possibility to configure the nodeSelector for the resources in the "cert-manager" namespace

[ocpvkb]

The Operator (Pod) instantiates several pods in the (by RedHat hard-coded) namespace "cert-manager". (which will be also created by the Operator Pod) We need to schedule the resources in the "cert-manager" namespace, which are created and managed by the operator, on nodes of type/role "infra". According to the CRD, the deployments of resources can be adjusted using the CR “Cert Manager”. However, this is limited to ENV, labels, request+limits and Args of the containers. See: https://github.com/openshift/cert-manager-operator/blob/master/pkg/controller/deployment/deployment_overrides.go Please add the possibility to configure the nodeSelector for the resources in the "cert-manager" namespace.

[WAR-S]

+, i want to schedule 3 components with toleration/nodeSelector like this:

  unsupportedConfigOverrides:
    cainjector:
      nodeSelector:
        node-role.kubernetes.io/infra: ''
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/infra
          operator: Exists
        - effect: NoExecute
          key: node-role.kubernetes.io/infra
          operator: Exists
    controller:
      nodeSelector:
        node-role.kubernetes.io/infra: ''
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/infra
          operator: Exists
        - effect: NoExecute
          key: node-role.kubernetes.io/infra
          operator: Exists
    webhook:
      nodeSelector:
        node-role.kubernetes.io/infra: ''
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/infra
          operator: Exists
        - effect: NoExecute
          key: node-role.kubernetes.io/infra
          operator: Exists

I want to do this, without label/annotate namespace kind;

@ocpvkb, tell me, I understood your idea correctly?

[ocpvkb]

Hello @WAR-S , thank you for your answer. Your suggestion could be a possible solution (besides setting the nodeSelector for the entire "cert-manager" namespace).

The keys “nodeSelector” and “tolerations” should then also be configurable independently of each other.

Whether this configuration is now correctly placed under the item "unsupportedConfigOverrides" can be debated, since "nodeSelector" and "olerations" certainly represent k8s-compliant definitions; far from "unsupported".... When I look at the possibilities of the operator, "overrideArgs" may be "better" suited.

https://github.com/openshift/cert-manager-operator/blob/master/pkg/controller/deployment/deployment_overrides.go https://github.com/openshift/cert-manager-operator/blob/master/deploy/examples/cluster-cert-manager-overrides.yaml

[ocpvkb]

But yes, you understood my idea correctly.

[openshift-bot]

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale. Stale issues rot after an additional 30d of inactivity and eventually close. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

[openshift-bot]

Stale issues rot after 30d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle rotten. Rotten issues close after an additional 30d of inactivity. Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle rotten /remove-lifecycle stale