openstack-k8s-operators · openshift-merge-bot · Aug 6, 2025 · Aug 5, 2025
diff --git a/Makefile b/Makefile
@@ -156,6 +156,7 @@ bindata: kustomize yq ## Call sync bindata script
 	sed -i bindata/operator/operator.yaml -e "/customLimits/c\\            cpu: {{ .OpenStackOperator.Deployment.Manager.Resources.Limits.CPU }}\n            memory: {{ .OpenStackOperator.Deployment.Manager.Resources.Limits.Memory }}"
 	sed -i bindata/operator/operator.yaml -e "/customRequests/c\\            cpu: {{ .OpenStackOperator.Deployment.Manager.Resources.Requests.CPU }}\n            memory: {{ .OpenStackOperator.Deployment.Manager.Resources.Requests.Memory }}"
 	sed -i bindata/operator/operator.yaml -e "s|kube-rbac-proxy:replace_me.*|'{{ .OpenStackOperator.Deployment.KubeRbacProxy.Image }}'|"
+	sed -i bindata/operator/operator.yaml -e "/customTolerations/c\\      tolerations:\n{{- range .OpenStackOperator.Deployment.Tolerations }}\n      - key: \"{{ .Key }}\"\n{{- if .Operator }}\n        operator: \"{{ .Operator }}\"\n{{- end }}\n{{- if .Value }}\n        value: \"{{ .Value }}\"\n{{- end }}\n{{- if .Effect }}\n        effect: \"{{ .Effect }}\"\n{{- end }}\n{{- if .TolerationSeconds }}\n        tolerationSeconds: {{ .TolerationSeconds }}\n{{- end }}\n{{- end }}"
 	cp config/operator/managers.yaml bindata/operator/
 	cp config/operator/rabbit.yaml bindata/operator/
 	$(KUSTOMIZE) build config/rbac > bindata/rbac/rbac.yaml
@@ -203,7 +204,7 @@ ginkgo-run: ## Run ginkgo.
 	source hack/export_related_images.sh && \
 	KUBEBUILDER_ASSETS="$(shell $(ENVTEST) -v debug --bin-dir $(LOCALBIN) use $(ENVTEST_K8S_VERSION) -p path)" \
 	OPERATOR_TEMPLATES="$(PWD)/templates" \
-	$(GINKGO) --trace --cover --coverpkg=./pkg/operator,./pkg/openstack,./pkg/openstackclient,./pkg/util,./pkg/dataplane/...,./controllers/...,./apis/client/v1beta1,./apis/core/v1beta1,./apis/dataplane/v1beta1 --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) $(GINKGO_TESTS)
+	$(GINKGO) --trace --cover --coverpkg=./pkg/...,./controllers/...,./apis/... --coverprofile cover.out --covermode=atomic ${PROC_CMD} $(GINKGO_ARGS) $(GINKGO_TESTS)
 
 .PHONY: test-all
 test-all: test golint golangci golangci-lint ## Run all tests.
@@ -302,7 +303,7 @@ CONTROLLER_GEN ?= $(LOCALBIN)/controller-gen
 ENVTEST ?= $(LOCALBIN)/setup-envtest
 CRD_MARKDOWN ?= $(LOCALBIN)/crd-to-markdown
 GINKGO ?= $(LOCALBIN)/ginkgo
-GINKGO_TESTS ?= ./tests/... ./apis/client/... ./apis/core/... ./apis/dataplane/... ./pkg/dataplane/...
+GINKGO_TESTS ?= ./tests/... ./apis/client/... ./apis/core/... ./apis/dataplane/... ./pkg/...
 
 KUTTL ?= $(LOCALBIN)/kubectl-kuttl
 

diff --git a/apis/bases/operator.openstack.org_openstacks.yaml b/apis/bases/operator.openstack.org_openstacks.yaml
@@ -70,6 +70,22 @@ spec:
                                 x-kubernetes-int-or-string: true
                               type: object
                           type: object
+                        tolerations:
+                          items:
+                            properties:
+                              effect:
+                                type: string
+                              key:
+                                type: string
+                              operator:
+                                type: string
+                              tolerationSeconds:
+                                format: int64
+                                type: integer
+                              value:
+                                type: string
+                            type: object
+                          type: array
                       type: object
                     name:
                       enum:

diff --git a/apis/operator/v1beta1/openstack_types.go b/apis/operator/v1beta1/openstack_types.go
@@ -21,6 +21,7 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/utils/ptr"
 )
 
 const (
@@ -69,6 +70,23 @@ var (
 	DefaultRbacProxyMemoryLimit resource.Quantity = resource.MustParse("128Mi")
 	// DefaultRbacProxyMemoryRequests - Default kube rbac proxy container memory requests
 	DefaultRbacProxyMemoryRequests resource.Quantity = resource.MustParse("64Mi")
+
+	// DefaultTolerations - Default tolerations for all operators
+	DefaultTolerations = []corev1.Toleration{
+		{
+			Key:               corev1.TaintNodeNotReady, // "node.kubernetes.io/not-ready"
+			Operator:          corev1.TolerationOpExists,
+			Effect:            corev1.TaintEffectNoExecute,
+			TolerationSeconds: ptr.To[int64](120),
+		},
+		{
+			Key:               corev1.TaintNodeUnreachable, // "node.kubernetes.io/unreachable"
+			Operator:          corev1.TolerationOpExists,
+			Effect:            corev1.TaintEffectNoExecute,
+			TolerationSeconds: ptr.To[int64](120),
+		},
+	}
+
 	// OperatorList - list of all operators with optional different defaults then the above.
 	// NOTE: test-operator was deployed as a independant package so it may or may not be installed
 	// NOTE: depending on how watcher-operator is released for FR2 and then in FR3 it may need to be
@@ -210,6 +228,11 @@ type ContainerSpec struct {
 	// Resources - Compute Resources for the service operator controller manager
 	// https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 	Resources corev1.ResourceRequirements `json:"resources,omitempty"`
+
+	// +kubebuilder:validation:Optional
+	// Tolerations - Tolerations for the service operator controller manager
+	// https://kubernetes.io/docs/concepts/scheduling-eviction/taint-and-toleration/
+	Tolerations []corev1.Toleration `json:"tolerations,omitempty"`
 }
 
 // OpenStackStatus defines the observed state of OpenStack

diff --git a/apis/operator/v1beta1/zz_generated.deepcopy.go b/apis/operator/v1beta1/zz_generated.deepcopy.go
diff --git a/bindata/operator/managers.yaml b/bindata/operator/managers.yaml
@@ -86,14 +86,21 @@ spec:
       serviceAccountName: {{ .Name }}-operator-controller-manager
       terminationGracePeriodSeconds: 10
       tolerations:
-      - key: "node.kubernetes.io/not-ready"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
-      - key: "node.kubernetes.io/unreachable"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
+{{- range .Deployment.Tolerations }}
+      - key: "{{ .Key }}"
+{{- if .Operator }}
+        operator: "{{ .Operator }}"
+{{- end }}
+{{- if .Value }}
+        value: "{{ .Value }}"
+{{- end }}
+{{- if .Effect }}
+        effect: "{{ .Effect }}"
+{{- end }}
+{{- if .TolerationSeconds }}
+        tolerationSeconds: {{ .TolerationSeconds }}
+{{- end }}
+{{- end }}
 {{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }}
       volumes:
       - name: cert

diff --git a/bindata/operator/operator.yaml b/bindata/operator/operator.yaml
@@ -129,19 +129,26 @@ spec:
             memory: 64Mi
         securityContext:
           allowPrivilegeEscalation: false
+      tolerations:
+{{- range .OpenStackOperator.Deployment.Tolerations }}
+      - key: "{{ .Key }}"
+{{- if .Operator }}
+        operator: "{{ .Operator }}"
+{{- end }}
+{{- if .Value }}
+        value: "{{ .Value }}"
+{{- end }}
+{{- if .Effect }}
+        effect: "{{ .Effect }}"
+{{- end }}
+{{- if .TolerationSeconds }}
+        tolerationSeconds: {{ .TolerationSeconds }}
+{{- end }}
+{{- end }}
       securityContext:
         runAsNonRoot: true
       serviceAccountName: openstack-operator-controller-manager
       terminationGracePeriodSeconds: 10
-      tolerations:
-      - effect: NoExecute
-        key: node.kubernetes.io/not-ready
-        operator: Exists
-        tolerationSeconds: 120
-      - effect: NoExecute
-        key: node.kubernetes.io/unreachable
-        operator: Exists
-        tolerationSeconds: 120
       volumes:
       - name: cert
         secret:

diff --git a/config/crd/bases/operator.openstack.org_openstacks.yaml b/config/crd/bases/operator.openstack.org_openstacks.yaml
@@ -70,6 +70,22 @@ spec:
                                 x-kubernetes-int-or-string: true
                               type: object
                           type: object
+                        tolerations:
+                          items:
+                            properties:
+                              effect:
+                                type: string
+                              key:
+                                type: string
+                              operator:
+                                type: string
+                              tolerationSeconds:
+                                format: int64
+                                type: integer
+                              value:
+                                type: string
+                            type: object
+                          type: array
                       type: object
                     name:
                       enum:

diff --git a/config/manager/manager.yaml b/config/manager/manager.yaml
@@ -72,12 +72,4 @@ spec:
             customRequests: replace_me #NOTE: this is used via the Makefile to inject a custom template that kustomize won't allow
       serviceAccountName: openstack-operator-controller-manager
       terminationGracePeriodSeconds: 10
-      tolerations:
-      - key: "node.kubernetes.io/not-ready"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
-      - key: "node.kubernetes.io/unreachable"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
+      customTolerations: replace_me #NOTE: this is used via the Makefile to inject a custom template that kustomize won't allow
diff --git a/config/operator/managers.yaml b/config/operator/managers.yaml
@@ -86,14 +86,21 @@ spec:
       serviceAccountName: {{ .Name }}-operator-controller-manager
       terminationGracePeriodSeconds: 10
       tolerations:
-      - key: "node.kubernetes.io/not-ready"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
-      - key: "node.kubernetes.io/unreachable"
-        operator: "Exists"
-        effect: "NoExecute"
-        tolerationSeconds: 120
+{{- range .Deployment.Tolerations }}
+      - key: "{{ .Key }}"
+{{- if .Operator }}
+        operator: "{{ .Operator }}"
+{{- end }}
+{{- if .Value }}
+        value: "{{ .Value }}"
+{{- end }}
+{{- if .Effect }}
+        effect: "{{ .Effect }}"
+{{- end }}
+{{- if .TolerationSeconds }}
+        tolerationSeconds: {{ .TolerationSeconds }}
+{{- end }}
+{{- end }}
 {{- if isEnvVarTrue .Deployment.Manager.Env "ENABLE_WEBHOOKS" }}
       volumes:
       - name: cert

diff --git a/config/samples/operator_v1beta1_openstack_tolerations_example.yaml b/config/samples/operator_v1beta1_openstack_tolerations_example.yaml
@@ -0,0 +1,76 @@
+apiVersion: operator.openstack.org/v1beta1
+kind: OpenStack
+metadata:
+  labels:
+    app.kubernetes.io/name: openstack
+    app.kubernetes.io/instance: openstack-sample
+    app.kubernetes.io/part-of: openstack-operator
+    app.kubernetes.io/managed-by: kustomize
+    app.kubernetes.io/created-by: openstack-operator
+  name: openstack-sample
+spec:
+  # Example showing how to customize tolerations for different service operators
+  #
+  # MERGE BEHAVIOR:
+  # - Custom tolerations are MERGED with the default tolerations
+  # - If a custom toleration has the same KEY as a default, it OVERRIDES the default
+  # - If a custom toleration has a different KEY, it is ADDED to the defaults
+  #
+  # Default tolerations (applied automatically unless overridden):
+  #   - key: "node.kubernetes.io/not-ready"
+  #     operator: "Exists"
+  #     effect: "NoExecute"
+  #     tolerationSeconds: 120
+  #   - key: "node.kubernetes.io/unreachable"
+  #     operator: "Exists"
+  #     effect: "NoExecute"
+  #     tolerationSeconds: 120
+  operatorOverrides:
+  - name: "keystone"
+    # Custom tolerations for keystone operator pods
+    controllerManager:
+      tolerations:
+      - key: "example.com/special-nodes"
+        operator: "Equal"
+        value: "keystone"
+        effect: "NoSchedule"
+      - key: "node.kubernetes.io/memory-pressure"
+        operator: "Exists"
+        effect: "NoExecute"
+        tolerationSeconds: 300
+  - name: "nova"
+    # Example: Override default tolerations and add new ones
+    # Result will be:
+    #   1. node.kubernetes.io/not-ready (OVERRIDDEN - 600s instead of 120s)
+    #   2. node.kubernetes.io/unreachable (OVERRIDDEN - 400s instead of 120s)
+    #   3. node.example.com/compute (ADDED - new toleration)
+    controllerManager:
+        tolerations:
+        - key: "node.kubernetes.io/not-ready"
+          operator: "Exists"
+          effect: "NoExecute"
+          tolerationSeconds: 600  # Override default 120s
+        - key: "node.kubernetes.io/unreachable"
+          operator: "Exists"
+          effect: "NoExecute"
+          tolerationSeconds: 400  # Override default 120s
+        - key: "node.example.com/compute"  # Add new toleration
+          operator: "Equal"
+          value: "true"
+          effect: "NoSchedule"
+  - name: "glance"
+    # Custom resource limits AND tolerations example
+    controllerManager:
+      resources:
+        limits:
+          cpu: "2"
+          memory: "4Gi"
+        requests:
+          cpu: "1"
+          memory: "2Gi"
+      tolerations:
+      - key: "storage-node"
+        operator: "Equal"
+        value: "true"
+        effect: "NoSchedule"
+  # Note: Operators not listed (like mariadb, neutron, etc.) will use the default tolerations
diff --git a/controllers/operator/openstack_controller.go b/controllers/operator/openstack_controller.go
@@ -563,6 +563,7 @@ func (r *OpenStackReconciler) applyOperator(ctx context.Context, instance *opera
 						},
 					},
 					KubeRbacProxy: kubeRbacProxyContainer,
+					Tolerations:   operatorv1beta1.DefaultTolerations,
 				},
 			}
 

diff --git a/pkg/operator/override.go b/pkg/operator/override.go
@@ -38,6 +38,7 @@ type Deployment struct {
 	Replicas      *int32
 	Manager       Container
 	KubeRbacProxy Container
+	Tolerations   []corev1.Toleration
 }
 
 // Container -
@@ -108,6 +109,38 @@ func SetOverrides(opOvr operatorv1beta1.OperatorSpec, op *Operator) {
 			op.Deployment.Manager.Resources.Requests.Memory = opOvr.ControllerManager.Resources.Requests.Memory().String()
 		}
 	}
+	if len(opOvr.ControllerManager.Tolerations) > 0 {
+		op.Deployment.Tolerations = mergeTolerations(op.Deployment.Tolerations, opOvr.ControllerManager.Tolerations)
+	}
+}
+
+// mergeTolerations merges custom tolerations with default tolerations.
+// If a custom toleration has the same key as a default one, it overrides the default.
+// Otherwise, the custom toleration is added to the list.
+func mergeTolerations(defaults, custom []corev1.Toleration) []corev1.Toleration {
+	if len(custom) == 0 {
+		return defaults
+	}
+
+	// Start with a copy of defaults
+	merged := make([]corev1.Toleration, len(defaults))
+	copy(merged, defaults)
+
+	// For each custom toleration, check if it should override a default one
+	for _, customTol := range custom {
+
+		f := func(c corev1.Toleration) bool {
+			return c.Key == customTol.Key
+		}
+		idx := slices.IndexFunc(merged, f)
+		if idx >= 0 {
+			merged[idx] = customTol
+		} else {
+			merged = append(merged, customTol)
+		}
+	}
+
+	return merged
 }
 
 func GetOperator(operators []Operator, name string) (int, Operator) {
-Original file line number
+Diff line change
@@ Expand Up @@
     						},
     					},
     					KubeRbacProxy: kubeRbacProxyContainer,
+    					Tolerations:   operatorv1beta1.DefaultTolerations,
     				},
     			}
@@ Expand Down @@