feat(chart): add node affinity for operator pod configuration

Author: lockwobr

chart/templates/deployment.yaml

@@ -24,6 +24,9 @@ spec:
       annotations:
         kubectl.kubernetes.io/default-container: manager
     spec:
+      {{- if and .Values.controllerManager.selectors .Values.controllerManager.nodeAffinity.matchExpressions }}
+      {{- fail "Error: Cannot specify both controllerManager.selectors and controllerManager.nodeAffinity.matchExpressions. Use nodeAffinity.matchExpressions for complex node selection or selectors for simple key-value matching." }}
+      {{- end }}
       affinity:
         nodeAffinity:
           requiredDuringSchedulingIgnoredDuringExecution:
@@ -38,6 +41,16 @@ spec:
                 operator: In
                 values:
                 - linux
+              {{- range .Values.controllerManager.nodeAffinity.matchExpressions }}
+              - key: {{ .key }}
+                operator: {{ .operator }}
+                {{- if .values }}
+                values:
+                {{- range .values }}
+                - {{ . }}
+                {{- end }}
+                {{- end }}
+              {{- end }}
       {{- with .Values.controllerManager.tolerations }}
       tolerations: 
         {{- toYaml . | nindent 6 }}

chart/values.yaml

@@ -7,11 +7,27 @@ controllerManager:
   #   value: system-cpu
   #   effect: NoSchedule
   tolerations: []
-  ## selectors: add node selectors to the controller manager pod
+  ## selectors: add simple node selectors to the controller manager pod
   ## Example below is for a system-workload node selector
+  ## NOTE: Cannot be used together with nodeAffinity.matchExpressions
   # selectors:
   #   dedicated: system-workload
   selectors: {}
+  ## nodeAffinity: add advanced node affinity expressions to the controller manager pod
+  ## This allows for more complex node selection than simple selectors
+  ## NOTE: Cannot be used together with selectors - choose one approach
+  ## Example below shows how to select nodes with specific labels using expressions
+  # nodeAffinity:
+  #   matchExpressions:
+  #   - key: node-role.kubernetes.io/control-plane
+  #     operator: DoesNotExist
+  #   - key: dedicated
+  #     operator: In
+  #     values:
+  #     - system-workload
+  #     - gpu-workload
+  nodeAffinity:
+    matchExpressions: []
   ## config for kube-rbac-proxy used for webhooks
   kubeRbacProxy:
     args:

k8s-tests/chainsaw/helm/helm-node-affinity-test/README.md

@@ -0,0 +1,104 @@
+# Node Affinity Test
+
+This test validates the node affinity configuration feature for the Skyhook Operator Helm chart.
+
+## Test Overview
+
+The test demonstrates that the `controllerManager.nodeAffinity.matchExpressions` configuration in the Helm chart works correctly by:
+
+1. **Phase 1**: Installing the operator with node affinity expressions that target non-existent labels
+   - Uses `values-no-match.yaml` with expressions targeting `skyhook.nvidia.com/test-node=fooboar` 
+   - Verifies that pods remain in `Pending` state and cannot be scheduled
+   - Validates the affinity expressions are correctly applied to the pod spec
+
+2. **Phase 2**: Adding the required labels to nodes and updating the configuration
+   - Adds `skyhook.nvidia.com/test-node=skyhooke2e` label to all nodes
+   - Updates the deployment to use `values-match.yaml` with expressions targeting the existing label
+   - Verifies that pods are now scheduled and running successfully
+
+## Files
+
+- `chainsaw-test.yaml` - The main test configuration
+- `values-no-match.yaml` - Helm values with node affinity targeting non-existent labels
+- `values-match.yaml` - Helm values with node affinity targeting existing labels
+- `assert-no-schedule.yaml` - Assertion to verify pods are not scheduled
+- `assert-scheduled.yaml` - Assertion to verify pods are scheduled and running
+
+## Node Affinity Configuration
+
+The test uses the following node affinity expressions:
+
+```yaml
+controllerManager:
+  nodeAffinity:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+    - key: skyhook.nvidia.com/test-node
+      operator: In
+      values:
+      - skyhooke2e
+```
+
+## Running the Test
+
+This test is designed to be run with Chainsaw in a Kind cluster. It will:
+
+1. Create a Kind cluster (if not already present)
+2. Run the test scenarios
+3. Clean up labels and resources
+
+The test validates that the Helm chart correctly translates the `nodeAffinity.matchExpressions` configuration into proper Kubernetes node affinity rules in the deployment template.
+
+## Handling Selectors vs NodeAffinity
+
+The Helm chart enforces a clear separation between simple selectors and advanced node affinity:
+
+### Validation Behavior
+- **Cannot use both** `selectors` and `nodeAffinity.matchExpressions` together
+- The chart will fail with an error if both are defined
+- This prevents conflicting or confusing node selection rules
+
+### Error Message
+```
+Error: Cannot specify both controllerManager.selectors and controllerManager.nodeAffinity.matchExpressions. 
+Use nodeAffinity.matchExpressions for complex node selection or selectors for simple key-value matching.
+```
+
+### Examples
+
+**Simple selector (uses nodeSelector):**
+```yaml
+controllerManager:
+  selectors:
+    dedicated: system-workload
+```
+
+**Advanced node affinity (uses nodeAffinity):**
+```yaml
+controllerManager:
+  nodeAffinity:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+    - key: skyhook.nvidia.com/test-node
+      operator: In
+      values:
+      - skyhooke2e
+```
+
+**Invalid (will cause error):**
+```yaml
+controllerManager:
+  selectors:
+    dedicated: system-workload
+  nodeAffinity:
+    matchExpressions:
+    - key: node-role.kubernetes.io/control-plane
+      operator: DoesNotExist
+```
+
+### Usage Recommendations
+- Use `selectors` for simple key-value node selection
+- Use `nodeAffinity.matchExpressions` for complex node selection with operators like `In`, `NotIn`, `Exists`, `DoesNotExist`
+- Choose one approach - they cannot be mixed 

k8s-tests/chainsaw/helm/helm-node-affinity-test/assert-no-schedule.yaml

@@ -0,0 +1,64 @@
+# 
+# LICENSE START
+#
+#    Copyright (c) NVIDIA CORPORATION.  All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+# LICENSE END
+# 
+
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    kubectl.kubernetes.io/default-container: manager
+  labels:
+    app: node-affinity-test-skyhook-operator-controller-manager
+    app.kubernetes.io/instance: node-affinity-test
+    app.kubernetes.io/name: skyhook-operator
+    control-plane: controller-manager
+  namespace: skyhook
+  ownerReferences:
+  - apiVersion: apps/v1
+    blockOwnerDeletion: true
+    controller: true
+    kind: ReplicaSet
+spec:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: kubernetes.io/arch
+            operator: In
+            values:
+            - amd64
+            - arm64
+          - key: kubernetes.io/os
+            operator: In
+            values:
+            - linux
+          - key: skyhook.nvidia.com/test-node
+            operator: In
+            values:
+            - fooboar
+          - key: node-role.kubernetes.io/control-plane
+            operator: DoesNotExist
+status:
+  conditions:
+  - lastProbeTime: null
+    reason: Unschedulable
+    status: "False"
+    type: PodScheduled
+  phase: Pending 

k8s-tests/chainsaw/helm/helm-node-affinity-test/assert-scheduled.yaml

@@ -0,0 +1,65 @@
+# 
+# LICENSE START
+#
+#    Copyright (c) NVIDIA CORPORATION.  All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+# LICENSE END
+# 
+
+apiVersion: v1
+kind: Pod
+metadata:
+  annotations:
+    kubectl.kubernetes.io/default-container: manager
+  labels:
+    app: node-affinity-test-skyhook-operator-controller-manager
+    app.kubernetes.io/instance: node-affinity-test
+    app.kubernetes.io/name: skyhook-operator
+    control-plane: controller-manager
+  namespace: skyhook
+  ownerReferences:
+  - apiVersion: apps/v1
+    blockOwnerDeletion: true
+    controller: true
+    kind: ReplicaSet
+spec:
+  affinity:
+    nodeAffinity:
+      requiredDuringSchedulingIgnoredDuringExecution:
+        nodeSelectorTerms:
+        - matchExpressions:
+          - key: kubernetes.io/arch
+            operator: In
+            values:
+            - amd64
+            - arm64
+          - key: kubernetes.io/os
+            operator: In
+            values:
+            - linux
+          - key: node-role.kubernetes.io/control-plane
+            operator: DoesNotExist
+          - key: skyhook.nvidia.com/test-node
+            operator: In
+            values:
+            - skyhooke2e
+status:
+  (conditions[?type == 'Ready']):
+  - status: 'True'
+  (conditions[?type == 'PodScheduled']):
+  - status: 'True'
+  (conditions[?type == 'ContainersReady']):
+  - status: 'True'
+  phase: Running 

k8s-tests/chainsaw/helm/helm-node-affinity-test/chainsaw-test.yaml

@@ -0,0 +1,64 @@
+# 
+# LICENSE START
+#
+#    Copyright (c) NVIDIA CORPORATION.  All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+# LICENSE END
+# 
+
+# yaml-language-server: $schema=https://raw.githubusercontent.com/kyverno/chainsaw/main/.schemas/json/test-chainsaw-v1alpha1.json
+apiVersion: chainsaw.kyverno.io/v1alpha1
+kind: Test
+metadata:
+  name: helm-node-affinity
+spec:
+  description: This test asserts that the helm chart correctly applies node affinity expressions 
+    from the values file. It validates that the controller manager pods are scheduled only on 
+    nodes matching the configured node affinity expressions.
+  concurrent: false
+  timeouts:
+    assert: 240s
+    exec: 240s
+  steps:
+  - try:
+    - script:
+        content: |
+          ## Install helm chart with node affinity configuration targeting non-existent labels
+          ## This should cause pods to NOT schedule
+          ../install-helm-chart.sh node-affinity-test values-no-match.yaml
+    - assert:
+        file: assert-no-schedule.yaml
+  - try:
+    - script:
+        content: |
+          ## Upgrade helm chart to use values that match the node labels
+          ../install-helm-chart.sh node-affinity-test values-match.yaml
+    - assert:
+        file: assert-scheduled.yaml
+  - try:
+    - script:
+        content: |
+          ## Upgrade helm chart to use values that match the node labels
+          ../install-helm-chart.sh node-affinity-test values-conflict-test.yaml
+          error=$?
+          if [ $error -eq 0 ]; then
+            echo "✗ Helm chart installed successfully - this should not happen!"
+            exit 1
+          fi
+    finally:
+    - script:
+        content: |
+          ## Remove helm chart
+          ../uninstall-helm-chart.sh node-affinity-test 

k8s-tests/chainsaw/helm/helm-node-affinity-test/values-conflict-test.yaml

@@ -0,0 +1,36 @@
+# 
+# LICENSE START
+#
+#    Copyright (c) NVIDIA CORPORATION.  All rights reserved.
+#
+#    Licensed under the Apache License, Version 2.0 (the "License");
+#    you may not use this file except in compliance with the License.
+#    You may obtain a copy of the License at
+#
+#        http://www.apache.org/licenses/LICENSE-2.0
+#
+#    Unless required by applicable law or agreed to in writing, software
+#    distributed under the License is distributed on an "AS IS" BASIS,
+#    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+#    See the License for the specific language governing permissions and
+#    limitations under the License.
+#
+# LICENSE END
+# 
+
+controllerManager:
+  # This should trigger the validation error since both are defined
+  selectors:
+    dedicated: system-workload
+  nodeAffinity:
+    matchExpressions:
+    - key: skyhook.nvidia.com/test-node
+      operator: In
+      values:
+      - skyhooke2e
+  manager:
+    image:
+      repository: ghcr.io/nvidia/skyhook/operator
+      tag: latest
+webhook:
+  enable: false