Bound CSI recover retries and deduplicate events on persistent mount failures

[mrhapile]

Fixes #5661

This PR improves the stability and observability of the CSI recovery loop by
introducing bounded retry behavior and suppressing duplicate recovery events
under persistent mount failure scenarios.

Problem

The CSI recover loop currently retries failed mount recoveries at a fixed
interval and emits Kubernetes events on every iteration. When a mount cannot
be recovered for an extended period, this can result in:

• Unbounded retry attempts
• Excessive, duplicate Kubernetes events
• Unnecessary API server and etcd load

What this PR does

• Introduces a per-mount RecoverStateTracker to track recovery state
• Applies exponential backoff on consecutive recovery failures (capped)
• Deduplicates recovery events, emitting only on state transitions
• Resets backoff and failure state immediately on successful recovery

Design highlights

• Per-mount state tracking (no global coupling)
• Thread-safe and suitable for long-running CSI daemonsets
• No public API changes
• No behavior change on successful recoveries

Tests

• Added unit tests for RecoverStateTracker covering:
  • Backoff progression and capping
  • Event deduplication behavior
  • State reset on success
• Existing mount-dependent recovery tests are guarded to run only on Linux,
  as k8s.io/utils/mount is not supported on non-Linux platforms (e.g. macOS)

Verification

go test ./pkg/csi/recover/... -v

[fluid-e2e-bot]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yangyuliufeng for approval by writing /assign @yangyuliufeng in a comment. For more information see:The Kubernetes Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[fluid-e2e-bot]

Hi @mrhapile. Thanks for your PR.

I'm waiting for a fluid-cloudnative member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work. Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[gemini-code-assist]

Summary of Changes

Hello @mrhapile, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the stability and observability of the CSI recovery loop by addressing issues of unbounded retries and excessive event generation during persistent mount failures. By introducing a per-mount state tracker, the system now applies exponential backoff to failed recovery attempts and intelligently deduplicates Kubernetes events, only emitting them when a mount's recovery state genuinely changes. This reduces unnecessary load on the API server and etcd, provides clearer operational signals, and ensures more efficient resource utilization without altering behavior for successful recoveries.

Highlights

• Bounded CSI Recovery Retries: Implemented an exponential backoff mechanism for CSI mount recovery attempts, capping retries to prevent unbounded loops and reduce resource consumption during persistent failures.
• Deduplicated Kubernetes Events: Introduced logic to deduplicate Kubernetes events related to CSI mount recovery, ensuring events are only emitted on state transitions (e.g., from healthy to failed, or failed to recovered) rather than on every retry attempt. This reduces API server and etcd load.
• Per-Mount State Tracking: A new RecoverStateTracker is used to manage the recovery state for each individual mount point, allowing for independent backoff and event deduplication without global coupling.
• State Reset on Success: The recovery state, including consecutive failure counts and backoff, is immediately reset upon successful mount recovery, ensuring quick re-attempts if a new failure occurs.
• New Unit Tests: Comprehensive unit tests have been added for the RecoverStateTracker to validate its backoff progression, capping, event deduplication, and state reset behaviors. Existing mount-dependent recovery tests are now guarded to run only on Linux.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Changelog

• pkg/controllers/runtime_controller_test.go
  • Added new unit tests for the RuntimeReconciler to cover scenarios such as adding owner references, adding finalizers, handling engine creation errors, and managing runtime deletion. This file appears to be a general addition to the controller test suite and not directly related to the CSI recovery logic described in the PR title.
• pkg/csi/recover/recover.go
  • Integrated the new RecoverStateTracker to manage recovery state for each mount point.
  • Modified the doRecover function to check ShouldAttemptRecovery before proceeding, implementing the exponential backoff.
  • Updated event emission logic to use ShouldEmitEvent for deduplication, preventing repeated events for the same failure reason.
  • Added calls to RecordFailure and RecordSuccess to update the mount's recovery state based on recovery outcomes.
  • Added RemoveState call when a mount point is cleaned up.
• pkg/csi/recover/recover_test.go
  • Imported the runtime package.
  • Updated existing FuseRecover test setups to initialize the new stateTracker.
  • Added Skip directives to mount-dependent tests to ensure they only run on Linux, aligning with the k8s.io/utils/mount utility's platform support.
• pkg/csi/recover/state.go
  • Introduced MountState struct to track individual mount recovery status, including LastFailureTime, ConsecutiveFailures, LastEventReason, CurrentBackoff, and IsHealthy.
  • Defined RecoverStateTracker with a thread-safe map to manage MountState for multiple mount paths.
  • Implemented NewRecoverStateTracker for initialization.
  • Added GetOrCreateState to retrieve or initialize state for a given mount path.
  • Implemented RemoveState to clean up state for unmounted paths.
  • Provided ShouldAttemptRecovery to determine if a recovery attempt should be made, respecting exponential backoff.
  • Developed RecordFailure to update state on failure, incrementing failures and exponentially increasing backoff up to a cap.
  • Created RecordSuccess to reset failure counts and backoff on successful recovery.
  • Implemented ShouldEmitEvent to deduplicate Kubernetes events by only allowing emission on state transitions.
  • Added GetBackoffInfo for observability of current backoff state.
  • Defined constants for initialBackoff, maxBackoff, and backoffMultiplier.
• pkg/csi/recover/state_test.go
  • Added a new unit test file for RecoverStateTracker.
  • Included tests for NewRecoverStateTracker, GetOrCreateState, RemoveState, ShouldAttemptRecovery, RecordFailure, RecordSuccess, and ShouldEmitEvent.
  • Verified exponential backoff progression and capping.
  • Confirmed event deduplication behavior and state resets.

Activity

• The pull request introduces new unit tests for the RecoverStateTracker and guards existing mount-dependent recovery tests to run only on Linux, indicating thorough testing of the new functionality and platform compatibility considerations.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[sonarqubecloud]

Quality Gate passed

Issues
12 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
5.6% Duplication on New Code

See analysis details on SonarQube Cloud

[gemini-code-assist]

Code Review

This pull request introduces a RecoverStateTracker to improve the handling of persistent CSI mount failures. By adding exponential backoff for recovery retries and deduplicating Kubernetes events, it effectively addresses the issue of excessive retries and event spam, which can overload the API server. The new logic is well-encapsulated and comes with comprehensive unit tests. The changes are a significant improvement for the stability and observability of the CSI recovery process. I have one minor suggestion to improve an assertion in a new test file.

[gemini-code-assist]

The error assertion logic here is confusing. The if condition checks if the error is not one of the expected strings, and then t.Logf just logs a message without failing the test. This should be a proper assertion that fails the test if the error is not what's expected.

expectedErr := "Failed to create: induced engine creation failure"
if err.Error() != expectedErr {
	t.Errorf("Expected error '%s', but got '%s'", expectedErr, err.Error())
}

[Copilot]

Pull request overview

This PR addresses issue #5661 by introducing bounded retry behavior and event deduplication for the CSI recovery loop to prevent API server overload during persistent mount failures.

Changes:

• Adds RecoverStateTracker to manage per-mount recovery state with exponential backoff (capped at 5 minutes)
• Implements event deduplication to emit Kubernetes events only on state transitions
• Guards mount-dependent tests to run only on Linux platforms
• Includes comprehensive unit tests for the new state tracking functionality

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
pkg/csi/recover/state.go	New state tracker implementing exponential backoff and event deduplication logic
pkg/csi/recover/state_test.go	Comprehensive unit tests for state tracker functionality
pkg/csi/recover/recover.go	Integrates state tracker into recovery loop with backoff checks and conditional event emission
pkg/csi/recover/recover_test.go	Updates existing tests to initialize state tracker and adds platform guards
pkg/controllers/runtime_controller_test.go	New tests for runtime controller (unrelated to CSI recovery)

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

This error handling relies on recoverBrokenMount returning an error when the mount operation fails. However, there's a pre-existing bug in recoverBrokenMount (lines 174-186) where it shadows the named return value err with := assignment, causing it to always return nil even when Mount fails.

This means the backoff and event emission logic here will never be triggered for actual mount failures, undermining the primary purpose of this PR. The bug in recoverBrokenMount should be fixed by changing line 182 from if err := r.Mount(...) to if err = r.Mount(...) or by explicitly returning the error.

[Copilot]

This file appears to be unrelated to the CSI recovery retry and event deduplication changes described in the PR. It adds tests for the runtime controller which has no connection to the CSI recover functionality being modified in this PR.

Consider moving these tests to a separate PR focused on improving test coverage for the runtime controller, as mixing unrelated changes makes the PR harder to review and could complicate rollbacks if issues arise with either set of changes.

[Copilot]

The GetOrCreateState method returns a pointer to the internal MountState, which is then accessed outside the lock. This creates a data race because the returned state can be modified by other goroutines (e.g., via RecordFailure, RecordSuccess, ShouldEmitEvent) while this code reads the IsHealthy field.

To fix this, consider either:

1. Add a method like IsHealthy(mountPath string) bool that reads the field under lock protection, or
2. Have RecordSuccess return a boolean indicating whether the state transitioned from unhealthy to healthy.

[codecov]

Codecov Report

❌ Patch coverage is 84.49612% with 20 lines in your changes missing coverage. Please review.
✅ Project coverage is 59.43%. Comparing base (ff0e62d) to head (50399d2).
⚠️ Report is 2 commits behind head on master.

Files with missing lines	Patch %	Lines
pkg/csi/recover/recover.go	54.28%	14 Missing and 2 partials ⚠️
pkg/csi/recover/state.go	95.74%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #5662      +/-   ##
==========================================
+ Coverage   59.32%   59.43%   +0.10%     
==========================================
  Files         444      445       +1     
  Lines       30540    30664     +124     
==========================================
+ Hits        18119    18225     +106     
- Misses      10917    10932      +15     
- Partials     1504     1507       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.