fix(controller): Deterministically select master pod

[xuekat]

Deterministically select the next master pod. Context: we were hitting an issue where the operator was failing to reconcile because there was a race condition where multiple pods were not finding a healthy master, then getting promoted to master simultaneously and trying to mark each other as replicas.

see my recent comment

[Abhra303]

Looks good, Thanks!

[Copilot]

Pull request overview

This pull request addresses a race condition in the Dragonfly operator where multiple pods could simultaneously be promoted to master. The fix introduces deterministic master pod selection to ensure only one pod becomes master at a time.

• Adds selectMasterCandidate function to deterministically select the lowest-ordinal ready pod as master
• Implements role verification to detect and fix labeled masters running as replicas
• Introduces PhaseConfiguring state with recovery logic to prevent stuck configurations

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 6 comments.

File	Description
internal/controller/util.go	Adds getOrdinal and selectMasterCandidate functions for deterministic master selection
internal/controller/dragonfly_pod_lifecycle_controller.go	Updates master selection logic to use selectMasterCandidate, adds role verification for labeled masters, and enables recovery from PhaseConfiguring state
internal/controller/dragonfly_instance.go	Modifies checkAndConfigureReplicas to return configuration status, adds getRedisRole function, and updates phase transition logic
e2e/dragonfly_pod_lifecycle_controller_test.go	Adds test to verify recovery from stuck PhaseConfiguring phase

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Returning -1 on error could lead to unexpected behavior in selectMasterCandidate. A pod with a parsing error would be treated as having ordinal -1, which would always be less than valid ordinals (0, 1, 2, etc.), potentially selecting an invalid pod as the master candidate. Consider returning a larger sentinel value like math.MaxInt or handling the error more explicitly in the caller.

[Abhra303]

either check that getOrdinal is not -1 before using in selectMasterCandidate or return MaxInt as suggested here.

[Abhra303]

I am concerned with this logic and I think this is redundant - we already handle this in checkAndConfigureReplicas function. I don't see any reason to put it here. Why do you think the checkAndConfigureReplicas function is not enough?

[xuekat]

I think the checkAndConfigureReplicas function only handles if the replica pods are configured correctly (not rogue, connected to the right master). But this logic checks if the master is unintentionally running as a replica, so it accounts for issues with the master pod that checkAndConfigureReplicas doesn't check.

[xuekat]

Made a few more changes to ensure no race conditions @Abhra303 if you could review again. Summary of changes:

• Deterministically select master node by ordinal value
• defer PhaseReady until all replicas are configured. this is because the original code set PhaseReady prematurely before replicas were configured. this caused race conditions where rolling updates could start before replication was fully established.
• handle isReplicationError as these changes increased reconciliation frequency (due to Requeue: true when not all configured). this caused concurrent SLAVE OF commands to the same pod. DragonflyDB returns "ERR replication cancelled" for concurrent replication attempts. without handling this, it created an infinite retry loop.
• allow reconciliation in PhaseConfiguring phase. this is because we deferred PhaseReady, so the controller needs to continue reconciling during PhaseConfiguring to finish setting up replicas.
• use Patch instead of Update, as Patch is safer than Update in concurrent environments.

[xuekat]

hey @Abhra303 would appreciate another review here 🙏

[xuekat]

gentle bump @Abhra303

[ashotland]

Thanks for this PR, sorry to take it a step back, please see some comments

[ashotland]

what do you getMaster again ?

also seem to call dfi.replicaOfNoOne(ctx, master) below

can we just consistently use the master variable from line 77?

[xuekat]

changed masterPod, err := dfi.getMaster(ctx) to use the existing master variable consistently

[ashotland]

I still see masterPod, err := dfi.getMaster(ctx)

why can't you use master ?

[ashotland]

should we use patch here too ?

[xuekat]

updated

[ashotland]

!isTerminating is now redundant ?

[xuekat]

thanks, removed

[ashotland]

but seems we check isReady right after calling this function

also, IIUC, in case pod 0 will be slow to become ready we'll keep requeuing while there might be other ready pods, which is a considerable deviation from current behaviour.

can we do something like the following instead :

func selectMasterCandidate(pods []corev1.Pod, isReady func(*corev1.Pod) bool) *corev1.Pod {
    var best *corev1.Pod

    for i := range pods {
        p := &pods[i]
        if !isReady(p) {
            continue
        }
        if best == nil || getOrdinal(p.Name) < getOrdinal(best.Name) {
            best = p
        }
    }
    return best
}

[xuekat]

makes sense, updated as per this

[ashotland]

I believe this check is redundant as the master Candidate must be ready

[xuekat]

thanks, removed

[ashotland]

I still see masterPod, err := dfi.getMaster(ctx)

why can't you use master ?

[ashotland]

this seems like a behaviour change that doesn't seems related to the goal of this pr

currently we move to ready once master is configured and serving and I am not sure we should change this

generally it'd be great to limit the scope to changes that are required to achieve the purpose of the PR.

[xuekat]

this was to deal with the test DF Pod Lifecycle Reconciler Fail Over is working which needs something that handles a pod-event while in PhaseConfiguring before it transitions to PhaseReady. but i've reverted this change in favor of adding PhaseConfiguring back to the gate condition, and after checkAndConfigureReplicas succeeds, transition from PhaseConfiguring to PhaseReady.

[ashotland]

Thanks but you still moved dfiStatus.Phase = PhaseReady to later

which is why I think you added changes in DfPodLifeCycleReconciler to handle 'stuck' PhaseConfiguring

I still don't understand why this is needed for the purpose of this pr and why we can't we keep dfiStatus.Phase = PhaseReady in it's original state

[ashotland]

not sure I understand why we need this change

also once we revert back to PahseReady on master is configured dfi.getStatus().Phase == PhaseConfiguring
below become dead code

[xuekat]

check my comment here, but reverted this logic

[ashotland]

Thanks but you still moved dfiStatus.Phase = PhaseReady to later

which is why I think you added changes in DfPodLifeCycleReconciler to handle 'stuck' PhaseConfiguring

I still don't understand why this is needed for the purpose of this pr and why we can't we keep dfiStatus.Phase = PhaseReady in it's original state

[ashotland]

given the other comments this test may no longer be required

[xuekat]

yup, removed

[ashotland]

how about a unit test for this function ?

[xuekat]

added a unit test

[xuekat]

Thanks but you still moved dfiStatus.Phase = PhaseReady to later

which is why I think you added changes in DfPodLifeCycleReconciler to handle 'stuck' PhaseConfiguring

I still don't understand why this is needed for the purpose of this pr and why we can't we keep dfiStatus.Phase = PhaseReady in it's original state

right, it's not needed anymore, so I've moved it back to its original place, thanks.

[ashotland]

thanks a lot looks good now, please just update the branch and resolve conflicts

[Abhra303]

LGTM, please check my comment. Should be ready to merge after this.

[Abhra303]

Can you please use else if role != resources.Master. Some dragonfly versions returns slave instead of replica as the role.

[xuekat]

done