fix: improve error handling for retryable operations and add tests (#2342)

This change adds retry logic for handling transient errors in Kubernetes operations (update, create, and patch). It properly retries operations when encountering conflict errors, server timeouts, too many requests, and service unavailability errors. Non-retryable errors are properly propagated. Tests are added to verify the retry behavior.

Signed-off-by: Karthik babu Manam <[email protected]>
Co-authored-by: Charles-Edouard Brétéché <[email protected]>

Author: karthikmanam

pkg/engine/operations/create/operation.go

@@ -86,8 +86,32 @@ func (o *operation) execute(ctx context.Context, bindings apis.Bindings, obj uns
 	var outputs outputs.Outputs
 	err := wait.PollUntilContextCancel(ctx, client.PollInterval, false, func(ctx context.Context) (bool, error) {
 		outputs, lastErr = o.tryCreateResource(ctx, bindings, obj)
-		// TODO: determine if the error can be retried
-		return lastErr == nil, nil
+		// Check if the error is retryable
+		if lastErr != nil {
+			// Conflict errors should be retried
+			if kerrors.IsConflict(lastErr) {
+				return false, nil
+			}
+			// Server timeout errors should be retried
+			if kerrors.IsServerTimeout(lastErr) {
+				return false, nil
+			}
+			// Too many requests errors should be retried
+			if kerrors.IsTooManyRequests(lastErr) {
+				return false, nil
+			}
+			// Service unavailable errors should be retried
+			if kerrors.IsServiceUnavailable(lastErr) {
+				return false, nil
+			}
+			// AlreadyExists error should not be retried as it's a permanent condition
+			if kerrors.IsAlreadyExists(lastErr) {
+				return false, lastErr
+			}
+			// Non-retryable error
+			return false, lastErr
+		}
+		return true, nil
 	})
 	if err == nil {
 		return outputs, nil
@@ -98,26 +122,45 @@ func (o *operation) execute(ctx context.Context, bindings apis.Bindings, obj uns
 	return outputs, err
 }
 
-// TODO: could be replaced by checking the already exists error
 func (o *operation) tryCreateResource(ctx context.Context, bindings apis.Bindings, obj unstructured.Unstructured) (outputs.Outputs, error) {
-	var actual unstructured.Unstructured
-	actual.SetGroupVersionKind(obj.GetObjectKind().GroupVersionKind())
-	err := o.client.Get(ctx, client.Key(&obj), &actual)
-	if err == nil {
+	// First check if the resource exists
+	key := client.Key(&obj)
+	var existing unstructured.Unstructured
+	existing.SetGroupVersionKind(obj.GetObjectKind().GroupVersionKind())
+
+	err := o.client.Get(ctx, key, &existing)
+	if err != nil {
+		// If there was an error other than NotFound, propagate it
+		if !kerrors.IsNotFound(err) {
+			return nil, err
+		}
+
+		// Resource doesn't exist, try to create it
+		createErr := o.client.Create(ctx, &obj)
+		if createErr == nil {
+			// Resource created successfully
+			if o.cleaner != nil {
+				o.cleaner.Add(o.client, &obj)
+			}
+			return o.handleCheck(ctx, bindings, obj, nil)
+		}
+
+		// Check if the error matches any expectations
+		if len(o.expect) > 0 {
+			return o.handleCheck(ctx, bindings, obj, createErr)
+		}
+
+		// If the error is not AlreadyExists, propagate it
+		if !kerrors.IsAlreadyExists(createErr) {
+			return nil, createErr
+		}
+
+		// Resource already exists (race condition)
 		return nil, errors.New("the resource already exists in the cluster")
 	}
-	if kerrors.IsNotFound(err) {
-		return o.createResource(ctx, bindings, obj)
-	}
-	return nil, err
-}
 
-func (o *operation) createResource(ctx context.Context, bindings apis.Bindings, obj unstructured.Unstructured) (outputs.Outputs, error) {
-	err := o.client.Create(ctx, &obj)
-	if err == nil && o.cleaner != nil {
-		o.cleaner.Add(o.client, &obj)
-	}
-	return o.handleCheck(ctx, bindings, obj, err)
+	// Resource already exists
+	return nil, errors.New("the resource already exists in the cluster")
 }
 
 func (o *operation) handleCheck(ctx context.Context, bindings apis.Bindings, obj unstructured.Unstructured, err error) (_outputs outputs.Outputs, _err error) {

pkg/engine/operations/create/operation_test.go

@@ -16,6 +16,7 @@ import (
 	"github.com/stretchr/testify/assert"
 	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/utils/ptr"
 )
 
@@ -52,6 +53,12 @@ func Test_create(t *testing.T) {
 				*obj.(*unstructured.Unstructured) = pod
 				return nil
 			},
+			CreateFn: func(_ context.Context, _ int, _ client.Object, _ ...client.CreateOption) error {
+				return kerrors.NewAlreadyExists(
+					schema.GroupResource{Group: "", Resource: "pods"},
+					"test-pod",
+				)
+			},
 		},
 		expect:      nil,
 		expectedErr: errors.New("the resource already exists in the cluster"),
@@ -63,6 +70,12 @@ func Test_create(t *testing.T) {
 				*obj.(*unstructured.Unstructured) = pod
 				return nil
 			},
+			CreateFn: func(_ context.Context, _ int, _ client.Object, _ ...client.CreateOption) error {
+				return kerrors.NewAlreadyExists(
+					schema.GroupResource{Group: "", Resource: "pods"},
+					"test-pod",
+				)
+			},
 		},
 		expect:      nil,
 		expectedErr: errors.New("the resource already exists in the cluster"),
@@ -99,6 +112,9 @@ func Test_create(t *testing.T) {
 			GetFn: func(ctx context.Context, _ int, _ client.ObjectKey, _ client.Object, opts ...client.GetOption) error {
 				return errors.New("some arbitrary error")
 			},
+			CreateFn: func(_ context.Context, _ int, _ client.Object, _ ...client.CreateOption) error {
+				return errors.New("unexpected create call")
+			},
 		},
 		expect:      nil,
 		expectedErr: errors.New("some arbitrary error"),
@@ -238,3 +254,170 @@ func Test_create(t *testing.T) {
 		})
 	}
 }
+
+func Test_retry_logic(t *testing.T) {
+	pod := unstructured.Unstructured{
+		Object: map[string]any{
+			"apiVersion": "v1",
+			"kind":       "Pod",
+			"metadata": map[string]any{
+				"name": "test-pod",
+			},
+			"spec": map[string]any{
+				"containers": []any{
+					map[string]any{
+						"name":  "test-container",
+						"image": "test-image:v1",
+					},
+				},
+			},
+		},
+	}
+
+	tests := []struct {
+		name        string
+		object      unstructured.Unstructured
+		client      *tclient.FakeClient
+		cleaner     cleaner.Cleaner
+		expect      []v1alpha1.Expectation
+		expectedErr error
+	}{
+		{
+			name:   "conflict error should be retried and eventually succeed",
+			object: pod,
+			client: &tclient.FakeClient{
+				GetFn: func(ctx context.Context, call int, key client.ObjectKey, obj client.Object, _ ...client.GetOption) error {
+					return kerrors.NewNotFound(obj.GetObjectKind().GroupVersionKind().GroupVersion().WithResource("pod").GroupResource(), key.Name)
+				},
+				CreateFn: func(_ context.Context, call int, _ client.Object, _ ...client.CreateOption) error {
+					if call < 2 {
+						return kerrors.NewConflict(
+							schema.GroupResource{Group: "", Resource: "pods"},
+							"test-pod",
+							errors.New("conflict error"),
+						)
+					}
+					return nil
+				},
+			},
+			expect:      nil,
+			expectedErr: nil,
+		},
+		{
+			name:   "server timeout error should be retried and eventually succeed",
+			object: pod,
+			client: &tclient.FakeClient{
+				GetFn: func(ctx context.Context, call int, key client.ObjectKey, obj client.Object, _ ...client.GetOption) error {
+					return kerrors.NewNotFound(obj.GetObjectKind().GroupVersionKind().GroupVersion().WithResource("pod").GroupResource(), key.Name)
+				},
+				CreateFn: func(_ context.Context, call int, _ client.Object, _ ...client.CreateOption) error {
+					if call < 2 {
+						return kerrors.NewServerTimeout(
+							schema.GroupResource{Group: "", Resource: "pods"},
+							"create",
+							10,
+						)
+					}
+					return nil
+				},
+			},
+			expect:      nil,
+			expectedErr: nil,
+		},
+		{
+			name:   "too many requests error should be retried and eventually succeed",
+			object: pod,
+			client: &tclient.FakeClient{
+				GetFn: func(ctx context.Context, call int, key client.ObjectKey, obj client.Object, _ ...client.GetOption) error {
+					return kerrors.NewNotFound(obj.GetObjectKind().GroupVersionKind().GroupVersion().WithResource("pod").GroupResource(), key.Name)
+				},
+				CreateFn: func(_ context.Context, call int, _ client.Object, _ ...client.CreateOption) error {
+					if call < 2 {
+						return kerrors.NewTooManyRequests(
+							"too many requests",
+							10,
+						)
+					}
+					return nil
+				},
+			},
+			expect:      nil,
+			expectedErr: nil,
+		},
+		{
+			name:   "service unavailable error should be retried and eventually succeed",
+			object: pod,
+			client: &tclient.FakeClient{
+				GetFn: func(ctx context.Context, call int, key client.ObjectKey, obj client.Object, _ ...client.GetOption) error {
+					return kerrors.NewNotFound(obj.GetObjectKind().GroupVersionKind().GroupVersion().WithResource("pod").GroupResource(), key.Name)
+				},
+				CreateFn: func(_ context.Context, call int, _ client.Object, _ ...client.CreateOption) error {
+					if call < 2 {
+						return kerrors.NewServiceUnavailable("service unavailable")
+					}
+					return nil
+				},
+			},
+			expect:      nil,
+			expectedErr: nil,
+		},
+		{
+			name:   "already exists error should not be retried",
+			object: pod,
+			client: &tclient.FakeClient{
+				GetFn: func(ctx context.Context, call int, key client.ObjectKey, obj client.Object, _ ...client.GetOption) error {
+					return kerrors.NewNotFound(obj.GetObjectKind().GroupVersionKind().GroupVersion().WithResource("pod").GroupResource(), key.Name)
+				},
+				CreateFn: func(_ context.Context, call int, _ client.Object, _ ...client.CreateOption) error {
+					return kerrors.NewAlreadyExists(
+						schema.GroupResource{Group: "", Resource: "pods"},
+						"test-pod",
+					)
+				},
+			},
+			expect:      nil,
+			expectedErr: errors.New("the resource already exists in the cluster"),
+		},
+		{
+			name:   "permanent error should not be retried",
+			object: pod,
+			client: &tclient.FakeClient{
+				GetFn: func(ctx context.Context, call int, key client.ObjectKey, obj client.Object, _ ...client.GetOption) error {
+					return kerrors.NewNotFound(obj.GetObjectKind().GroupVersionKind().GroupVersion().WithResource("pod").GroupResource(), key.Name)
+				},
+				CreateFn: func(_ context.Context, call int, _ client.Object, _ ...client.CreateOption) error {
+					return kerrors.NewBadRequest("bad request error")
+				},
+			},
+			expect:      nil,
+			expectedErr: errors.New("bad request error"),
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			logger := &mocks.Logger{}
+			ctx := logging.WithLogger(context.TODO(), logger)
+			toCtx, cancel := context.WithTimeout(ctx, 5*time.Second)
+			defer cancel()
+			ctx = toCtx
+			operation := New(
+				apis.DefaultCompilers,
+				tt.client,
+				tt.object,
+				nil,
+				nil,
+				false,
+				tt.expect,
+				nil,
+			)
+			outputs, err := operation.Exec(ctx, nil)
+			assert.Nil(t, outputs)
+			if tt.expectedErr != nil {
+				assert.EqualError(t, err, tt.expectedErr.Error())
+			} else {
+				assert.NoError(t, err)
+			}
+		})
+	}
+}

pkg/engine/operations/patch/operation.go

@@ -16,6 +16,7 @@ import (
 	"github.com/kyverno/chainsaw/pkg/engine/templating"
 	"github.com/kyverno/chainsaw/pkg/logging"
 	"github.com/kyverno/kyverno-json/pkg/core/compilers"
+	kerrors "k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
 	"k8s.io/apimachinery/pkg/util/json"
@@ -83,8 +84,32 @@ func (o *operation) execute(ctx context.Context, bindings apis.Bindings, obj uns
 	var outputs outputs.Outputs
 	err := wait.PollUntilContextCancel(ctx, client.PollInterval, false, func(ctx context.Context) (bool, error) {
 		outputs, lastErr = o.tryPatchResource(ctx, bindings, obj)
-		// TODO: determine if the error can be retried
-		return lastErr == nil, nil
+		// Check if the error is retryable
+		if lastErr != nil {
+			// Conflict errors should be retried
+			if kerrors.IsConflict(lastErr) {
+				return false, nil
+			}
+			// Server timeout errors should be retried
+			if kerrors.IsServerTimeout(lastErr) {
+				return false, nil
+			}
+			// Too many requests errors should be retried
+			if kerrors.IsTooManyRequests(lastErr) {
+				return false, nil
+			}
+			// Service unavailable errors should be retried
+			if kerrors.IsServiceUnavailable(lastErr) {
+				return false, nil
+			}
+			// Resource not found errors should not be retried
+			if kerrors.IsNotFound(lastErr) {
+				return false, lastErr
+			}
+			// Non-retryable error
+			return false, lastErr
+		}
+		return true, nil
 	})
 	if err == nil {
 		return outputs, nil