CNTRLPLANE-3460: Refactor defrag controller to lower impact of defrag

[dusk125]

Summary

• Refactors the defrag controller to defrag one member per sync cycle instead of all members at once
• Members are sorted by fragmentation descending; the most fragmented member is defragged first
• The health check at the start of each sync ensures the previously defragged member recovered before the next one is defragged
• Removes the blocking wait.Poll recovery loop and leader-last ordering — with upstream etcd defrag improvements (openshift/etcd#378) reducing disruption from ~30s to ~100ms, the simpler one-per-sync approach is sufficient

Test plan

• Existing unit tests updated for multi-sync behavior and pass
• TestNewDefragControllerMultiSyncs validates degraded/recovery across sync cycles
• Manual verification in a test cluster with fragmented etcd members

🤖 Generated with Claude Code

Summary by CodeRabbit

• Improvements
  • Defragmentation now targets at most one fragmented member per sync cycle, prioritized by highest backend fragmentation.
  • Member selection skips learner and unstarted members; when no fragmentation is found, degraded-state tracking is cleared and failure counters reset.
  • Defragmentation now fails fast on the first encountered defrag error, updating degraded-state progress immediately.
• Tests
  • Updated controller tests to support repeated sync loops and adjusted expected success/error behavior.
  • Enhanced the fake client defragmentation behavior used by tests to better reflect status changes.

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

DefragController's runDefrag method was refactored to process a single fragmented member per sync cycle. It now filters learners and unstarted members upfront, sorts endpoints by fragmentation percentage descending, and attempts defragmentation only on the first fragmented member. Defrag failures now immediately increment failure counters and trigger degraded state transitions. Wait/poll logic and multi-member aggregation were removed. Tests were updated to support multiple sync loops per scenario with adjusted error generation. The fake Etcd client's Defragment method now synchronizes stored status responses.

Changes

DefragController single-member refactor and test updates

Layer / File(s)	Summary
Imports, constants, and struct cleanup pkg/operator/defragcontroller/defragcontroller.go	Added cmp and slices imports for sorting; removed defrag wait/poll timing constants; removed defragWaitDuration field from DefragController struct.
runDefrag rewrite and member type addition pkg/operator/defragcontroller/defragcontroller.go	Introduced StatusMember struct pairing members with endpoint status. Rewrote runDefrag to filter learner/unstarted members, collect member+status pairs, sort by fragmentation percentage descending, and defragment only the first fragmented endpoint with immediate failure counting and degraded state transitions. Removed leader-last ordering, multi-member aggregation, and cluster stabilization polling.
Test scenario structure and execution updates pkg/operator/defragcontroller/defragcontroller_test.go	Added syncLoops field to test scenarios to control iteration count. Updated TestNewDefragController to invoke controller.sync in a loop per scenario loop count. Simplified defrag success event validation to count matching messages only, removing leader-last ordering check. Removed unused regexp import.
Multi-sync test scenario adjustments pkg/operator/defragcontroller/defragcontroller_test.go	Reduced fake defrag error generation counts in TestNewDefragControllerMultiSyncs; increased syncLoops for recovery scenario with corresponding error count adjustments; removed defragWaitDuration override from test controller configuration.
Fake Etcd client status response synchronization pkg/etcdcli/helpers.go	fakeEtcdClient.Defragment now updates the stored StatusResponse for the target member by copying DbSizeInUse into DbSize for the matching MemberId.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	TestNewDefragControllerMultiSyncs has 4 assert.Equal() calls without meaningful failure messages, violating assertion quality requirement #4 and inconsistent with TestNewDefragController pattern.	Add message parameters to assert.Equal() calls in TestNewDefragControllerMultiSyncs to help diagnose failures (e.g., assert.Equal(t, expected, actual, "failed to match expected sync error loops")).

✅ Passed checks (13 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The PR title accurately and specifically describes the main change: refactoring the defrag controller to reduce the impact of defragmentation operations.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This PR contains only standard Go testing framework tests (testing.T with t.Run() subtests). The custom check requires Ginkgo test names to be stable and deterministic. Since this codebase uses sta...
Microshift Test Compatibility	✅ Passed	No Ginkgo e2e tests were added in this PR. Changes are to controller logic and standard Go unit tests only; the check does not apply.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	This PR modifies only standard Go unit tests in pkg/operator/defragcontroller and pkg/etcdcli, not Ginkgo e2e tests. The check for SNO compatibility only applies to new Ginkgo e2e tests; no such te...
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only controller business logic (defrag strategy) and tests, not deployment manifests or scheduling constraints. Existing topology-aware checks remain in place, disabling defrag on unsup...
Ote Binary Stdout Contract	✅ Passed	No stdout-writing patterns detected in modified files. All code changes are in regular functions (not init/main/suite setup), no fmt.Print/Println calls, and klog uses correct stderr default behavior.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This PR does not add any Ginkgo e2e tests. It modifies standard Go unit tests using testing.T framework, which are outside the scope of this IPv6/disconnected network check.
No-Weak-Crypto	✅ Passed	No weak cryptography (MD5, SHA1, DES, RC4, 3DES, Blowfish, ECB), custom crypto implementations, or non-constant-time secret comparisons were introduced in this PR.
Container-Privileges	✅ Passed	This PR modifies only Go source files (controller logic and tests), not container/K8s manifests. The privilege check is not applicable since no manifest files with privileged settings are changed.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains no sensitive data (passwords, tokens, API keys, PII, session IDs, internal hostnames) in any logging statements. All logged data are operational metrics (member names, IDs, DB sizes, fr...

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign ingvagabund for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/defragcontroller/defragcontroller_test.go`:
- Around line 464-468: The test uses a tiny non-zero defragBudget which can be
flaky; set the DefragController's defragBudget to 0 (or switch the controller to
use a controllable/test clock) so budget exhaustion is deterministic. Locate
where defragBudget is set in the test setup (the variable named defragBudget
used to construct the controller) and replace 1 * time.Nanosecond with 0 (or
adapt the controller constructor to accept a mock clock and use that in the
test) so calling controller.sync(context.TODO(),
factory.NewSyncContext("defrag-controller", eventRecorder)) always observes an
exhausted budget.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: e0de8aac-2c9a-42a2-9dee-693e18c04822

📥 Commits

Reviewing files that changed from the base of the PR and between c0614ca and 2c8da6e.

📒 Files selected for processing (2)

• pkg/operator/defragcontroller/defragcontroller.go
• pkg/operator/defragcontroller/defragcontroller_test.go

[openshift-ci-robot]

@dusk125: This pull request references CNTRLPLANE-3460 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the sub-task to target the "5.0.0" version, but no target version was set.

Details

In response to this:

Summary

• Adds a fixed 5-minute time budget per defrag controller reconciliation loop
• Before each member's defrag, the controller checks elapsed time; if the budget is exceeded, remaining members are skipped and deferred to the next sync cycle
• Budget-skipped members do not count toward the degraded failure threshold — only real defrag errors trigger degradation

Test plan

• Existing unit tests pass unchanged
• New TestDefragBudgetExceeded test verifies budget enforcement with a near-zero budget (1ns): no defrags occur, a DefragControllerBudgetExceeded event is recorded, and the controller does not degrade
• Manual verification in a test cluster with fragmented etcd members

🤖 Generated with Claude Code

Summary by CodeRabbit

• New Features

• Added a configurable time budget for defragmentation that stops further member processing when exceeded.

• Improvements

• Enhanced tracking to report attempted vs. successful defragmentations.

• Improved error accounting and more accurate partial-failure reporting when budget limits or mapping errors occur.

• Tests

• Added a test validating behavior when the defragmentation budget is immediately exhausted.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[atiratree]

this could be a hashmap

[atiratree]

we could schedule a next defrag if we know the remaining time here

[atiratree]

Could it be a problem that a member could exceed the fragmentation limit for 1h in high churn cluster, since this backfoff / cooldown is member agnostic?

[tjungblu]

hmm maybe we can frame this cooldown differently.... e.g after a defrag, the cluster must have no unhealthy members for at least 10m before defragmenting the next member

[atiratree]

This is not the best pattern for controllers. Could we just select a single member try to defrag it and use a queue for any backoff checks like checking the health?

I suppose the defrag is not that often so a 10m between each member defrag shouldn't be an issue?

[tjungblu]

line 144 already has that

if !etcdcli.IsClusterHealthy(memberHealth)

so we can have the backoff work through the sync loop for some period of time

[tjungblu]

you will have to persist this somewhere (operator conditions?), imagine you're restarting CEO within that hour.

[tjungblu]

if the defrag call came back, then the cluster should be in healthy state and respond. I think the polling is a bit misplaced here.

[coderabbitai]

🧹 Nitpick comments (1)

pkg/operator/defragcontroller/defragcontroller.go (1)

184-190: ⚡ Quick win

Error chain is lost by double-formatting.

The error is first formatted with %v into errMsg, then wrapped with fmt.Errorf("%s", errMsg). This loses the original error chain, preventing callers from using errors.Is/errors.As for inspection.

♻️ Suggested fix to preserve error chain

-		errMsg := fmt.Sprintf("failed defrag on member: %s, memberID: %x: %v", member.Name, member.ID, err)
-		recorder.Eventf("DefragControllerDefragmentFailed", errMsg)
+		recorder.Eventf("DefragControllerDefragmentFailed", "failed defrag on member: %s, memberID: %x: %v", member.Name, member.ID, err)
 		c.numDefragFailures++
 		if c.numDefragFailures >= maxDefragFailuresBeforeDegrade {
 			c.setDegraded(ctx, recorder)
 		}
-		return fmt.Errorf("%s", errMsg)
+		return fmt.Errorf("failed defrag on member: %s, memberID: %x: %w", member.Name, member.ID, err)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/defragcontroller/defragcontroller.go` around lines 184 - 190,
The error is being double-formatted which loses the error chain: first with
fmt.Sprintf using %v into errMsg, then wrapped with fmt.Errorf("%s", errMsg).
This prevents callers from using errors.Is or errors.As for inspection. In the
return statement at the end of this block, replace fmt.Errorf("%s", errMsg) with
fmt.Errorf that includes the descriptive message prefix and wraps the original
err variable using the %w verb instead of %v, so the error chain is preserved
while maintaining the same log message for the recorder.Eventf call.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@pkg/operator/defragcontroller/defragcontroller.go`:
- Around line 184-190: The error is being double-formatted which loses the error
chain: first with fmt.Sprintf using %v into errMsg, then wrapped with
fmt.Errorf("%s", errMsg). This prevents callers from using errors.Is or
errors.As for inspection. In the return statement at the end of this block,
replace fmt.Errorf("%s", errMsg) with fmt.Errorf that includes the descriptive
message prefix and wraps the original err variable using the %w verb instead of
%v, so the error chain is preserved while maintaining the same log message for
the recorder.Eventf call.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: f3c9859e-40e4-4363-bee9-a4aff47a4ba3

📥 Commits

Reviewing files that changed from the base of the PR and between de3f881 and 28f0bd1.

📒 Files selected for processing (3)

• pkg/etcdcli/helpers.go
• pkg/operator/defragcontroller/defragcontroller.go
• pkg/operator/defragcontroller/defragcontroller_test.go

🚧 Files skipped from review as they are similar to previous changes (1)

• pkg/etcdcli/helpers.go

[dusk125]

With the improvements from openshift/etcd#378, the current implementation should be sufficient to lower the impact of defrag. The changes to etcd can take defrag disruption from 30s to 100ms. The current implementation of the changes to the defrag controller run a single defrag, on the most fragmented member, then check the member health on the next sync (once every 11 minutes) and only continue defragging if all members are healthy.

[coderabbitai]

Actionable comments posted: 1

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

pkg/operator/defragcontroller/defragcontroller.go (1)

264-268: ⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Guard against division by zero when ondisk is zero.

If DbSize is zero (unlikely but possible edge case), this function returns NaN (when inuse is also 0) or -Inf, which can cause unpredictable behavior in the sorting comparator at lines 168-173.

Proposed fix

 func checkFragmentationPercentage(ondisk, inuse int64) float64 {
+	if ondisk <= 0 {
+		return 0
+	}
 	diff := float64(ondisk - inuse)
 	fragmentedPercentage := (diff / float64(ondisk)) * 100
 	return math.Round(fragmentedPercentage*100) / 100
 }

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@pkg/operator/defragcontroller/defragcontroller.go` around lines 264 - 268,
The checkFragmentationPercentage function performs division by ondisk without
checking if it is zero, which results in NaN or Inf and causes unpredictable
behavior in the sorting comparator. Add a guard clause at the start of the
checkFragmentationPercentage function to check if ondisk is less than or equal
to zero, and return 0.0 in that case before performing the division calculation.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@pkg/operator/defragcontroller/defragcontroller.go`:
- Around line 156-158: The error message in the status nil check at the failing
condition does not identify which member had the validation failure. Modify the
fmt.Errorf call to include the member or endpoint identifier (such as a member
name, IP address, or other relevant context variable that should be available in
the surrounding scope) in addition to a descriptive message, so the error
clearly indicates which specific member's endpoint status validation failed.

---

Outside diff comments:
In `@pkg/operator/defragcontroller/defragcontroller.go`:
- Around line 264-268: The checkFragmentationPercentage function performs
division by ondisk without checking if it is zero, which results in NaN or Inf
and causes unpredictable behavior in the sorting comparator. Add a guard clause
at the start of the checkFragmentationPercentage function to check if ondisk is
less than or equal to zero, and return 0.0 in that case before performing the
division calculation.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: b38cd00a-ae65-4251-85d7-30bfeb973803

📥 Commits

Reviewing files that changed from the base of the PR and between 28f0bd1 and c92f5ae.

📒 Files selected for processing (1)

• pkg/operator/defragcontroller/defragcontroller.go

[dusk125]

/retest-required

[dusk125]

/retest-required

[dusk125]

/retest-required

[openshift-ci]

@dusk125: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
ci/prow/e2e-metal-ipi-ovn-ipv6	29119b9	link	true	/test e2e-metal-ipi-ovn-ipv6
ci/prow/e2e-gcp-operator-disruptive	29119b9	link	true	/test e2e-gcp-operator-disruptive
ci/prow/e2e-agnostic-ovn-upgrade	29119b9	link	true	/test e2e-agnostic-ovn-upgrade
ci/prow/configmap-scale	29119b9	link	false	/test configmap-scale
ci/prow/e2e-agnostic-ovn	29119b9	link	true	/test e2e-agnostic-ovn

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.