From 1813db8b4a65bc5b6d2bd3a7224d6f32720553a7 Mon Sep 17 00:00:00 2001
From: Vicente Cheng
Date: Wed, 31 Jul 2024 14:06:17 +0800
Subject: [PATCH] webhook/mutator: filter out the witness node
- we do not allow any workload on the witness node, so we should filter out the witness node when creating the vlan config
Signed-off-by: Vicente Cheng
---
 pkg/utils/labels.go | 2 ++
 pkg/webhook/vlanconfig/mutator.go | 9 ++++++++-
 2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/pkg/utils/labels.go b/pkg/utils/labels.go
index c379d1ec..9da2b5c9 100644
--- a/pkg/utils/labels.go
+++ b/pkg/utils/labels.go
@@ -20,4 +20,6 @@ const (
 
 ValueTrue = "true"
 ValueFalse = "false"
+
+ HarvesterWitnessNodeLabelKey = "node-role.harvesterhci.io/witness"
 )
diff --git a/pkg/webhook/vlanconfig/mutator.go b/pkg/webhook/vlanconfig/mutator.go
index 3ccef1e4..cf8ddd86 100644
--- a/pkg/webhook/vlanconfig/mutator.go
+++ b/pkg/webhook/vlanconfig/mutator.go
@@ -10,6 +10,7 @@ import (
 admissionregv1 "k8s.io/api/admissionregistration/v1"
 "k8s.io/apimachinery/pkg/labels"
 "k8s.io/apimachinery/pkg/runtime"
+ "k8s.io/apimachinery/pkg/selection"
 
 networkv1 "github.com/harvester/harvester-network-controller/pkg/apis/network.harvesterhci.io/v1beta1"
 "github.com/harvester/harvester-network-controller/pkg/utils"
@@ -82,7 +83,13 @@ func getCnLabelPatch(v *networkv1.VlanConfig) admission.Patch {
 }
 
 func (m *Mutator) matchNodes(vc *networkv1.VlanConfig) (admission.Patch, error) {
- nodes, err := m.nodeCache.List(labels.Set(vc.Spec.NodeSelector).AsSelector())
+ selector := labels.Set(vc.Spec.NodeSelector).AsSelector()
+ witnessFilter, err := labels.NewRequirement(utils.HarvesterWitnessNodeLabelKey, selection.DoesNotExist, nil)
+ if err != nil {
+ return nil, err
+ }
+ selector = selector.Add(*witnessFilter)
+ nodes, err := m.nodeCache.List(selector)
 if err != nil {
 return nil, err
 }
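Review bot: The new requirement in matchNodes uses `selection.DoesNotExist`, so the exclusion keys on the mere presence of `node-role.harvesterhci.io/witness`: a node carrying that key with the value `false` is dropped from the match as well. If that is intended, say so next to the requirement, e.g. `// Exclude on key presence: any value of the witness label keeps the node out of the VlanConfig match.`; if only `true` should exclude, `labels.NewRequirement(utils.HarvesterWitnessNodeLabelKey, selection.NotIn, []string{utils.ValueTrue})` expresses that while still matching unlabelled nodes. The filter is added only on this webhook path, so any other code that resolves `Spec.NodeSelector` to nodes (not visible here) presumably needs the same requirement, otherwise the rule from the commit message holds only at admission time. matchNodes continues past the end of the hunk.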