Add tolerations customization interface for service operators

Adds ability for service operators to customize pod tolerations similar
to how resource limits/requests are currently handled.

Features:
- Add Tolerations field to ContainerSpec API type
- Implement merge behavior: custom tolerations are merged with defaults,
  overriding by key when same key exists
- Set global default tolerations (node.kubernetes.io/not-ready and
  node.kubernetes.io/unreachable with 120s timeout) in controller
- Update deployment templates (managers.yaml, operator.yaml) to render
  custom tolerations from Deployment struct
- Add test coverage for merge logic and override behavior

Example usage:
```yaml
operatorOverrides:
- name: "keystone"
  controllerManager:
    tolerations:
    - key: "node.kubernetes.io/not-ready"  # Override default timeout
      operator: "Exists"
      effect: "NoExecute"
      tolerationSeconds: 600
    - key: "node.example.com/gpu"          # Add new toleration
      operator: "Equal"
      value: "nvidia"
      effect: "NoSchedule"
```

The merge behavior ensures operators get both default tolerations
(unless overridden by matching key) plus any additional custom ones,
providing flexibility while maintaining safe defaults.

Assisted-by: claude-4-sonnet

Signed-off-by: Martin Schuppert <mschuppert@redhat.com>

Author: stuggi

Makefile

@@ -156,6 +156,7 @@ bindata: kustomize yq ## Call sync bindata script
 	sed -i bindata/operator/operator.yaml -e "/customLimits/c\\            cpu: {{ .OpenStackOperator.Deployment.Manager.Resources.Limits.CPU }}\n            memory: {{ .OpenStackOperator.Deployment.Manager.Resources.Limits.Memory }}"
 	sed -i bindata/operator/operator.yaml -e "/customRequests/c\\            cpu: {{ .OpenStackOperator.Deployment.Manager.Resources.Requests.CPU }}\n            memory: {{ .OpenStackOperator.Deployment.Manager.Resources.Requests.Memory }}"
 	sed -i bindata/operator/operator.yaml -e "s|kube-rbac-proxy:replace_me.*|'{{ .OpenStackOperator.Deployment.KubeRbacProxy.Image }}'|"
+	sed -i bindata/operator/operator.yaml -e "/customTolerations/c\\      tolerations:\n{{- range .OpenStackOperator.Deployment.Tolerations }}\n      - key: \"{{ .Key }}\"\n{{- if .Operator }}\n        operator: \"{{ .Operator }}\"\n{{- end }}\n{{- if .Value }}\n        value: \"{{ .Value }}\"\n{{- end }}\n{{- if .Effect }}\n        effect: \"{{ .Effect }}\"\n{{- end }}\n{{- if .TolerationSeconds }}\n        tolerationSeconds: {{ .TolerationSeconds }}\n{{- end }}\n{{- end }}"
 	cp config/operator/managers.yaml bindata/operator/
 	cp config/operator/rabbit.yaml bindata/operator/
 	$(KUSTOMIZE) build config/rbac > bindata/rbac/rbac.yaml

apis/bases/operator.openstack.org_openstacks.yaml

@@ -70,6 +70,22 @@ spec:
                                 x-kubernetes-int-or-string: true
                               type: object
                           type: object
+                        tolerations:
+                          items:
+                            properties:
+                              effect:
+                                type: string
+                              key:
+                                type: string
+                              operator:
+                                type: string
+                              tolerationSeconds:
+                                format: int64
+                                type: integer
+                              value:
+                                type: string
+                            type: object
+                          type: array
                       type: object
                     name:
                       enum:

apis/operator/v1beta1/openstack_types.go

@@ -21,6 +21,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -69,6 +70,23 @@ var (
 	DefaultRbacProxyMemoryLimit resource.Quantity = resource.MustParse("128Mi")
 	// DefaultRbacProxyMemoryRequests - Default kube rbac proxy container memory requests
 	DefaultRbacProxyMemoryRequests resource.Quantity = resource.MustParse("64Mi")
+
+	// DefaultTolerations - Default tolerations for all operators
+	DefaultTolerations = []corev1.Toleration{
+		{
+			Key:               "node.kubernetes.io/not-ready",
+			Operator:          corev1.TolerationOpExists,
+			Effect:            corev1.TaintEffectNoExecute,
+			TolerationSeconds: ptr.To[int64](120),
+		},
+		{
+			Key:               "node.kubernetes.io/unreachable",
+			Operator:          corev1.TolerationOpExists,
+			Effect:            corev1.TaintEffectNoExecute,
+			TolerationSeconds: ptr.To[int64](120),
+		},
+	}
+
 	// OperatorList - list of all operators with optional different defaults then the above.
 	// NOTE: test-operator was deployed as a independant package so it may or may not be installed
 	// NOTE: depending on how watcher-operator is released for FR2 and then in FR3 it may need to be
@@ -210,6 +228,11 @@ type ContainerSpec struct {
 	// Resources - Compute Resources for the service operator controller manager
 	// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Tolerations - Tolerations for the service operator controller manager
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 }
 
 // OpenStackStatus defines the observed state of OpenStack

apis/operator/v1beta1/zz_generated.deepcopy.go

@@ -86,14 +86,21 @@ spec:
       serviceAccountName: {{ .Name }}-operator-controller-manager
       terminationGracePeriodSeconds: 10
       tolerations:
-      - key: "node.kubernetes.io/not-ready"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
-      - key: "node.kubernetes.io/unreachable"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
+{{- range .Deployment.Tolerations }}
+      - key: "{{ .Key }}"
+{{- if .Operator }}
+        operator: "{{ .Operator }}"
+{{- end }}
+{{- if .Value }}
+        value: "{{ .Value }}"
+{{- end }}
+{{- if .Effect }}
+        effect: "{{ .Effect }}"
+{{- end }}
+{{- if .TolerationSeconds }}
+        tolerationSeconds: {{ .TolerationSeconds }}
+{{- end }}
+{{- end }}
 {{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }}
       volumes:
       - name: cert

bindata/operator/managers.yaml

@@ -129,19 +129,26 @@ spec:
             memory: 64Mi
         securityContext:
           allowPrivilegeEscalation: false
+      tolerations:
+{{- range .OpenStackOperator.Deployment.Tolerations }}
+      - key: "{{ .Key }}"
+{{- if .Operator }}
+        operator: "{{ .Operator }}"
+{{- end }}
+{{- if .Value }}
+        value: "{{ .Value }}"
+{{- end }}
+{{- if .Effect }}
+        effect: "{{ .Effect }}"
+{{- end }}
+{{- if .TolerationSeconds }}
+        tolerationSeconds: {{ .TolerationSeconds }}
+{{- end }}
+{{- end }}
       securityContext:
         runAsNonRoot: true
       serviceAccountName: openstack-operator-controller-manager
       terminationGracePeriodSeconds: 10
-      tolerations:
-      - effect: NoExecute
-        key: node.kubernetes.io/not-ready
-        operator: Exists
-        tolerationSeconds: 120
-      - effect: NoExecute
-        key: node.kubernetes.io/unreachable
-        operator: Exists
-        tolerationSeconds: 120
       volumes:
       - name: cert
         secret:

bindata/operator/operator.yaml

@@ -70,6 +70,22 @@ spec:
                                 x-kubernetes-int-or-string: true
                               type: object
                           type: object
+                        tolerations:
+                          items:
+                            properties:
+                              effect:
+                                type: string
+                              key:
+                                type: string
+                              operator:
+                                type: string
+                              tolerationSeconds:
+                                format: int64
+                                type: integer
+                              value:
+                                type: string
+                            type: object
+                          type: array
                       type: object
                     name:
                       enum:

config/crd/bases/operator.openstack.org_openstacks.yaml

@@ -72,12 +72,4 @@ spec:
             customRequests: replace_me #NOTE: this is used via the Makefile to inject a custom template that kustomize won't allow
       serviceAccountName: openstack-operator-controller-manager
       terminationGracePeriodSeconds: 10
-      tolerations:
-      - key: "node.kubernetes.io/not-ready"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
-      - key: "node.kubernetes.io/unreachable"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
+      customTolerations: replace_me #NOTE: this is used via the Makefile to inject a custom template that kustomize won't allow

config/manager/manager.yaml

@@ -86,14 +86,21 @@ spec:
       serviceAccountName: {{ .Name }}-operator-controller-manager
       terminationGracePeriodSeconds: 10
       tolerations:
-      - key: "node.kubernetes.io/not-ready"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
-      - key: "node.kubernetes.io/unreachable"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
+{{- range .Deployment.Tolerations }}
+      - key: "{{ .Key }}"
+{{- if .Operator }}
+        operator: "{{ .Operator }}"
+{{- end }}
+{{- if .Value }}
+        value: "{{ .Value }}"
+{{- end }}
+{{- if .Effect }}
+        effect: "{{ .Effect }}"
+{{- end }}
+{{- if .TolerationSeconds }}
+        tolerationSeconds: {{ .TolerationSeconds }}
+{{- end }}
+{{- end }}
 {{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }}
       volumes:
       - name: cert

config/operator/managers.yaml

@@ -0,0 +1,76 @@
+apiVersion: operator.openstack.org/v1beta1
+kind: OpenStack
+metadata:
+  labels:
+    app.kubernetes.io/name: openstack
+    app.kubernetes.io/instance: openstack-sample
+    app.kubernetes.io/part-of: openstack-operator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: openstack-operator
+  name: openstack-sample
+spec:
+  # Example showing how to customize tolerations for different service operators
+  #
+  # MERGE BEHAVIOR:
+  # - Custom tolerations are MERGED with the default tolerations
+  # - If a custom toleration has the same KEY as a default, it OVERRIDES the default
+  # - If a custom toleration has a different KEY, it is ADDED to the defaults
+  #
+  # Default tolerations (applied automatically unless overridden):
+  #   - key: "node.kubernetes.io/not-ready"
+  #     operator: "Exists"
+  #     effect: "NoExecute"
+  #     tolerationSeconds: 120
+  #   - key: "node.kubernetes.io/unreachable"
+  #     operator: "Exists"
+  #     effect: "NoExecute"
+  #     tolerationSeconds: 120
+  operatorOverrides:
+  - name: "keystone"
+    # Custom tolerations for keystone operator pods
+    controllerManager:
+      tolerations:
+      - key: "example.com/special-nodes"
+        operator: "Equal"
+        value: "keystone"
+        effect: "NoSchedule"
+      - key: "node.kubernetes.io/memory-pressure"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+  - name: "nova"
+    # Example: Override default tolerations and add new ones
+    # Result will be:
+    #   1. node.kubernetes.io/not-ready (OVERRIDDEN - 600s instead of 120s)
+    #   2. node.kubernetes.io/unreachable (OVERRIDDEN - 400s instead of 120s)
+    #   3. node.example.com/compute (ADDED - new toleration)
+    controllerManager:
+        tolerations:
+        - key: "node.kubernetes.io/not-ready"
+          operator: "Exists"
+          effect: "NoExecute"
+          tolerationSeconds: 600  # Override default 120s
+        - key: "node.kubernetes.io/unreachable"
+          operator: "Exists"
+          effect: "NoExecute"
+          tolerationSeconds: 400  # Override default 120s
+        - key: "node.example.com/compute"  # Add new toleration
+          operator: "Equal"
+          value: "true"
+          effect: "NoSchedule"
+  - name: "glance"
+    # Custom resource limits AND tolerations example
+    controllerManager:
+      resources:
+        limits:
+          cpu: "2"
+          memory: "4Gi"
+        requests:
+          cpu: "1"
+          memory: "2Gi"
+      tolerations:
+      - key: "storage-node"
+        operator: "Equal"
+        value: "true"
+        effect: "NoSchedule"
+  # Note: Operators not listed (like mariadb, neutron, etc.) will use the default tolerations