Add ordered fallback provisioning for GCE capacity errors

[suchitrak]

Summary

When provisioning a GCE agent fails with a retryable capacity error (e.g. ZONE_RESOURCE_POOL_EXHAUSTED), the plugin now iterates through an ordered list of fallback candidates defined per InstanceConfiguration.

• Each fallback candidate can override zone, machine type, and/or instance template
• Non-retryable errors (quota, permission, config) fail immediately without attempting fallback
• Failed instances are cleaned up before trying the next candidate
• Detailed provisioning logging shows candidate progression (N/M, zone, template, outcome)
• Fallback list capped at 10 entries to bound provisioner thread time
• Unknown GCP error codes are treated as non-retryable (conservative policy)

New classes

• FallbackCandidate — data class for a single fallback option (zone, machineType, region, subnetwork, template) with:
  • Input validation via doCheckZone/doCheckMachineType/doCheckRegion in DescriptorImpl
  • Region auto-derivation from zone name (e.g. us-west1-a → us-west1)
  • MAX_FALLBACK_CANDIDATES = 10 cap
  • Full CasC/UI support with help files
• ProvisioningErrorClassifier — classifies GCP operation errors as retryable vs non-retryable
  • Documents GCP error code reference URLs for maintainability
  • Covers ZONE_RESOURCE_POOL_EXHAUSTED, STOCKOUT, RESOURCE_NOT_READY
  • Unknown codes → non-retryable (explicitly documented policy)

Changes to existing code

• InstanceConfiguration.provision() — refactored to loop through primary + fallback candidates, retrying on classified-retryable errors
• config.jelly — UI section for configuring fallback candidates per instance configuration

Commit structure

1. FallbackCandidate data class with validation and CasC/UI support
2. ProvisioningErrorClassifier with documented error policies
3. InstanceConfiguration fallback provisioning logic
4. Unit tests for all new functionality

Test plan

• Unit tests: InstanceConfigurationFallbackTest (fallback logic, ordering, non-retryable short-circuit, all-exhausted, OperationException)
• Unit tests: ProvisioningErrorClassifierTest (retryable codes, unknown-code policy, quota exclusion, case insensitivity)
• CasC round-trip test in ConfigAsCodeTest
• E2E validated on a live Jenkins HA controller with a 3-zone fallback chain (us-west1-b → us-west1-c → us-west1-a) under real GCP capacity pressure, confirmed via GCE metadata server and GCP audit logs
• CI on this PR

Motivation

GCE zones frequently experience ZONE_RESOURCE_POOL_EXHAUSTED for specific machine types. Without fallback, builds queue indefinitely. This feature allows administrators to define ordered alternatives so provisioning can succeed in a different zone/template when the primary is stocked out — similar to how AWS EC2 plugin handles multiple AZs.

Design decisions

Decision	Choice	Rationale
Unknown error codes	Non-retryable	Conservative — avoids masking real bugs behind retries
Fallback cap	10 candidates max	Bounds worst-case provisioner thread hold time
Region handling	Auto-derived from zone when blank	GCE zone names encode region; explicit override available for edge cases
Machine type w/o template	Required	Without a template, machine type must be specified for the GCE insert
Machine type w/ template	Optional	Template provides it

[suchitrak]

Author's walkthrough for reviewers

I've added inline comments on every meaningful change to make this easy to review. Suggested reading order:

1. FallbackCandidate.java (new) — the per-candidate data model (zone/machineType/region/subnetwork/template), validation, and the 10-candidate cap.
2. ProvisioningErrorClassifier.java (new) — the policy that decides which errors trigger fallback (capacity = retry, everything else = abort; unknown = abort).
3. InstanceConfiguration.java (only existing prod file changed) — the provision() refactor that loops through [primary, ...fallbacks]. Start at provision(), then buildProvisioningAttempts(), then provisionAttempt().
4. Tests — InstanceConfigurationFallbackTest, ProvisioningErrorClassifierTest, ConfigAsCodeTest.

Two things to keep in mind while reviewing

• Backward compatibility: fallbackCandidates is @Nullable/defaults null. With no candidates configured, provision() runs the original single-attempt fast path unchanged. No migration needed. This is fully backward compatible. Existing users are not impacted.
• The one design tradeoff (flagged inline at the operation wait): when fallback is configured, the GCE operation wait moves from the launcher's Future into provision(), so it briefly blocks the provisioner thread. Bounded by the 10-candidate cap × per-attempt launchTimeout. Happy to move it into the PlannedNode future instead if preferred.

[suchitrak]

New field — the backbone of backward compatibility. @Nullable and defaults to null, so any existing config.xml/CasC saved before this feature deserializes unchanged. When null/empty, provisioning behaves exactly as it did before this PR.

[suchitrak]

Provisioning entry point. buildProvisioningAttempts() returns an ordered list [primary, fallback1, fallback2, ...]. fallbackEnabled is true only when at least one fallback exists. The loop below tries each attempt in order: on a retryable (capacity) failure it logs and advances to the next candidate; on success it returns the node; if every candidate fails it throws IOException wrapping the last error.

Key: when fallbackEnabled == false (no fallbacks configured) the loop runs once and provisionAttempt(..., false) takes the original fast path — zero behavior change for existing users.

[suchitrak]

Builds the ordered attempt list. Primary first (this config's zone/machineType/template), then each FallbackCandidate with any blank field inherited from the primary via firstNonEmpty(...). Two safety rails: candidates with a blank zone are skipped with a warning, and the list is capped at MAX_FALLBACK_CANDIDATES (10) to bound how long the provisioner thread can be held.

[suchitrak]

Provisions a single attempt. The fallbackEnabled flag switches behavior:

• false → original fast path: submit the insert and return immediately; the launcher waits on the operation (as it always has).
• true → wait inline for the operation so async capacity errors surface here and can drive the fallback decision.

This dual-mode is intentional so non-fallback users get the exact pre-PR code path.

[suchitrak]

⭐ This is the heart of the feature. GCE's insertInstance returns immediately with a pending Operation — capacity errors like ZONE_RESOURCE_POOL_EXHAUSTED only appear when the zone Operation reaches DONE. So when fallback is enabled we block here on waitForOperationCompletion, then classify:

• retryable (capacity) → RetryableProvisioningException → caller tries the next candidate
• non-retryable (quota / permission / bad config) → IOException → abort, no fallback

Reviewer note (the main design tradeoff): this wait runs on the provision() thread (the NodeProvisioner/spare-checker thread). For non-fallback configs it is skipped entirely and the launcher waits as before. The launcher later waits on the same op again — a harmless no-op since it's already DONE.

[suchitrak]

Hard cap on candidates per config. Bounds the worst-case provisioner-thread hold time (≤ 10 × launchTimeout).

[suchitrak]

Region is optional in the UI. When blank it's derived from the zone name (us-west1-a → us-west1), since GCE zone names encode their region. An explicit override is still available for edge cases.

[suchitrak]

Single source of truth for the fallback decision. Capacity-type errors are classified retryable (worth trying another zone); everything else (quota, permission, bad config) is non-retryable.

[suchitrak]

The retryable allow-list: ZONE_RESOURCE_POOL_EXHAUSTED, STOCKOUT, RESOURCE_NOT_READY. To support a new capacity code, add it here after confirming against the GCP docs linked in the class Javadoc.

[suchitrak]

Conservative unknown-code policy. An unrecognized/unlisted code returns false (non-retryable). This avoids masking genuine bugs behind endless zone-churning retries — a misconfiguration fails fast instead of silently cycling candidates.