hecate: harden emergency thresholds and bootstrap branch handling

2026-04-05 00:15:09 -03:00 · 2026-04-05 00:15:09 -03:00 · f020f77d2b
commit f020f77d2b
parent 4c03be1e9b
10 changed files with 241 additions and 18 deletions
--- a/README.md
+++ b/README.md
@ -92,8 +92,12 @@ UPS auto-shutdown trigger uses:
 - runtime threshold = `runtime_safety_factor * estimated_shutdown_budget`
 - default safety factor `1.25`
 - debounce across multiple polls to avoid noise
 - emergency trigger budget defaults to `shutdown.emergency_budget_seconds` and is learned from historical UPS-triggered shutdown runs once enough samples exist
 - UPS-triggered shutdown executes the emergency fast path by default (`shutdown.emergency_skip_drain: true`, `shutdown.emergency_skip_etcd_snapshot: true`)
-Estimated shutdown budget is derived from historical successful shutdown runs (`/var/lib/hecate/runs.json`) with default fallback from config.
+Estimated shutdown budgets are derived from historical successful shutdown runs (`/var/lib/hecate/runs.json`) with config fallbacks:
 - `estimated_shutdown_budget_seconds`: full/manual shutdown path
 - `estimated_emergency_shutdown_budget_seconds`: UPS/emergency path
 Power metrics:
 - Hecate exposes Prometheus metrics on `:9560/metrics` by default.
--- a/cmd/hecate/main.go
+++ b/cmd/hecate/main.go
@ -231,6 +231,7 @@ func runStatus(logger *log.Logger, args []string) error {
 	logger.Printf("expected_flux_branch=%s", cfg.ExpectedFluxBranch)
 	logger.Printf("control_planes=%v", cfg.ControlPlanes)
 	logger.Printf("estimated_shutdown_budget_seconds=%d", orch.EstimatedShutdownSeconds())
 	logger.Printf("estimated_emergency_shutdown_budget_seconds=%d", orch.EstimatedEmergencyShutdownSeconds())
 	intent, intentErr := state.ReadIntent(cfg.State.IntentPath)
 	if intentErr != nil {
 		logger.Printf("intent_read_error=%v", intentErr)
--- a/configs/hecate.example.yaml
+++ b/configs/hecate.example.yaml
@ -22,11 +22,14 @@ local_bootstrap_paths:
  - infrastructure/sources/helm
  - infrastructure/metallb
  - infrastructure/traefik
  - infrastructure/cert-manager
  - infrastructure/vault-csi
  - infrastructure/vault-injector
  - services/vault
  - infrastructure/postgres
  - services/gitea
  - services/keycloak
  - services/oauth2-proxy
 excluded_namespaces:
  - kube-system
  - kube-public
@ -50,6 +53,11 @@ startup:
  etcd_restore_control_plane: titan-0a
 shutdown:
  default_budget_seconds: 1380
  history_min_samples: 3
  emergency_budget_seconds: 420
  emergency_history_min_samples: 3
  emergency_skip_etcd_snapshot: true
  emergency_skip_drain: true
  skip_etcd_snapshot: false
  skip_drain: false
  drain_parallelism: 6
--- a/configs/hecate.tethys.yaml
+++ b/configs/hecate.tethys.yaml
@ -88,11 +88,14 @@ local_bootstrap_paths:
  - infrastructure/sources/helm
  - infrastructure/metallb
  - infrastructure/traefik
  - infrastructure/cert-manager
  - infrastructure/vault-csi
  - infrastructure/vault-injector
  - services/vault
  - infrastructure/postgres
  - services/gitea
  - services/keycloak
  - services/oauth2-proxy
 excluded_namespaces:
  - kube-system
  - kube-public
@ -116,6 +119,11 @@ startup:
  etcd_restore_control_plane: titan-0a
 shutdown:
  default_budget_seconds: 1380
  history_min_samples: 3
  emergency_budget_seconds: 420
  emergency_history_min_samples: 3
  emergency_skip_etcd_snapshot: true
  emergency_skip_drain: true
  skip_etcd_snapshot: false
  skip_drain: false
  drain_parallelism: 6
--- a/configs/hecate.titan-db.yaml
+++ b/configs/hecate.titan-db.yaml
@ -88,11 +88,14 @@ local_bootstrap_paths:
  - infrastructure/sources/helm
  - infrastructure/metallb
  - infrastructure/traefik
  - infrastructure/cert-manager
  - infrastructure/vault-csi
  - infrastructure/vault-injector
  - services/vault
  - infrastructure/postgres
  - services/gitea
  - services/keycloak
  - services/oauth2-proxy
 excluded_namespaces:
  - kube-system
  - kube-public
@ -116,6 +119,11 @@ startup:
  etcd_restore_control_plane: titan-0a
 shutdown:
  default_budget_seconds: 1380
  history_min_samples: 3
  emergency_budget_seconds: 420
  emergency_history_min_samples: 3
  emergency_skip_etcd_snapshot: true
  emergency_skip_drain: true
  skip_etcd_snapshot: false
  skip_drain: false
  drain_parallelism: 6
--- a/internal/cluster/orchestrator.go
+++ b/internal/cluster/orchestrator.go
@ -175,6 +175,14 @@ func (o *Orchestrator) Startup(ctx context.Context, opts StartupOptions) (err er
 		}
 	}
 	desiredFluxBranch := strings.TrimSpace(opts.ForceFluxBranch)
 	if desiredFluxBranch == "" {
 		desiredFluxBranch = strings.TrimSpace(o.cfg.ExpectedFluxBranch)
 	}
 	if err := o.ensureFluxBranch(ctx, desiredFluxBranch); err != nil {
 		return err
 	}
 	workers, err := o.effectiveWorkers(ctx)
 	if err != nil {
 		return err
@ -186,13 +194,6 @@ func (o *Orchestrator) Startup(ctx context.Context, opts StartupOptions) (err er
 	o.startWorkers(ctx, workers)
 	o.bestEffort("uncordon workers", func() error { return o.uncordonWorkers(ctx, workers) })
 	if opts.ForceFluxBranch != "" {
 		patch := fmt.Sprintf(`{"spec":{"ref":{"branch":"%s"}}}`, opts.ForceFluxBranch)
 		if _, err := o.kubectl(ctx, 20*time.Second, "-n", "flux-system", "patch", "gitrepository", "flux-system", "--type=merge", "-p", patch); err != nil {
 			return fmt.Errorf("force flux branch: %w", err)
 		}
 	}
 	needsLocalBootstrap := false
 	bootstrapReasons := []string{}
 	if !opts.SkipLocalBootstrap {
@ -393,7 +394,15 @@ func (o *Orchestrator) Shutdown(ctx context.Context, opts ShutdownOptions) (err
 }
 func (o *Orchestrator) EstimatedShutdownSeconds() int {
-	return o.store.ShutdownP95(o.cfg.Shutdown.DefaultBudgetSeconds)
+	return o.store.ShutdownP95WithMinSamples(o.cfg.Shutdown.DefaultBudgetSeconds, o.cfg.Shutdown.HistoryMinSamples)
 }
 func (o *Orchestrator) EstimatedEmergencyShutdownSeconds() int {
 	return o.store.ShutdownP95ByReasonPrefix(
 		o.cfg.Shutdown.EmergencyBudgetSec,
 		o.cfg.Shutdown.EmergencyMinSamples,
 		[]string{"ups-", "emergency-", "drill-emergency"},
 	)
 }
 func (o *Orchestrator) finalizeRecord(record *state.RunRecord, err *error) {
@ -1131,6 +1140,45 @@ func (o *Orchestrator) reportFluxSource(ctx context.Context, forceBranch string)
 	}
 }
 func (o *Orchestrator) ensureFluxBranch(ctx context.Context, branch string) error {
 	branch = strings.TrimSpace(branch)
 	if branch == "" {
 		return nil
 	}
 	out, err := o.kubectl(
 		ctx,
 		10*time.Second,
 		"-n", "flux-system",
 		"get", "gitrepository", "flux-system",
 		"-o", "jsonpath={.spec.ref.branch}",
 	)
 	if err != nil {
 		if isNotFoundErr(err) {
 			o.log.Printf("warning: flux gitrepository/flux-system not found while ensuring branch=%s", branch)
 			return nil
 		}
 		return fmt.Errorf("read flux source branch: %w", err)
 	}
 	current := strings.TrimSpace(out)
 	if current == branch {
 		return nil
 	}
 	patch := fmt.Sprintf(`{"spec":{"ref":{"branch":"%s"}}}`, branch)
 	if _, err := o.kubectl(
 		ctx,
 		20*time.Second,
 		"-n", "flux-system",
 		"patch", "gitrepository", "flux-system",
 		"--type=merge",
 		"-p", patch,
 	); err != nil {
 		return fmt.Errorf("set flux source branch %q (current %q): %w", branch, current, err)
 	}
 	o.log.Printf("updated flux source branch from %q to %q", current, branch)
 	return nil
 }
 func (o *Orchestrator) bootstrapLocal(ctx context.Context) error {
 	failures := 0
 	for _, rel := range o.cfg.LocalBootstrapPaths {
--- a/internal/config/config.go
+++ b/internal/config/config.go
@ -45,6 +45,11 @@ type Startup struct {
 type Shutdown struct {
 	DefaultBudgetSeconds int      `yaml:"default_budget_seconds"`
 	HistoryMinSamples    int      `yaml:"history_min_samples"`
 	EmergencyBudgetSec   int      `yaml:"emergency_budget_seconds"`
 	EmergencyMinSamples  int      `yaml:"emergency_history_min_samples"`
 	EmergencySkipEtcd    bool     `yaml:"emergency_skip_etcd_snapshot"`
 	EmergencySkipDrain   bool     `yaml:"emergency_skip_drain"`
 	SkipEtcdSnapshot     bool     `yaml:"skip_etcd_snapshot"`
 	SkipDrain            bool     `yaml:"skip_drain"`
 	DrainParallelism     int      `yaml:"drain_parallelism"`
@ -127,6 +132,15 @@ func (c Config) Validate() error {
 	if c.Shutdown.DefaultBudgetSeconds <= 0 {
 		return fmt.Errorf("config.shutdown.default_budget_seconds must be > 0")
 	}
 	if c.Shutdown.HistoryMinSamples <= 0 {
 		return fmt.Errorf("config.shutdown.history_min_samples must be > 0")
 	}
 	if c.Shutdown.EmergencyBudgetSec <= 0 {
 		return fmt.Errorf("config.shutdown.emergency_budget_seconds must be > 0")
 	}
 	if c.Shutdown.EmergencyMinSamples <= 0 {
 		return fmt.Errorf("config.shutdown.emergency_history_min_samples must be > 0")
 	}
 	if c.Shutdown.DrainParallelism <= 0 {
 		return fmt.Errorf("config.shutdown.drain_parallelism must be > 0")
 	}
@ -208,11 +222,14 @@ func defaults() Config {
 			"infrastructure/sources/helm",
 			"infrastructure/metallb",
 			"infrastructure/traefik",
 			"infrastructure/cert-manager",
 			"infrastructure/vault-csi",
 			"infrastructure/vault-injector",
 			"services/vault",
 			"infrastructure/postgres",
 			"services/gitea",
 			"services/keycloak",
 			"services/oauth2-proxy",
 		},
 		ExcludedNamespaces: []string{
 			"kube-system",
@ -239,6 +256,11 @@ func defaults() Config {
 		},
 		Shutdown: Shutdown{
 			DefaultBudgetSeconds: 1380,
 			HistoryMinSamples:    3,
 			EmergencyBudgetSec:   420,
 			EmergencyMinSamples:  3,
 			EmergencySkipEtcd:    true,
 			EmergencySkipDrain:   true,
 			DrainParallelism:     6,
 			ScaleParallelism:     8,
 			SSHParallelism:       8,
@ -306,6 +328,15 @@ func (c *Config) applyDefaults() {
 	if c.Shutdown.DefaultBudgetSeconds <= 0 {
 		c.Shutdown.DefaultBudgetSeconds = 1380
 	}
 	if c.Shutdown.HistoryMinSamples <= 0 {
 		c.Shutdown.HistoryMinSamples = 3
 	}
 	if c.Shutdown.EmergencyBudgetSec <= 0 {
 		c.Shutdown.EmergencyBudgetSec = 420
 	}
 	if c.Shutdown.EmergencyMinSamples <= 0 {
 		c.Shutdown.EmergencyMinSamples = 3
 	}
 	if c.Shutdown.DrainParallelism <= 0 {
 		c.Shutdown.DrainParallelism = 6
 	}
--- a/internal/service/daemon.go
+++ b/internal/service/daemon.go
@ -89,7 +89,7 @@ func (d *Daemon) Run(ctx context.Context) error {
 		case <-ctx.Done():
 			return ctx.Err()
 		case <-t.C:
-			budget := d.orch.EstimatedShutdownSeconds()
+			budget := d.orch.EstimatedEmergencyShutdownSeconds()
 			threshold := int(math.Ceil(float64(budget) * d.cfg.UPS.RuntimeSafetyFactor))
 			d.exporter.UpdateBudget(budget)
@ -177,7 +177,11 @@ func (d *Daemon) triggerShutdown(ctx context.Context, reason string) error {
 			d.log.Printf("warning: forward shutdown failed; falling back to local shutdown: %v", err)
 		}
 	}
-	if err := d.orch.Shutdown(ctx, cluster.ShutdownOptions{Reason: reason}); err != nil {
+	if err := d.orch.Shutdown(ctx, cluster.ShutdownOptions{
 		Reason:           reason,
 		SkipDrain:        d.cfg.Shutdown.EmergencySkipDrain,
 		SkipEtcdSnapshot: d.cfg.Shutdown.EmergencySkipEtcd,
 	}); err != nil {
 		return err
 	}
 	if setErr := state.MustWriteIntent(d.cfg.State.IntentPath, state.IntentShutdownComplete, reason, "daemon-local"); setErr != nil {
@ -194,11 +198,13 @@ func (d *Daemon) forwardShutdown(ctx context.Context, reason string) error {
 	runCtx, cancel := context.WithTimeout(ctx, timeout)
 	defer cancel()
-	remoteCmd := fmt.Sprintf(
+	remoteCmd := fmt.Sprintf("sudo /usr/local/bin/hecate shutdown --config %q --execute --reason %q", d.cfg.Coordination.ForwardShutdownConfig, reason)
-		"sudo /usr/local/bin/hecate shutdown --config %q --execute --reason %q",
+	if d.cfg.Shutdown.EmergencySkipEtcd {
-		d.cfg.Coordination.ForwardShutdownConfig,
+		remoteCmd += " --skip-etcd-snapshot"
-		reason,
+	}
-	)
+	if d.cfg.Shutdown.EmergencySkipDrain {
 		remoteCmd += " --skip-drain"
 	}
 	host := d.cfg.Coordination.ForwardShutdownHost
 	if mapped, ok := d.cfg.SSHNodeHosts[host]; ok && strings.TrimSpace(mapped) != "" {
 		host = strings.TrimSpace(mapped)
--- a/internal/state/store.go
+++ b/internal/state/store.go
@ -167,17 +167,51 @@ func (s *Store) loadUnlocked() ([]RunRecord, error) {
 }
 func (s *Store) ShutdownP95(defaultSeconds int) int {
 	return s.shutdownP95(defaultSeconds, 1, nil)
 }
 func (s *Store) ShutdownP95WithMinSamples(defaultSeconds int, minSamples int) int {
 	return s.shutdownP95(defaultSeconds, minSamples, nil)
 }
 func (s *Store) ShutdownP95ByReasonPrefix(defaultSeconds int, minSamples int, reasonPrefixes []string) int {
 	return s.shutdownP95(defaultSeconds, minSamples, reasonPrefixes)
 }
 func (s *Store) shutdownP95(defaultSeconds int, minSamples int, reasonPrefixes []string) int {
 	if minSamples <= 0 {
 		minSamples = 1
 	}
 	records, err := s.Load()
 	if err != nil {
 		return defaultSeconds
 	}
 	var d []int
 	filteredPrefixes := make([]string, 0, len(reasonPrefixes))
 	for _, prefix := range reasonPrefixes {
 		p := strings.ToLower(strings.TrimSpace(prefix))
 		if p != "" {
 			filteredPrefixes = append(filteredPrefixes, p)
 		}
 	}
 	matchesPrefix := func(reason string) bool {
 		if len(filteredPrefixes) == 0 {
 			return true
 		}
 		r := strings.ToLower(strings.TrimSpace(reason))
 		for _, prefix := range filteredPrefixes {
 			if strings.HasPrefix(r, prefix) {
 				return true
 			}
 		}
 		return false
 	}
 	for _, r := range records {
-		if r.Action == "shutdown" && r.Success && r.DurationSeconds > 0 {
+		if r.Action == "shutdown" && r.Success && r.DurationSeconds > 0 && matchesPrefix(r.Reason) {
 			d = append(d, r.DurationSeconds)
 		}
 	}
-	if len(d) == 0 {
+	if len(d) < minSamples {
 		return defaultSeconds
 	}
 	sort.Ints(d)
--- a/internal/state/store_test.go
+++ b/internal/state/store_test.go
@ -1,11 +1,13 @@
 package state
 import (
 	"encoding/json"
 	"os"
 	"path/filepath"
 	"strconv"
 	"strings"
 	"testing"
 	"time"
 )
 func TestAcquireLockLifecycle(t *testing.T) {
@ -85,3 +87,76 @@ func TestStoreLoadAutoHealsCorruptJSON(t *testing.T) {
 		t.Fatalf("expected 1 backup file, got %d (%v)", len(matches), matches)
 	}
 }
 func TestShutdownP95WithMinSamplesFallsBackWhenHistorySparse(t *testing.T) {
 	p := filepath.Join(t.TempDir(), "runs.json")
 	records := []RunRecord{
 		{
 			ID:              "shutdown-1",
 			Action:          "shutdown",
 			Reason:          "manual",
 			StartedAt:       time.Now().UTC(),
 			EndedAt:         time.Now().UTC(),
 			DurationSeconds: 45,
 			Success:         true,
 		},
 	}
 	b, err := json.Marshal(records)
 	if err != nil {
 		t.Fatalf("marshal records: %v", err)
 	}
 	if err := os.WriteFile(p, b, 0o640); err != nil {
 		t.Fatalf("write records: %v", err)
 	}
 	got := New(p).ShutdownP95WithMinSamples(300, 3)
 	if got != 300 {
 		t.Fatalf("expected fallback default 300 with sparse history, got %d", got)
 	}
 }
 func TestShutdownP95ByReasonPrefixFiltersSamples(t *testing.T) {
 	p := filepath.Join(t.TempDir(), "runs.json")
 	now := time.Now().UTC()
 	records := []RunRecord{
 		{
 			ID:              "shutdown-1",
 			Action:          "shutdown",
 			Reason:          "ups-threshold target=Pyrphoros",
 			StartedAt:       now,
 			EndedAt:         now,
 			DurationSeconds: 180,
 			Success:         true,
 		},
 		{
 			ID:              "shutdown-2",
 			Action:          "shutdown",
 			Reason:          "ups-threshold target=Pyrphoros",
 			StartedAt:       now,
 			EndedAt:         now,
 			DurationSeconds: 220,
 			Success:         true,
 		},
 		{
 			ID:              "shutdown-3",
 			Action:          "shutdown",
 			Reason:          "manual-maintenance",
 			StartedAt:       now,
 			EndedAt:         now,
 			DurationSeconds: 1200,
 			Success:         true,
 		},
 	}
 	b, err := json.Marshal(records)
 	if err != nil {
 		t.Fatalf("marshal records: %v", err)
 	}
 	if err := os.WriteFile(p, b, 0o640); err != nil {
 		t.Fatalf("write records: %v", err)
 	}
 	got := New(p).ShutdownP95ByReasonPrefix(420, 2, []string{"ups-"})
 	if got != 220 {
 		t.Fatalf("expected filtered p95 of 220, got %d", got)
 	}
 }