feat: EventSource and Sensor HA without extra RBAC

[whynowy]

Signed-off-by: Derek Wang whynowy@gmail.com

A new approach to do Active-Passive HA for Sensors and some of the EventSources, which does not require configuring extra RBAC. It utilizes raft leader election algorithm implemented over NATS.

See https://github.com/nats-io/graft.

Checklist:

• My organization is added to USERS.md.

[whynowy]

We don't need this any more, with leader election, all the event source deployments can run with rolling update strategy.

[whynowy]

With leader election, sensor deployments can also run with rolling update strategy.

[whynowy]

Event sources like webhook should not run with leader election.

[whynowy]

Watch logs from multiple Pods.

[alexec]

I'm in two minds about this.

Leadership-election is a core cloud-native feature that is well understood by the Argo Team and community in general. We're replacing it with something that makes us more reliant on NATS. Given that a user needs to make changes to use the feature either way, would it be better to make using leadership elections straight forward?

[whynowy]

I'm in two minds about this.

Leadership-election is a core cloud-native feature that is well understood by the Argo Team and community in general. We're replacing it with something that makes us more reliant on NATS. Given that a user needs to make changes to use the feature either way, would it be better to make using leadership elections straight forward?

I'm in two minds about this.

Leadership-election is a core cloud-native feature that is well understood by the Argo Team and community in general. We're replacing it with something that makes us more reliant on NATS. Given that a user needs to make changes to use the feature either way, would it be better to make using leadership elections straight forward?

If we don't have NATS existing in the architecture, or the HA is for controllers, there's no doubt k8s leader election is the first choice. However the HA is for a dynamic service (EventSource or Sensor), and it so happened NATS is already there, I think we should utilize it, because that benefits much - it saves lots of extra configuration.

This approach requires the minimal spec change - only needs to specify spec.replicas. However using k8s leader elections, besides the replicas, user need to make series of RBAC changes:

1. Service Account
2. Role and RoleBinding
3. Specify spec.template.serviceAccountName

And these extra changes are required at least per namespace, if the user has a strong sense of security, he probably will specify resourceName in the Role definition (which limits the service account used by the EventSource/Sensor only can operate on the Lease object dedicated for it), this makes the RBAC settings even per EventSource (or Sensor).

I understand the concern of reliability of using leader election implemented over NATS, even I have done all kinds of testing upon it without seeing any issue, I still can not say it's reliable enough. How about this, we can defer using leader election when replicas = 1, and let's see the feedback from the community, and then make a decision if we use it by default (even when replicas=1)?

@alexec

[alexec]

I think we should go with NATS now. It's a big ask on our users to add a lot of extra RBAC, which people struggle with.

[alexec]

normally defer a cancel?

[whynowy]

When current node is changed from leader to non-leader (line 128-133), cancel() need to be called to terminate the running service, and re-initiate a cctx and cancel. Not quite sure if defer cancel() still works in that case, let me do more testing.

[whynowy]

Using defer works, updated.

[alexec]

minor - maybe just call this tmp

[whynowy]

done.