feature

(fluid-webhook): support to update check-mount.sh configmap on demand

Signed-off-by: 玖宇 <guotongyu.gty@alibaba-inc.com>

Author: 玖宇

pkg/application/inject/fuse/mount_point_script.go

@@ -23,10 +23,12 @@ import (
 
 	"github.com/fluid-cloudnative/fluid/pkg/application/inject/fuse/mutator"
 	"github.com/fluid-cloudnative/fluid/pkg/application/inject/fuse/poststart"
+	"github.com/fluid-cloudnative/fluid/pkg/common"
 	"github.com/fluid-cloudnative/fluid/pkg/ddc/base"
 	"github.com/fluid-cloudnative/fluid/pkg/utils"
 	"github.com/fluid-cloudnative/fluid/pkg/utils/kubeclient"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/client-go/util/retry"
 )
 
 func (s *Injector) injectCheckMountReadyScript(podSpecs *mutator.MutatingPodSpecs, runtimeInfos map[string]base.RuntimeInfoInterface) error {
@@ -131,24 +133,56 @@ func (s *Injector) ensureScriptConfigMapExists(namespace string) (*poststart.Scr
 	appScriptGen := poststart.NewScriptGeneratorForApp(namespace)
 
 	cm := appScriptGen.BuildConfigmap()
-	cmFound, err := kubeclient.IsConfigMapExist(s.client, cm.Name, cm.Namespace)
+	cmKey := fmt.Sprintf("%s/%s", cm.Namespace, cm.Name)
+
+	existingCM, err := kubeclient.GetConfigmapByName(s.client, cm.Name, cm.Namespace)
 	if err != nil {
-		s.log.Error(err, "error when checking configMap's existence", "cm.Name", cm.Name, "cm.Namespace", cm.Namespace)
+		s.log.Error(err, "error when getting configMap", "cm.Name", cm.Name, "cm.Namespace", cm.Namespace)
 		return nil, err
 	}
 
-	cmKey := fmt.Sprintf("%s/%s", cm.Namespace, cm.Name)
-	s.log.V(1).Info("after check configMap existence", "configMap", cmKey, "existence", cmFound)
-	if !cmFound {
+	if existingCM == nil {
+		// ConfigMap does not exist, create it
+		s.log.V(1).Info("configMap not found, creating", "configMap", cmKey)
 		err = s.client.Create(context.TODO(), cm)
 		if err != nil {
 			if otherErr := utils.IgnoreAlreadyExists(err); otherErr != nil {
 				s.log.Error(err, "error when creating new configMap", "cm.Name", cm.Name, "cm.Namespace", cm.Namespace)
 				return nil, err
-			} else {
-				s.log.V(1).Info("configmap already exists, skip", "configMap", cmKey)
 			}
+			s.log.V(1).Info("configmap already exists (concurrent creation), skip", "configMap", cmKey)
+		}
+		return appScriptGen, nil
+	}
+
+	// ConfigMap exists, check if the script SHA256 annotation matches; update with retry on conflict.
+	latestSHA256 := appScriptGen.GetScriptSHA256()
+	if err = retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+		current, getErr := kubeclient.GetConfigmapByName(s.client, cm.Name, cm.Namespace)
+		if getErr != nil {
+			return getErr
+		}
+		if current == nil {
+			// Deleted between Get calls; recreate
+			return s.client.Create(context.TODO(), cm)
+		}
+		if current.Annotations != nil {
+			if annotationSHA256, ok := current.Annotations[common.AnnotationCheckMountScriptSHA256]; ok && annotationSHA256 == latestSHA256 {
+				s.log.V(1).Info("configmap script is up-to-date, skip update", "configMap", cmKey)
+				return nil
+			}
+		}
+		// SHA256 mismatch or annotation missing: update the ConfigMap with latest script and SHA256
+		s.log.Info("configmap script SHA256 mismatch or annotation missing, updating", "configMap", cmKey, "expectedSHA256", latestSHA256)
+		current.Data = cm.Data
+		if current.Annotations == nil {
+			current.Annotations = map[string]string{}
 		}
+		current.Annotations[common.AnnotationCheckMountScriptSHA256] = latestSHA256
+		return s.client.Update(context.TODO(), current)
+	}); err != nil {
+		s.log.Error(err, "error when ensuring configMap is up-to-date", "cm.Name", cm.Name, "cm.Namespace", cm.Namespace)
+		return nil, err
 	}
 
 	return appScriptGen, nil

pkg/application/inject/fuse/mount_point_script_test.go

@@ -21,6 +21,7 @@ import (
 
 	"github.com/fluid-cloudnative/fluid/pkg/application/inject/fuse/mutator"
 	"github.com/fluid-cloudnative/fluid/pkg/application/inject/fuse/poststart"
+	"github.com/fluid-cloudnative/fluid/pkg/common"
 	"github.com/fluid-cloudnative/fluid/pkg/ddc/base"
 	"github.com/go-logr/logr"
 	. "github.com/onsi/ginkgo/v2"
@@ -266,17 +267,64 @@ var _ = Describe("Fuse Injector", func() {
 			})
 		})
 
-		Context("when configmap already exists", func() {
-			It("should not return an error", func() {
-				// Create configmap first
+		Context("when configmap already exists with matching SHA256 annotation", func() {
+			It("should skip update and return without error", func() {
 				appScriptGen := poststart.NewScriptGeneratorForApp(namespace)
 				cm := appScriptGen.BuildConfigmap()
 				err := fakeClient.Create(context.TODO(), cm)
 				Expect(err).To(BeNil())
 
-				// Try to ensure it exists again
 				_, err = injector.ensureScriptConfigMapExists(namespace)
 				Expect(err).To(BeNil())
+
+				// Verify configmap is unchanged (no extra update)
+				retrievedCM := &corev1.ConfigMap{}
+				err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: cm.Name, Namespace: cm.Namespace}, retrievedCM)
+				Expect(err).To(BeNil())
+				Expect(retrievedCM.Annotations).To(HaveKey(common.AnnotationCheckMountScriptSHA256))
+				Expect(retrievedCM.Annotations[common.AnnotationCheckMountScriptSHA256]).To(Equal(appScriptGen.GetScriptSHA256()))
+			})
+		})
+
+		Context("when configmap already exists with stale SHA256 annotation", func() {
+			It("should update the configmap with the latest script and annotation", func() {
+				appScriptGen := poststart.NewScriptGeneratorForApp(namespace)
+				cm := appScriptGen.BuildConfigmap()
+				// Tamper the annotation to simulate an outdated configmap
+				cm.Annotations[common.AnnotationCheckMountScriptSHA256] = "stale-sha256"
+				cm.Data["check-fluid-mount-ready.sh"] = "old script content"
+				err := fakeClient.Create(context.TODO(), cm)
+				Expect(err).To(BeNil())
+
+				_, err = injector.ensureScriptConfigMapExists(namespace)
+				Expect(err).To(BeNil())
+
+				// Verify configmap was updated
+				retrievedCM := &corev1.ConfigMap{}
+				err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: cm.Name, Namespace: cm.Namespace}, retrievedCM)
+				Expect(err).To(BeNil())
+				Expect(retrievedCM.Annotations[common.AnnotationCheckMountScriptSHA256]).To(Equal(appScriptGen.GetScriptSHA256()))
+				Expect(retrievedCM.Data["check-fluid-mount-ready.sh"]).NotTo(Equal("old script content"))
+			})
+		})
+
+		Context("when configmap already exists without SHA256 annotation", func() {
+			It("should update the configmap to add the annotation", func() {
+				appScriptGen := poststart.NewScriptGeneratorForApp(namespace)
+				cm := appScriptGen.BuildConfigmap()
+				// Remove the annotation to simulate a legacy configmap
+				delete(cm.Annotations, common.AnnotationCheckMountScriptSHA256)
+				err := fakeClient.Create(context.TODO(), cm)
+				Expect(err).To(BeNil())
+
+				_, err = injector.ensureScriptConfigMapExists(namespace)
+				Expect(err).To(BeNil())
+
+				retrievedCM := &corev1.ConfigMap{}
+				err = fakeClient.Get(context.TODO(), client.ObjectKey{Name: cm.Name, Namespace: cm.Namespace}, retrievedCM)
+				Expect(err).To(BeNil())
+				Expect(retrievedCM.Annotations).To(HaveKey(common.AnnotationCheckMountScriptSHA256))
+				Expect(retrievedCM.Annotations[common.AnnotationCheckMountScriptSHA256]).To(Equal(appScriptGen.GetScriptSHA256()))
 			})
 		})
 	})

pkg/application/inject/fuse/mutator/mutator_default.go

@@ -22,20 +22,24 @@ import (
 	"encoding/hex"
 	"fmt"
 	"path/filepath"
+	"reflect"
 	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
 	"github.com/pkg/errors"
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/util/retry"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/fluid-cloudnative/fluid/pkg/application/inject/fuse/poststart"
 	"github.com/fluid-cloudnative/fluid/pkg/common"
 	"github.com/fluid-cloudnative/fluid/pkg/ddc/base"
 	"github.com/fluid-cloudnative/fluid/pkg/utils"
 	"github.com/fluid-cloudnative/fluid/pkg/utils/kubeclient"
+
+	datav1alpha1 "github.com/fluid-cloudnative/fluid/api/v1alpha1"
 )
 
 var (
@@ -321,20 +325,9 @@ func prepareFuseContainerPostStartScript(helper *helperData) error {
 	// Fluid assumes pvc name is the same with runtime's name
 	gen := poststart.NewDefaultPostStartScriptGenerator()
 	cmKey := gen.GetNamespacedConfigMapKey(types.NamespacedName{Namespace: datasetNamespace, Name: datasetName}, template.FuseMountInfo.FsType)
-	found, err := kubeclient.IsConfigMapExist(helper.client, cmKey.Name, cmKey.Namespace)
-	if err != nil {
-		return err
-	}
 
-	if !found {
-		cm := gen.BuildConfigMap(dataset, cmKey)
-		err = helper.client.Create(context.TODO(), cm)
-		if err != nil {
-			// If ConfigMap creation succeeds concurrently, continue to mutate
-			if otherErr := utils.IgnoreAlreadyExists(err); otherErr != nil {
-				return err
-			}
-		}
+	if err = ensurePostStartConfigMap(helper.client, gen, dataset, cmKey); err != nil {
+		return err
 	}
 
 	template.FuseContainer.VolumeMounts = append(template.FuseContainer.VolumeMounts, gen.GetVolumeMount())
@@ -347,6 +340,63 @@ func prepareFuseContainerPostStartScript(helper *helperData) error {
 	return nil
 }
 
+// ensurePostStartConfigMap creates the ConfigMap if it does not exist, or updates it when the
+// script content has changed (detected via SHA256 annotation).
+func ensurePostStartConfigMap(c client.Client, gen poststart.ScriptGenerator, dataset *datav1alpha1.Dataset, cmKey types.NamespacedName) error {
+	existingCM, err := kubeclient.GetConfigmapByName(c, cmKey.Name, cmKey.Namespace)
+	if err != nil {
+		return err
+	}
+
+	if existingCM == nil {
+		cm := gen.BuildConfigMap(dataset, cmKey)
+		if createErr := c.Create(context.TODO(), cm); createErr != nil {
+			// If ConfigMap creation succeeds concurrently, continue to mutate
+			return utils.IgnoreAlreadyExists(createErr)
+		}
+		return nil
+	}
+
+	// ConfigMap exists; update with retry on conflict to handle concurrent webhook mutations.
+	return retry.RetryOnConflict(retry.DefaultBackoff, func() error {
+		return updateConfigMapIfStale(c, gen, dataset, cmKey)
+	})
+}
+
+// updateConfigMapIfStale fetches the current ConfigMap from the cluster and updates it when the
+// SHA256 annotation does not match the latest script. It is designed to be called inside a
+// RetryOnConflict loop.
+func updateConfigMapIfStale(c client.Client, gen poststart.ScriptGenerator, dataset *datav1alpha1.Dataset, cmKey types.NamespacedName) error {
+	current, err := kubeclient.GetConfigmapByName(c, cmKey.Name, cmKey.Namespace)
+	if err != nil {
+		return err
+	}
+	if current == nil {
+		// Deleted between Get calls; recreate
+		return c.Create(context.TODO(), gen.BuildConfigMap(dataset, cmKey))
+	}
+
+	if isConfigMapUpToDate(current, gen.GetScriptSHA256()) {
+		return nil
+	}
+
+	latest := gen.RefreshConfigMapContents(dataset, cmKey, current.DeepCopy())
+	if reflect.DeepEqual(current, latest) {
+		return nil
+	}
+	return c.Update(context.TODO(), latest)
+}
+
+// isConfigMapUpToDate returns true when the annotations already carry the expected SHA256,
+// meaning no update is needed.
+func isConfigMapUpToDate(cm *corev1.ConfigMap, expectedSHA256 string) bool {
+	if cm == nil || cm.Annotations == nil {
+		return false
+	}
+	sha, ok := cm.Annotations[common.AnnotationCheckMountScriptSHA256]
+	return ok && sha == expectedSHA256
+}
+
 func transformTemplateWithCacheDirDisabled(helper *helperData) {
 	template := helper.template
 	template.FuseContainer.VolumeMounts = utils.TrimVolumeMounts(template.FuseContainer.VolumeMounts, cacheDirNames)