feat: add NodeSelector to PodSpec (envoyproxy#2361)

* feat: add NodeSelector to PodSpec

Signed-off-by: Shahar Harari <shahar.harari@sap.com>

* add RL test

Signed-off-by: Shahar Harari <shahar.harari@sap.com>

---------

Signed-off-by: Shahar Harari <shahar.harari@sap.com>

api/v1alpha1/shared_types.go

@@ -125,6 +125,13 @@ type KubernetesPodSpec struct {
 	//
 	// +optional
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
+
+	// NodeSelector is a selector which must be true for the pod to fit on a node.
+	// Selector which must match a node's labels for the pod to be scheduled on that node.
+	// More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/
+	//
+	// +optional
+	NodeSelector map[string]string `json:"nodeSelector,omitempty"`
 }
 
 // KubernetesContainerSpec defines the desired state of the Kubernetes container resource.

charts/gateway-helm/crds/generated/gateway.envoyproxy.io_envoyproxies.yaml

@@ -3288,6 +3288,14 @@ spec:
                                   should be tagged to the pods. By default, no additional
                                   pod labels are tagged.
                                 type: object
+                              nodeSelector:
+                                additionalProperties:
+                                  type: string
+                                description: 'NodeSelector is a selector which must
+                                  be true for the pod to fit on a node. Selector which
+                                  must match a node''s labels for the pod to be scheduled
+                                  on that node. More info: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/'
+                                type: object
                               securityContext:
                                 description: 'SecurityContext holds pod-level security
                                   attributes and common container settings. Optional:

internal/infrastructure/kubernetes/proxy/resource_provider.go

@@ -240,6 +240,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 					Tolerations:                   deploymentConfig.Pod.Tolerations,
 					Volumes:                       expectedDeploymentVolumes(r.infra.Name, deploymentConfig),
 					ImagePullSecrets:              deploymentConfig.Pod.ImagePullSecrets,
+					NodeSelector:                  deploymentConfig.Pod.NodeSelector,
 				},
 			},
 			RevisionHistoryLimit:    ptr.To[int32](10),

internal/infrastructure/kubernetes/proxy/resource_provider_test.go

@@ -391,6 +391,18 @@ func TestDeployment(t *testing.T) {
 				},
 			},
 		},
+		{
+			caseName: "with-node-selector",
+			infra:    newTestInfra(),
+			deploy: &egv1a1.KubernetesDeploymentSpec{
+				Pod: &egv1a1.KubernetesPodSpec{
+					NodeSelector: map[string]string{
+						"key1": "value1",
+						"key2": "value2",
+					},
+				},
+			},
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.caseName, func(t *testing.T) {

internal/infrastructure/kubernetes/proxy/testdata/deployments/with-node-selector.yaml

@@ -0,0 +1,202 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: envoy
+    app.kubernetes.io/component: proxy
+    app.kubernetes.io/managed-by: envoy-gateway
+    gateway.envoyproxy.io/owning-gateway-name: default
+    gateway.envoyproxy.io/owning-gateway-namespace: default
+  name: envoy-default-37a8eec1
+  namespace: envoy-gateway-system
+spec:
+  replicas: 1
+  strategy:
+    type: RollingUpdate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: envoy
+      app.kubernetes.io/component: proxy
+      app.kubernetes.io/managed-by: envoy-gateway
+      gateway.envoyproxy.io/owning-gateway-name: default
+      gateway.envoyproxy.io/owning-gateway-namespace: default
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: envoy
+        app.kubernetes.io/component: proxy
+        app.kubernetes.io/managed-by: envoy-gateway
+        gateway.envoyproxy.io/owning-gateway-name: default
+        gateway.envoyproxy.io/owning-gateway-namespace: default
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        - args:
+            - --service-cluster default
+            - --service-node $(ENVOY_POD_NAME)
+            - |
+              --config-yaml admin:
+                access_log:
+                - name: envoy.access_loggers.file
+                  typed_config:
+                    "@type": type.googleapis.com/envoy.extensions.access_loggers.file.v3.FileAccessLog
+                    path: /dev/null
+                address:
+                  socket_address:
+                    address: 127.0.0.1
+                    port_value: 19000
+              dynamic_resources:
+                ads_config:
+                  api_type: DELTA_GRPC
+                  transport_api_version: V3
+                  grpc_services:
+                  - envoy_grpc:
+                      cluster_name: xds_cluster
+                  set_node_on_first_message_only: true
+                lds_config:
+                  ads: {}
+                  resource_api_version: V3
+                cds_config:
+                  ads: {}
+                  resource_api_version: V3
+              static_resources:
+                listeners:
+                - name: envoy-gateway-proxy-ready-0.0.0.0-19001
+                  address:
+                    socket_address:
+                      address: 0.0.0.0
+                      port_value: 19001
+                      protocol: TCP
+                  filter_chains:
+                  - filters:
+                    - name: envoy.filters.network.http_connection_manager
+                      typed_config:
+                        "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
+                        stat_prefix: eg-ready-http
+                        route_config:
+                          name: local_route
+                        http_filters:
+                        - name: envoy.filters.http.health_check
+                          typed_config:
+                            "@type": type.googleapis.com/envoy.extensions.filters.http.health_check.v3.HealthCheck
+                            pass_through_mode: false
+                            headers:
+                            - name: ":path"
+                              string_match:
+                                exact: /ready
+                        - name: envoy.filters.http.router
+                          typed_config:
+                            "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router
+                clusters:
+                - connect_timeout: 10s
+                  load_assignment:
+                    cluster_name: xds_cluster
+                    endpoints:
+                    - load_balancing_weight: 1
+                      lb_endpoints:
+                      - load_balancing_weight: 1
+                        endpoint:
+                          address:
+                            socket_address:
+                              address: envoy-gateway
+                              port_value: 18000
+                  typed_extension_protocol_options:
+                    envoy.extensions.upstreams.http.v3.HttpProtocolOptions:
+                      "@type": "type.googleapis.com/envoy.extensions.upstreams.http.v3.HttpProtocolOptions"
+                      explicit_http_config:
+                        http2_protocol_options:
+                          connection_keepalive:
+                            interval: 30s
+                            timeout: 5s
+                  name: xds_cluster
+                  type: STRICT_DNS
+                  transport_socket:
+                    name: envoy.transport_sockets.tls
+                    typed_config:
+                      "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
+                      common_tls_context:
+                        tls_params:
+                          tls_maximum_protocol_version: TLSv1_3
+                        tls_certificate_sds_secret_configs:
+                        - name: xds_certificate
+                          sds_config:
+                            path_config_source:
+                              path: "/sds/xds-certificate.json"
+                            resource_api_version: V3
+                        validation_context_sds_secret_config:
+                          name: xds_trusted_ca
+                          sds_config:
+                            path_config_source:
+                              path: "/sds/xds-trusted-ca.json"
+                            resource_api_version: V3
+            - --log-level warn
+            - --cpuset-threads
+          command:
+            - envoy
+          env:
+            - name: ENVOY_GATEWAY_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.namespace
+            - name: ENVOY_POD_NAME
+              valueFrom:
+                fieldRef:
+                  apiVersion: v1
+                  fieldPath: metadata.name
+          image: envoyproxy/envoy-dev:latest
+          imagePullPolicy: IfNotPresent
+          name: envoy
+          ports:
+            - containerPort: 8080
+              name: EnvoyH-d76a15e2
+              protocol: TCP
+            - containerPort: 8443
+              name: EnvoyH-6658f727
+              protocol: TCP
+          resources:
+            requests:
+              cpu: 100m
+              memory: 512Mi
+          readinessProbe:
+            httpGet:
+              path: /ready
+              port: 19001
+              scheme: HTTP
+            timeoutSeconds: 1
+            periodSeconds: 10
+            successThreshold: 1
+            failureThreshold: 3
+          terminationMessagePath: /dev/termination-log
+          terminationMessagePolicy: File
+          volumeMounts:
+            - mountPath: /certs
+              name: certs
+              readOnly: true
+            - mountPath: /sds
+              name: sds
+      dnsPolicy: ClusterFirst
+      nodeSelector:
+        key1: value1
+        key2: value2
+      restartPolicy: Always
+      schedulerName: default-scheduler
+      serviceAccountName: envoy-default-37a8eec1
+      terminationGracePeriodSeconds: 300
+      volumes:
+        - name: certs
+          secret:
+            secretName: envoy
+            defaultMode: 420
+        - configMap:
+            defaultMode: 420
+            items:
+              - key: xds-trusted-ca.json
+                path: xds-trusted-ca.json
+              - key: xds-certificate.json
+                path: xds-certificate.json
+            name: envoy-default-37a8eec1
+            optional: false
+          name: sds
+  revisionHistoryLimit: 10
+  progressDeadlineSeconds: 600

internal/infrastructure/kubernetes/ratelimit/resource_provider.go

@@ -183,6 +183,7 @@ func (r *ResourceRender) Deployment() (*appsv1.Deployment, error) {
 					Affinity:                      r.rateLimitDeployment.Pod.Affinity,
 					Tolerations:                   r.rateLimitDeployment.Pod.Tolerations,
 					ImagePullSecrets:              r.rateLimitDeployment.Pod.ImagePullSecrets,
+					NodeSelector:                  r.rateLimitDeployment.Pod.NodeSelector,
 				},
 			},
 			RevisionHistoryLimit:    ptr.To[int32](10),

internal/infrastructure/kubernetes/ratelimit/resource_provider_test.go

@@ -481,6 +481,18 @@ func TestDeployment(t *testing.T) {
 				},
 			},
 		},
+		{
+			caseName:  "with-node-selector",
+			rateLimit: rateLimit,
+			deploy: &egv1a1.KubernetesDeploymentSpec{
+				Pod: &egv1a1.KubernetesPodSpec{
+					NodeSelector: map[string]string{
+						"key1": "value1",
+						"key2": "value2",
+					},
+				},
+			},
+		},
 	}
 	for _, tc := range cases {
 		t.Run(tc.caseName, func(t *testing.T) {