Add node affinity

[bmsiegel]

• Node affinity will tell the kubernetes scheduler which types of nodes this installation "prefers" to be installed on. In this case, all we care about is that the nodes are Linux and either arm or x86. This will prevent the scheduler from attempting to install the controller on a Windows node.

Issue # (if applicable)

Reason for this change

Previously users with Windows nodes would have a percentage chance of attempting to install this plugin on a Windows node, causing failures because we do not support Windows nodes

Description of changes

Adds affinity to linux arm/x86

Describe any new or updated permissions being added

Description of how you validated changes

Spun up cluster with new values file and validated the deployment configuration

spec:
  progressDeadlineSeconds: 600
  replicas: 2
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/instance: issuer
      app.kubernetes.io/name: aws-privateca-issuer
  strategy:
    rollingUpdate:
      maxSurge: 25%
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/instance: issuer
        app.kubernetes.io/name: aws-privateca-issuer
    spec:
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
            - matchExpressions:
              - key: kubernetes.io/os
                operator: In
                values:
                - linux
              - key: kubernetes.io/arch
                operator: In
                values:
                - amd64
                - arm64
        podAntiAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
          - podAffinityTerm:
              labelSelector:
                matchExpressions:
                - key: app.kubernetes.io/name
                  operator: In
                  values:
                  - aws-privateca-issuer
              topologyKey: kubernetes.io/hostname
            weight: 100

...

[divyansh-gupta]

Windows machines and macs can be amd64 based, how does this interact with those machines?

[shankara-n]

since it's also matching linux expression above, mac should not be an issue, right?

[divyansh-gupta]

Ah I read the conditions as an "OR" not an "AND"

[shankara-n]

oh, i see, my bad, i broady assumed it was AND, dig some digging and found that matchExpressions are evaluated using an AND condition within each nodeSelectorTerms. If a pod's affinity defines multiple matchExpressions for a single nodeSelectorTerms, all of those matchExpressions must be satisfied for a node to be considered eligible. However, different nodeSelectorTerms are evaluated using an OR condition.

What we have right now is AND, something like below would be OR

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution: # Or preferredDuringSchedulingIgnoredDuringExecution
      nodeSelectorTerms:
        - matchExpressions: # First term (OR condition 1)
            - key: kubernetes.io/os
              operator: In
              values:
                - linux
        - matchExpressions: # Second term (OR condition 2)
            - key: kubernetes.io/arch
              operator: In
              values:
                - amd64
                - arm64

[divyansh-gupta]

TIL 😄

[cert-manager-prow]

[APPROVALNOTIFIER] This PR is APPROVED

Approval requirements bypassed by manually added approval.

This pull-request has been approved by: shankara-n

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment