feat: migrate to pull model with gRPC unary RPCs

[gfyrag]

Existing architecture and problems

The agent connects to membership via bidirectional gRPC streaming (Join RPC):

• A permanent stream must be maintained, with a ping/pong mechanism every 5-10s
• The agent receives orders (ExistingStack, DeletedStack, DisabledStack, EnabledStack) pushed via the stream
• K8s status changes are reported back via the same stream (StatusChanged, ModuleStatusChanged, etc.)
• Reconnection after a disconnection triggers a full sync of all stacks
• Bidirectional coupling makes debugging and resilience complex
• The code uses channels, worker pools (pond), and custom connection adapters with tracing

New architecture

Migration to a pull model with gRPC unary RPCs:

• Polling client: periodic poll of ListStacks with a paginated (updated_at, id) cursor
• Membership only returns stacks modified since the last cursor
• Full sync on startup (empty cursor) with K8s orphan cleanup (deletes stacks with label formance.com/created-by-agent=true not returned by membership)
• Status reporter: K8s informers call unary RPCs instead of Send() on a stream
• Heartbeat replaces ping/pong (every 30s)
• Auth metadata attached via UnaryClientInterceptor instead of stream connection

What we gain

• Resilience: every poll is a reconciliation, no event loss
• Simplicity: no stream, no channels, no connection adapter, no worker pool
• Debugging: idempotent requests, standard logs
• Orphan cleanup: automatic detection and deletion of orphaned K8s stacks on startup

Key changes

• New polling_client.go: cursor-based poll loop with orphan cleanup
• New membership_reporter.go: unary RPC wrapper for status reporting
• Informers adapted to use MembershipReporter instead of stream Send()
• Auth metadata via grpc.UnaryClientInterceptor
• Removed stream client, connection adapter, gRPC tracing wrappers
• New --poll-interval flag (default 10s)

Companion PR

Membership: formancehq/membership-api#755 — both PRs must be deployed together.

Test plan

• Build passes
• Unit tests (requires kubebuilder/etcd for K8s envtest)
• Integration tests in CI
• Deploy with updated membership simultaneously

Generated with Claude Code

[coderabbitai]

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: bb314437-5c02-4b44-a08e-daae53eb43c1

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/agent-pull-model

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[flemzord]

Review comments from Codex.

[flemzord]

reconcileStack cannot report failures, but SyncExistingStack can fail and return early after logging. This means the poll loop can still advance p.cursor and permanently skip a membership update that was not applied to Kubernetes. Return reconciliation errors and keep the cursor unchanged on failure, or add an explicit ack/retry path.

[flemzord]

The first full-sync cleanup depends on p.k8sClient.List, which is backed by the informer cache, but polling is started before informers are started/synced. If this one-shot cleanup sees an empty or stale cache, fullSyncDone is still set and orphan cleanup is skipped permanently. Make cleanup return an error and only set fullSyncDone after a successful list/delete pass, or wait for cache sync first.