[RayService] Rollback Support for Incremental Upgrades

[ryanaoleary]

Why are these changes needed?

Implement rollback support for the IncrementalUpgrade RayService feature.

Related issue number

#3209

Checks

• I've made sure the tests are passing.
• Testing Strategy
  • Unit tests
  • Manual tests
  • This PR is not tested :(

[ryanaoleary]

cc: @Future-Outlier the changes for full rollback support are just in this commit: f5d0243

[ryanaoleary]

cc: @Future-Outlier this is rebased on the latest changes now and should be good to review

[Future-Outlier]

cc @JiangJiaWei1103 to take a look too

[andrewsykim]

I had some nits about naming and terminology in the logs, but otherwise I think the logic seems fine. @Future-Outlier @rueian any concerns?

[andrewsykim]

I think the active / pending terminology will get confusing going forward, especially as we add rollback support. Do we use these terms in the APIs or only in the logs? If only in the logs we should consider changing the terminology in a future PR. Maybe next cluster and previous cluster might be easier to understand.

[ryanaoleary]

active and pending are used in the API in ActiveServiceStatus and PendingServiceStatus, so I used similar terminology when referring to the cluster that's being scaled for each service. Currently we only refer to the active/pending clusters in the comments/logs though so that should be fine to change to next cluster and previous cluster. Can follow-up in the next PR if needed

[andrewsykim]

cc @spencer-p for review as well since you've been thinking about Gateway integrations in KubeRay as well

[Future-Outlier]

1. I will come back to review this after kuberay 1.6 release
2. due to my personal bandwidth, I might don't have bandwidth review this now
3. if @andrewsykim and @rueian approve, I am ok to merge this
4. we will need to merge @JiangJiaWei1103 's e2e test for incremental upgrades before this get merged

[Future-Outlier]

We committed in the KubeRay community sync that the E2E tests must be merged before we can merge the incremental upgrade PR. I may not have communicated that clearly enough earlier. If Ryan and Jia-Wei’s E2E tests are not merged, I will revert this PR before the 1.6 release.

[Future-Outlier]

@codex review

[Future-Outlier]

@cursor review

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[cursor]

Inconsistent default for active TrafficRoutedPercent causes potential deadlock

Medium Severity

During rollback, reconcileServeTargetCapacity defaults active TrafficRoutedPercent to 0 via ptr.Deref(..., 0), while calculateTrafficRoutedPercent defaults the same field to 100 via ptr.Deref(..., 100). If TrafficRoutedPercent is ever nil during rollback, the capacity reconciler sees activeTargetCapacity(100) != activeTrafficRoutedPercent(0) and defers, while the traffic calculator sees activeClusterWeight(100) == activeClusterTargetCapacity(100) and stops migration. Neither function makes progress, creating a deadlock where the rollback can never complete.

Additional Locations (1)

• ray-operator/controllers/ray/rayservice_controller.go#L734-L735

 

[Future-Outlier]

cc @ryanaoleary to take a look

[ryanaoleary]

I think the correct solution is to default it to TargetCapacity if it's ever nil, rather than 100 or 0 since either can result in deadlock (100 (capacity) != 0 (traffic) -> defer or 100 (traffic) == 100 (capacity) -> defer if we default when it becomes nil.

[ryanaoleary]

fixed in d02b7be and added unit tests for this case

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: b8b66d42a5

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Gate rollback traffic migration on active readiness

The rollback branch starts shifting HTTPRoute weight back to the active cluster whenever isRollbackInProgress is true, but it never checks whether the active cluster is actually ready to serve. In the case where the active cluster is unhealthy during an in-progress upgrade and the user changes spec (triggering rollback), this logic can still move traffic onto a non-ready backend and cause request failures; rollback traffic shifts should be conditioned on active-cluster readiness the same way forward migration is conditioned on pending readiness.

Useful? React with 👍 / 👎.

[Future-Outlier]

cc @ryanaoleary to take a look

[ryanaoleary]

done in 81ad0cf

[JiangJiaWei1103]

As a follow-up, we should also consider renaming this reason as discussed here.

I'd suggest renaming it to GoalClusterSpecChanged (or a clearer name). Here's the rationale:

1. Goal prefix: Consistent with the naming convention used across all log and error messages in the reconcileRollbackState method
2. SpecChanged suffix: More accurate, since this reflects a spec change (RayService.Spec.RayClusterSpec) rather than a target cluster switch
3. Avoids ambiguity: The term "target cluster" is already used in a different context, where the head and serve services point to the ready cluster (please see here), so reusing it here could be misleading.

Happy to take this on in a follow-up PR!

[andrewsykim]

"TargetCluster" or "DesireCluster" is more commonly used term in Kubernetes, so I suggest changing the logs or other naming conventions if possible while we're still in alpha. For 3) the "target cluster" is only used as a reference for a Go variable and not actually exposed to users, so not sure it matters in this case?

[JiangJiaWei1103]

Thanks so much for the context and guidance. Really helpful to understand the broader Kubernetes conventions here!

Aligning with idiomatic "Target" / "Desired" terminology makes a lot of sense. And fair enough on point 3 since the variable isn't user-facing, the ambiguity concern is less of an issue.

With that in mind, here's what I'm thinking for the follow-up:

• Rename rollback-related logs and local variables in reconcileRollbackState to use "Target" (or "Desired") consistently
• Update the condition reason to align with that same terminology (e.g. TargetClusterSpecChanged)

Do you have a preference between Target and Desired? Happy to consolidate everything into a single follow-up change once we land on the right term. Thanks!

[ryanaoleary]

+1 on changing the naming, DesiredClusterSpecChanged sounds good to me since we already use "desired" terminology in the API (

kuberay/ray-operator/apis/ray/v1/raycluster_types.go

Line 287 in 911c383

DesiredCPU resource.Quantity `json:"desiredCPU,omitempty"`

). We also already have TargetCapacity which refers to the Serve capacity to scale within a cluster. I think we should use "target" to refer to fields that the controller is changing, while "desired" more clearly refers to user-declared intent - like the spec that they submit.

[JiangJiaWei1103]

Thanks Ryan, the naming makes a lot of sense!