fix: harden ingesting autoscalers around task-count boundaries

[Fly-Style]

This PR:

• fix lag-based autoscaler by using taskCount from ioConfig for scale action calculations instead of activeTaskGroups;
• hardens seekable-stream autoscalers when a supervisor is configured with a handwritten taskCount outside the allowed bounds. For both cost-based and lag-based autoscalers, if the current taskCount is below taskCountMin or above taskCountMax, the scaler now returns the nearest valid boundary instead of using the out-of-range value as the scaling baseline. This keeps supervisors within configured limits and avoids inconsistent scaling decisions.

This PR has:

• been self-reviewed.
• a release note entry in the PR description.
• added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
• added unit tests or modified existing tests to cover new code paths, ensuring the threshold for code coverage is met.

[amaechler]

🐻

[Fly-Style]

cc @zhangyue19921010

[jtuglu1]

Do we want to respect this isScaleActionAllowed if we're violating min/max task count bounds?

[Fly-Style]

That's a tricky thing, but my take here is -- eventually we will scale (and by eventually I mean - within minTriggerScaleActionFrequencyMillis ms), and it might be harmful to scale immediately.

I don't have a strong opinion here, I am open to remove isScaleActionAllowed() from the condition.

[jtuglu1]

I think we can leave this as-is for now, maybe add a comment explaining the decision?

[jtuglu1]

nit: use currentTaskCount

[Fly-Style]

Good catch! It is cleaner.

[jtuglu1]

nit: Either mock computeOptimalTaskCount to return a value different from the clamped value (e.g. mock it to return -1 or taskCountMin - 1) and assert the boundary is returned, or use verify(autoScaler, never()).computeOptimalTaskCount(any()) to confirm the early-return path was taken.

[jtuglu1]

Let's mark with the proper @VisibleForTests annotation

[jtuglu1]

Don't we want to set: lastScaleActionTimeMillis = DateTimes.nowUtc().getMillis();?

[Fly-Style]

Sure!

[cryptoe]

We donot need to change this no?
We can still reference the activeTaskGroupCount and start clamping things below ?

[Fly-Style]

I am still sure that is the correct approach - autoscaler explicitly changes taskCount and operates with different task counts configurations.

Anyway, my aim of changing this was not only the change itself, but also to born discussion.
@jtuglu1 WDYT regarding changing that?

[jtuglu1]

I am still sure that is the correct approach - autoscaler explicitly changes taskCount and operates with different task counts configurations.

I'm fine with this switch.

I'm generally for using more static static configs when doing any kind of algorithm as it helps reduce chance of races, increases determinism/debuggability, etc. I would imagine in some cases there can be lots of skew between supervisor.getActiveTaskGroupsCount() and supervisor.getIoConfig().getTaskCount(), for example during roll-over. In other words, I'm fine with reading a potentially slightly stale value as long as it's generally consistent with the current world view.

[jtuglu1]

I think we should try and move this min/max hit emission logic out of a specific auto-scaler implementation, and into the generic DynamicScaleActionNotice logic. All an auto-scaler implementation should do is tell what task count it recommends for a given supervisor. The supervisor has min/max task count configs, and should IMO attempt to apply the auto-scaler recommendation. This way, we don't need to keep worrying about maintaining observability parity between the auto-scaler implementations.

[Fly-Style]

File an issue for that please, personally I do not have a time right now to resolve that issue, but that absolutely makes sense!

[jtuglu1]

In that case, can we emit metrics on the cost-based auto-scaler when we are capped by min/max? To keep consistent with lag-based auto-scaler? These metrics are useful for operators who may have automated mechanisms to go and, say, bump the max task count.

[Fly-Style]

Will do! Thanks!

[jtuglu1]

nit: Configs.valueOrDefault

[jtuglu1]

nit: let's include what we're scaling to. The other messages do.

[jtuglu1]

Do we want to make sure we are not bounding if task count count min, say, if we don't have metrics temporarily (return -1 in computeOptimalTaskCount). Right now, I think we can trigger this condition if we're not checking for a non-negative.

[Fly-Style]

Basically, in the code path when you're not having metrics you won't trigger it. See:

You compute final int optimalTaskCount = computeOptimalTaskCount(lastKnownMetrics);
and touch this value outside code path when
if (isScaleActionAllowed() && isTaskCountOutOfBounds) condition was checked.

If this ^^^ condition works, the rest of the code path includes returning taskCount from the method.

[jtuglu1]

Will we still emit metrics for hitting minimum in that case?

Consider optimalTaskCount == -1 (no metrics case) and we cannot scale due to isScaleActionAllowed() == false. Wouldn't we hit this line? IMO, it would be cleaner to handle the -1 case separately.

[Fly-Style]

Ah, fair, but why I did it: we're emitting min/max with scalingSkipReason dimension ... so it explicitly means 'no scaling was performed'.

[jtuglu1]

This is kind of the reason I want to move this min/max check stuff into the shared code at some point so implementors don't need to care about this stuff (just emit the task count and let supervisor logic handle it). But, for now, I think we can just handle this -1 case separately.

[jtuglu1]

Ah, fair, but why I did it: we're emitting min/max with scalingSkipReason dimension ... so it explicitly means 'no scaling was performed'.

Yes but the metric is a different meaning here. IMO, we should not be emitting a metric if we explicitly don't want to scale/don't want to make a decision on scaling. The metric being emitted means we wanted to scale up/down to some value that's outside the bounds of our spec. The value being -1 implies something else.

[Fly-Style]

The metric being emitted means we wanted to scale up/down to some value that's outside the bounds of our spec.

That won't happen in the case of CBA, the algorithm has hard limitation of picking potential values only within bounds.

[jtuglu1]

Ok, nevertheless, I'd still prefer to be defensive here and not assume anything about the future behavior of the algorithm or its outputs. IMO treating the scaling algorithm as a blackbox allows us to be more safe and provides a correctness layer against other bugs.

[jtuglu1]

LGTM after CI passes. I think the comments RE not making assumptions about what the algorithm will return will make it easier to port the min/max bounds checking + metric emission logic to a shared piece of code later on (as well as defend against bugs/incorrect assumptions). They also help with readability (either assumptions explicitly documented or logical guards against stuff like -1 help the reader understand the code).