Add Taints and Tolerations for Server and ServerClaim

[xkonni]

Closes #850

Summary

Introduces a taint/toleration mechanism for bare-metal server scheduling,
modelled after the Kubernetes taint/toleration API.

• Adds Taint and Toleration types to api/v1alpha1
• TaintEffect supports NoBind (default, blocks binding) and Evict
  (reserved for future eviction logic)
• Server.spec.taints — set by operators or external systems to restrict
  which claims can bind to a server
• ServerClaim.spec.tolerations — set on a claim to opt in to tainted servers
• isServerClaimable() now checks that all NoBind taints on a server are
  covered by a matching toleration on the claim

Behavior

A server with a NoBind taint will not be bound to a claim unless the claim
carries a matching toleration. The server remains Available — taints only
affect binding, not server lifecycle.

Evict taints are defined in the API but not yet enforced. They are ignored
during binding and reserved for a future "drain and evict" flow.

Maintenance operations are not affected by taints.

Example

# Server with a taint (effect defaults to NoBind)
spec:
  taints:
  - key: dedicated
    value: gpu

# Claim that tolerates it
spec:
  tolerations:
  - key: dedicated
    operator: Exists

Summary by CodeRabbit

• New Features

  • Servers can be marked with taints to control which claims may bind
  • Server claims can declare tolerations to allow binding to tainted servers
  • Binding now enforces taint/toleration compatibility

• CRD / API

  • Server and ServerClaim CRD schemas updated to include taints and tolerations; new taint/toleration types added

• Docs

  • API reference updated with taint/toleration schemas

• Tests

  • New unit and controller tests covering taint/toleration behavior

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 56ea4c32-49e7-4cf4-b20c-fef1cb11120d

📥 Commits

Reviewing files that changed from the base of the PR and between 6aacc07 and 1aaf397.

📒 Files selected for processing (2)

• internal/controller/taints.go
• internal/controller/taints_test.go

🚧 Files skipped from review as they are similar to previous changes (2)

• internal/controller/taints.go
• internal/controller/taints_test.go

---

📝 Walkthrough

Walkthrough

Adds Kubernetes-style taints to Server and tolerations to ServerClaim, with API types, CRD schema and docs, generated apply/deepcopy helpers, matching utilities, and controller checks plus tests enforcing tolerations during claim binding.

Changes

Server Taint/Toleration Scheduling

Layer / File(s)	Summary
API Type Definitions api/v1alpha1/common_types.go	Defines TaintEffect (NoBind, Evict) and Taint structs with Key, optional Value, and optional Effect; TolerationOperator (Equal, Exists) and Toleration structs with Key, optional Operator, Value, and Effect.
ServerSpec and ServerClaimSpec fields api/v1alpha1/server_types.go, api/v1alpha1/serverclaim_types.go	ServerSpec gains optional Taints []Taint; ServerClaimSpec gains optional Tolerations []Toleration to enable taint-based binding control.
Generated apply-configuration, deepcopy, and utilities api/v1alpha1/applyconfiguration/..., api/v1alpha1/zz_generated.deepcopy.go, api/v1alpha1/applyconfiguration/utils.go	Adds TaintApplyConfiguration and TolerationApplyConfiguration builders, updates deepcopy for new slice fields and types, and registers new kinds in ForKind.
CRD schema and API documentation config/crd/bases/metal.ironcore.dev_servers.yaml, config/crd/bases/metal.ironcore.dev_serverclaims.yaml, docs/api-reference/api.md	Server CRD adds spec.taints[] with key validation and effect enum (default NoBind); ServerClaim CRD adds spec.tolerations[] with key, operator enum, and optional value/effect; docs updated accordingly.
Taint/toleration matching helpers and tests internal/controller/taints.go, internal/controller/taints_test.go	Implements tolerationMatchesTaint and tolerates (skipping Evict taints, requiring tolerations for NoBind taints) and a table-driven test covering operators, values, effects, and edge cases.
Controller integration and binding tests internal/controller/serverclaim_controller.go, internal/controller/serverclaim_controller_test.go	isServerClaimable now rejects servers whose Spec.Taints are not tolerated by a claim's Spec.Tolerations; controller tests validate rejected and accepted binding scenarios and defaulting behavior.

Sequence Diagram(s)

sequenceDiagram
  participant ServerClaimController
  participant isServerClaimable
  participant tolerates
  participant ServerTaints
  participant ClaimTolerations
  ServerClaimController->>isServerClaimable: check if server claimable
  isServerClaimable->>tolerates: tolerates(server.Spec.Taints, claim.Spec.Tolerations)
  tolerates->>ServerTaints: filter NoBind taints (skip Evict)
  tolerates->>ClaimTolerations: verify each NoBind taint matches a toleration
  ClaimTolerations-->>tolerates: true if all NoBind taints covered, false otherwise
  alt Tolerations match taints
    tolerates-->>isServerClaimable: true
    isServerClaimable-->>ServerClaimController: server is claimable
  else Tolerations do not match
    tolerates-->>isServerClaimable: false
    isServerClaimable->>isServerClaimable: log rejection, return false
    isServerClaimable-->>ServerClaimController: server not claimable
  end

Loading

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

Possibly related PRs

• ironcore-dev/metal-operator#748: Modifies server claim binding logic in internal/controller/serverclaim_controller.go, related to claim ownership/ref handling and binding behavior.

Suggested reviewers

• afritzler
• nagadeesh-nagaraja

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title directly and clearly summarizes the main change: adding taints and tolerations support for Server and ServerClaim resources.
Description check	✅ Passed	The PR description is comprehensive and well-structured, providing summary, behavior details, and examples. However, it deviates from the template structure which requires 'Proposed Changes' bullet points and explicit 'Fixes #' line (template format is not strictly followed).
Linked Issues check	✅ Passed	All requirements from issue #850 are met: Taint and Toleration types added [850], ServerSpec.Taints field added [850], ServerClaimSpec.Tolerations field added [850], isServerClaimable() enforces taint matching [850], backward compatibility maintained [850].
Out of Scope Changes check	✅ Passed	All changes are directly related to taint/toleration feature scope. Type definitions, field additions, controller logic, tests, CRD schemas, documentation, and apply-configuration builders are all in-scope for the taint/toleration implementation.
Docstring Coverage	✅ Passed	Docstring coverage is 87.50% which is sufficient. The required threshold is 80.00%.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

• Create stacked PR
• Commit on current branch

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch feat/taints

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/api-reference/api.md`:
- Around line 1856-1857: Update the documentation for the taint effects so that
TaintEffectEvict is described as reserved/non-functional rather than actively
evicting claims: replace the current sentence that says "TaintEffectEvict causes
existing ServerClaims bound to the server to be evicted..." with wording that
explicitly states TaintEffectEvict is reserved/placeholder and does not
currently trigger eviction, and keep TaintEffectNoBind description as-is;
reference the symbols TaintEffectEvict and TaintEffectNoBind when making the
change so the intent is clear to readers.

In `@internal/controller/serverclaim_controller_test.go`:
- Around line 530-559: The test "should claim a server with a NoBind taint when
the claim has a matching toleration" creates a ServerClaim (variable claim) but
never deletes it; add cleanup after the assertion that the claim is bound by
calling the k8s client to delete the ServerClaim (e.g.,
Expect(k8sClient.Delete(ctx, claim)).To(Succeed())) and optionally wait for
deletion with an Eventually/Object(check) to ensure the claim is removed; place
this cleanup immediately after the
Eventually(Object(claim)).Should(HaveField("Status.Phase",
Equal(metalv1alpha1.PhaseBound))) line so the created claim is removed at the
end of the test.
- Around line 518-523: The negative assertions using
Consistently(Object(server)) and Consistently(Object(claim)) need explicit
duration and polling interval to avoid flakiness—update those calls to include a
timeout and polling interval (e.g., Consistently(..., 2*time.Second,
100*time.Millisecond)) so the controller has time to reconcile; for the positive
test that creates a ServerClaim (the block that asserts Status.Phase becomes
PhaseBound) add explicit cleanup to mirror the negative test by deleting the
created ServerClaim at the end of that test (ensure you reference the same claim
variable used when creating it) so resources are removed after the test
completes.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 21978aab-929d-44f9-b01e-acd8592d9606

📥 Commits

Reviewing files that changed from the base of the PR and between 23be4e1 and e05ec77.

⛔ Files ignored due to path filters (2)

• dist/chart/templates/crd/metal.ironcore.dev_serverclaims.yaml is excluded by !**/dist/**
• dist/chart/templates/crd/metal.ironcore.dev_servers.yaml is excluded by !**/dist/**

📒 Files selected for processing (13)

• api/v1alpha1/server_types.go
• api/v1alpha1/serverclaim_types.go
• api/v1alpha1/taint_types.go
• api/v1alpha1/zz_generated.deepcopy.go
• config/crd/bases/metal.ironcore.dev_serverclaims.yaml
• config/crd/bases/metal.ironcore.dev_servers.yaml
• docs/api-reference/api.md
• internal/controller/serverclaim_controller.go
• internal/controller/serverclaim_controller_test.go
• internal/controller/taint.go
• internal/controller/taint_test.go
• third_party/expansion/expand.go
• third_party/expansion/expand_test.go

[afritzler]

@coderabbitai do you think it is a good idea to reuse the k8s.io corev1.Taints instead of declaring own struct types here?

[coderabbitai]

Tip

For best results, initiate chat on the files or code changes.

@afritzler Great question! Here's a balanced analysis:

Arguments for reusing corev1.Taint / corev1.Toleration:

• Familiarity: users already know the Kubernetes taint/toleration API.
• k8s.io/api is almost certainly already a transitive dependency in any operator project, so no new import is needed.
• Reduces code surface and avoids maintaining custom types.

Arguments against (and why custom types are the better fit here):

1. Different effect semantics. corev1.TaintEffect carries node/pod scheduling concepts. Its values are NoSchedule, PreferNoSchedule, and NoExecute — none of which map cleanly to this PR's bare-metal binding domain. The PR's NoBind and Evict effects are fundamentally different concepts (binding prevention vs. eviction of a server claim), and forcing them into corev1.TaintEffect would be a semantic mismatch.

2. Irrelevant fields pollute the CRD schema. corev1.Taint includes a TimeAdded *metav1.Time field that represents when the taint was added, and is only written for NoExecute taints — a concept with no equivalent in bare-metal binding. Similarly, corev1.Toleration carries a TolerationSeconds field that only applies to NoExecute eviction timing. Both fields would appear in the Server/ServerClaim CRD schema without meaning.

3. The Cluster API precedent is a different use case. Cluster API's MachineSpec uses []corev1.Taint because those taints are meant to be applied to the corresponding Kubernetes Node. In this project, the taints are not propagated to a real Kubernetes Node — they govern bare-metal server binding logic. The use cases are fundamentally different.

4. API stability coupling. Embedding corev1 types directly exposes the CRD API to any future upstream changes in the core Kubernetes types.

Verdict: The custom types defined in this PR (TaintEffect, Taint, TolerationOperator, Toleration) are the right call. They keep the domain semantics explicit and clean (NoBind is immediately understandable in a bare-metal context), avoid polluting the CRD with irrelevant Kubernetes scheduler fields, and decouple the API from upstream corev1 churn. The tradeoff of a small amount of additional code is well worth it.

[coderabbitai]

🧹 Nitpick comments (1)

api/v1alpha1/common_types.go (1)

348-351: ⚡ Quick win

Add // +kubebuilder:default=Equal to clarify Operator field behavior.

The Operator field is optional but currently relies on controller-side fallback (empty operator treated as Equal). Adding the default marker makes this behavior explicit in the API schema, matching Kubernetes conventions and improving clarity for API consumers.

Suggested change

 	// Operator represents the key's relationship to the value.
+	// +kubebuilder:default=Equal
 	// +optional
 	Operator TolerationOperator `json:"operator,omitempty"`

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@api/v1alpha1/common_types.go` around lines 348 - 351, Add the kubebuilder
default marker to the Operator field so the API schema documents the default
behavior: add the comment "// +kubebuilder:default=Equal" immediately above the
Operator declaration for the Operator TolerationOperator
`json:"operator,omitempty"` field in the struct (where Operator is defined) so
codegen will set the schema default to Equal.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@api/v1alpha1/common_types.go`:
- Around line 348-351: Add the kubebuilder default marker to the Operator field
so the API schema documents the default behavior: add the comment "//
+kubebuilder:default=Equal" immediately above the Operator declaration for the
Operator TolerationOperator `json:"operator,omitempty"` field in the struct
(where Operator is defined) so codegen will set the schema default to Equal.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 2e343064-8865-4e50-84ce-e383ee370ef5

📥 Commits

Reviewing files that changed from the base of the PR and between dbfe373 and 5620567.

⛔ Files ignored due to path filters (2)

• dist/chart/templates/crd/metal.ironcore.dev_serverclaims.yaml is excluded by !**/dist/**
• dist/chart/templates/crd/metal.ironcore.dev_servers.yaml is excluded by !**/dist/**

📒 Files selected for processing (16)

• api/v1alpha1/applyconfiguration/api/v1alpha1/serverclaimspec.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/serverspec.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/taint.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/toleration.go
• api/v1alpha1/applyconfiguration/utils.go
• api/v1alpha1/common_types.go
• api/v1alpha1/server_types.go
• api/v1alpha1/serverclaim_types.go
• api/v1alpha1/zz_generated.deepcopy.go
• config/crd/bases/metal.ironcore.dev_serverclaims.yaml
• config/crd/bases/metal.ironcore.dev_servers.yaml
• docs/api-reference/api.md
• internal/controller/serverclaim_controller.go
• internal/controller/serverclaim_controller_test.go
• internal/controller/taint.go
• internal/controller/taint_test.go

✅ Files skipped from review due to trivial changes (5)

• api/v1alpha1/applyconfiguration/api/v1alpha1/serverclaimspec.go
• api/v1alpha1/applyconfiguration/utils.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/taint.go
• docs/api-reference/api.md
• api/v1alpha1/zz_generated.deepcopy.go

🚧 Files skipped from review as they are similar to previous changes (8)

• internal/controller/serverclaim_controller.go
• config/crd/bases/metal.ironcore.dev_servers.yaml
• api/v1alpha1/serverclaim_types.go
• config/crd/bases/metal.ironcore.dev_serverclaims.yaml
• api/v1alpha1/applyconfiguration/api/v1alpha1/serverspec.go
• internal/controller/taint_test.go
• internal/controller/taint.go
• api/v1alpha1/server_types.go

[afritzler]

Just some small nit.

[coderabbitai]

🧹 Nitpick comments (1)

internal/controller/taints_test.go (1)

12-119: ⚡ Quick win

Consider adding a test case for empty Taint.Effect.

The test suite is comprehensive, but there is no test case covering a taint with an empty Effect field. If taints with empty Effect are possible (and should default to NoBind), adding a test case would verify the expected behavior and catch any regression.

Suggested test entry:

Entry("taint with empty effect treated as NoBind",
	[]metalv1alpha1.Taint{
		{Key: "dedicated", Value: "gpu", Effect: ""},
	},
	[]metalv1alpha1.Toleration{
		{Key: "dedicated", Operator: metalv1alpha1.TolerationOperatorExists},
	},
	true,
),

However, if the API layer guarantees that Taint.Effect is always populated (via defaulting or validation), then this test case is unnecessary.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@internal/controller/taints_test.go` around lines 12 - 119, Add a test Entry
to the DescribeTable in internal/controller/taints_test.go to cover a taint with
an empty Effect and assert it is treated like TaintEffectNoBind; specifically
add an Entry that calls tolerates with a taint {Key: "dedicated", Value: "gpu",
Effect: ""} and a toleration {Key: "dedicated", Operator:
metalv1alpha1.TolerationOperatorExists} expecting true so the tolerates(taints,
tolerations) behavior for empty Taint.Effect is verified; place it alongside the
other Entry cases in the same DescribeTable that uses the tolerates function and
metalv1alpha1.Taint/metalv1alpha1.Toleration types.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Nitpick comments:
In `@internal/controller/taints_test.go`:
- Around line 12-119: Add a test Entry to the DescribeTable in
internal/controller/taints_test.go to cover a taint with an empty Effect and
assert it is treated like TaintEffectNoBind; specifically add an Entry that
calls tolerates with a taint {Key: "dedicated", Value: "gpu", Effect: ""} and a
toleration {Key: "dedicated", Operator: metalv1alpha1.TolerationOperatorExists}
expecting true so the tolerates(taints, tolerations) behavior for empty
Taint.Effect is verified; place it alongside the other Entry cases in the same
DescribeTable that uses the tolerates function and
metalv1alpha1.Taint/metalv1alpha1.Toleration types.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 1f6ef323-1db4-48e9-9427-fbf66314c298

📥 Commits

Reviewing files that changed from the base of the PR and between 5620567 and 6aacc07.

⛔ Files ignored due to path filters (2)

• dist/chart/templates/crd/metal.ironcore.dev_serverclaims.yaml is excluded by !**/dist/**
• dist/chart/templates/crd/metal.ironcore.dev_servers.yaml is excluded by !**/dist/**

📒 Files selected for processing (16)

• api/v1alpha1/applyconfiguration/api/v1alpha1/serverclaimspec.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/serverspec.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/taint.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/toleration.go
• api/v1alpha1/applyconfiguration/utils.go
• api/v1alpha1/common_types.go
• api/v1alpha1/server_types.go
• api/v1alpha1/serverclaim_types.go
• api/v1alpha1/zz_generated.deepcopy.go
• config/crd/bases/metal.ironcore.dev_serverclaims.yaml
• config/crd/bases/metal.ironcore.dev_servers.yaml
• docs/api-reference/api.md
• internal/controller/serverclaim_controller.go
• internal/controller/serverclaim_controller_test.go
• internal/controller/taints.go
• internal/controller/taints_test.go

✅ Files skipped from review due to trivial changes (6)

• api/v1alpha1/applyconfiguration/api/v1alpha1/taint.go
• api/v1alpha1/applyconfiguration/utils.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/serverclaimspec.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/serverspec.go
• api/v1alpha1/zz_generated.deepcopy.go
• api/v1alpha1/applyconfiguration/api/v1alpha1/toleration.go

🚧 Files skipped from review as they are similar to previous changes (8)

• config/crd/bases/metal.ironcore.dev_serverclaims.yaml
• internal/controller/serverclaim_controller.go
• api/v1alpha1/serverclaim_types.go
• api/v1alpha1/common_types.go
• config/crd/bases/metal.ironcore.dev_servers.yaml
• api/v1alpha1/server_types.go
• docs/api-reference/api.md
• internal/controller/serverclaim_controller_test.go

[afritzler]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.