[clusteragent/autoscaling] Impose 100 DatadogPodAutoscaler limit in cluster agent

[jennchenn]

What does this PR do?

This PR introduces a max heap to keep track of DatadogPodAutoscaler objects that have been seen by the cluster agent, ordered by timestamp. When more than 100 DatadogPodAutoscaler objects are created, we set an error status to let the user know they have exceeded this limit.

Motivation

We only ingest the first 100 created DatadogPodAutoscaler objects. To make it clearer for the user why they are not seeing updates to their autoscaler object, this update sets an error status on the object.

Additional Notes

This limit is enforced in the backend already; this change just makes it clearer to the user why a DPA is not producing any scaling actions.

Possible Drawbacks / Trade-offs

Objects are added to max heap when there is a store update. To check if it is a valid DPA, we check that it exists inside the max heap. There can be delay in the error status update when:

• A new remote DatadogPodAutoscaler is created (it won't be added to the heap until creation timestamp is updated)
• We have 100 DPAs, and one is deleted -> the newly valid DPA will still report an error state until it is processed again

Describe how to test/QA your changes

Local

1. Create enough DPAs to hit the limit (default 100)
2. Create a new DPA; check that it gets updated with an error status: Autoscaler disabled as maximum number per cluster reached (100)
3. Delete one of the original 100 DPAs
4. Check that the new DPA gets updated to not be in error state

Remote
Repeat above steps, but create DPAs through the UI instead.

[agent-platform-auto-pr]

[Fast Unit Tests Report]

On pipeline 45778940 (CI Visibility). The following jobs did not run any unit tests:

Jobs:

• tests_flavor_dogstatsd_deb-x64
• tests_flavor_heroku_deb-x64
• tests_flavor_iot_deb-x64

If you modified Go files and expected unit tests to run in these jobs, please double check the job logs. If you think tests should have been executed reach out to #agent-devx-help

[pr-commenter]

Regression Detector

Regression Detector Results

Run ID: eb9049cb-460b-4911-80fe-0ced12c57bfe Metrics dashboard Target profiles

Baseline: 0123bf2
Comparison: 4a317d5

Performance changes are noted in the perf column of each table:

• ✅ = significantly better comparison variant performance
• ❌ = significantly worse comparison variant performance
• ➖ = no significant change in performance

No significant changes in experiment optimization goals

Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%

There were no significant changes in experiment optimization goals at this confidence level and effect size tolerance.

Fine details of change detection per experiment

perf	experiment	goal	Δ mean %	Δ mean % CI	trials	links
➖	idle_all_features	memory utilization	+0.50	[+0.43, +0.56]	1	Logs
➖	otel_to_otel_logs	ingress throughput	+0.49	[-0.32, +1.31]	1	Logs
➖	tcp_dd_logs_filter_exclude	ingress throughput	+0.00	[-0.01, +0.01]	1	Logs
➖	uds_dogstatsd_to_api	ingress throughput	-0.01	[-0.10, +0.08]	1	Logs
➖	tcp_syslog_to_blackhole	ingress throughput	-0.29	[-0.34, -0.24]	1	Logs
➖	file_tree	memory utilization	-0.30	[-0.38, -0.21]	1	Logs
➖	uds_dogstatsd_to_api_cpu	% cpu utilization	-0.53	[-1.27, +0.20]	1	Logs
➖	idle	memory utilization	-0.98	[-1.02, -0.94]	1	Logs
➖	basic_py_check	% cpu utilization	-1.02	[-3.70, +1.65]	1	Logs
➖	pycheck_lots_of_tags	% cpu utilization	-1.24	[-3.69, +1.21]	1	Logs

Bounds Checks

perf	experiment	bounds_check_name	replicates_passed
✅	idle	memory_usage	10/10

Explanation

A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".

For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:

1. Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.

2. Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.

3. Its configuration does not mark it "erratic".

[pr-commenter]

Test changes on VM

Use this command from test-infra-definitions to manually test this PR changes on a VM:

inv create-vm --pipeline-id=45778940 --os-family=ubuntu

Note: This applies to commit 4a317d5

[vboulineau]

That's not something generic to any controller, should not be part of the generic Controller. Generally speaking, it's an internal part of the controller and there's no probably no reason to take is as creation parameter.

[vboulineau]

Instead of having to track changes to Store, could be it registered as an observer?

[vboulineau]

HashHeap is currently not thread safe, which could become necessary if we have multiple workers or if we move the store to object locking.

[vboulineau]

I think we need to be a bit more explicit. You also don't need to put the key in the error message as it's already attached to the object itself.
Something like Autoscaler disabled as maximum number per cluster reached (100).

[vboulineau]

It'd be nice to not have the main logic in an else though it would require a to change a bit the code structure.

[jennchenn]

Makes sense, I can wait for the changes from #28723

datadog-agent/pkg/clusteragent/autoscaling/workload/controller.go

Lines 413 to 427 in f35a065

	func (c *Controller) updateAutoscalerStatusAndUnlock(ctx context.Context, key, ns, name string, err error, podAutoscalerInternal model.PodAutoscalerInternal, podAutoscaler *datadoghq.DatadogPodAutoscaler) error {
	// Update status based on latest state
	statusErr := c.updatePodAutoscalerStatus(ctx, podAutoscalerInternal, podAutoscaler)
	if statusErr != nil {
	log.Errorf("Failed to update status for PodAutoscaler: %s/%s, err: %v", ns, name, statusErr)
	// We want to return the status error if none to count in the requeue retries.
	if err == nil {
	err = statusErr
	}
	}
	c.store.UnlockSet(key, podAutoscalerInternal, c.ID)
	return err
	}

to be merged so I can make a status update and return early here

[vboulineau]

What happens when you passe zero time value? I believe it should not be inserted

[vboulineau]

You can add multiple objects with a single append:

f.InformerObjects = append(f.InformerObjects, dpa, dpa1)
f.Objects = append(f.Objects, dpaTyped, dpaTyped1)

[vboulineau]

The test is named CreateDelete but I don't see a test on the delete part? For instance removing dpa-1 should make dpa-2 eligible.

[vboulineau]

You also need a test on remote owner, which should have zero CreationTimestamp value first and then be created in Kubernetes and then get updated with Kubernetes creation timestamp

[vboulineau]

There's code missing to handle updating internal PodAutoscaler with creation timestamp from Kubernetes once the object has been created in Kubernetes.

[vboulineau]

nit: Is this change necessary?

[vboulineau]

nit: The variable name should match usage, in that probably something like limitHeap or countHeap.
Also the variable is more linked to the store and perhaps should be in the block just below store

[vboulineau]

It's not possible to pass obj in because it means you could modify an object silently, without holding the lock.

[vboulineau]

I suspect that you put that inside if podAutoscalerInternal.Generation() != podAutoscaler.Generation {, as we're interested in getting the creation timestamp only once (it won't be only once, but when there's a .Spec change, which should not happen frequently)

[vboulineau]

Thinking about this (not exactly related to this PR), I don't think we want to Error all DPA if we cannot get self pod name, we should probably just skip.

[vboulineau]

podAutoscalerInternal should have everything you need in a single object.

[vboulineau]

nit: It's more something like TestPodAutoscalerObjectsLimit than testing the heap itself.

[vboulineau]

Is there any reason why we requeue here? I'd not expect it to be necessary (similar to the Generation update).
nit: I'd move this code close the SetGeneration for consistency.

[jennchenn]

originally set it to requeue to trigger a store update earlier, and minimize the amount of time that a status may show an error state incorrectly (i.e. when the limit is not exceeded but the key hasn't yet been added to the heap because it had a zero creation timestamp). moved this and removed the requeue for now as well!

[vboulineau]

Good find! We need to check all usage of ObjectHash to make sure we do not have other issues.

[vboulineau]

Is it possible to reach this point while have a zero CreationTimestamp?

[jennchenn]

good point! i can update it to check if the value in the store is 0 if necessary but removed for now

[vboulineau]

nit: avoid duplication and set in dpa if gen > 0 (0 is not a valid value in existing object IIRC).

if gen > 0 {
  dpa.UID = ...
  dpa.Generation = gen
  dpa.CreationTimestamp = ...
}

[jennchenn]

/merge

[dd-devflow]

🚂 MergeQueue: pull request added to the queue

The median merge time in main is 24m.

Use /merge -c to cancel this operation!