nbykov0 (Collaborator) commented Dec 31, 2025

What this PR does

Cozystack-api and lineage-webhook tolerate all taints, so they are able to run on masters no matter what.
Needed for unschedulable control-plane setup, quorum nodes, etc.

Release note

Cozystack-api and lineage-webhook tolerate all taints.

Summary by CodeRabbit

  • Chores
    • Updated pod scheduling tolerations to improve deployment flexibility and compatibility across diverse cluster configurations.
    • Enhanced workload distribution by making pods more resilient to cluster taints, enabling better resource utilization in various environments.


coderabbitai bot (Contributor) commented Dec 31, 2025


Walkthrough

Both Kubernetes pod templates are updated to use operator: Exists tolerations, replacing previously specific taint configurations. This allows pods to tolerate any taints without requiring explicit key or effect specifications, simplifying scheduling constraints.

Changes

| Cohort / File(s) | Summary |
|---|---|
| Kubernetes tolerations updates: packages/system/cozystack-api/templates/deployment.yaml, packages/system/lineage-controller-webhook/templates/daemonset.yaml | Both YAML templates modified to introduce or replace tolerations with operator: Exists for broader taint tolerance during pod scheduling; no other pod spec fields altered |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 Hops and cheers for taint-free schedules!
No more specific taints to juggle,
With Exists operator so free,
Our pods find homes more naturally.

Pre-merge checks

✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title '[api, lineage] Tolerate all taints' directly and clearly summarizes the main change: both components (api and lineage) now tolerate all Kubernetes taints via operator: Exists tolerations. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |

📥 Commits

Reviewing files that changed from the base of the PR and between 2d6e50b and 4e602fd.

📒 Files selected for processing (2)
  • packages/system/cozystack-api/templates/deployment.yaml
  • packages/system/lineage-controller-webhook/templates/daemonset.yaml
🔇 Additional comments (2)
packages/system/lineage-controller-webhook/templates/daemonset.yaml (1)

18-19: LGTM!

The operator: Exists toleration without a key or effect correctly tolerates all taints, allowing the DaemonSet pods to schedule on control-plane nodes regardless of what taints are applied. This aligns with the PR objective.

packages/system/cozystack-api/templates/deployment.yaml (1)

24-25: LGTM!

The unconditional operator: Exists toleration correctly allows the pod to be scheduled on any node regardless of taints. This works well for both the DaemonSet mode (where nodeSelector restricts to control-plane nodes that may have taints) and the Deployment mode (where pods can be scheduled on any available node).



@gemini-code-assist (Contributor)

Summary of Changes

Hello @nbykov0, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request enhances the resilience and deployment flexibility of the Cozystack-api and lineage-webhook components. By configuring them to tolerate all taints, these critical services can now reliably run on control-plane (master) nodes, which are typically tainted to prevent general workloads. This ensures their continuous operation and availability within the Kubernetes cluster.

Highlights

  • Cozystack-api Tolerations: The cozystack-api deployment now includes a toleration with operator: Exists, allowing it to be scheduled on Kubernetes nodes that have any taints. This ensures the API can run on master nodes regardless of their specific taints.
  • Lineage-webhook Tolerations: The lineage-controller-webhook daemonset has been updated to include a toleration with operator: Exists. This change enables the webhook to run on any Kubernetes node, including master nodes, by tolerating all existing taints.


gemini-code-assist bot (Contributor) left a comment

Code Review

This pull request aims to make cozystack-api and lineage-webhook tolerate all taints by adding a generic toleration. While the change for cozystack-api is correct, the modification to lineage-controller-webhook introduces a duplicate tolerations key in the YAML manifest. This will cause the new toleration to be ignored, defeating the purpose of the change. I've left a comment with details on how to fix this critical issue.
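
The matching rule that makes a key-less, effect-less `operator: Exists` toleration generic, written out as an added Go example (not code from this PR or from Cozystack). The `Taint` and `Toleration` structs are local stand-ins for the Kubernetes core/v1 types, and the sample taints, including the `example.com/dedicated` key, are constructed.

```go
package main

import "fmt"

// Local copies of the core/v1 fields that matter for taint matching.
type Taint struct{ Key, Value, Effect string }
type Toleration struct{ Key, Operator, Value, Effect string }

// Tolerates applies the Kubernetes rule: an empty effect matches every effect,
// an empty key matches every key, and the default operator is Equal.
func Tolerates(tol Toleration, t Taint) bool {
	if (tol.Effect != "" && tol.Effect != t.Effect) || (tol.Key != "" && tol.Key != t.Key) {
		return false
	}
	if tol.Operator == "Exists" {
		return true
	}
	return (tol.Operator == "" || tol.Operator == "Equal") && tol.Value == t.Value
}

// Untolerated returns the taints that none of the tolerations match.
func Untolerated(tols []Toleration, taints []Taint) []Taint {
	var out []Taint
	for _, t := range taints {
		matched := false
		for _, tol := range tols {
			matched = matched || Tolerates(tol, t)
		}
		if !matched {
			out = append(out, t)
		}
	}
	return out
}

// SampleTaints is constructed input; example.com/dedicated is a made-up key.
var SampleTaints = []Taint{
	{"node-role.kubernetes.io/control-plane", "", "NoSchedule"},
	{"node.kubernetes.io/not-ready", "", "NoExecute"},
	{"node.kubernetes.io/unschedulable", "", "NoSchedule"},
	{"example.com/dedicated", "tenant-a", "NoSchedule"},
}

func main() {
	blanket := []Toleration{{Operator: "Exists"}} // the form added in this PR
	scoped := []Toleration{{Key: "node-role.kubernetes.io/control-plane", Operator: "Exists", Effect: "NoSchedule"}}
	fmt.Println("blanket leaves untolerated:", len(Untolerated(blanket, SampleTaints)))
	fmt.Println("scoped leaves untolerated: ", len(Untolerated(scoped, SampleTaints)))
}
```

The blanket form matches the NoExecute and custom taints as well as the control-plane one, while the scoped form leaves those three untolerated.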

nbykov0 force-pushed the taints-are-for-the-weak branch from e885aa4 to 93ce00c, December 31, 2025 13:40
Signed-off-by: nbykov0 <166552198+nbykov0@users.noreply.github.com>
Signed-off-by: nbykov0 <166552198+nbykov0@users.noreply.github.com>
nbykov0 force-pushed the taints-are-for-the-weak branch from 93ce00c to 4e602fd, December 31, 2025 13:44
nbykov0 self-assigned this Dec 31, 2025
nbykov0 added the backport (Should change be backported on previous release) and backport-previous labels and removed the backport-previous label Dec 31, 2025
nbykov0 marked this pull request as ready for review December 31, 2025 14:44
dosubot bot added the size:XS (This PR changes 0-9 lines, ignoring generated files.) and enhancement (New feature or request) labels Dec 31, 2025
Comment on lines +24 to +25
tolerations:
- operator: Exists
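Review bot: The bare `- operator: Exists` entry at +25 sets neither `key` nor `effect`, so it matches NoExecute taints as well as NoSchedule ones, and with no `tolerationSeconds` a replica stays bound to a node tainted node.kubernetes.io/not-ready or node.kubernetes.io/unreachable instead of being evicted and rescheduled. If the aim is only to run on tainted control-plane nodes, consider adding `effect: NoSchedule` or naming the control-plane key; if tolerating every taint is intended, a template comment saying so would help, since taints can then no longer keep this pod off dedicated or cordoned nodes.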
Member

This will tolerate nodes with unconfigured network, however it won't start pod until CNI is ready.
Then it seems ok

Collaborator, Author

In our case it will be handled by helmreleases dependencies, when first of all cilium and kube-ovn are deployed and up.

kvaps (Member) left a comment

Is there any reason to backport this?

nbykov0 (Collaborator, Author) commented Dec 31, 2025

> Is there any reason to backport this?

I'll DM you.

kvaps (Member) left a comment

LGTM

dosubot bot added the lgtm (This PR has been approved by a maintainer) label Jan 7, 2026
kvaps merged commit 56cba3f into main Jan 7, 2026
49 of 51 checks passed
kvaps deleted the taints-are-for-the-weak branch January 7, 2026 14:52
github-actions bot commented Jan 7, 2026

Successfully created backport PR for release-0.39:

kvaps added a commit that referenced this pull request Jan 7, 2026
kvaps added a commit that referenced this pull request Jan 8, 2026
## What this PR does
Cozystack-api and lineage-webhook tolerate all taints, so they are able
to run on masters no matter what.
Needed for unschedulable control-plane setup, quorum nodes, etc.

### Release note
```release-note
Cozystack-api and lineage-webhook tolerate all taints.
```


## Summary by CodeRabbit

* **Chores**
* Updated pod scheduling tolerations to improve deployment flexibility
and compatibility across diverse cluster configurations.
* Enhanced workload distribution by making pods more resilient to
cluster taints, enabling better resource utilization in various
environments.

kvaps added a commit that referenced this pull request Jan 8, 2026
kvaps added a commit that referenced this pull request Jan 9, 2026