design: multi-replica scheduling for singleton sources (aka hot standby)

[aljoscha]

Rendered: https://github.com/aljoscha/materialize/blob/design-multi-replica-singleton-sources/doc/developer/design/20250127_multi_replica_scheduling_singleton_sources.md

Motivation

Tips for reviewer

Checklist

• This PR has adequate test coverage / QA involvement has been duly considered. (trigger-ci for additional test/nightly runs)
• This PR has an associated up-to-date design doc, is a design doc (template), or is sufficiently small to not require a design.
• If this PR evolves an existing $T ⇔ Proto$T mapping (possibly in a backwards-incompatible way), then it is tagged with a T-proto label.
• If this PR will require changes to cloud orchestration or tests, there is a companion cloud PR to account for those changes that is tagged with the release-blocker label (example).
• If this PR includes major user-facing behavior changes, I have pinged the relevant PM to schedule a changelog post.

[benesch]

All makes sense to me!

[benesch]

👍🏽👍🏽👍🏽

I'm very in favor of explicitly excluding "fault tolerance" to keep the scope as limited as possible.

[teskje]

This seems reasonable to me. Stepping away from the assumption that all replicas receive the same commands will add a bunch of complexity in the controller, but it doesn't look like we have a choice. At least I don't think the alternative will turn out any simpler.

[teskje]

Nit: This might be me being dumb but I at first thought this was describing some form of ALTER SOURCE. It's describing what we usually call "graceful cluster reconfiguration", so maybe it would be helpful to mention that term here?

[aljoscha]

adding a clarification!

[teskje]

Suggested change

	is only one active ingestion dataflow. We need this for correctness in the fact
	is only one active ingestion dataflow. We need this for correctness in the face