Merge pull request #156 from projectsyn/feat/shadow-ranges-daemonset-custom-nodesel

simu · web-flow · commit c50d4bddbc42 · 2025-04-14T15:45:04.000+02:00
Add support to configure a custom node selector for the shadow ranges DaemonSet
diff --git a/class/defaults.yml b/class/defaults.yml
@@ -94,6 +94,7 @@ parameters:
       enabled: false
       policies: {}
       generate_shadow_ranges_configmap: false
+      shadow_ranges_daemonset_node_selector: {}
       egress_ip_ranges: {}
 
     l2_announcements:
diff --git a/component/egress-gateway-policies.jsonnet b/component/egress-gateway-policies.jsonnet
@@ -287,7 +287,7 @@ local egress_ip_shadow_ranges =
     {}
   );
 
-  local daemonsets = [
+  local make_daemonset(ds_configs, sel_hash) =
     kube.DaemonSet(
       'eip-shadow-ranges-%s' % std.substr(
         sel_hash, std.length(sel_hash) - 5, 5
@@ -318,7 +318,7 @@ local egress_ip_shadow_ranges =
                 },
               },
             },
-            nodeSelector: daemonset_configs[sel_hash],
+            nodeSelector: ds_configs[sel_hash],
             volumes_: {
               shadow_ranges: {
                 configMap: {
@@ -329,9 +329,23 @@ local egress_ip_shadow_ranges =
           },
         },
       },
-    }
-    for sel_hash in std.objectFields(daemonset_configs)
-  ];
+    };
+
+  local daemonsets =
+    if std.length(params.egress_gateway.shadow_ranges_daemonset_node_selector) == 0 then [
+      make_daemonset(daemonset_configs, sel_hash)
+      for sel_hash in std.objectFields(daemonset_configs)
+    ] else
+      local sel_hash =
+        std.md5(std.manifestJsonMinified(
+          params.egress_gateway.shadow_ranges_daemonset_node_selector
+        ));
+      [
+        make_daemonset({
+          [sel_hash]:
+            params.egress_gateway.shadow_ranges_daemonset_node_selector,
+        }, sel_hash),
+      ];
 
   [ configmap ] + daemonsets;
 
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -336,6 +336,21 @@ Additionally, the component will deploy one or more DaemonSets (depending on the
 
 See also the documentation for https://hub.syn.tools/openshift4-nodes/references/parameters.html#_egressinterfaces[parameter `egressInterfaces` in openshift4-nodes].
 
+=== `egress_gateway.shadow_ranges_daemonset_node_selector`
+
+[horizontal]
+type:: object
+default:: `{}`
+
+This parameter can be set when the DaemonSet that mounts the shadow ranges ConfigMap (see parameter `generate_shadow_ranges_configmap`) should run on a larger set of nodes than the ones indicated by each `egress_ip_ranges` entry's `node_selector`.
+
+The contents of this parameter are used as-is for the DaemonSet's `spec.template.spec.nodeSelector`.
+
+An example configuration where this parameter is useful is when only a subset of nodes in an OpenShift machine config pool are designated egress nodes with an associated shadow range.
+In this case, we must ensure that all nodes in the machine config pool can read the shadow ranges ConfigMap, but at the same time we must ensure that policies generated via `egress_ip_ranges.<group>.namespace_egress_ips` only select the nodes that have a shadow range assigned.
+
+NOTE: When setting this parameter, it's the user's responsibility to ensure that the provided DaemonSet node selector selects all nodes that are designated egress nodes.
+
 === `egress_gateway.egress_ip_ranges`
 
 [horizontal]
