feat: add leader election for Discovery and Engine components

[thunguo]

Please provide a description of this PR:
Add leader election for Discovery and Engine components.
Issue #1425

To help us figure out who should review this PR, please put an X in all the areas that this PR affects.

• Docs
• Installation
• User Experience
• Dubboctl
• Console
• Core Component

Please check any characteristics that apply to this pull request.

[Copilot]

Pull request overview

Adds a DB-backed leader election mechanism so that, in multi-replica deployments, only the elected leader runs Discovery/Engine “business logic” (e.g., list-watch and DB writes), improving consistency (Issue #1425).

Changes:

• Introduces pkg/core/leader with a GORM leader_leases model and a LeaderElection loop (plus unit tests).
• Wires leader election into Discovery and Engine components (conditional on non-memory store).
• Exposes DB access plumbing from the Store component (and adds a Pool() accessor on GormStore) to support leader-election DB usage.

Reviewed changes

Copilot reviewed 9 out of 10 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
pkg/store/dbcommon/gorm_store.go	Adds Pool() accessor intended to expose the shared DB connection pool.
pkg/core/store/component.go	Adds a leader.DBSource implementation to expose a shared *gorm.DB from the store layer.
pkg/core/leader/model.go	Adds the LeaderLease GORM model for leader_leases.
pkg/core/leader/leader.go	Implements DB-based leader election (acquire/renew/release + run loop).
pkg/core/leader/db_source.go	Adds DBSource interface for components that can provide a *gorm.DB.
pkg/core/leader/leader_test.go	Adds unit tests for leader election behavior using in-memory SQLite.
pkg/core/engine/component.go	Integrates leader election into Engine startup flow.
pkg/core/discovery/component.go	Integrates leader election into Discovery startup flow; fixes a log message typo.
go.mod / go.sum	Dependency graph changes (tidy/reclassification + zookeeper direct dep).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

You can also share your feedback on Copilot code review. Take the survey.

[Copilot]

The struct/doc comment says the Version field is used for optimistic locking to ensure atomic leader elections, but TryAcquire does not include version in its acquisition UPDATE predicate (it only uses it for Renew). Either update the documentation to match the actual behavior, or extend acquisition to use Version as part of the atomicity guarantee.

[Copilot]

RunLeaderElection waits for the first ticker.C before the initial TryAcquire, which can delay leader startup by up to acquireRetry (default 5s). Consider attempting TryAcquire once before starting the ticker loop so a leader can start work immediately on boot.

[Copilot]

poolProvider is defined as Pool() interface{}, but GormStore.Pool() returns *ConnectionPool. Go method return types are not covariant, so store.(poolProvider) will never succeed and GetDB() will always return (nil, false), effectively disabling leader election for DB stores. Consider exposing a small, import-cycle-safe interface on DB-backed stores (e.g. a GetDB() *gorm.DB method on the store itself) or adjust the Pool() signature to exactly match the interface and then type-assert to a GetDB() *gorm.DB interface instead of using reflection.

[Copilot]

GetDB() relies on the poolProvider type assertion + reflection. Given the current poolProvider signature mismatch, this loop will never find a DB and leader election will never be initialized. Even after fixing the signature, prefer a direct type assertion to a minimal interface (e.g. interface{ GetDB() *gorm.DB }) instead of reflection to avoid runtime surprises and make this easier to test.

[Copilot]

When leadership is acquired, startBusinessLogic(ch) starts informers using the global stop channel ch, but on leadership loss the onStopLeading callback only logs. This means informers/subscribers will continue running (and can be started multiple times on leadership flaps), violating the follower contract and potentially duplicating list-watch + DB writes. Use a per-leadership stop channel/context for informers, and in onStopLeading close it and Unsubscribe any subscribers (or otherwise ensure business logic is idempotent and fully stops on leadership loss).

[Copilot]

Same issue as engine: startBusinessLogic(ch) launches informers with the global stop channel, but onStopLeading doesn’t stop them or unsubscribe, so a node that loses leadership will keep running leader-only behavior and repeated elections can start duplicate goroutines / duplicate subscription attempts. Use a dedicated stop channel/context per leadership term and stop/unsubscribe in onStopLeading to ensure followers do not execute list-watch or writes.

[Copilot]

TryAcquire treats any Create error as a benign race ("probably created by another replica") and logs it at debug level. That will also hide real DB failures (connectivity, permission, schema issues) and can leave the component stuck as follower without a visible signal. Consider checking specifically for unique-constraint violations and logging/handling other errors as warnings (or returning an error).

[Copilot]

LeaderElection has a stopCh field that is never used (the stop channel is passed into RunLeaderElection instead). Removing the unused field will simplify the struct and avoid confusion about which stop mechanism is authoritative.

Suggested change

stopCh chan struct{}

[Copilot]

This new Pool() accessor returns *ConnectionPool, but the only consumer (storeComponent.GetDB) currently looks for a Pool() interface{} method, so GormStore will not satisfy that interface and the accessor won’t be used. Align the method signature with the consumer approach (or replace this with a GetDB() *gorm.DB method on GormStore to avoid exposing the pool at all).

Suggested change

	func (gs *GormStore) Pool() *ConnectionPool {
	func (gs *GormStore) Pool() interface{} {

[Copilot]

renewTicker is created but not defer-stopped on all exit paths (only stopped in some state transitions). If the function returns while renewTicker is active, the ticker goroutine can leak. Add defer renewTicker.Stop() right after creation (similar to ticker).

Suggested change

	renewTicker := time.NewTicker(le.renewInterval)
	renewTicker := time.NewTicker(le.renewInterval)
	defer renewTicker.Stop()

[robocanic]

Great Work! I left some comments and hope you can discuss it with me.

[robocanic]

Great Work! The logic of LeaderElection is perfect! There's another component Counter which is also needs to do leader election. Please add leader election for Counter(pkg/console/counter/component.go)

[Copilot]

Pull request overview

Copilot reviewed 9 out of 10 changed files in this pull request and generated 6 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This new Pool() accessor returns a concrete *ConnectionPool, but the consumer in pkg/core/store currently uses an interface-based type assertion to avoid importing dbcommon. As implemented, the signatures don't match, so DB discovery fails. Consider returning a minimal interface type (e.g., an interface that only has GetDB() *gorm.DB) so core/store can depend on that interface without importing dbcommon, and avoid reflection there.

[Copilot]

With leader election enabled, Start blocks inside RunLeaderElection and only returns when the process is stopping. The runtime logs "component started successfully" only after Start returns (see pkg/core/runtime/runtime.go), so this component will never be reported as started during normal operation, and startup errors from startBusinessLogic can no longer be surfaced via the Start return value. Consider running the leader-election loop in a goroutine and returning from Start after successful initialization, while still respecting ch for shutdown.

[Copilot]

startBusinessLogic is invoked every time leadership is acquired, but it (1) calls Subscribe again without unsubscribing on leadership loss (EventBus rejects duplicate subscriber names), and (2) attempts to Run the same informer instances again. The informer implementation explicitly disallows restarting an informer once it has been stopped (HasStarted() check in pkg/core/controller/informer.go), so after the first leadership loss/failover the new leader term will not actually restart list-watch. To support leader failover, unsubscribe subscribers on onStopLeading and recreate new informer instances (and list-watchers) for each leadership term, or refactor to keep a single informer instance but gate event processing without stopping it.

[Copilot]

With leader election enabled, Start blocks inside RunLeaderElection and only returns when the process is stopping. The runtime reports components as started only after Start returns (see pkg/core/runtime/runtime.go), so this component won't be marked started during normal operation, and failures in startBusinessLogic are only logged (not returned). Consider running the election loop asynchronously and returning from Start once setup is complete, while still stopping the loop when ch is closed.

Suggested change

	defer cancel()
	go func() {
	<-ch
	cancel()
	}()
	var leaderStopCh chan struct{}
	d.leaderElection.RunLeaderElection(ctx, ch,
	func() { // onStartLeading: create a fresh stopCh for this leadership term
	leaderStopCh = make(chan struct{})
	logger.Infof("discovery: became leader, starting business logic")
	if err := d.startBusinessLogic(leaderStopCh); err != nil {
	logger.Errorf("discovery: failed to start business logic: %v", err)
	}
	},
	func() { // onStopLeading: stop informers from the current term
	logger.Warnf("discovery: lost leadership, stopping business logic")
	if leaderStopCh != nil {
	close(leaderStopCh)
	leaderStopCh = nil
	}
	},
	)
	// Tie the leader election context to the component's stop channel.
	go func() {
	<-ch
	cancel()
	}()
	// Run the leader election loop asynchronously so that Start can return
	// and the runtime can mark this component as started.
	go func() {
	var leaderStopCh chan struct{}
	d.leaderElection.RunLeaderElection(ctx, ch,
	func() { // onStartLeading: create a fresh stopCh for this leadership term
	leaderStopCh = make(chan struct{})
	logger.Infof("discovery: became leader, starting business logic")
	if err := d.startBusinessLogic(leaderStopCh); err != nil {
	logger.Errorf("discovery: failed to start business logic: %v", err)
	}
	},
	func() { // onStopLeading: stop informers from the current term
	logger.Warnf("discovery: lost leadership, stopping business logic")
	if leaderStopCh != nil {
	close(leaderStopCh)
	leaderStopCh = nil
	}
	},
	)
	}()

[Copilot]

startBusinessLogic is called on every leadership acquisition, but it re-subscribes all subscribers without unsubscribing on leadership loss (EventBus enforces unique subscriber names) and it tries to restart the same informer instances. The informer implementation does not allow restarting once stopped (HasStarted() guard in pkg/core/controller/informer.go), so after a leader failover the new leader term will not restart list-watch and business logic will be partially/fully disabled. Unsubscribe subscribers in onStopLeading and recreate informers per leadership term (or redesign to keep informers running but prevent follower-side writes).

[Copilot]

TryAcquire falls back to Create whenever the expired-lease UPDATE affects 0 rows. That includes the common case where a non-expired lease already exists, which will trigger a unique constraint error on every retry interval and produce avoidable DB work/log noise. Consider first checking whether a lease row exists (and is unexpired) and returning false early, or use an upsert/"insert ... on conflict do nothing" pattern and treat conflict as a normal non-leader outcome without logging it as an error.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud