Fix labeler jobs for nodes with readonly FS (#74)

* Fix devcontainer DIND configuration for trixie

See devcontainers/features#1482 for details

Signed-off-by: Sébastien Masset <[email protected]>

* Improve Docker build cache usage

Signed-off-by: Sébastien Masset <[email protected]>

* Rename logger in nodelabeler_controller setup

Signed-off-by: Sébastien Masset <[email protected]>

* Filter out explicitly labeled nodes in nodelabeler_controller setup

Signed-off-by: Sébastien Masset <[email protected]>

---------

Signed-off-by: Sébastien Masset <[email protected]>

Author: smasset-orange

.devcontainer/devcontainer.json

@@ -2,7 +2,9 @@
   "name": "Kubebuilder DevContainer",
   "image": "docker.io/golang:1.26",
   "features": {
-    "ghcr.io/devcontainers/features/docker-in-docker:2": {},
+    "ghcr.io/devcontainers/features/docker-in-docker:2": {
+      "moby": false
+    },
     "ghcr.io/devcontainers/features/git:1": {}
   },
 

Dockerfile

@@ -28,14 +28,14 @@ RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -a -o ma
 FROM alpine:3.23@sha256:25109184c71bdad752c8312a8623239686a9a2071e8825f20acb8f2198c3f659
 ARG TARGETARCH
 WORKDIR /
+# Create a non-root user with numeric UID
+RUN adduser -D -u 65532 -s /bin/sh manager
 # Install kubectl and other necessary tools
 RUN apk add --no-cache curl ca-certificates && \
     curl -LO "https://dl.k8s.io/release/$(curl -L -s https://dl.k8s.io/release/stable.txt)/bin/linux/${TARGETARCH}/kubectl" && \
     chmod +x kubectl && \
     mv kubectl /usr/local/bin/
 COPY --from=builder /workspace/manager .
-# Create a non-root user with numeric UID
-RUN adduser -D -u 65532 -s /bin/sh manager
-USER 65532:65532
 
+USER 65532:65532
 ENTRYPOINT ["/manager"]

internal/controller/nodelabeler_controller.go

@@ -10,10 +10,13 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/labels"
 	"k8s.io/apimachinery/pkg/runtime"
 	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/builder"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	logf "sigs.k8s.io/controller-runtime/pkg/log"
+	"sigs.k8s.io/controller-runtime/pkg/predicate"
 
 	"github.com/kairos-io/kairos-operator/internal/utils"
 )
@@ -239,15 +242,37 @@ func (r *NodeLabelerReconciler) Reconcile(ctx context.Context, req ctrl.Request)
 }
 
 func (r *NodeLabelerReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	setupLog := logf.Log.WithName("setup")
+
 	// Ensure RBAC resources are created when the controller starts
 	namespace := r.getOperatorNamespace()
 	if err := r.ensureServiceAccount(context.Background(), namespace); err != nil {
-		log := logf.Log.WithName("setup")
-		log.Error(err, "Failed to ensure service account and RBAC")
+		setupLog.Error(err, "Failed to ensure service account and RBAC")
 		os.Exit(1)
 	}
 
+	// Define selector for nodes that should be ignored
+	nodeSelector, err := labels.Parse("kairos.io/managed notin (false)")
+	if err != nil {
+		setupLog.Error(err, "Failed to parse label selector for nodes")
+		os.Exit(1)
+	}
+
+	log := logf.FromContext(context.TODO())
 	return ctrl.NewControllerManagedBy(mgr).
-		For(&corev1.Node{}).
+		For(
+			&corev1.Node{},
+			// Filter out ignored nodes
+			builder.WithPredicates(predicate.NewPredicateFuncs(func(obj client.Object) bool {
+				node := obj.(*corev1.Node)
+
+				matches := nodeSelector.Matches(labels.Set(node.ObjectMeta.Labels))
+				if !matches {
+					log.V(1).Info("Ignoring explicitly labeled node", "node", node.ObjectMeta.Name)
+				}
+
+				return matches
+			})),
+		).
 		Complete(r)
 }