Maintenance: Ensure there is always a blocking pod

We observed that during the node being terminated, that the pod
shortly disappeared due to some taint, which then allowed gardener
to tear the host down despite VMs being still active.

To counter that, tolerate any taint and effect.
Also change the deployment to a rolling-update,
so that instead of deleting that blocking pod and allowing
a teardown until the pod has been re-created, create it
first, and then let the other being torn down.

Author: fwiesel

internal/controller/maintenance_controller.go

@@ -186,14 +186,20 @@ func (r *MaintenanceController) ensureSignallingDeployment(ctx context.Context,
 		}
 
 		var one int64 = 1
+		zeroStr := intstr.FromInt(0)
+		oneStr := intstr.FromInt(1)
 
 		deployment.Spec = appsv1.DeploymentSpec{
 			Replicas: &scale,
 			Selector: &metav1.LabelSelector{
 				MatchLabels: labels,
 			},
 			Strategy: appsv1.DeploymentStrategy{
-				Type: appsv1.RecreateDeploymentStrategyType,
+				Type: appsv1.RollingUpdateDeploymentStrategyType,
+				RollingUpdate: &appsv1.RollingUpdateDeployment{
+					MaxUnavailable: &zeroStr,
+					MaxSurge:       &oneStr,
+				},
 			},
 			Template: corev1.PodTemplateSpec{
 				ObjectMeta: metav1.ObjectMeta{
@@ -207,9 +213,12 @@ func (r *MaintenanceController) ensureSignallingDeployment(ctx context.Context,
 					TerminationGracePeriodSeconds: &one, // busybox sleep doesn't handle TERM so well as pid 1
 					Tolerations: []corev1.Toleration{
 						{
-							Key:      labelCriticalComponentsNotReady,
+							Effect:   corev1.TaintEffectNoExecute,
+							Operator: corev1.TolerationOpExists,
+						},
+						{
 							Effect:   corev1.TaintEffectNoSchedule,
-							Operator: corev1.TolerationOpEqual,
+							Operator: corev1.TolerationOpExists,
 						},
 					},
 					Containers: []corev1.Container{