx_config.go 61.11% 7 Missing ⚠️
internal/controller/update_emqx_status.go 96.47% 5 Missing and 1 partial ⚠️
internal/controller/util/pod.go 75.00% 4 Missing and 2 partials ⚠️
internal/controller/add_core_set.go 95.57% 3 Missing and 2 partials ⚠️
internal/emqx/api/evacuation.go 50.00% 4 Missing and 1 partial ⚠️
... and 11 more
Additional details and impacted files 
@@             Coverage Diff             @@
##             main-3.x    #1179   +/-   ##
===========================================
  Coverage            ?   74.17%           
===========================================
  Files               ?       48           
  Lines               ?     3667           
  Branches            ?        0           
===========================================
  Hits                ?     2720           
  Misses              ?      801           
  Partials            ?      146

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@keynslug keynslug force-pushed the feat/EMQX-15033/rolling-upgrade branch from 966507e to 62bd468 Compare April 7, 2026 11:27
keynslug added 6 commits April 7, 2026 13:41
@keynslug
fix: prefer EMQX 6.x to load DS cluster view
ba3f3ac 
This commit ensures that DS reconcilers prefer to work with the same
cluster view, preferably sourced from 6.x, primarily because EMQX
clusters running 6.1.0 and newer can have separate cluster views
different from 6.0.x and earlier.
@keynslug
test(e2e): update "EMQX Runtime-enabled DS Replication" scenario
1d43716
@keynslug
feat: promote EMQX CRD to v3alpha1 + turn Rebalance CRD off
e58f4ad
@keynslug
chore: define shared constants in api package
34071b7 
This commit eliminates few linter complaints.
@keynslug
chore: drop dead code
5b2726b
@keynslug
chore(helm): switch to 3.0.0 and drop compat measures
8a234d6
@keynslug keynslug force-pushed the feat/EMQX-15033/rolling-upgrade branch from 62bd468 to 8a234d6 Compare April 7, 2026 11:44
@keynslug keynslug marked this pull request as ready for review April 7, 2026 13:47
@zmstone
Copy link
Copy Markdown
Member

zmstone commented Apr 7, 2026

when would it be the good timing to change v3alpha1 to v3?

@keynslug
Copy link
Copy Markdown
Contributor Author

keynslug commented Apr 8, 2026

@zmstone The plan is to switch to v3beta1 once API looks reasonable, future-proof and is ready for release, and to v3 once the rest of Operator v3 features are in and it's not going to change anymore.

keynslug added 5 commits April 8, 2026 13:05
@keynslug
fix: sort outdated pods by ordinal numerically
1fa3208 
This commit fixes an uncommon issue where a core set having more
than 10 pods was rolling updated in an incorrect order.
@keynslug
fix: tolerate undefined "current" replicant set
8b55e6d
@keynslug
chore: leave comment on API conflict handling
ae46b62
@keynslug
fix: avoid deleting nil core pod candidate during scale down
888e597
@keynslug
chore: leave comment about syncCoreSet responsibilities
1f32248 
Specifically, this commit mentions how evacuations are managed and
what should be user expectations.
@keynslug keynslug merged commit 2abd471 into main-3.x Apr 8, 2026
14 checks passed
@keynslug keynslug deleted the feat/EMQX-15033/rolling-upgrade branch April 8, 2026 12:29
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@zmstone zmstone zmstone approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@keynslug @zmstone