controller: extend flow lease scope to fix orphaned queues #1982

[LukeAVanDrie]

What type of PR is this?
/kind bug

What this PR does / why we need it:

This PR fixes a race condition (Issue #1982) where the Flow Registry Garbage Collector could delete a Flow while it still had active requests waiting in a queue.

The Bug

Previously, EnqueueAndWait only acquired a Registry lease during the distribution phase (selecting a shard). Once the request was submitted to a shard's queue, the lease was released. In scenarios like "Scale from Zero," where requests sit in queues for longer than FlowGCTimeout without new incoming traffic, the Registry would see the flow as "Idle" (0 leases) and delete it. This orphaned the queues, causing requests to time out silently.

The Fix

We now extend the scope of WithConnection to cover the entire request lifecycle, from distribution until finalization (dispatch or timeout).

• The flow remains "pinned" in memory as long as at least one request is active or queued.
• The GC will correctly skip these flows during its sweep phase.

Safety Note
This change is only safe because of PR #2127 (Optimistic Concurrency).

• Old Behavior (Mutex): Holding a lease for minutes would have blocked the GC's Write Lock, which would have blocked all subsequent Read Locks, causing a total DoS on the system.
• New Behavior (Atomic): We can hold the lease indefinitely. The GC simply sees leaseCount > 0 via an atomic load and skips the flow without blocking.

Which issue(s) this PR fixes:
Fixes #1982

Reviewer Notes:

• This PR must not be merged until PR registry: switch to fine-grained leasing for flow lifecycle #2127 is merged.
• Interface Change: Added FlowKey() to the ActiveFlowConnection contract. While not strictly necessary, this allows us to pass just the connection object down the stack, enforcing encapsulation.
• Testing: Added Regression_LeaseHeldDuringQueueing to controller_test.go, which uses channels to deterministically prove the lease is not released while the processor is blocked.

Does this PR introduce a user-facing change?:

Fixed a bug where flows could be garbage collected while requests were still queued during long wait times with no new traffic (e.g., scale-from-zero).

/hold
Waiting for PR #2127

[k8s-ci-robot]

Hi @LukeAVanDrie. Thanks for your PR.

I'm waiting for a kubernetes-sigs member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[netlify]

✅ Deploy Preview for gateway-api-inference-extension ready!

Name	Link
🔨 Latest commit	583dc10
🔍 Latest deploy log	https://app.netlify.com/projects/gateway-api-inference-extension/deploys/696ac3a629c6f60008018572
😎 Deploy Preview	https://deploy-preview-2131--gateway-api-inference-extension.netlify.app
📱 Preview on mobile	Toggle QR Code... Use your smartphone camera to open QR code link.

---

To edit notification comments on pull requests, go to your Netlify project configuration.

[LukeAVanDrie]

The diff for EnqueueAndWait looks massive, but this is mostly due to indentation changes. I wrapped the existing distribution loop inside the WithConnection closure to extend the lease scope. Would recommend reviewing this with "Hide Whitespace" enabled.

[LukeAVanDrie]

/cc @aishukamal

[k8s-ci-robot]

@LukeAVanDrie: GitHub didn't allow me to request PR reviews from the following users: aishukamal.

Note that only kubernetes-sigs members and repo collaborators can review this PR, and authors cannot review their own PRs.

Details

In response to this:

/cc @aishukamal

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[ahg-g]

/ok-to-test

[LukeAVanDrie]

@ahg-g These test will probably fail (deadlock) until #2127 is merged. That's expected as #2127 is a prerequisite (just with no conflicting code overlap).

[LukeAVanDrie]

@ahg-g These test will probably fail (deadlock) until #2127 is merged. That's expected as #2127 is a prerequisite (just with no conflicting code overlap).

This is ready for review now that #2127 is merged.

[LukeAVanDrie]

/remove-hold

[ahg-g]

Should we initialize this?

[LukeAVanDrie]

It initializes by default (it's an iota) to the semantically correct value, so this should be safe.

// QueueOutcome represents the high-level final state of a request's lifecycle within the `controller.FlowController`.
//
// It is returned by `FlowController.EnqueueAndWait()` along with a corresponding error. This enum is designed to be a
// low-cardinality label ideal for metrics, while the error provides fine-grained details for non-dispatched outcomes.
type QueueOutcome int

const (
	// QueueOutcomeNotYetFinalized indicates the request has not yet been finalized by the `controller.FlowController`.
	// This is an internal default value and should never be returned by `FlowController.EnqueueAndWait()`.
	QueueOutcomeNotYetFinalized QueueOutcome = iota
	...
)
...

[ahg-g]

/lgtm
/approve

[k8s-ci-robot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ahg-g, LukeAVanDrie

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [ahg-g]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment