feat: support configuring nodeSelectors and tolerations for tunnel re…

…sources (#98) * feat: implement nodeSelector and tolerations to tunnel.spec * gen: kubebuilder auto-generated changes * fix: remove unnecessary log line * fix: build with controller-gen v0.7.0
adyanth · Jun 13, 2024 · 8a21cb2 · 8a21cb2
1 parent e01ecd2
commit 8a21cb2
Show file tree

Hide file tree

Showing 5 changed files with 129 additions and 4 deletions.
diff --git a/api/v1alpha1/tunnel_types.go b/api/v1alpha1/tunnel_types.go
@@ -17,6 +17,7 @@ limitations under the License.
 package v1alpha1
 
 import (
+	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
@@ -104,6 +105,14 @@ type TunnelSpec struct {
 	// OriginCaPool speficies the secret with tls.crt (and other certs as needed to be referred in the service annotation) of the Root CA to be trusted when sending traffic to HTTPS endpoints
 	OriginCaPool string `json:"originCaPool,omitempty"`
 
+	//+kubebuilder:validation:Optional
+	// NodeSelectors specifies the nodeSelectors to apply to the cloudflared tunnel deployment
+	NodeSelectors map[string]string `json:"nodeSelectors,omitempty"`
+
+	//+kubebuilder:validation:Optional
+	// Tolerations specifies the tolerations to apply to the cloudflared tunnel deployment
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
+
 	//+kubebuilder:validation:Optional
 	//+kubebuilder:default:="http_status:404"
 	// FallbackTarget speficies the target for requests that do not match an ingress. Defaults to http_status:404

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/networking.cfargotunnel.com_clustertunnels.yaml b/config/crd/bases/networking.cfargotunnel.com_clustertunnels.yaml
@@ -124,6 +124,12 @@ spec:
                 description: NoTlsVerify disables origin TLS certificate checks when
                   the endpoint is HTTPS.
                 type: boolean
+              nodeSelectors:
+                additionalProperties:
+                  type: string
+                description: NodeSelectors specifies the nodeSelectors to apply to
+                  the cloudflared tunnel deployment
+                type: object
               originCaPool:
                 description: OriginCaPool speficies the secret with tls.crt (and other
                   certs as needed to be referred in the service annotation) of the
@@ -136,6 +142,47 @@ spec:
                 format: int32
                 minimum: 0
                 type: integer
+              tolerations:
+                description: Tolerations specifies the tolerations to apply to the
+                  cloudflared tunnel deployment
+                items:
+                  description: The pod this Toleration is attached to tolerates any
+                    taint that matches the triple <key,value,effect> using the matching
+                    operator <operator>.
+                  properties:
+                    effect:
+                      description: Effect indicates the taint effect to match. Empty
+                        means match all taint effects. When specified, allowed values
+                        are NoSchedule, PreferNoSchedule and NoExecute.
+                      type: string
+                    key:
+                      description: Key is the taint key that the toleration applies
+                        to. Empty means match all taint keys. If the key is empty,
+                        operator must be Exists; this combination means to match all
+                        values and all keys.
+                      type: string
+                    operator:
+                      description: Operator represents a key's relationship to the
+                        value. Valid operators are Exists and Equal. Defaults to Equal.
+                        Exists is equivalent to wildcard for value, so that a pod
+                        can tolerate all taints of a particular category.
+                      type: string
+                    tolerationSeconds:
+                      description: TolerationSeconds represents the period of time
+                        the toleration (which must be of effect NoExecute, otherwise
+                        this field is ignored) tolerates the taint. By default, it
+                        is not set, which means tolerate the taint forever (do not
+                        evict). Zero and negative values will be treated as 0 (evict
+                        immediately) by the system.
+                      format: int64
+                      type: integer
+                    value:
+                      description: Value is the taint value the toleration matches
+                        to. If the operator is Exists, the value should be empty,
+                        otherwise just a regular string.
+                      type: string
+                  type: object
+                type: array
             type: object
           status:
             description: TunnelStatus defines the observed state of Tunnel

diff --git a/config/crd/bases/networking.cfargotunnel.com_tunnels.yaml b/config/crd/bases/networking.cfargotunnel.com_tunnels.yaml
@@ -124,6 +124,12 @@ spec:
                 description: NoTlsVerify disables origin TLS certificate checks when
                   the endpoint is HTTPS.
                 type: boolean
+              nodeSelectors:
+                additionalProperties:
+                  type: string
+                description: NodeSelectors specifies the nodeSelectors to apply to
+                  the cloudflared tunnel deployment
+                type: object
               originCaPool:
                 description: OriginCaPool speficies the secret with tls.crt (and other
                   certs as needed to be referred in the service annotation) of the
@@ -136,6 +142,47 @@ spec:
                 format: int32
                 minimum: 0
                 type: integer
+              tolerations:
+                description: Tolerations specifies the tolerations to apply to the
+                  cloudflared tunnel deployment
+                items:
+                  description: The pod this Toleration is attached to tolerates any
+                    taint that matches the triple <key,value,effect> using the matching
+                    operator <operator>.
+                  properties:
+                    effect:
+                      description: Effect indicates the taint effect to match. Empty
+                        means match all taint effects. When specified, allowed values
+                        are NoSchedule, PreferNoSchedule and NoExecute.
+                      type: string
+                    key:
+                      description: Key is the taint key that the toleration applies
+                        to. Empty means match all taint keys. If the key is empty,
+                        operator must be Exists; this combination means to match all
+                        values and all keys.
+                      type: string
+                    operator:
+                      description: Operator represents a key's relationship to the
+                        value. Valid operators are Exists and Equal. Defaults to Equal.
+                        Exists is equivalent to wildcard for value, so that a pod
+                        can tolerate all taints of a particular category.
+                      type: string
+                    tolerationSeconds:
+                      description: TolerationSeconds represents the period of time
+                        the toleration (which must be of effect NoExecute, otherwise
+                        this field is ignored) tolerates the taint. By default, it
+                        is not set, which means tolerate the taint forever (do not
+                        evict). Zero and negative values will be treated as 0 (evict
+                        immediately) by the system.
+                      format: int64
+                      type: integer
+                    value:
+                      description: Value is the taint value the toleration matches
+                        to. If the operator is Exists, the value should be empty,
+                        otherwise just a regular string.
+                      type: string
+                  type: object
+                type: array
             type: object
           status:
             description: TunnelStatus defines the observed state of Tunnel

diff --git a/controllers/reconciler.go b/controllers/reconciler.go
@@ -49,6 +49,10 @@ func labelsForTunnel(cf Tunnel) map[string]string {
 	}
 }
 
+func nodeSelectorsForTunnel(cf Tunnel) map[string]string {
+	return cf.GetSpec().NodeSelectors
+}
+
 func setupTunnel(r GenericTunnelReconciler) (ctrl.Result, bool, error) {
 	okNewTunnel := r.GetTunnel().GetSpec().NewTunnel != networkingv1alpha1.NewTunnel{}
 	okExistingTunnel := r.GetTunnel().GetSpec().ExistingTunnel != networkingv1alpha1.ExistingTunnel{}
@@ -405,6 +409,8 @@ func secretForTunnel(r GenericTunnelReconciler) *corev1.Secret {
 func deploymentForTunnel(r GenericTunnelReconciler) *appsv1.Deployment {
 	ls := labelsForTunnel(r.GetTunnel())
 	replicas := r.GetTunnel().GetSpec().Size
+	nodeSelector := nodeSelectorsForTunnel(r.GetTunnel())
+	tolerations := r.GetTunnel().GetSpec().Tolerations
 
 	args := []string{"tunnel", "--config", "/etc/cloudflared/config/config.yaml", "--metrics", "0.0.0.0:2000", "run"}
 	volumes := []corev1.Volume{{
@@ -491,7 +497,9 @@ func deploymentForTunnel(r GenericTunnelReconciler) *appsv1.Deployment {
 							Limits:   corev1.ResourceList{"memory": resource.MustParse("256Mi"), "cpu": resource.MustParse("500m")},
 						},
 					}},
-					Volumes: volumes,
+					Volumes:      volumes,
+					NodeSelector: nodeSelector,
+					Tolerations:  tolerations,
 				},
 			},
 		},