Handling exceptions on watcher reload

[sakurai-youhei]

Exceptions during watcher reload, such as those during loading watches, may not start the trigger service, making the watcher stop triggering anything. Coupled with the behavior that the reload does not occur unless the routing table changes, the current exception handling can leave the watcher unfunctional for some time.

This PR improves the exception handling to allow the reload to occur again even if the routing table stays identical.

Closes #69842

[elasticsearchmachine]

Pinging @elastic/es-data-management (Team:Data Management)

[elasticsearchmachine]

Hi @sakurai-youhei, I've created a changelog YAML for you.

[masseyke]

Thanks @sakurai-youhei. This seems like a good thing to do. A couple of questions though:
Do you think it would be difficult to put this into an integration test? It would be great to have one that has a failure during reload, and see that it does try again.
Also I notice that if I revert your change but leave the tests, 2 out of the 3 tests still pass. Was that intentional?

[sakurai-youhei]

@masseyke Thank you for your reviewing this PR.

[1]

Do you think it would be difficult to put this into an integration test? It would be great to have one that has a failure during reload, and see that it does try again.

TBH, it's hard to cause the retry intentionally because it requires an exception at the part before triggerService.start(watches) HERE. #69842 shows the exception was rooted in refreshing the watcher index HERE, but I don't think it's reasonably reproducible.

One way would be to make the refresh timeout, which is currently fixed in 5 seconds, configurable to reproduce the timeout easily, but I'm afraid that this kind of extra change would be an unfavorable scope extension. If you have other ideas, please let me know, and I will explore the options.

Btw, the retry is compromisely checked with RuntimeException forcibly thrown in one of the unit test cases. (Sorry, I mixed up test cases; the retry itself is not confirmed using any exceptions as of now.)

[2]

Also I notice that if I revert your change but leave the tests, 2 out of the 3 tests still pass. Was that intentional?

Yes. Those passing tests declare prerequisite behaviors causing #69842 that require a change in this PR. If either one of them changes in the future, the change introduced through this PR may also need to be reconsidered, so I included the cases.

[sakurai-youhei]

@masseyke Can I get your help to release this change? The issue #69842 harms reliability of watcher executions in some circumstances, and I want to eliminate such troubles with this PR.

[masseyke]

I've got a lot going on, but I will try to take a look at this later this week.

[masseyke]

Do we need to also set the state to WatcherState.STARTING here on exception when we clear the allocation ids? It's been a couple of years since i've been in here, so I'm not sure what bad things might happen if the state is STARTED but watcher is actually unavailable.

[sakurai-youhei]

@masseyke I understand the point but I don't think so. If the state changed to STARTING here, the watcher service would no longer be reloaded, which is the problematic state that was also reported in #44981. Since there are only four states, STARTED (but it's rather DEGRADED actually) would be affordable, in my opinion.

[masseyke]

OK that makes sense. And it's not going to be worse than the current situation (having it in STARTED state, but not doing anything).

[masseyke]

Looks like a good change to me.

[elasticsearchmachine]

💚 Backport successful

Status	Branch	Result
✅	7.17
✅	8.13