[controller] Add DegradedModeRecoveryService, metrics, and E2E test

[mynameborat]

Problem Statement

After a degraded DC is unmarked, stores with PARTIALLY_ONLINE versions need to be recovered (data re-replicated to the recovering DC). Without automation, operators must manually trigger data recovery for each affected store — tedious and error-prone in large clusters. Additionally, there is no observability into degraded mode operations (push auto-conversions, incremental push blocks, recovery progress, DC degradation duration).

This is part of the degraded-mode batch push feature (PRs #2681, #2741, #2732 already merged).

Solution

DegradedModeRecoveryService

• 2-phase recovery orchestrator: Phase 1 initiates data recovery for all PARTIALLY_ONLINE stores in parallel (prepare → poll readiness → initiate). Phase 2 monitors child DC completion and transitions version status from PARTIALLY_ONLINE → ONLINE.
• Orphan detection: Periodic monitor detects PARTIALLY_ONLINE versions with no active recovery (e.g., after controller leader failover) and re-triggers recovery. The recovery flow is idempotent.
• Configurable concurrency: Bounded thread pools for recovery and monitoring, configurable via degraded.mode.recovery.thread.pool.size.
• Retry with exponential backoff: Failed store recoveries are retried up to 3 times.
• Version supersession handling: If a newer version becomes current during recovery polling, the old version is treated as successfully healed.

DegradedModeStats (9 OTel metrics + latency histogram)

• recovery.store_success_count / recovery.store_failure_count
• recovery.version_transitioned_count
• recovery.progress (gauge, 0.0-1.0)
• push.auto_converted_count / push.blocked_incremental_count
• dc.active_count / dc.duration_minutes
• recovery.store_duration_ms (avg/max)

REST API

• GET /get_recovery_progress?cluster=X&datacenter_name=Y — returns recovery status, progress fraction, store counts.

E2E Integration Test

• Full lifecycle: enable degraded mode → mark DC → batch push (auto-converted) → verify data in healthy DCs only → unmark DC → verify recovery.
• Incremental push blocking test.
• Idempotent double-unmark test.
• Feature-disabled rejection test.

Code changes

• Added new code behind a config: degraded.mode.auto.recovery.enabled (default: false), degraded.mode.recovery.thread.pool.size (default: 5)
• Introduced new log lines.
  • Confirmed logs are not in hot paths; recovery is infrequent.

Concurrency-Specific Checks

• Code has no race conditions — activeRecoveries uses ConcurrentHashMap.compute() for atomic check-and-replace.
• Proper synchronization mechanisms — RecoveryProgress uses AtomicInteger and volatile boolean for thread-safe progress tracking. initiatedStores uses Collections.synchronizedList.
• No blocking calls inside critical sections — recovery runs on dedicated daemon thread pools.
• Verified thread-safe collections — VeniceConcurrentHashMap for active recoveries, Collections.synchronizedList for initiated stores.
• Validated proper exception handling — all thread pool tasks catch exceptions to avoid silent termination.

How was this PR tested?

• New unit tests added: TestDegradedModeRecoveryService (17 tests covering happy path, retries, failures, orphan detection, version supersession, leader failover, re-trigger after completion)
• New integration tests added: DegradedModeBatchPushTest (4 E2E tests)
• New OTel metrics tests: DegradedModeStatsOtelTest (12 tests)
• Modified or extended existing tests: existing auto-convert and skipConsumption tests still pass.

Does this PR introduce any user-facing or breaking changes?

• No. Recovery service is opt-in (degraded.mode.auto.recovery.enabled=false by default). New REST endpoint is additive. Metrics are new counters/gauges.

[misyel]

Is it possible for us to incorrectly recover a PARTIALLY_ONLINE version since DeferredVersionSwapService will also mark versions as PARTIALLY_ONLINE and roll backs will also mark versions as PARTIALLY_ONLINE?

[misyel]

Can we use a redundant log filter instead so we log every x minutes over every x poll attempts?

[misyel]

Should we rate limit this log? The monitor runs every 60s and if it is over the timeout limit, it will log every minute

[misyel]

Can we use TimeUnit.MINUTES.toMillis(1) instead of 60_000.0?

[misyel]

Can we also verify that after recovery is triggered, the version and data exists in dc-1?

[misyel]

Can we also do awaitTermination for degradedDcMonitor?

[misyel]

Interrupted sleep in pollUntilVersionCurrent is swallowed. InterruptedException propagates into the caller's generic catch (Exception e) and only logs; the version stays PARTIALLY_ONLINE indefinitely with no alerting.

[misyel]

Progress counters drift on skipped stores. When recoverSingleStore finds the version is no longer PARTIALLY_ONLINE, it returns without incrementing recovered or failed. totalStores is fixed earlier, so progressFraction never reaches 1.0 for those stores even after complete=true.

[misyel]

There's no override for this function in VeniceParentHelixAdmin or VeniceHelixAdmin so it will automatically throw an exception when it is called in the recovery service. Is this expected?

[misyel]

Code review

Found 1 issue:

1. unmarkDatacenterDegraded triggers auto-recovery and updates the active-DC metric even when the underlying call was a no-op. VeniceHelixAdmin.unmarkDatacenterDegraded early-returns with LOGGER.warn(\"...nothing to unmark\") when the DC is not currently in the degraded set, but the parent wrapper unconditionally records the metric and calls degradedModeRecoveryService.triggerRecovery(...) afterward. Calling unmark on an already-non-degraded DC will fire a phantom recovery cycle. Suggest gating both the metric record and the trigger on a real state transition (e.g. precheck getDegradedDcStates(clusterName).isDatacenterDegraded(datacenterName) or have the inner call return a boolean).

venice/services/venice-controller/src/main/java/com/linkedin/venice/controller/VeniceParentHelixAdmin.java

Lines 3570 to 3594 in 42cb92c

	degradedModeStats
	.recordDegradedDcActiveCount(getDegradedDcStates(clusterName).getDegradedDatacenterNames().size());
	}
	// Trigger auto-recovery if enabled
	VeniceControllerClusterConfig config = multiClusterConfigs.getControllerConfig(clusterName);
	if (config.isDegradedModeAutoRecoveryEnabled()) {
	LOGGER.info(
	"Auto-recovery enabled. Triggering recovery for datacenter: {} in cluster: {}",
	datacenterName,
	clusterName);
	degradedModeRecoveryService.triggerRecovery(clusterName, datacenterName);
	} else {
	LOGGER.info(
	"Auto-recovery disabled for cluster: {}. Skipping recovery for datacenter: {}",
	clusterName,
	datacenterName);
	}
	}
	@Override
	public boolean isDegradedModeEnabled(String clusterName) {
	return getVeniceHelixAdmin().isDegradedModeEnabled(clusterName);
	}
	@Override

🤖 Generated with Claude Code

_{- If this code review was useful, please react with 👍. Otherwise, react with 👎.}