feature(fluid-webhook): support to update check-mount.sh configmap on demand #5697

Open
Syspretor wants to merge 1 commit into fluid-cloudnative:master from Syspretor:feature/support-update-check-mount-script-on-demand

Syspretor (Collaborator) commented Mar 18, 2026

(fluid-webhook): support to update check-mount.sh configmap on demand
[WIP]

Ⅰ. Describe what this PR does

The check-mount script ConfigMap was only created when it did not exist. If the ConfigMap already existed, updates to the check-mount script would never be applied — there was no mechanism to detect or reconcile script changes at runtime.

This PR introduces a SHA256-based change detection mechanism for the check-mount script ConfigMap:

  • SHA256 computation: Compute the SHA256 of the check-mount script content at package initialization (via init()) and store it in the fluid.io/check-mount-script-sha256 annotation on the ConfigMap.
  • Change detection: When the ConfigMap already exists, compare its stored SHA256 annotation against the current script's SHA256. If they differ (or the annotation is missing), the ConfigMap is refreshed with the latest script content and annotation.
  • Concurrent update safety: The update path is wrapped in retry.RetryOnConflict — each retry re-fetches the latest ConfigMap to get a fresh resourceVersion, avoiding 409 Conflict errors when multiple webhook requests are handled concurrently. A reflect.DeepEqual check guards the final Update call to avoid unnecessary writes.
  • Refactoring: Extracted RefreshConfigMapContents() on the script generator to encapsulate the update logic, so callers don't need to know which fields (Data, Labels, Annotations) are managed by the generator. Future changes to BuildConfigMap automatically apply to the update path as well.

Ⅱ. Does this pull request fix one issue?

fixes #XXXX

Ⅲ. List the added test cases (unit test/integration test) if any, please explain if no tests are needed.

Ⅳ. Describe how to verify it

Ⅴ. Special notes for reviews
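
The change-detection and conflict-retry flow from the description above, as an added example that is not code from this pull request. `ConfigMap`, `Store`, `Racers`, `Reconcile` and the `check-mount.sh` data key are hypothetical stand-ins for the Kubernetes types and client; only the annotation key is taken from the PR.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

const shaKey = "fluid.io/check-mount-script-sha256" // annotation key named in the PR
var ErrConflict = fmt.Errorf("409 Conflict")

// ConfigMap and Store are hypothetical stand-ins for corev1.ConfigMap and the API server.
// Racers is a constructed knob: concurrent writers that land between our read and Update.
type ConfigMap struct {
	Version           int // plays the role of resourceVersion
	Data, Annotations map[string]string
}
type Store struct{ CM ConfigMap; Racers int }

func (s *Store) Update(cm ConfigMap) error {
	if s.Racers > 0 { // another webhook request wrote first
		s.Racers--
		s.CM.Version++
	}
	if cm.Version != s.CM.Version {
		return ErrConflict
	}
	cm.Version++
	s.CM = cm
	return nil
}

// Reconcile rewrites the ConfigMap only when the stored digest is missing or stale.
func Reconcile(s *Store, script string, attempts int) (bool, error) {
	want := fmt.Sprintf("%x", sha256.Sum256([]byte(script))) // full 64 hex characters
	for ; attempts > 0; attempts-- {
		cur := s.CM // re-read on every attempt to pick up the fresh version
		if cur.Annotations[shaKey] == want {
			return false, nil // already current: no write
		}
		cur.Data = map[string]string{"check-mount.sh": script} // data key is an assumption
		cur.Annotations = map[string]string{shaKey: want}
		if err := s.Update(cur); err != ErrConflict {
			return err == nil, err
		}
	}
	return false, ErrConflict
}

func main() { fmt.Println(Reconcile(&Store{Racers: 1}, "#!/bin/sh\nexit 0\n", 3)) }
```

The first attempt loses the race and gets a conflict; the second re-reads, carries the new version and succeeds, and a repeat call with the same script performs no write.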

fluid-e2e-bot bot commented Mar 18, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign yangyuliufeng for approval by writing /assign @yangyuliufeng in a comment. For more information see: The Kubernetes Code Review Process.

fluid-e2e-bot bot commented Mar 18, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@gemini-code-assist (Contributor)

Summary of Changes

Hello, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the fluid-webhook component by enabling dynamic updates of the check-mount.sh ConfigMap. By leveraging SHA256 hashes stored as Kubernetes labels, the system can now detect outdated script versions and apply necessary updates on demand, ensuring that applications consistently utilize the most current and correct mount-checking logic. This enhancement improves the robustness and maintainability of the FUSE injection process.

Highlights

  • On-demand ConfigMap Updates: Implemented a mechanism to update the check-mount.sh ConfigMap on demand, ensuring that applications always use the latest version of the script.
  • SHA256-based Content Verification: Introduced SHA256 hashing of script content to detect changes, allowing the system to determine if an existing ConfigMap needs updating.
  • New Kubernetes Label for Version Tracking: Added a new Kubernetes label, fluid.io/check-mount-script-sha256, to ConfigMaps to store the SHA256 hash of the script content for efficient version tracking.
  • Refactored ConfigMap Management Logic: Modified the ConfigMap creation and update logic to intelligently check for existing ConfigMaps and only apply updates if the script content, as indicated by the SHA256, has genuinely changed.

@Syspretor Syspretor changed the title from "feature(fluid-webhook\): support to update check-mount.sh configmap on demand" to "feature(fluid-webhook): support to update check-mount.sh configmap on demand" Mar 18, 2026

@gemini-code-assist gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request introduces a mechanism to update the check-mount.sh ConfigMap on-demand by comparing a SHA256 hash of the script content. This is a valuable improvement. The overall logic is sound, but there are a couple of areas for improvement. First, the SHA256 hash is truncated to fit into a Kubernetes label, which is not ideal; using an annotation would be more appropriate. Second, there's some code duplication in the hash calculation logic. Finally, a comment for the new label constant is inconsistent. I've provided specific comments with suggestions to address these points.

codecov bot commented Mar 18, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 34 lines in your changes missing coverage. Please review.
✅ Project coverage is 61.40%. Comparing base (9fe8f29) to head (e981521).
⚠️ Report is 5 commits behind head on master.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...application/inject/fuse/mutator/mutator_default.go | 53.57% | 10 Missing and 3 partials ⚠️ |
| pkg/application/inject/fuse/mount_point_script.go | 63.63% | 10 Missing and 2 partials ⚠️ |
| ...ication/inject/fuse/poststart/script_gen_helper.go | 73.33% | 8 Missing ⚠️ |
| ...cation/inject/fuse/poststart/check_fuse_default.go | 66.66% | 1 Missing ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##           master    #5697      +/-   ##
==========================================
+ Coverage   61.22%   61.40%   +0.17%     
==========================================
  Files         444      444              
  Lines       30557    30652      +95     
==========================================
+ Hits        18710    18822     +112     
+ Misses      10307    10285      -22     
- Partials     1540     1545       +5     

Copilot AI (Contributor) left a comment

Pull request overview

This PR adds “update-on-demand” behavior for the check-mount script ConfigMaps created/used by the Fluid FUSE webhook injection path, by tracking script content via a SHA256 label and updating existing ConfigMaps when the script changes.

Changes:

  • Introduces a new label key to store a truncated SHA256 of the check-mount script content.
  • Computes and attaches the script SHA256 label when generating the sidecar and app check-mount ConfigMaps.
  • Updates existing ConfigMaps during injection when the stored SHA256 label is missing or differs from the current script.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 8 comments.

| File | Description |
| --- | --- |
| pkg/common/label.go | Adds a new label constant for storing the script SHA256 on ConfigMaps. |
| pkg/application/inject/fuse/poststart/script_gen_helper.go | Adds SHA256 computation helper and labels generated ConfigMaps with the script hash. |
| pkg/application/inject/fuse/poststart/check_fuse_default.go | Computes and stores the default sidecar script SHA256. |
| pkg/application/inject/fuse/poststart/check_fuse_app.go | Computes and stores the app script SHA256 and labels the app ConfigMap. |
| pkg/application/inject/fuse/mutator/mutator_default.go | Changes logic to update the sidecar ConfigMap when script hash differs. |
| pkg/application/inject/fuse/mount_point_script.go | Changes logic to update the app ConfigMap when script hash differs. |

Comment on lines +157 to +173
// ConfigMap exists, check if the script SHA256 label matches
currentSHA256 := appScriptGen.GetScriptSHA256()
if existingCM.Labels != nil {
if labelSHA256, ok := existingCM.Labels[common.LabelCheckMountScriptSHA256]; ok && labelSHA256 == currentSHA256 {
s.log.V(1).Info("configmap script is up-to-date, skip update", "configMap", cmKey)
return appScriptGen, nil
}
}

// SHA256 mismatch or label missing: update the ConfigMap with latest script and SHA256
s.log.Info("configmap script SHA256 mismatch or label missing, updating", "configMap", cmKey, "expectedSHA256", currentSHA256)
existingCM.Data = cm.Data
if existingCM.Labels == nil {
existingCM.Labels = map[string]string{}
}
existingCM.Labels[common.LabelCheckMountScriptSHA256] = currentSHA256
if err = s.client.Update(context.TODO(), existingCM); err != nil {
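Review bot: The early return at the top of this block trusts the stored `common.LabelCheckMountScriptSHA256` label alone, so a ConfigMap whose `Data` was edited while the label was left untouched is reported as up-to-date and never repaired. Since the ConfigMap carries the check-mount script, hash `existingCM.Data` itself (or compare it with `cm.Data`) before skipping the update, and treat the label only as a hint.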
Comment on lines +340 to +365
} else {
// ConfigMap exists, check if the script SHA256 label matches
currentSHA256 := gen.GetScriptSHA256()
needUpdate := true
if existingCM.Labels != nil {
if labelSHA256, ok := existingCM.Labels[common.LabelCheckMountScriptSHA256]; ok && labelSHA256 == currentSHA256 {
needUpdate = false
}
}

if needUpdate {
// SHA256 mismatch or label missing: update the ConfigMap with latest script and SHA256
newCM := gen.BuildConfigMap(dataset, cmKey)
existingCM.Data = newCM.Data
if existingCM.Labels == nil {
existingCM.Labels = map[string]string{}
}
existingCM.Labels[common.LabelCheckMountScriptSHA256] = currentSHA256
// Preserve the dataset-id label if already set
if _, ok := existingCM.Labels[common.LabelAnnotationDatasetId]; !ok {
existingCM.Labels[common.LabelAnnotationDatasetId] = newCM.Labels[common.LabelAnnotationDatasetId]
}
if err = helper.client.Update(context.TODO(), existingCM); err != nil {
return err
}
}
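Review bot: The `needUpdate` branch copies `newCM.Data` and two label keys onto `existingCM` by hand, so any other field that `gen.BuildConfigMap` sets, now or later, is not reconciled on the update path. Consider one refresh helper on the generator that applies everything `BuildConfigMap` manages, and pass the caller's context to `helper.client.Update` instead of `context.TODO()` so the write is cancelled together with the request.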
Comment on lines +37 to +46
// appScriptContentSHA256 stores the SHA256 hex of the app script content (first 63 chars for K8s label compatibility),
// computed once at package initialization.
var appScriptContentSHA256 string

func init() {
content := replacer.Replace(contentCheckMountReadyScript)
sum := sha256.Sum256([]byte(content))
// K8s label values must be <= 63 characters; SHA256 hex is 64 chars, so truncate to 63.
appScriptContentSHA256 = fmt.Sprintf("%x", sum)[:63]
}
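Review bot: The `[:63]` slice on the last line of `init()` stores a truncated digest only to fit the label length limit, and every other place that compares against it must truncate in exactly the same way. Storing the full 64-character hex digest in an annotation removes both the limit and the special case; `hex.EncodeToString(sum[:])` is also the more direct way to render the sum.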
Comment on lines +350 to +360
if needUpdate {
// SHA256 mismatch or label missing: update the ConfigMap with latest script and SHA256
newCM := gen.BuildConfigMap(dataset, cmKey)
existingCM.Data = newCM.Data
if existingCM.Labels == nil {
existingCM.Labels = map[string]string{}
}
existingCM.Labels[common.LabelCheckMountScriptSHA256] = currentSHA256
// Preserve the dataset-id label if already set
if _, ok := existingCM.Labels[common.LabelAnnotationDatasetId]; !ok {
existingCM.Labels[common.LabelAnnotationDatasetId] = newCM.Labels[common.LabelAnnotationDatasetId]
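Review bot: In the `!ok` branch, `newCM.Labels[common.LabelAnnotationDatasetId]` is read without checking that the key is present, so a `newCM` without that label writes an empty-string dataset-id label onto `existingCM`. Use the two-value map read and assign only when the key exists; the comment "Preserve the dataset-id label if already set" also describes the opposite case from what the code handles, which is a backfill when the label is missing.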
Comment on lines +360 to +364
existingCM.Labels[common.LabelAnnotationDatasetId] = newCM.Labels[common.LabelAnnotationDatasetId]
}
if err = helper.client.Update(context.TODO(), existingCM); err != nil {
return err
}
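Review bot: `helper.client.Update` writes the `existingCM` fetched earlier and the error is returned bare, so when two webhook requests refresh the same ConfigMap at once, one of them gets a conflict error that goes straight back to the caller. Wrap the get-modify-update sequence in `retry.RetryOnConflict`, re-fetching the ConfigMap inside the closure, and wrap the returned error with the ConfigMap key so the failure can be traced.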
@Syspretor Syspretor force-pushed the feature/support-update-check-mount-script-on-demand branch from daa3a38 to dabc4af Compare March 24, 2026 06:45
@Syspretor Syspretor marked this pull request as ready for review March 24, 2026 06:51
(fluid-webhook): support to update check-mount.sh configmap on demand

Signed-off-by: 玖宇 <guotongyu.gty@alibaba-inc.com>
@Syspretor Syspretor force-pushed the feature/support-update-check-mount-script-on-demand branch from dabc4af to e981521 Compare March 24, 2026 07:04