tso: prevent dual writers when upgrading from PD service mode

[YuhaoZhang00]

What problem does this PR solve?

Issue Number: ref #10329

When upgrading from PD service mode (isKeyspaceGroupEnabled=false) to API service mode with a TSO microservice, there is a window where both the PD leader and the TSO microservice could write to the same TSO timestamp key, causing dual writers and potential timestamp regression.

What is changed and how does it work?

In PD service mode, SaveTimestamp now atomically checks for an existing TSO microservice primary before writing the timestamp window. If a TSO primary is detected, the write is rejected, causing the allocator to reset and resign PD leadership. This allows a PD in API service mode to take over and proxy TSO requests, preventing dual writers during rolling upgrades.

Also remove TestMixedTSODeployment which tested seamless coexistence of PD service mode and TSO microservice — a scenario not supported by the official upgrade procedure (PD restart is required).

Key changes:

• Add checkTSOPrimary parameter to SaveTimestamp that atomically loads the TSO primary election key (/ms/{cluster_id}/tso/00000/primary) within the same etcd transaction before writing the timestamp window. When a TSO primary is detected, the write is rejected.
• checkTSOPrimary is only true in PD service mode (!isKeyspaceGroupEnabled). In API service mode, PD uses the existing checkTSOService stop/start mechanism instead.
• Remove TestMixedTSODeployment - seamless coexistence of PD service mode and TSO microservice is not a supported upgrade path.

Check List

Tests

• Unit test
• Integration test

Code changes

None.

Side effects

None.

Related changes

None.

Release note

None.

Summary by CodeRabbit

• Bug Fixes

  • Prevents dual timestamp writers by adding an optional primary-election check that blocks timestamp writes when a TSO microservice primary is present.
  • Fixed logging variable naming.

• Tests

  • Added tests covering the primary-election guard and its failure/success cases.
  • Removed an obsolete mixed-deployment integration test and added a new integration verifying prevention of dual writers.

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign okjiang for approval. For more information see the Code Review Process.
Please ensure that each of them provides their approval before proceeding.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

Hi @YuhaoZhang00. Thanks for your PR.

I'm waiting for a tikv member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 8d6a83d2-7890-4c7d-bc41-9365bfce8302

📥 Commits

Reviewing files that changed from the base of the PR and between 05fcb12 and f00fdf2.

📒 Files selected for processing (1)

• tests/integrations/tso/client_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• tests/integrations/tso/client_test.go

---

📝 Walkthrough

Walkthrough

This PR adds a checkTSOPrimary boolean through the TSO pipeline: server -> allocator -> timestampOracle -> storage. When enabled, storage reads the TSO microservice primary election key and rejects timestamp writes if that key is set. Tests updated/added and a TSO integration test removed; a logging variable was renamed.

Changes

Cohort / File(s)	Summary
TSO Storage Interface and Implementation pkg/storage/endpoint/tso.go	Added checkTSOPrimary bool to TSOStorage.SaveTimestamp and (*StorageEndpoint).SaveTimestamp; when true, perform transactional read of TSO primary election key and reject writes if non-empty. Renamed logging var logFilds → logFields.
Allocator and Oracle wiring pkg/tso/allocator.go, pkg/tso/tso.go, pkg/tso/keyspace_group_manager.go	NewAllocator gains checkTSOPrimary param and wires it into timestampOracle; saveTimestamp now forwards the flag to storage. Call site in keyspace group manager passes false.
Server initialization server/server.go	Server now passes !s.isKeyspaceGroupEnabled into tso.NewAllocator to enable TSO-primary checking in PD service mode.
Unit tests pkg/storage/storage_tso_test.go	Updated all SaveTimestamp calls to include new boolean arg (false) and added TestSaveTimestampCheckTSOPrimary covering behavior when TSO primary key is absent/present.
Integration tests tests/integrations/tso/client_test.go	Removed TestMixedTSODeployment and associated usages; added TestDualWriterPrevention to validate PD yields TSO when a TSO microservice starts.

Sequence Diagram(s)

sequenceDiagram
    participant Server
    participant Allocator
    participant TimestampOracle
    participant StorageEndpoint
    participant Database

    Server->>Allocator: NewAllocator(..., checkTSOPrimary)
    Allocator->>TimestampOracle: initialize(checkTSOPrimary)

    Note over TimestampOracle: generate/prepare timestamp
    TimestampOracle->>StorageEndpoint: SaveTimestamp(ts, checkTSOPrimary)

    alt checkTSOPrimary == true
        StorageEndpoint->>Database: TX read TSO primary election key
        Database-->>StorageEndpoint: key value
        alt key non-empty
            StorageEndpoint-->>TimestampOracle: return error (reject write)
        else key empty
            StorageEndpoint->>Database: TX save timestamp
            Database-->>StorageEndpoint: success
            StorageEndpoint-->>TimestampOracle: success
        end
    else checkTSOPrimary == false
        StorageEndpoint->>Database: TX save timestamp
        Database-->>StorageEndpoint: success
        StorageEndpoint-->>TimestampOracle: success
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

Suggested labels

size/XL

Suggested reviewers

• JmPotato
• liyishuai
• okJiang

Poem

🐰 I hop from server down to store,
A tiny flag I ask for more—
If another primary claims the light,
I pause my pen and hold it tight.
With checks in place the timestamps stay,
A careful hop keeps bugs away.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main change: preventing dual writers when upgrading from PD service mode, which aligns with the core objective of this PR.
Description check	✅ Passed	The description includes the required issue reference (ref #10329), explains the problem and solution clearly, lists key changes, and documents tests. However, it deviates from the template structure by not explicitly filling all expected sections.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[YuhaoZhang00]

/cc @JmPotato PTAL

[ti-chi-bot]

@YuhaoZhang00: GitHub didn't allow me to request PR reviews from the following users: PTAL.

Note that only tikv members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @JmPotato PTAL

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@pkg/storage/endpoint/tso.go`:
- Around line 113-115: The error string returned in the conditional checking
tsoPrimary (the return in the if tsoPrimary != "" branch that calls
errors.Errorf) uses capitalized "PD" and a trailing punctuation; change the
message to be all lowercase with no trailing punctuation (e.g., use "pd
microservice primary exists, pd in pd service mode must yield" or a concise
lowercase variant) so it follows the repository's error-string convention.

In `@server/server.go`:
- Around line 511-514: The current approach lets the PD-service-mode etcd leader
re-acquire PD leadership after allocator yields because allocatorUpdater calls
Reset(true) (which only resigns PD leadership) while leaderLoop will re-campaign
from the current etcd leader; update the yield path so that when s.tsoAllocator
(created in s.tsoAllocator) detects an existing TSO primary and allocatorUpdater
calls Reset(true), you also either (a) prevent leaderLoop from re-campaigning
for that member by setting/clearing a "yielded" flag on the server (e.g., on s)
that leaderLoop checks before starting a new campaign, or (b) perform an etcd
leadership transfer of s.member to another peer before calling Reset(true) so
the yielding node cannot immediately win; implement the chosen approach in the
allocatorUpdater/Reset invocation and ensure leaderLoop observes the yielded
flag (or verify transfer completion) to stop immediate re-campaigns.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: dcc0a32a-3ca6-4e86-b375-6cc94420454b

📥 Commits

Reviewing files that changed from the base of the PR and between 19fed4b and 291f1dc.

📒 Files selected for processing (8)

• pkg/storage/endpoint/tso.go
• pkg/storage/storage_tso_test.go
• pkg/tso/allocator.go
• pkg/tso/keyspace_group_manager.go
• pkg/tso/tso.go
• pkg/utils/keypath/absolute_key_path.go
• server/server.go
• tests/integrations/tso/client_test.go

💤 Files with no reviewable changes (1)

• tests/integrations/tso/client_test.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor

Keep the new error string lowercase.

Line 114 introduces capitalized PD, which breaks the repo's error-string convention.

As per coding guidelines, "Error strings must be lowercase with no trailing punctuation".

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@pkg/storage/endpoint/tso.go` around lines 113 - 115, The error string
returned in the conditional checking tsoPrimary (the return in the if tsoPrimary
!= "" branch that calls errors.Errorf) uses capitalized "PD" and a trailing
punctuation; change the message to be all lowercase with no trailing punctuation
(e.g., use "pd microservice primary exists, pd in pd service mode must yield" or
a concise lowercase variant) so it follows the repository's error-string
convention.

[JmPotato]

Maybe resue ElectionPath rather than adding a new one?

[JmPotato]

Prefer using len cause it also checks the nil case.

Suggested change

	if tsoPrimary != "" {
	if len(tsoPrimary) == 0 {

[JmPotato]

Why remove this test?

[YuhaoZhang00]

This test asserts that PD (in PD service mode) and the TSO microservice can serve TSO concurrently as dual writers - which is exactly the unsafe behavior this PR prevents.

Anyway, I should not have removed this test case; it should be FIXED rather than removed. Will address this in follow-up commits.

[YuhaoZhang00]

Please check the fixed test case :)