refactor(registry): Replace event-driven GC with a lease-based lifecycle #1476

LukeAVanDrie · 2025-08-27T01:38:25Z

What type of PR is this?

/kind cleanup

What this PR does / why we need it:

This PR introduces a major architectural refactoring of the flow registry. It replaces the complex, event-driven, actor-model-based garbage collection with a simpler and more performant lease-based lifecycle model.

The primary motivation is to enhance correctness, improve performance by removing global lock contention, and provide a safer, leak-proof client API.

Architectural Changes:

This refactoring touches every part of the registry. To help with the review, here is a high-level overview of the "before" and "after" states:

Previous Architecture (Event-Driven Actor Model)

Lifecycle: Flows were manually registered via RegisterOrUpdateFlow. Their lifecycle was tracked via an eventually consistent cache (flowState) that was updated by asynchronous signals (BecameEmpty, BecameNonEmpty) sent from each managedQueue over a buffered channel.
Concurrency: A central Run loop acted as a serialized actor, processing all events to prevent race conditions in the control plane.
Garbage Collection: A generational "Trust but Verify" GC algorithm ran periodically. The "Verify" step required a "stop-the-world" pause, acquiring a write lock on all shards simultaneously to get a consistent view of queue lengths. This introduced global lock contention that would impact P99 latency at scale.

New Architecture (Lease-Based Lifecycle)

Lifecycle: The new WithConnection API is the sole entry point to the data path. It handles Just-In-Time (JIT) registration of flows and manages their lifecycle via a lease. A flow is considered "Active" as long as it has one or more active leases.
Concurrency: The complex actor model is gone. Concurrency is now managed with a multi-layered strategy:
1. A sync.Map for highly-concurrent lookups of flow states.
2. An atomic.Int64 (leaseCount) on each flow for lock-free reference counting.
3. A per-flow sync.RWMutex (gcLock) that provides surgical locking, arbitrating between active connections (read lock) and the garbage collector (write lock) for a single flow without impacting any other flows.
Garbage Collection: The GC is now a simple, periodic scanner. It identifies flows where leaseCount is zero and an idleness timer has expired. The "stop-the-world" pause is completely eliminated.

Key Benefits:

Performance: Eliminates the global "stop-the-world" GC pause, drastically reducing lock contention and improving scalability and P99 latency.
Correctness & Simplicity: Removes the complex, event-driven state machine, which was difficult to reason about and prone to subtle race conditions (e.g., dropped or out-of-order events). The new lease-counting model is simpler and more robust.
API Safety: The WithConnection callback pattern makes resource leaks impossible from the client's perspective, as the lease is guaranteed to be released.

Suggested Review Plan:

This is a large change, but it has been structured into a series of logical commits to make the review easier. I recommend reviewing this PR commit-by-commit:

refactor: Reorder methods for logical grouping
- This is a no-op commit that just reorganizes the code in registry.go for better readability. You can scan and approve this one quickly.
refactor: Simplify managedQueue to a decorator
- Focuses on the lowest-level component. You'll see the signaling logic is completely removed, simplifying its responsibility.
refactor: Adapt shard to to new managedQueue contract
- Shows the impact on the registryShard, which no longer needs to handle signals from its queues.
feat: Replace event lifecycle with leases
- This is the heart of the PR. It introduces the WithConnection API, the new flowState with its gcLock, and replaces the entire GC and administrative logic.
test: Overhaul tests for new lease-based design
- This final commit updates all tests to validate the new reality. You'll notice the tests are now simpler and more focused, especially for registry_test.go, which now uses a fake clock for deterministic lifecycle testing.

Which issue(s) this PR fixes:

Tracks #674

Does this PR introduce a user-facing change?:

NONE

Reorganizes the methods in `registry.go` to improve readability and group related functionality. Public API methods are placed first, followed by administrative helpers, GC logic, and finally callbacks and statistics propagation. This is to minimize the delta for subsequent changes. No logical changes are included in this commit.

Removes the complex, stateful signaling mechanism from the `managedQueue`. Its sole responsibility is now to decorate a `SafeQueue` with atomic, strictly consistent statistics tracking. This change is the foundational first step in moving the registry from a complex, event-driven lifecycle model to a simpler, lease-based one. The now-unused event and lifecycle types are also removed.

Updates the `registryShard` to work with the new, signal-free `managedQueue`. The shard's responsibility is simplified; it no longer needs to handle or propagate lifecycle signals from its queues. Its draining logic is now based on directly checking its aggregate length, removing the need for the `BecameDrained` signal.

Replaces the registry's core lifecycle management system. The complex, event-driven, actor-based model is removed in favor of a simpler and more performant lease-based lifecycle. This commit introduces: - A new `WithConnection` client API that provides a safe, leak-proof entry point for managing flow leases via reference counting. - A per-flow `RWMutex` to provide fine-grained locking, allowing the garbage collector to operate on one flow without blocking others. - A simplified GC that periodically scans for flows with a zero lease count. Simultaneously, this commit removes the old machinery: - The central event-processing loop (`Run` is now just for GC). - The `RegisterOrUpdateFlow` administrative method. - The entire signaling and event-handling subsystem.

Updates all tests in the registry package to align with the new lease-based API and simplified component responsibilities. - `managedqueue_test` is rewritten to focus on stats propagation and invariants, removing all signal testing. - `shard_test` is updated to reflect its simpler role and new draining logic. - `registry_test` is completely overhauled to test the `WithConnection` API, JIT registration, and the new lease-based GC logic, using a fake clock for deterministic lifecycle testing.

k8s-ci-robot · 2025-08-27T01:38:35Z

Hi @LukeAVanDrie. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

netlify · 2025-08-27T01:39:06Z

✅ Deploy Preview for gateway-api-inference-extension ready!

Name	Link
🔨 Latest commit	`da9490d`
🔍 Latest deploy log	https://app.netlify.com/projects/gateway-api-inference-extension/deploys/68ae6194a4bd010008255a29
😎 Deploy Preview	https://deploy-preview-1476--gateway-api-inference-extension.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

LukeAVanDrie · 2025-08-27T01:40:55Z

pkg/epp/flowcontrol/contracts/errors.go

 	// ErrInvalidShardCount indicates that an invalid shard count was provided (e.g., zero or negative).
 	ErrInvalidShardCount = errors.New("invalid shard count")
+
+	// ErrShardDraining indicates that an operation could not be completed because the target shard is in the process of


This becomes the responsibility of the controller.FlowController which distributes requests across workers.

LukeAVanDrie · 2025-08-27T01:42:57Z

pkg/epp/flowcontrol/registry/managedqueue.go

-	// mu protects all mutating operations (writes) on the queue. It ensures that the underlying queue's state and the
-	// atomic counters are updated atomically. Read operations (like `Peek`) do not acquire this lock.
-	mu sync.Mutex
+	// --- Immutable Identity & Dependencies (set at construction) ---


Simply regrouped to better align with the concurrency model. No major changes here except flattening/renaming onStatsDelta from the now removed managedQueueCallbacks and adding isDraining.

LukeAVanDrie · 2025-08-27T01:43:56Z

pkg/epp/flowcontrol/registry/shard.go

-	// It is stored as an `int32` for atomic operations.
-	status atomic.Int32 // `componentStatus`
+	// onStatsDelta is the callback used to propagate statistics changes up to the parent registry.
+	onStatsDelta propagateStatsDeltaFunc


Flattened (and renamed) from the now-removed parentCallbacks.

LukeAVanDrie · 2025-08-27T01:44:30Z

pkg/epp/flowcontrol/registry/shard.go


-	// mu protects the shard's internal maps (`priorityBands`).
+	// mu protects the shard's internal topology (`priorityBands`) and `config`.
+	// TODO: This is a priority inversion issue. Administrative operations (e.g., GC) for a low-priority flow block all


Will tackle this in a fast-followup PR once the flow control system is wired up and benchmarked.

A per band lock makes sense, but it is not clear to me if this should be a "fast" follow; once we have the system working end-to-end, I recommend listing all followup items and then prioritize them.

LukeAVanDrie · 2025-08-27T01:49:38Z

pkg/epp/flowcontrol/contracts/registry.go

+	//
+	// Errors returned by the callback `fn` are propagated up.
+	// Returns `ErrFlowIDEmpty` if the provided key has an empty ID.
+	WithConnection(key types.FlowKey, fn func(conn ActiveFlowConnection) error) error


The alternative here is:

FlowRegistryClient.Connect with a corresponding ActiveFlowConnection.Close. The functional approach is leak proof and more architecturally sound, but I am open to feedback here. Connect/Close also works just fine with the flow control synchronous blocking model.

e.g.,

FlowController.EnqueueAndWait(...) (...) { conn := fc.registryClient.Connect(req.FlowKey()) defer conn.Close() // ... rest of logic proceeds as normal }

Also, this method should eventually accept and respect caller context. I am not doing this in this PR as this will need to be done comprehensively across the flow control module contracts. As of right now, none of our function have unbounded blocking, so this is more for contract hardening and tracing than correctness at the moment.

I will do this in a separate PR.

LukeAVanDrie · 2025-08-27T01:51:06Z

pkg/epp/flowcontrol/registry/connection.go

This can simply be in registry.go, but I plan on expanding the set of functionality exposed from ActiveConnection, and I want to keep registry.go lean. I don't have a strong opinion here though. We should do whatever is best for readability / maintainability.

LukeAVanDrie · 2025-08-27T01:52:25Z

pkg/epp/flowcontrol/registry/doc.go

Dramatically shortened for doc maintainability (plus a lot of it became obsolete with the new lease-based model). Following principle of first disclosure by moving details closer to the relevant types.

LukeAVanDrie · 2025-08-27T01:53:26Z

pkg/epp/flowcontrol/registry/flowstate.go

Slightly modified and rolled into registry.go as it no longer has a role as an eventually consistent cache.

LukeAVanDrie · 2025-08-27T01:54:11Z