Wait until topology annotation gets added on supervisor PVCs while adding node affinity rules on PVs in guest cluster (#3588)

vdkotkar · web-flow · commit 3b896ffb500c · 2025-09-30T17:14:16.000-07:00
diff --git a/pkg/syncer/pvcsi_fullsync.go b/pkg/syncer/pvcsi_fullsync.go
@@ -19,6 +19,7 @@ package syncer
 import (
 	"context"
 	"encoding/json"
+	"errors"
 	"fmt"
 	"reflect"
 	"time"
@@ -42,6 +43,12 @@ import (
 	"sigs.k8s.io/vsphere-csi-driver/v3/pkg/csi/service/logger"
 )
 
+var (
+	cnsconfigGetSupervisorNamespace = cnsconfig.GetSupervisorNamespace
+	k8sNewClient                    = k8s.NewClient
+	timeoutAddNodeAffinityOnPVs     = 300 * time.Second
+)
+
 // PvcsiFullSync reconciles PV/PVC/Pod metadata on the guest cluster with
 // cnsvolumemetadata objects on the supervisor cluster for the guest cluster.
 func PvcsiFullSync(ctx context.Context, metadataSyncer *metadataSyncInformer) error {
@@ -61,7 +68,7 @@ func PvcsiFullSync(ctx context.Context, metadataSyncer *metadataSyncInformer) er
 	isWorkloadDomainIsolationEnabledInPVCSI := metadataSyncer.coCommonInterface.IsFSSEnabled(
 		ctx, common.WorkloadDomainIsolationFSS)
 	if isWorkloadDomainIsolationEnabledInPVCSI {
-		AddNodeAffinityRulesOnPV(ctx, metadataSyncer)
+		go AddNodeAffinityRulesOnPV(ctx, metadataSyncer)
 	}
 	// guestCnsVolumeMetadataList is an in-memory list of cnsvolumemetadata
 	// objects that represents PV/PVC/Pod objects in the guest cluster API server.
@@ -310,36 +317,47 @@ func AddNodeAffinityRulesOnPV(ctx context.Context, metadataSyncer *metadataSyncI
 		return
 	}
 	// Get the supervisor namespace in which the guest cluster is deployed.
-	supervisorNamespace, err := cnsconfig.GetSupervisorNamespace(ctx)
+	supervisorNamespace, err := cnsconfigGetSupervisorNamespace(ctx)
 	if err != nil {
 		log.Errorf("FullSync: could not get supervisor namespace in which guest cluster was deployed. Err: %v", err)
 		return
 	}
 
 	// Create the kubernetes client from config.
-	k8sClient, err := k8s.NewClient(ctx)
+	k8sClient, err := k8sNewClient(ctx)
 	if err != nil {
 		log.Errorf("creating Kubernetes client failed. Err: %v", err)
 		return
 	}
 
-	for _, pv := range pvList {
+	pvsWithoutSupervisorPvcTopologyAnnotation := make(map[string]*v1.PersistentVolume)
+	addNodeAffinityOnPVInternal := func(pv *v1.PersistentVolume) error {
 		if pv.Spec.NodeAffinity == nil {
 			supervisorPVClaim, err := metadataSyncer.supervisorClient.CoreV1().
 				PersistentVolumeClaims(supervisorNamespace).Get(ctx, pv.Spec.CSI.VolumeHandle, metav1.GetOptions{})
 			if err != nil {
 				log.Errorf("AddNodeAffinityRulesOnPV: failed to get supervisor PVC: %v "+
 					"for the TKG PV %v in the supervisor namespace: %v. Err: %v",
 					pv.Spec.CSI.VolumeHandle, pv.Name, supervisorNamespace, err)
-				continue
+				return err
+			}
+			// If volume accessible topology annotation is not yet available on the supervisor PVC, then add
+			// this PV to the pvsWithoutSupervisorPvcTopologyAnnotation map and we will check again after some
+			// time if annotation gets added.
+			if supervisorPVClaim.Annotations[common.AnnVolumeAccessibleTopology] == "" {
+				errstr := fmt.Sprintf("Annotation %q is not set on the PVC: %q, namespace: %q",
+					common.AnnVolumeAccessibleTopology, supervisorPVClaim.Name, supervisorPVClaim.Namespace)
+				log.Errorf(errstr)
+				pvsWithoutSupervisorPvcTopologyAnnotation[pv.Name] = pv
+				return errors.New(errstr)
 			}
 			accessibleTopologies, err := generateVolumeAccessibleTopologyFromPVCAnnotation(supervisorPVClaim)
 			if err != nil {
 				log.Errorf("failed to generate volume accessibleTopologies "+
-					"from supervisor PVC: %v for csi.vsphere.volume-accessible-topology annoation: %v "+
+					"from supervisor PVC: %v for csi.vsphere.volume-accessible-topology annoation: %v, "+
 					"Err: %v", supervisorPVClaim.Name,
-					supervisorPVClaim.Annotations["csi.vsphere.volume-accessible-topology"], err)
-				continue
+					supervisorPVClaim.Annotations[common.AnnVolumeAccessibleTopology], err)
+				return err
 			}
 			var csiAccessibleTopology []*csi.Topology
 			for _, topoSegments := range accessibleTopologies {
@@ -351,29 +369,62 @@ func AddNodeAffinityRulesOnPV(ctx context.Context, metadataSyncer *metadataSyncI
 			oldData, err := json.Marshal(pv)
 			if err != nil {
 				log.Errorf("failed to marshal pv: %v, Error: %v", pv, err)
-				continue
+				return err
 			}
 			newPV := pv.DeepCopy()
 			newPV.Spec.NodeAffinity = GenerateVolumeNodeAffinity(csiAccessibleTopology)
 			newData, err := json.Marshal(newPV)
 			if err != nil {
 				log.Errorf("failed to marshal updated PV with node affinity rules: %v, Error: %v", newPV, err)
-				continue
+				return err
 			}
 
 			patchBytes, err := strategicpatch.CreateTwoWayMergePatch(oldData, newData, pv)
 			if err != nil {
 				log.Errorf("error Creating two way merge patch for PV %q with error : %v", pv.Name, err)
-				continue
+				return err
 			}
 			_, err = k8sClient.CoreV1().PersistentVolumes().Patch(
 				context.TODO(), pv.Name, types.StrategicMergePatchType, patchBytes, metav1.PatchOptions{})
 			if err != nil {
 				log.Errorf("error patching PV %q error : %v", pv.Name, err)
-				continue
+				return err
 			}
 			log.Infof("patched PV: %v with node affinity %v", pv.Name, newPV.Spec.NodeAffinity)
 		}
+		return nil
+	}
+
+	for _, pv := range pvList {
+		_ = addNodeAffinityOnPVInternal(pv)
+	}
+
+	// Check if there are any PVs on which we didn't add node affinity rules yet, as topology annotation
+	// was missing from associated supervisor PVC. We will iterate over all such PVs again and will check if
+	// PVC annotation is added now. We will retry this until all PVs get node affinity rules added or until
+	// timeout of 5 minutes is reached.
+	timeoutCtx, cancel := context.WithTimeout(context.Background(), timeoutAddNodeAffinityOnPVs)
+	defer cancel()
+	for len(pvsWithoutSupervisorPvcTopologyAnnotation) != 0 {
+		select {
+		case <-timeoutCtx.Done():
+			log.Infof("Timeout exceeded for adding node affinity rules on PVs. Waited 5 minutes to get " +
+				"volume accessibility topology annotation added on supervisor PVCs.")
+			// Make pvsWithoutSupervisorPvcTopologyAnnotation nil once timeout is hit
+			// to exit from the outer for loop
+			pvsWithoutSupervisorPvcTopologyAnnotation = nil
+		default:
+			for pvName, pv := range pvsWithoutSupervisorPvcTopologyAnnotation {
+				err := addNodeAffinityOnPVInternal(pv)
+				if err == nil {
+					delete(pvsWithoutSupervisorPvcTopologyAnnotation, pvName)
+				}
+			}
+			if len(pvsWithoutSupervisorPvcTopologyAnnotation) != 0 {
+				// Sleep for some time before retrying
+				time.Sleep(10 * time.Second)
+			}
+		}
 	}
 	log.Info("AddNodeAffinityRulesOnPV End.")
 }
diff --git a/pkg/syncer/pvcsi_fullsync_test.go b/pkg/syncer/pvcsi_fullsync_test.go
@@ -17,11 +17,18 @@ limitations under the License.
 package syncer
 
 import (
+	"context"
 	"testing"
+	"time"
 
 	"github.com/container-storage-interface/spec/lib/go/csi"
 	"github.com/stretchr/testify/assert"
 	v1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	clientset "k8s.io/client-go/kubernetes"
+	k8sfake "k8s.io/client-go/kubernetes/fake"
+	cnsconfig "sigs.k8s.io/vsphere-csi-driver/v3/pkg/common/config"
+	"sigs.k8s.io/vsphere-csi-driver/v3/pkg/csi/service/common"
 )
 
 func TestGenerateVolumeNodeAffinity(t *testing.T) {
@@ -107,3 +114,178 @@ func TestGenerateVolumeNodeAffinity(t *testing.T) {
 		})
 	}
 }
+
+func TestAddNodeAffinityRulesOnPVTopologyAnnotationPresent(t *testing.T) {
+	ctx := context.Background()
+
+	// Create supervisor PVC with topology annotation
+	supPVC := &v1.PersistentVolumeClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "volume-1",
+			Namespace: "sv-namespace",
+			Annotations: map[string]string{
+				common.AnnVolumeAccessibleTopology: `[{"zone":"zone-a"}]`,
+			},
+		},
+	}
+	// Create guest PV without node affinity
+	guestPV := &v1.PersistentVolume{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "pv-1",
+		},
+		Spec: v1.PersistentVolumeSpec{
+			PersistentVolumeSource: v1.PersistentVolumeSource{
+				CSI: &v1.CSIPersistentVolumeSource{
+					VolumeHandle: "volume-1",
+				},
+			},
+		},
+	}
+
+	// Setup supervisor client with PVC
+	supervisorClient := k8sfake.NewSimpleClientset(supPVC)
+	// Setup guest client with PV
+	guestClient := k8sfake.NewSimpleClientset(guestPV)
+
+	// Setup metadataSyncer
+	metadataSyncer := &metadataSyncInformer{
+		supervisorClient: supervisorClient,
+	}
+	metadataSyncer.configInfo = &cnsconfig.ConfigurationInfo{
+		Cfg: &cnsconfig.Config{
+			GC: cnsconfig.GCConfig{
+				Endpoint: "endpoint",
+				Port:     "443",
+			},
+		},
+	}
+
+	// Patch k8sNewClient to return our guestClient
+	origK8sClient := k8sNewClient
+	defer func() {
+		k8sNewClient = origK8sClient
+	}()
+	k8sNewClient = func(ctx context.Context) (clientset.Interface, error) {
+		return guestClient, nil
+	}
+
+	// Patch getPVsInBoundAvailableOrReleased to return our PV
+	origGetPVs := getPVsInBoundAvailableOrReleased
+	defer func() {
+		getPVsInBoundAvailableOrReleased = origGetPVs
+	}()
+	getPVsInBoundAvailableOrReleased = func(ctx context.Context,
+		syncer *metadataSyncInformer) ([]*v1.PersistentVolume, error) {
+		return []*v1.PersistentVolume{guestPV}, nil
+	}
+
+	// Patch cnsconfig.GetSupervisorNamespace to return our namespace
+	origGetSuperNS := cnsconfigGetSupervisorNamespace
+	defer func() {
+		cnsconfigGetSupervisorNamespace = origGetSuperNS
+	}()
+	cnsconfigGetSupervisorNamespace = func(ctx context.Context) (string, error) {
+		return "sv-namespace", nil
+	}
+
+	// Run function
+	AddNodeAffinityRulesOnPV(ctx, metadataSyncer)
+
+	// Verify node affinity added
+	gotPV, err := guestClient.CoreV1().PersistentVolumes().Get(ctx, "pv-1", metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("PV not found: %v", err)
+	}
+	if gotPV.Spec.NodeAffinity == nil || len(gotPV.Spec.NodeAffinity.Required.NodeSelectorTerms) == 0 {
+		t.Errorf("Expected node affinity to be set on PV when supervisor PVC has topology annotation")
+	}
+}
+
+func TestAddNodeAffinityRulesOnPVTopologyAnnotationAbsent(t *testing.T) {
+	ctx := context.Background()
+
+	// Create supervisor PVC without annotation
+	supPVC := &v1.PersistentVolumeClaim{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:        "volume-2",
+			Namespace:   "sv-namespace",
+			Annotations: map[string]string{},
+		},
+	}
+	// Create guest PV without node affinity
+	guestPV := &v1.PersistentVolume{
+		ObjectMeta: metav1.ObjectMeta{
+			Name: "pv-2",
+		},
+		Spec: v1.PersistentVolumeSpec{
+			PersistentVolumeSource: v1.PersistentVolumeSource{
+				CSI: &v1.CSIPersistentVolumeSource{
+					VolumeHandle: "volume-2",
+				},
+			},
+		},
+	}
+
+	supervisorClient := k8sfake.NewSimpleClientset(supPVC)
+	guestClient := k8sfake.NewSimpleClientset(guestPV)
+
+	// Setup metadataSyncer
+	metadataSyncer := &metadataSyncInformer{
+		supervisorClient: supervisorClient,
+	}
+	metadataSyncer.configInfo = &cnsconfig.ConfigurationInfo{
+		Cfg: &cnsconfig.Config{
+			GC: cnsconfig.GCConfig{
+				Endpoint: "endpoint",
+				Port:     "443",
+			},
+		},
+	}
+
+	// Patch k8sNewClient to return our guestClient
+	origK8sClient := k8sNewClient
+	defer func() {
+		k8sNewClient = origK8sClient
+	}()
+	k8sNewClient = func(ctx context.Context) (clientset.Interface, error) {
+		return guestClient, nil
+	}
+
+	// Patch getPVsInBoundAvailableOrReleased to return our PV
+	origGetPVs := getPVsInBoundAvailableOrReleased
+	defer func() {
+		getPVsInBoundAvailableOrReleased = origGetPVs
+	}()
+	getPVsInBoundAvailableOrReleased = func(ctx context.Context,
+		syncer *metadataSyncInformer) ([]*v1.PersistentVolume, error) {
+		return []*v1.PersistentVolume{guestPV}, nil
+	}
+
+	// Patch cnsconfig.GetSupervisorNamespace to return our namespace
+	origGetSuperNS := cnsconfigGetSupervisorNamespace
+	defer func() {
+		cnsconfigGetSupervisorNamespace = origGetSuperNS
+	}()
+	cnsconfigGetSupervisorNamespace = func(ctx context.Context) (string, error) {
+		return "sv-namespace", nil
+	}
+
+	// Reduce timeout value used in code for testing
+	origTimeout := timeoutAddNodeAffinityOnPVs
+	defer func() {
+		timeoutAddNodeAffinityOnPVs = origTimeout
+	}()
+	timeoutAddNodeAffinityOnPVs = 15 * time.Second
+
+	// Run function
+	AddNodeAffinityRulesOnPV(ctx, metadataSyncer)
+
+	// Verify node affinity NOT added as supervisor PVC doesn't have topology annotation
+	gotPV, err := guestClient.CoreV1().PersistentVolumes().Get(ctx, "pv-2", metav1.GetOptions{})
+	if err != nil {
+		t.Fatalf("PV not found: %v", err)
+	}
+	if gotPV.Spec.NodeAffinity != nil {
+		t.Errorf("Expected node affinity NOT to be set on PV when supervisor PVC has no topology annotation")
+	}
+}
diff --git a/pkg/syncer/util.go b/pkg/syncer/util.go
@@ -55,7 +55,7 @@ const (
 
 // getPVsInBoundAvailableOrReleased return PVs in Bound, Available or Released
 // state.
-func getPVsInBoundAvailableOrReleased(ctx context.Context,
+var getPVsInBoundAvailableOrReleased = func(ctx context.Context,
 	metadataSyncer *metadataSyncInformer) ([]*v1.PersistentVolume, error) {
 	log := logger.GetLogger(ctx)
 	var pvsInDesiredState []*v1.PersistentVolume
@@ -961,10 +961,6 @@ func hasClusterDistributionSet(ctx context.Context, volume cnstypes.CnsVolume,
 func generateVolumeAccessibleTopologyFromPVCAnnotation(claim *v1.PersistentVolumeClaim) (
 	[]map[string]string, error) {
 	volumeAccessibleTopology := claim.Annotations[common.AnnVolumeAccessibleTopology]
-	if volumeAccessibleTopology == "" {
-		return nil, fmt.Errorf("annotation %q is not set for the claim: %q, namespace: %q",
-			common.AnnVolumeAccessibleTopology, claim.Name, claim.Namespace)
-	}
 	volumeAccessibleTopologyArray := make([]map[string]string, 0)
 	err := json.Unmarshal([]byte(volumeAccessibleTopology), &volumeAccessibleTopologyArray)
 	if err != nil {
