Add support for broker demotion

[kyguy]

Related problem

When preparing to remove or decommission brokers from a Kafka cluster there is currently no built-in way to ensure those brokers are first demoted (no longer eligible to act as partition leaders). This can result in partitions becoming temporarily unavailable or degraded when those brokers are taken offline, especially in clusters with uneven leadership distribution. Having a mechanism to programmatically demote brokers would allow for safer, more predictable operations during maintenance or scaling events.

Suggested solution

This feature would extend the KafkaRebalance resource to leverage Cruise Control’s /kafkacruisecontrol/demote_broker endpoint [1], allowing users to specify a list of brokers to be demoted. This would trigger the migration of partition leadership away from those brokers in preparation for decommissioning or maintenance.

Addresses issue discussed here [2]

[1] https://github.com/linkedin/cruise-control/wiki/REST-APIs#demote-a-list-of-brokers-from-the-kafka-cluster
[2] strimzi/strimzi-kafka-operator#11907

[see-quick]

Thanks for the proposal, I think it looks good, just a few nits/questions...

Out of curiosity, I didn't find it in the proposal but what happens when demotion is in progress but target broker fails in the middle of operation?

[kyguy]

Thanks for the review @see-quick

Out of curiosity, I didn't find it in the proposal but what happens when demotion is in progress but target broker fails in the middle of operation?

I just added this note to the Validation and constraints section of the proposal:

"If a target broker fails while leadership is being transferred to it, all demotion operations involving that broker are aborted, and the source brokers remain the leaders for the affected partitions.
In this case, the overall demotion request continues on a best-effort with the proposed operations, transferring the leadership on brokers that are available."

[fvaleri]

Thanks @kyguy. I left some comments.

I think it is also important to document that broker demotion does NOT prevent new partition leaders to be scheduled on the selected broker.

[tinaselenge]

Thanks for the proposal. Overall, it looks good to me. I left a few comments to clarify.

[tinaselenge]

what does demoting follower replicas mean?

[kyguy]

It moves the ids of the demoted brokers to the end of the replica lists.

[tinaselenge]

Does the request completes successfully when only some of the leadership were transferred?

[kyguy]

Yes

[scholzj]

How does this work? I get it that it removes them from partition leadership. But how does it ensure they are not eligible to become leaders again?

[kyguy]

Cruise Control has the broker ids marked as ineligible in memory and moves the broker ids to the end of the replica lists, then triggers a leadership election. Since leadership election prioritizes choosing the first broker id of the replica list (the preferred leader) as the leader, the demoted brokers are less likely to be elected as leaders.

But how does it ensure they are not eligible to become leaders again?

If a rebalance or demotion request is made the broker ids marked as ineligible in memory are excluded from having partitions moved to them or being listed first in the replica lists.

[Frawless]

What happens when CC pod is restarted (upgrade, migration to different node, etc).? User will have to trigger "rebalance" proposal and approval to refresh in-memory data?

[kyguy]

At this time yes, to refresh the in-memory demotion data after Cruise Control pod restart, a user would have to trigger another KafkaRebalance demotion request.

[scholzj]

How does this work? Where is the information about the demotion work?

[kyguy]

Cruise Control stores the demotion information in memory (yes this is far from ideal). Cruise Control will make sure the ids of the demoted brokers are in the end of the replica lists and will exclude the brokers from being considered for partition movement when generating optimization proposals.

[scholzj]

Will it be validated only in the broker code or also with CEL?

[kyguy]

Was originally planning on validating the field in the operator code but this may change depending on the proposal surrounding the API changes discussed #191 (comment).

I'll link the separate proposal here when I have a draft ready and we can pick this up once that proposal and its implementation is sorted.

[kyguy]

Thanks everyone for the reviews! I am putting this proposal on hold temporarily as we address some of the API concerns raised in the thread here: #191 (comment). We need devise a better path forward for the parameters that are used in conjunction with mode field of the KafkaRebalance resource, maybe by consolidating primitive fields into a generic config section to ensure the API can support future modes cleanly.

I am going to draft a separate proposal for those API changes and link it here. Once that proposal and its implementation is complete, we can continue this broker demotion proposal with a cleaner, more maintainable foundation.

[ppatierno]

I am not sure about this use case, isn't the auto-rebalancing (we support) already doing something like this? It's moving partitions but not demoting brokers.

[kyguy]

From what I understand, auto-rebalancing and the add-brokers modes will move partition replicas onto the added brokers but not necessarily transfer partition leadership.

The use case I have in mind is one where a user wants to gradually transfer traffic to a new set of brokers and eventually remove the old brokers but is not ready to decommission them yet. The user can first rebalance the existing load onto the new brokers using add-brokers mode and then demote the old brokers using demote-brokers mode to shift the bulk of the traffic (the leadership) to the new brokers while still relying on the old brokers to host follower replicas.

Does that make sense?

[ppatierno]

Yes It does, thanks.

[ppatierno]

Yes It does, thanks.