clean up orphans on scale-out

If a droplet is created by the autoscaler, but it fails to
register with nomad as a client, it should be considered
an orphan and deleted.

Add a configuration setting to control this behaviour. Only
droplets with the "name" tag which were not recently created
will be considered for deletion.

Author: nicois

README.md

@@ -35,6 +35,7 @@ check "hashistack-allocated-cpu" {
   # ...
   target "do-droplets" {
     create_reserved_addresses                    = "true"
+    init_grace_period                            = "10m"
     ipv6                                         = "true"
     name                                         = "hashi-worker"
     node_class                                   = "hashistack"
@@ -56,6 +57,8 @@ check "hashistack-allocated-cpu" {
 
 - `name` `(string: <required>)` - A logical name of a Droplet "group". Every managed Droplet will be tagged with this value and its name is this value with a random suffix
 
+- `init_grace_period` `(duration: "0m")` Any droplets tagged with the `name` value which are older than this duration and still not recognised as a nomad client are considered to be orphans, and will be deleted at a subsequent scale-in event. Setting this to zero will disable this feature.
+
 - `region` `(string: <required>)` - The region to start in.
 
 - `vpc_uuid` `(string: <required>)` - The ID of the VPC where the Droplet will be located.

demo/jobs/templates/autoscaler.nomad

@@ -11,7 +11,7 @@ job "autoscaler" {
       driver = "docker"
 
       artifact {
-        source      = "https://github.com/Aiven-Open/nomad-droplets-autoscaler/releases/download/v0.0.25/nomad-droplets-autoscaler_Linux_x86_64.tar.gz"
+        source      = "https://github.com/Aiven-Open/nomad-droplets-autoscaler/releases/download/v0.1.9/nomad-droplets-autoscaler_Linux_x86_64.tar.gz"
         destination = "local/plugins/"
       }
 
@@ -87,21 +87,20 @@ scaling "batch" {
     }
 
     target "do-droplets" {
-      name = "hashi-batch"
-      region = "${region}"
-      size = "s-1vcpu-1gb"
-      snapshot_id = ${snapshot_id}
-      user_data = "local/batch-startup.sh"
-      tags = "hashi-stack"
-
-      datacenter             = "batch_workers"
-      node_drain_deadline    = "1h"
-      node_selector_strategy = "empty_ignore_system"
-
-      reserve_ipv4_addresses = "false"
-      reserve_ipv6_addresses = "false"
-      ipv6 = "true"
       create_reserved_addresses = "false"
+      datacenter                = "batch_workers"
+      init_grace_period         = "10m"
+      ipv6                      = "true"
+      name                      = "hashi-batch"
+      node_drain_deadline       = "1h"
+      node_selector_strategy    = "empty_ignore_system"
+      region                    = "${region}"
+      reserve_ipv4_addresses    = "false"
+      reserve_ipv6_addresses    = "false"
+      size                      = "s-1vcpu-1gb"
+      snapshot_id               = ${snapshot_id}
+      tags                      = "hashi-stack"
+      user_data                 = "local/batch-startup.sh"
     }
   }
 }
@@ -157,6 +156,8 @@ server:
   http_listen_port: {{ env "NOMAD_PORT_promtail" }}
   grpc_listen_port: 0
 
+log_level: "DEBUG"
+
 positions:
   filename: /tmp/positions.yaml
 

go.mod

@@ -8,6 +8,7 @@ require (
 	github.com/goccy/go-yaml v1.18.0
 	github.com/google/uuid v1.6.0
 	github.com/hashicorp/go-hclog v1.6.3
+	github.com/hashicorp/golang-lru/v2 v2.0.7
 	github.com/hashicorp/nomad-autoscaler v0.4.7
 	github.com/hashicorp/nomad/api v0.0.0-20250721135329-36b4aa79df33
 	github.com/hashicorp/vault-client-go v0.4.3

go.sum

@@ -58,6 +58,8 @@ github.com/hashicorp/go-rootcerts v1.0.2 h1:jzhAVGtqPKbwpyCPELlgNWhE1znq+qwJtW5O
 github.com/hashicorp/go-rootcerts v1.0.2/go.mod h1:pqUvnprVnM5bf7AOirdbb01K4ccR319Vf4pU3K5EGc8=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2 h1:kes8mmyCpxJsI7FTwtzRqEy9CdjCtrXrXGuOpxEA7Ts=
 github.com/hashicorp/go-secure-stdlib/strutil v0.1.2/go.mod h1:Gou2R9+il93BqX25LAKCLuM+y9U2T4hlwvT1yprcna4=
+github.com/hashicorp/golang-lru/v2 v2.0.7 h1:a+bsQ5rvGLjzHuww6tVxozPZFVghXaHOwFs4luLUK2k=
+github.com/hashicorp/golang-lru/v2 v2.0.7/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
 github.com/hashicorp/hcl/v2 v2.23.0 h1:Fphj1/gCylPxHutVSEOf2fBOh1VE4AuLV7+kbJf3qos=
 github.com/hashicorp/hcl/v2 v2.23.0/go.mod h1:62ZYHrXgPoX8xBnzl8QzbWq4dyDsDtfCRgIq1rbJEvA=
 github.com/hashicorp/nomad-autoscaler v0.4.7 h1:rjWGNeTdVJBo/iSrf+Oc4ecbFRas7vZrYl5CJ68X2lw=

plugin/digitalocean.go

@@ -14,6 +14,7 @@ import (
 	"github.com/digitalocean/godo"
 	"github.com/google/uuid"
 	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/nomad-autoscaler/sdk/helper/nomad"
 	"github.com/hashicorp/nomad/api"
 )
 
@@ -24,6 +25,7 @@ const (
 
 type dropletTemplate struct {
 	createReservedAddresses     bool
+	initGracePeriod             time.Duration
 	ipv6                        bool
 	name                        string
 	region                      string
@@ -42,6 +44,8 @@ type dropletTemplate struct {
 	vpc                         string
 }
 
+type DropletIDs map[int]struct{}
+
 func (t *TargetPlugin) scaleOut(
 	ctx context.Context,
 	desired, diff int64,
@@ -52,8 +56,6 @@ func (t *TargetPlugin) scaleOut(
 
 	log.Debug("creating DigitalOcean droplets", "template", fmt.Sprintf("%+v", template))
 
-	ctx, cancel := context.WithCancelCause(ctx)
-	defer cancel(nil)
 	wg := &sync.WaitGroup{}
 	var prereservedIPV4s []string
 	var prereservedIPV6s []string
@@ -189,10 +191,22 @@ func (t *TargetPlugin) scaleOut(
 		wg.Wait()
 		close(errorChannel)
 	}()
+
 	errorList := make([]error, 0)
 	for err := range errorChannel {
 		errorList = append(errorList, err)
 	}
+
+	// Regardless of whether there were failures, schedule an orphaned-droplet check
+	if template.initGracePeriod > time.Second {
+		// Wait until enough time has passed so that if the newly-created droplet(s) are not yet
+		// participating in the nomad cluster, they will be considered orphaned.
+		// Add a minute to the grace period to allow for minor time disparities between
+		// the autoscaler clock and the droplets' creation times.
+		delay := template.initGracePeriod + time.Minute
+		go deleteOrphanedDroplets(ctx, t.logger, t.client.Droplets(), t.getReadyNomadClients, template, delay)
+	}
+
 	if len(errorList) > 0 {
 		return errors.Join(errorList...)
 	}
@@ -208,6 +222,119 @@ func (t *TargetPlugin) scaleOut(
 	return nil
 }
 
+// deleteOrphanedDroplets will destroy any droplets which are not whitelisted,
+// but only if they have the tag shared by all droplets managed by the autoscaler,
+// and which were not recently created.
+// whitelistGenerator: provides a set of droplet IDs which are expected; any other
+// droplets will be assessed and potentially deleted.
+// delay: the time to wait before looking for orphans
+func deleteOrphanedDroplets(ctx context.Context,
+	logger hclog.Logger,
+	dropletsService Droplets,
+	whitelistGenerator func(ctx context.Context) (DropletIDs, error),
+	template *dropletTemplate,
+	delay time.Duration,
+) {
+	if err := Sleep(ctx, delay); err != nil {
+		logger.Info("context was cancelled, so not checking for orphaned droplets")
+		return
+	}
+
+	whitelist, err := whitelistGenerator(ctx)
+	if err != nil {
+		logger.Error("cannot determine which droplets are whitelisted: %w", err)
+		return
+	}
+	logger.Info("checking for orphaned droplets", "whitelist size", len(whitelist))
+	for droplet, err := range Unpaginate(ctx, Unarg(dropletsService.ListByTag, template.name), godo.ListOptions{}) {
+		if err != nil {
+			logger.Error("cannot retrieve droplets", "error", err)
+			return
+		}
+		// This could be done in parallel, but shouldn't be necessary
+		if _, exists := whitelist[droplet.ID]; exists {
+			logger.Debug("droplet is a nomad client, so not considering an orphan", "droplet ID", droplet.ID)
+		} else {
+			dt, err := time.Parse(time.RFC3339, droplet.Created)
+			if err != nil {
+				logger.Error("cannot parse droplet creation time. Not treating as an orphan", "error", err, "droplet ID", droplet.ID)
+				continue
+			}
+			if time.Since(dt) < template.initGracePeriod {
+				logger.Debug("Droplet was very recently created. Not treating as an orphan", "droplet ID", droplet.ID)
+				continue
+			}
+
+			if _, err := dropletsService.Delete(ctx, droplet.ID); err == nil {
+				logger.Info("deleted orphaned droplet", "droplet ID", droplet.ID)
+			} else {
+				logger.Error("cannot delete droplet", "error", err, "droplet ID", droplet.ID)
+			}
+		}
+	}
+	logger.Debug("finished checking for orphaned droplets")
+}
+
+// getReadyNomadClients returns a set of droplet IDs
+// where the nomad client is running and has "ready" status.
+func (t *TargetPlugin) getReadyNomadClients(ctx context.Context) (DropletIDs, error) {
+	result := make(DropletIDs)
+	cfg := nomad.ConfigFromNamespacedMap(t.config)
+	client, err := api.NewClient(cfg)
+	if err != nil {
+		return nil, fmt.Errorf("failed to instantiate Nomad client: %v", err)
+	}
+	nodes, _, err := client.Nodes().List(&api.QueryOptions{Params: map[string]string{"resources": "true"}})
+	if err != nil {
+		return nil, fmt.Errorf("failed to list Nomad nodes from API: %v", err)
+	}
+
+	q := api.QueryOptions{
+		AllowStale: true,
+	}
+	for _, node := range nodes {
+		// TODO: filter out nodes which are not part of our node pool.
+		// This is just an optimisation, as it's only droplets which aren't in any node pool
+		// which are susceptible to being considered orphans.
+
+		t.logger.Debug("found node",
+			"node_id", node.ID, "datacenter", node.Datacenter, "node_class", node.NodeClass, "node_pool", node.NodePool,
+			"status", node.Status, "eligibility", node.SchedulingEligibility, "draining", node.Drain, "all", fmt.Sprintf("%+v", node),
+		)
+		if node.Status != "ready" {
+			t.logger.Info("node is known as a nomad client but its status is not ready", "node ID", node.ID, "status", node.Status)
+			continue
+		}
+
+		if dropletID, exists := t.dropletMapping.Get(node.ID); exists {
+			// this node's droplet ID is already known, so include it
+			result[dropletID] = struct{}{}
+			continue
+		}
+
+		// The summary daa returned by client.Nodes() does not contain sufficient metadaa to determine
+		// the droplet ID; a follow-up call to `Info()` is required.
+		node, _, err := client.Nodes().Info(node.ID, &q)
+		if err != nil {
+			t.logger.Warn("cannot get node info", "node ID", node.ID, "err", err)
+			continue
+		}
+		dropletID, ok := node.Attributes["unique.platform.digitalocean.id"]
+		if !ok || dropletID == "" {
+			t.logger.Warn("cannot find droplet ID", "NodeID", node.ID, "attributes", node.Attributes, "node", fmt.Sprintf("%+v", node), "err", err)
+			continue
+		}
+		t.logger.Debug("Found droplet ID for node", "NodeID", node.ID, "droplet ID", dropletID)
+		numericID, err := strconv.Atoi(dropletID)
+		if err != nil {
+			return nil, fmt.Errorf("cannot convert %v to an integer: %w", dropletID, err)
+		}
+		result[numericID] = struct{}{}
+		t.dropletMapping.Add(node.ID, numericID)
+	}
+	return result, nil
+}
+
 func (t *TargetPlugin) scaleIn(
 	ctx context.Context,
 	desired, diff int64,
@@ -319,7 +446,7 @@ func (t *TargetPlugin) ensureDropletsAreStable(
 				cancel(err)
 				return err
 			} else {
-				return errors.New("waiting for droplets to become stable")
+				return fmt.Errorf("waiting for droplets to become stable. desired:%v active:%v", desired, active)
 			}
 		},
 	)

plugin/digitalocean_test.go

@@ -2,15 +2,54 @@ package plugin
 
 import (
 	"context"
+	"fmt"
 	"strings"
 	"testing"
 	"time"
 
+	"github.com/digitalocean/godo"
 	"github.com/google/uuid"
 	"github.com/hashicorp/go-hclog"
 	"github.com/stretchr/testify/require"
 )
 
+func TestDeleteDropletsWhenFailedToJoinNomadCluster(t *testing.T) {
+	ctx, cancel := context.WithTimeout(t.Context(), time.Second*5)
+	defer cancel()
+	mock := createMockGodo()
+
+	whitelist := make(DropletIDs)
+	dt := &dropletTemplate{name: "banana", initGracePeriod: 10 * time.Minute}
+
+	testCases := []struct {
+		age          time.Duration
+		whitelisted  bool
+		expectDelete bool
+	}{
+		{age: time.Second, whitelisted: false, expectDelete: false},
+		{age: time.Hour, whitelisted: true, expectDelete: false},
+		{age: time.Hour, whitelisted: false, expectDelete: true},
+	}
+
+	for _, tc := range testCases {
+		t.Run(fmt.Sprintf("%+v", tc), func(t *testing.T) {
+			droplet, _, err := mock.Droplets().Create(ctx, &godo.DropletCreateRequest{Region: "foo", Tags: []string{"banana"}})
+			require.NoError(t, err)
+			require.Contains(t, mock.droplets, droplet.ID)
+			droplet.Created = time.Now().Add(-tc.age).Format(time.RFC3339)
+			if tc.whitelisted {
+				whitelist[droplet.ID] = struct{}{}
+			}
+			deleteOrphanedDroplets(ctx, hclog.Default(), mock.Droplets(), func(ctx context.Context) (DropletIDs, error) { return whitelist, nil }, dt, 0)
+			if tc.expectDelete {
+				require.NotContains(t, mock.droplets, droplet.ID)
+			} else {
+				require.Contains(t, mock.droplets, droplet.ID)
+			}
+		})
+	}
+}
+
 func TestScaleOut(t *testing.T) {
 	ctx, cancel := context.WithTimeout(t.Context(), time.Second*5)
 	defer cancel()

plugin/godo_mock.go

@@ -196,6 +196,7 @@ func (m *mockDroplets) Create(
 		Tags:     req.Tags,
 		Status:   "active",
 		Networks: networks,
+		Created:  time.Now().Format(time.RFC3339),
 	}
 	m.mock.dropletUserData[droplet.ID] = req.UserData
 	m.mock.droplets[droplet.ID] = droplet