Failover only when there is a fully up to date candidate available

The virtual storage scoped election strategies failed over immediately when the primary became unhealthy. This was necessary as the primary was the same for all repositories. Failing over could make some repositories writable again, while some would remain in read-only mode.

With repository-specific primary nodes, this is not necessary. If the primary is unavailable, we can still serve reads from any of its up to date replicas. Failing over to an outdated replica makes no sense, given we still can't accept writes. If the old primary comes back up after failing over to an outdated primary, we'd have to wait for a replication job before we can accept writes. If we just kept the old primary, we'd be able to accept writes as soon as it comes back.

We should not failover until there is a fully up to date, assigned, healthy replica available to serve as the new primary. There's also no point demoting the current primary.

/cc @zj-gitlab @mjwood

Edited May 25, 2021 by Sami Hiltunen

To upload designs, you'll need to enable LFS and have an admin enable hashed storage. More information