InstaNode-dev
diff --git a/‎internal/backend/redis/k8s.go‎
Lines changed: 73 additions & 10 deletions b/‎internal/backend/redis/k8s.go‎
Lines changed: 73 additions & 10 deletions
diff --git a/‎internal/backend/redis/k8s_test.go‎
Lines changed: 180 additions & 16 deletions b/‎internal/backend/redis/k8s_test.go‎
Lines changed: 180 additions & 16 deletions
@@ -73,6 +73,30 @@ const (
 	redisK8sReadyTO   = 3 * time.Minute
 	redisK8sReadyPoll = 3 * time.Second
 
+	// redisK8sProvisionCeiling is the hard server-side ceiling on the whole
+	// Provision sequence (namespace → netpol → quota → secret → PVC → deployment
+	// → service → waitPodReady). It is a SAFETY CEILING, not the primary timeout:
+	// provisionCtx (see provisionContext) derives from the incoming gRPC ctx so
+	// the caller's deadline/cancellation propagates first.
+	//
+	// THE PRO-PROVISION-HANG BUG (fix/redis-pro-provision-hang):
+	// Pro/Team Redis uses a real PVC (pvcMi=10240 → 10Gi block storage); the
+	// anonymous tier uses an emptyDir (pvcMi=0) and skips the 5-10s DOKS volume
+	// attach entirely. When a Pro pod's PVC binding or block-storage attach stalls
+	// (CSI stuck, quota exhausted, slow attach), waitPodReady would poll for the
+	// full redisK8sReadyTO. The old code derived provCtx from context.Background()
+	// — DISCARDING the caller's deadline — so even after the api gRPC call timed
+	// out (e.g. 60s), the provisioner kept blocking the handler for up to 5
+	// minutes. From the api's side that is an unbounded hang. The anonymous path
+	// never hit it because emptyDir pods go Ready in seconds.
+	//
+	// The fix (provisionContext): derive from the caller's ctx so api cancellation
+	// returns the handler promptly with a clean error (mapped to a retryable gRPC
+	// status → api soft-deletes + 503s). This ceiling still bounds the worst case
+	// when the caller passes no deadline at all (e.g. an internal background call),
+	// so a wedged attach can never pin a goroutine forever.
+	redisK8sProvisionCeiling = 5 * time.Minute
+
 	// redisMaxmemoryPolicyCapped is the maxmemory-policy for capped (non-unlimited)
 	// dedicated Redis tiers. "noeviction" makes writes fail loudly with an OOM
 	// error at the memory cap so the agent/customer sees it and can upgrade —
@@ -404,6 +428,30 @@ func (b *K8sBackend) podExecor() PodExecor {
 	return b.execor
 }
 
+// provisionContext derives the context used for the whole Provision sequence.
+//
+// It bounds the provision in two layers so the call can NEVER hang the gRPC
+// handler indefinitely (the pro-provision-hang bug):
+//
+//  1. It derives from the incoming gRPC ctx (NOT context.Background()), so when
+//     the api caller's deadline fires or it cancels the RPC, the derived context
+//     is cancelled and every k8s call / waitPodReady poll returns promptly. This
+//     is what guarantees the api never observes an unbounded hang: the moment the
+//     api gives up, the provisioner stops blocking and returns an error.
+//  2. It applies redisK8sProvisionCeiling as a hard upper bound. context.WithTimeout
+//     uses min(parent deadline, ceiling), so a caller with a generous (or no)
+//     deadline still can't pin a goroutine on a wedged PVC attach past the ceiling.
+//
+// The teamID context value is carried forward so applyNamespace can label the
+// namespace with instant.dev/owner-team (pentest 2026-05-16 fix).
+func provisionContext(ctx context.Context) (context.Context, context.CancelFunc) {
+	provCtx, cancel := context.WithTimeout(ctx, redisK8sProvisionCeiling)
+	if teamID, ok := ctx.Value(ctxkeys.TeamIDKey).(string); ok && teamID != "" {
+		provCtx = context.WithValue(provCtx, ctxkeys.TeamIDKey, teamID)
+	}
+	return provCtx, cancel
+}
+
 // Provision creates a dedicated Redis instance. The pod is started with --requirepass
 // and --maxclients injected via the container command. No post-start init step needed
 // (unlike Postgres).
@@ -416,19 +464,24 @@ func (b *K8sBackend) Provision(ctx context.Context, token, tier string) (*Creden
 
 	rollback := func(step string, cause error) error {
 		slog.Error("k8s.redis.provision.rollback", "step", step, "namespace", ns, "error", cause)
-		_ = b.cs.CoreV1().Namespaces().Delete(context.Background(), ns, metav1.DeleteOptions{})
+		// Rollback deletion uses a fresh background context with its own short
+		// timeout: the incoming ctx may already be cancelled (that is often WHY
+		// we are rolling back), but the namespace cleanup must still run so a
+		// failed provision does not leak a half-built namespace.
+		delCtx, delCancel := context.WithTimeout(context.Background(), 30*time.Second)
+		defer delCancel()
+		_ = b.cs.CoreV1().Namespaces().Delete(delCtx, ns, metav1.DeleteOptions{})
 		return fmt.Errorf("k8s redis: %s: %w", step, cause)
 	}
 
-	// Use a fresh background context — pod startup can take minutes, far exceeding
-	// any gRPC request deadline on the incoming ctx.
-	// Carry the teamID value forward so applyNamespace can label the namespace
-	// with instant.dev/owner-team (pentest 2026-05-16 fix).
-	provCtx, provCancel := context.WithTimeout(context.Background(), 5*time.Minute)
+	// provCtx is bounded by BOTH the caller's deadline/cancellation and a hard
+	// server-side ceiling (see provisionContext + redisK8sProvisionCeiling). This
+	// is the core of the pro-provision-hang fix: the old code used
+	// context.WithTimeout(context.Background(), 5m), which ignored the caller's
+	// deadline and let a stalled Pro-tier PVC attach block the handler for the
+	// full 5 minutes even after the api had given up.
+	provCtx, provCancel := provisionContext(ctx)
 	defer provCancel()
-	if teamID, ok := ctx.Value(ctxkeys.TeamIDKey).(string); ok && teamID != "" {
-		provCtx = context.WithValue(provCtx, ctxkeys.TeamIDKey, teamID)
-	}
 
 	sz := sizingForTier(tier)
 
@@ -1193,6 +1246,16 @@ func (b *K8sBackend) applyService(ctx context.Context, ns string) (*corev1.Servi
 func (b *K8sBackend) waitPodReady(ctx context.Context, ns, labelSelector string) error {
 	deadline := time.Now().Add(redisK8sReadyTO)
 	for time.Now().Before(deadline) {
+		// Check the caller's context FIRST. When the api's gRPC deadline fires
+		// (the pro-provision-hang case: a stalled PVC attach keeps the Pro pod
+		// out of Ready), ctx is cancelled and we must return immediately with a
+		// retryable error rather than issue one more Pods.List or sleep another
+		// poll interval. This is what lets the provisioner fail FAST and clean
+		// (mapError → retryable gRPC status → api soft-deletes + 503s) instead
+		// of pinning the handler until the local 3-minute deadline.
+		if err := ctx.Err(); err != nil {
+			return fmt.Errorf("redis pod not ready (caller cancelled/timed out): %w", err)
+		}
 		pods, err := b.cs.CoreV1().Pods(ns).List(ctx, metav1.ListOptions{LabelSelector: labelSelector})
 		if err != nil {
 			return err
@@ -1206,7 +1269,7 @@ func (b *K8sBackend) waitPodReady(ctx context.Context, ns, labelSelector string)
 		}
 		select {
 		case <-ctx.Done():
-			return ctx.Err()
+			return fmt.Errorf("redis pod not ready (caller cancelled/timed out): %w", ctx.Err())
 		case <-time.After(redisK8sReadyPoll):
 		}
 	}
 
@@ -34,6 +34,7 @@ package redis
 import (
 	"bytes"
 	"context"
+	"errors"
 	"fmt"
 	"strings"
 	"testing"
@@ -46,6 +47,8 @@ import (
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/client-go/kubernetes/fake"
 	ktesting "k8s.io/client-go/testing"
+
+	"instant.dev/provisioner/internal/ctxkeys"
 )
 
 // ─── Tier sizing regression guards ──────────────────────────────────────────
@@ -59,17 +62,17 @@ func TestSizingForTier_MaxmemoryMB_MatchesPlansYAML(t *testing.T) {
 		wantMB      int  // expected maxmemoryMB (mirrors plans.yaml redis_memory_mb)
 		expectLimit bool // true if --maxmemory flag should be applied
 	}{
-		{"anonymous", 5, true},   // plans.yaml: anonymous redis_memory_mb = 5
-		{"hobby", 50, true},      // plans.yaml: hobby redis_memory_mb = 50
-		{"hobby_yearly", 50, true}, // plans.yaml: hobby_yearly mirrors hobby
-		{"hobby_plus", 50, true}, // plans.yaml: hobby_plus redis_memory_mb = 50
+		{"anonymous", 5, true},          // plans.yaml: anonymous redis_memory_mb = 5
+		{"hobby", 50, true},             // plans.yaml: hobby redis_memory_mb = 50
+		{"hobby_yearly", 50, true},      // plans.yaml: hobby_yearly mirrors hobby
+		{"hobby_plus", 50, true},        // plans.yaml: hobby_plus redis_memory_mb = 50
 		{"hobby_plus_yearly", 50, true}, // plans.yaml: hobby_plus_yearly mirrors hobby_plus
-		{"pro", 512, true},       // plans.yaml: pro redis_memory_mb = 512
-		{"pro_yearly", 512, true},// plans.yaml: pro_yearly mirrors pro
-		{"team", -1, false},      // "no cap" pod-start default — flag omitted; Regrade reconciles to registry (team=1536, finite post strict-80)
-		{"team_yearly", -1, false}, // team_yearly mirrors team's pod-start sizing default
-		{"growth", 1024, true},   // plans.yaml: growth redis_memory_mb = 1024
-		{"unknown", 50, true},    // unknown → hobby fallback
+		{"pro", 512, true},              // plans.yaml: pro redis_memory_mb = 512
+		{"pro_yearly", 512, true},       // plans.yaml: pro_yearly mirrors pro
+		{"team", -1, false},             // "no cap" pod-start default — flag omitted; Regrade reconciles to registry (team=1536, finite post strict-80)
+		{"team_yearly", -1, false},      // team_yearly mirrors team's pod-start sizing default
+		{"growth", 1024, true},          // plans.yaml: growth redis_memory_mb = 1024
+		{"unknown", 50, true},           // unknown → hobby fallback
 	}
 	for _, tc := range cases {
 		t.Run(tc.tier, func(t *testing.T) {
@@ -188,7 +191,7 @@ func TestRouteKeyTTLForTier_PaidTiersNeverExpire(t *testing.T) {
 		{"pro", persistRouteKey},
 		{"growth", persistRouteKey},
 		{"team", persistRouteKey},
-		{"", persistRouteKey},        // empty/unknown → fail safe to persistent
+		{"", persistRouteKey}, // empty/unknown → fail safe to persistent
 		{"some_future_tier", persistRouteKey},
 	}
 	for _, tc := range cases {
@@ -355,17 +358,17 @@ func (f *fakeExecor) ExecInPod(_ context.Context, namespace, podName, containerN
 //     at the cap instead of silently evicting customer keys).
 func TestExecCommandConstruction(t *testing.T) {
 	cases := []struct {
-		tier           string
-		targetMB       int
+		tier            string
+		targetMB        int
 		wantTargetBytes int64
-		wantPolicy     string
-		wantMaxmem     string // expected substring in the CONFIG SET maxmemory command
+		wantPolicy      string
+		wantMaxmem      string // expected substring in the CONFIG SET maxmemory command
 	}{
 		{"anonymous", 5, 5 * 1024 * 1024, "noeviction", "5242880"},
 		{"hobby", 50, 50 * 1024 * 1024, "noeviction", "52428800"},
 		{"pro", 512, 512 * 1024 * 1024, "noeviction", "536870912"},
 		{"growth", 1024, 1024 * 1024 * 1024, "noeviction", "1073741824"},
-		{"team", -1, 0, "noeviction", "maxmemory 0"},  // unlimited — check full "maxmemory 0" substring
+		{"team", -1, 0, "noeviction", "maxmemory 0"}, // unlimited — check full "maxmemory 0" substring
 	}
 
 	for _, tc := range cases {
@@ -804,6 +807,167 @@ func TestRegrade_TeamTier_Unlimited(t *testing.T) {
 	}
 }
 
+// ─── Provision caller-deadline / fast-fail guards (pro-provision-hang fix) ───
+
+// TestProvision_ProTier_HonoursCallerDeadline is the core regression guard for
+// fix/redis-pro-provision-hang.
+//
+// THE BUG: provisioning a Redis cache for a Pro/Team team HUNG (>60s, never
+// returned) while the anonymous provision returned in ~6s. The Pro tier uses a
+// real 10Gi PVC (pvcMi=10240); when the block-storage attach stalls, the Redis
+// pod never reaches Ready and waitPodReady polled for the full redisK8sReadyTO
+// (3 minutes). The old code derived the provisioning context from
+// context.Background() with a hardcoded 5-minute timeout, so it IGNORED the
+// caller's deadline entirely: even after the api gRPC call timed out, the
+// provisioner kept blocking the handler. The anonymous path never hit this
+// because emptyDir pods (pvcMi=0) go Ready in seconds.
+//
+// THE FIX: provisionContext derives from the caller's ctx, so the moment the api
+// gives up, Provision returns promptly with a (wrapped) context error.
+//
+// This test uses a fake clientset whose Redis pod NEVER becomes Ready (no
+// scheduler in the fake → no PodReady condition is ever set), simulating the
+// stalled-PVC-attach condition. With a short caller deadline, Provision MUST
+// return well before redisK8sReadyTO — proving it honours the caller's deadline.
+// If a future change reverts to context.Background(), this test fails (times out
+// the t.Fatal guard / takes ~3 minutes).
+func TestProvision_ProTier_HonoursCallerDeadline(t *testing.T) {
+	cs := fake.NewClientset() // empty cluster: the redis pod never becomes Ready
+	b := &K8sBackend{cs: cs, storageClass: "standard", image: "redis:7-alpine"}
+
+	// Caller deadline far shorter than redisK8sReadyTO (3m) and the ceiling (5m).
+	ctx, cancel := context.WithTimeout(context.Background(), 300*time.Millisecond)
+	defer cancel()
+
+	start := time.Now()
+	_, err := b.Provision(ctx, "pro-token", "pro")
+	elapsed := time.Since(start)
+
+	if err == nil {
+		t.Fatal("Provision should fail when the Redis pod never becomes Ready; got nil error")
+	}
+	// MUST return promptly — bounded by the caller deadline, NOT redisK8sReadyTO.
+	// Allow generous slack for the fake-client round trips, but it must be far
+	// below the 3-minute pod-ready ceiling that the old (background-context) code
+	// would have blocked for.
+	if elapsed > 30*time.Second {
+		t.Fatalf("PRO-PROVISION-HANG REGRESSION: Provision took %s; it must honour the "+
+			"caller's deadline (~300ms) and fast-fail, not block for redisK8sReadyTO (%s). "+
+			"This means the provisioning context no longer derives from the caller's ctx.",
+			elapsed, redisK8sReadyTO)
+	}
+	// The error must be the caller-deadline error so mapError can classify it as
+	// a retryable gRPC status (api soft-deletes + 503s rather than a hard 500).
+	if !errors.Is(err, context.DeadlineExceeded) {
+		t.Errorf("Provision error should wrap context.DeadlineExceeded (got %v) so mapError "+
+			"surfaces a retryable status; a non-context error would map to Internal/500", err)
+	}
+}
+
+// TestProvision_AnonTier_HonoursCallerDeadline asserts the fast-fail is
+// tier-independent: even the anonymous path (which in prod is fast because it
+// uses emptyDir) returns promptly when the caller cancels. Under the fake
+// clientset the pod never goes Ready for any tier, so this verifies the
+// caller-deadline propagation rather than the emptyDir speedup.
+func TestProvision_AnonTier_HonoursCallerDeadline(t *testing.T) {
+	cs := fake.NewClientset()
+	b := &K8sBackend{cs: cs, storageClass: "standard", image: "redis:7-alpine"}
+
+	ctx, cancel := context.WithTimeout(context.Background(), 300*time.Millisecond)
+	defer cancel()
+
+	start := time.Now()
+	_, err := b.Provision(ctx, "anon-token", "anonymous")
+	elapsed := time.Since(start)
+
+	if err == nil {
+		t.Fatal("Provision should fail when the Redis pod never becomes Ready; got nil error")
+	}
+	if elapsed > 30*time.Second {
+		t.Fatalf("Provision took %s; must fast-fail on caller deadline, not block %s", elapsed, redisK8sReadyTO)
+	}
+	if !errors.Is(err, context.DeadlineExceeded) {
+		t.Errorf("Provision error should wrap context.DeadlineExceeded; got %v", err)
+	}
+}
+
+// TestProvision_CallerCancel_FastFails asserts that an explicit caller
+// cancellation (not just a deadline) also unblocks Provision promptly. This
+// covers the api-cancels-the-RPC case (e.g. the agent disconnected) — the
+// provisioner must stop blocking, not grind on for minutes.
+func TestProvision_CallerCancel_FastFails(t *testing.T) {
+	cs := fake.NewClientset()
+	b := &K8sBackend{cs: cs, storageClass: "standard", image: "redis:7-alpine"}
+
+	ctx, cancel := context.WithCancel(context.Background())
+	// Cancel shortly after the call starts so waitPodReady is mid-poll.
+	go func() {
+		time.Sleep(200 * time.Millisecond)
+		cancel()
+	}()
+
+	start := time.Now()
+	_, err := b.Provision(ctx, "cancel-token", "pro")
+	elapsed := time.Since(start)
+
+	if err == nil {
+		t.Fatal("Provision should fail when the caller cancels; got nil error")
+	}
+	if elapsed > 30*time.Second {
+		t.Fatalf("Provision took %s; caller cancellation must unblock it, not block %s", elapsed, redisK8sReadyTO)
+	}
+	if !errors.Is(err, context.Canceled) {
+		t.Errorf("Provision error should wrap context.Canceled; got %v", err)
+	}
+}
+
+// TestProvisionContext_HonoursCallerDeadline verifies provisionContext's two
+// bounding layers:
+//  1. When the caller's deadline is sooner than the ceiling, the derived
+//     context's deadline equals the caller's (caller wins).
+//  2. The teamID context value is carried forward (so applyNamespace can label
+//     the namespace with instant.dev/owner-team).
+func TestProvisionContext_HonoursCallerDeadline(t *testing.T) {
+	callerDeadline := time.Now().Add(2 * time.Second) // sooner than redisK8sProvisionCeiling (5m)
+	parent, cancel := context.WithDeadline(context.Background(), callerDeadline)
+	defer cancel()
+	parent = context.WithValue(parent, ctxkeys.TeamIDKey, "team-xyz")
+
+	provCtx, provCancel := provisionContext(parent)
+	defer provCancel()
+
+	dl, ok := provCtx.Deadline()
+	if !ok {
+		t.Fatal("provisionContext result must have a deadline")
+	}
+	// The caller's 2s deadline is sooner than the 5m ceiling, so it must win.
+	if dl.After(callerDeadline.Add(50 * time.Millisecond)) {
+		t.Errorf("provisionContext deadline = %v; caller's sooner deadline (%v) should win over the ceiling", dl, callerDeadline)
+	}
+	if got, _ := provCtx.Value(ctxkeys.TeamIDKey).(string); got != "team-xyz" {
+		t.Errorf("provisionContext should carry teamID forward; got %q want %q", got, "team-xyz")
+	}
+}
+
+// TestProvisionContext_CeilingBoundsNoDeadlineCaller verifies that when the
+// caller passes a context with NO deadline (e.g. an internal background call),
+// the ceiling still bounds the provision so a wedged attach can't pin a
+// goroutine forever.
+func TestProvisionContext_CeilingBoundsNoDeadlineCaller(t *testing.T) {
+	provCtx, provCancel := provisionContext(context.Background())
+	defer provCancel()
+
+	dl, ok := provCtx.Deadline()
+	if !ok {
+		t.Fatal("provisionContext must impose the ceiling deadline even when the caller has none")
+	}
+	// Deadline should be ~redisK8sProvisionCeiling from now.
+	until := time.Until(dl)
+	if until <= 0 || until > redisK8sProvisionCeiling+time.Second {
+		t.Errorf("provisionContext ceiling deadline = %s from now; want ~%s", until, redisK8sProvisionCeiling)
+	}
+}
+
 // ─── Helpers ─────────────────────────────────────────────────────────────────
 
 // runningPod creates a minimal Running pod for use in fake.Clientset.