feat: TaintToleration and NodeSelector for CSI components csi-attacher/csi-provisioner/csi-resizer/csi-snapshotter

[semenas]

Which issue(s) this PR fixes:

Issue # longhorn/longhorn#12079

What this PR does / why we need it:

Additional settings defaultSettings.taintTolerationKubernetesCSI and defaultSettings.systemManagedComponentsNodeSelectorKubernetesCSI provide more flexible options for pod placement of the CSI sidecars components (csi-attacher, csi-provisioner, csi-resizer, csi-snapshotter).

Currently, CSI sidecars components inherit the same node placement rules as all other system-managed components through defaultSettings.taintToleration and defaultSettings.systemManagedComponentsNodeSelector. These CSI components is not necessary to run on all nodes of cluster and in some cases it could be a requirement to use only specified nodes, e.g. control-plane. At other hand using available settings leads to other system-managed pods required for operation cannot start on all nodes.

Special notes for your reviewer:

This PR makes some minor fixes in the affected functions as well.

Additional documentation or context

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on this repository. Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

Adds Kubernetes CSI-specific settings (taint tolerations and node selector), registers their types, exposes datastore getters, loads them in the driver to configure CSI sidecar deployments, and extends the settings controller with dedicated update handlers and runtime-object collection for CSI components.

Changes

Cohort / File(s)	Summary
Settings & Types types/setting.go, types/types.go	Adds SettingNameCSISidecarComponentTaintToleration and SettingNameSystemManagedCSISidecarComponentsNodeSelector, registers their setting definitions, extends validation to parse tolerations/nodeSelector, and adds KubernetesCSISidecarList of CSI sidecar names.
Data Access Layer datastore/longhorn.go	Adds GetSettingCSISidecarComponentTaintToleration and GetSettingSystemManagedCSISidecarComponentsNodeSelector to read/unmarshal the new settings.
Driver / Deployment wiring app/driver.go	Loads the new Kubernetes CSI-specific tolerations/nodeSelector (and marshals tolerations to JSON) and passes them into CSI sidecar deployment constructors (Attacher, Provisioner, Resizer, Snapshotter) instead of the generic settings.
Settings controller & update handlers controller/setting_controller.go	Adds the two CSI settings to danger-zone handling; introduces updateCSISidecarComponentTaintToleration and updateCSISidecarComponentsNodeSelector; adds collectRuntimeObjectsKubernetesCSI; adjusts collectRuntimeObjects and update flows (including updatePriorityClass) to include/exclude CSI deployments appropriately and wraps errors with context.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20–30 minutes

• Pay extra attention to:
  • controller/setting_controller.go — correctness of runtime-object collection, selection/exclusion logic for CSI deployments, and safe update/delete order (DaemonSets/Deployments/Pods).
  • app/driver.go — ensure new settings are loaded before creating CSI deployments and tolerations JSON is encoded correctly for use in manifests.
  • datastore/longhorn.go / types/setting.go — validation/unmarshal behavior for the new settings and any display/description changes.

Possibly related PRs

• feat: create hard/soft podAntiAffinity preset configuration #4133 — touches CSI deployment construction flow and the same CSI deployment constructors (Attacher/Provisioner/Resizer/Snapshotter).

Suggested reviewers

• COLDTURNIP
• c3y1huang
• shuo-wu
• davidcheng0922

Pre-merge checks and finishing touches

❌ Failed checks (1 warning)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 33.33% which is insufficient. The required threshold is 80.00%.	You can run @coderabbitai generate docstrings to improve docstring coverage.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: adding TaintToleration and NodeSelector settings specifically for CSI sidecar components (csi-attacher, csi-provisioner, csi-resizer, csi-snapshotter).
Description check	✅ Passed	The description clearly relates to the changeset, explaining the purpose of the new settings and why they are needed for flexible CSI component pod placement.

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[derekbit]

These CSI components is not necessary to run on all nodes of cluster and in some cases it could be a requirement to use only specified nodes, e.g. control-plane.

The default number of replicas of each CSI component in Longhorn is 3.

At other hand using available settings leads to other system-managed pods required for operation cannot start on all nodes.

@semenas Could you elaborate more on the statement?

[semenas]

These CSI components is not necessary to run on all nodes of cluster and in some cases it could be a requirement to use only specified nodes, e.g. control-plane.

The default number of replicas of each CSI component in Longhorn is 3.

At other hand using available settings leads to other system-managed pods required for operation cannot start on all nodes.

@semenas Could you elaborate more on the statement?

That's right, but if we decide to restrict to run these CSI components pods on "Control Plane" nodes, we have to use setting defaultSettings.systemManagedComponentsNodeSelector. In this case this setting affected other system managed pods like instance manager and deamon sets longhron-csi-plugin, engine-image-ei and so on. But these "other" components have to be run on all nodes where we are planning to mount a volume, e.g. "Control Plane" and "Workers" nodes. And the same situation about setting defaultSettings.taintToleration.

[derekbit]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (3)

types/setting.go (2)

64-90: CSI setting names are inconsistent and will not compile

You currently define:

• SettingNameCSISidecarComponentTaintToleration
• SettingNameSystemManagedCSISidecarComponentsNodeSelector

but elsewhere in this file and in other packages you use:

• SettingNameTaintTolerationKubernetesCSI
• SettingNameSystemManagedComponentsNodeSelectorKubernetesCSI

The latter two are not defined in the SettingName const block, yet they’re referenced in:

• SettingNameList
• settingDefinitions
• validateSettingString
• controller and app code

This will fail to compile and also creates ambiguity about the actual CR setting names exposed to users.

I recommend standardizing on the *KubernetesCSI identifiers and matching the string values to the documentation (e.g. *-kubernetes-csi), removing the unused *CSISidecar* names.

-	SettingNameTaintToleration                                          = SettingName("taint-toleration")
-	SettingNameSystemManagedComponentsNodeSelector                      = SettingName("system-managed-components-node-selector")
-	SettingNameCSISidecarComponentTaintToleration                             = SettingName("csi-sidecar-taint-toleration")
-	SettingNameSystemManagedCSISidecarComponentsNodeSelector         = SettingName("system-managed-csi-sidecar-components-node-selector")
+	SettingNameTaintToleration                                  = SettingName("taint-toleration")
+	SettingNameSystemManagedComponentsNodeSelector              = SettingName("system-managed-components-node-selector")
+	SettingNameTaintTolerationKubernetesCSI                     = SettingName("taint-toleration-kubernetes-csi")
+	SettingNameSystemManagedComponentsNodeSelectorKubernetesCSI = SettingName("system-managed-components-node-selector-kubernetes-csi")

With that in place, the existing uses of SettingNameTaintTolerationKubernetesCSI and SettingNameSystemManagedComponentsNodeSelectorKubernetesCSI in:

• SettingNameList
• settingDefinitions
• validateSettingString
  become consistent and no further renames are needed.

You can then drop the unused SettingNameCSISidecarComponentTaintToleration / SettingNameSystemManagedCSISidecarComponentsNodeSelector constants entirely unless you explicitly need aliases for backward compatibility.

Also applies to: 180-208, 333-360, 2490-2568

---

786-803: Clarify wording for node selector settings and fix truncated description

The behavioral split between generic and CSI‑specific node‑selector/taint settings is good, but the descriptions have a couple of issues:

• SettingDefinitionSystemManagedComponentsNodeSelector has:
  except for . — looks like an incomplete sentence.
• SettingDefinitionSystemManagedComponentsNodeSelectorKubernetesCSI starts with “set node selector for all Longhorn components”, which contradicts the subsequent explanation that it only applies to system‑managed Kubernetes CSI components.

Suggest tightening the copy for clarity and correctness, e.g.:

@@
-	SettingDefinitionSystemManagedComponentsNodeSelector = SettingDefinition{
-		DisplayName: "System Managed Components Node Selector",
-		Description: "If you want to restrict Longhorn components to only run on particular set of nodes, you can set node selector for **all** Longhorn components except for . " +
+	SettingDefinitionSystemManagedComponentsNodeSelector = SettingDefinition{
+		DisplayName: "System Managed Components Node Selector",
+		Description: "If you want to restrict Longhorn components to only run on a particular set of nodes, you can set a node selector for **all** Longhorn system managed components except for Kubernetes CSI sidecar components. " +
@@
-	SettingDefinitionSystemManagedComponentsNodeSelectorKubernetesCSI = SettingDefinition{
-		DisplayName: "System Managed Components Node Selector for Kubernetes CSI components",
-		Description: "If you want to restrict Longhorn components to only run on particular set of nodes, you can set node selector for **all** Longhorn components. " +
+	SettingDefinitionSystemManagedComponentsNodeSelectorKubernetesCSI = SettingDefinition{
+		DisplayName: "System Managed Components Node Selector for Kubernetes CSI components",
+		Description: "If you want to restrict Kubernetes CSI sidecar components to only run on a particular set of nodes, you can set a node selector for system managed Kubernetes CSI components here. " +

The rest of each description (the ordered steps and examples) already clearly explains how the generic and CSI‑specific selectors should be combined.

Also applies to: 805-823, 824-841, 843-861

app/driver.go (1)

237-280: Sidecars now ignore global taint/nodeSelector; consider fallback for backward compatibility

The new logic:

• Fetches and unmarshals SettingNameTaintTolerationKubernetesCSI / SettingNameSystemManagedComponentsNodeSelectorKubernetesCSI.
• Uses those values exclusively for the Attacher/Provisioner/Resizer/Snapshotter deployments.
• Continues to use the global SettingNameTaintToleration / SettingNameSystemManagedComponentsNodeSelector for the plugin DaemonSet and for getProcArg.

This cleanly separates CSI sidecar placement from other components, which is the PR’s intent. However, it also changes behavior for existing clusters:

• Before this change, sidecars always honored the global taint/nodeSelector settings.
• After this change, if the CSI‑specific settings are left at their (empty) defaults, sidecars will have no tolerations/node selectors even when global values are set.

On an upgraded cluster that already relies on global taints/node selectors, this could:

• Make CSI sidecars unschedulable on tainted nodes, or
• Move them to a different subset of nodes than before, until admins explicitly configure the new settings.

Consider adding a fallback to preserve existing behavior, e.g.:

• If SettingNameTaintTolerationKubernetesCSI.Value == "", default to SettingNameTaintToleration.Value.
• If SettingNameSystemManagedComponentsNodeSelectorKubernetesCSI.Value == "", default to SettingNameSystemManagedComponentsNodeSelector.Value.

You can implement this directly here when computing tolerationsKubernetesCSI / nodeSelectorKubernetesCSI, or inside the corresponding datastore helpers if you prefer a single source of truth.

-	tolerationSettingKubernetesCSI, err := lhClient.LonghornV1beta2().Settings(namespace).Get(context.TODO(), string(types.SettingNameTaintTolerationKubernetesCSI), metav1.GetOptions{})
+	tolerationSettingKubernetesCSI, err := lhClient.LonghornV1beta2().Settings(namespace).Get(context.TODO(), string(types.SettingNameTaintTolerationKubernetesCSI), metav1.GetOptions{})
 	if err != nil {
 		return err
 	}
-	tolerationsKubernetesCSI, err := types.UnmarshalTolerations(tolerationSettingKubernetesCSI.Value)
+	tolerationValueCSI := tolerationSettingKubernetesCSI.Value
+	if tolerationValueCSI == "" {
+		// Fallback to global setting for backward compatibility
+		tolerationValueCSI = tolerationSetting.Value
+	}
+	tolerationsKubernetesCSI, err := types.UnmarshalTolerations(tolerationValueCSI)
@@
-	nodeSelectorSettingKubernetesCSI, err := lhClient.LonghornV1beta2().Settings(namespace).Get(context.TODO(), string(types.SettingNameSystemManagedComponentsNodeSelectorKubernetesCSI), metav1.GetOptions{})
+	nodeSelectorSettingKubernetesCSI, err := lhClient.LonghornV1beta2().Settings(namespace).Get(context.TODO(), string(types.SettingNameSystemManagedComponentsNodeSelectorKubernetesCSI), metav1.GetOptions{})
 	if err != nil {
 		return err
 	}
-	nodeSelectorKubernetesCSI, err := types.UnmarshalNodeSelector(nodeSelectorSettingKubernetesCSI.Value)
+	nodeSelectorValueCSI := nodeSelectorSettingKubernetesCSI.Value
+	if nodeSelectorValueCSI == "" {
+		// Fallback to global setting for backward compatibility
+		nodeSelectorValueCSI = nodeSelectorSetting.Value
+	}
+	nodeSelectorKubernetesCSI, err := types.UnmarshalNodeSelector(nodeSelectorValueCSI)

This keeps existing behavior by default while still allowing admins to override CSI sidecar placement independently.

Also applies to: 340-356, 360-360

🧹 Nitpick comments (5)

types/types.go (1)

248-253: CSI sidecar set definition looks good; minor naming/read‑only nit

The exported set of CSI sidecar names is correct and idiomatic (map[string]struct{} as a set). To make intent slightly clearer, consider either renaming to something like KubernetesCSISidecarSet or adding a brief comment that this map is read‑only and used purely for membership checks so callers don’t mutate it.

datastore/longhorn.go (1)

4099-4121: CSI-specific setting getters mirror existing pattern and look correct

Both GetSettingTaintTolerationKubernetesCSI and GetSettingSystemManagedComponentsNodeSelectorKubernetesCSI are consistent with the existing non-CSI getters: they use GetSettingWithAutoFillingRO plus UnmarshalTolerations/UnmarshalNodeSelector, so empty values yield empty slice/map and invalid strings surface as errors. This is fine as-is; if more similar getters are added later, you might factor out small helpers to avoid duplication.

controller/setting_controller.go (3)

470-533: updateTaintTolerationKubernetesCSI duplicates existing logic but scope is correct

The new handler cleanly reuses the existing toleration update flow while scoping updates to CSI Deployments via collectRuntimeObjectsKubernetesCSI. Error handling and detached‑volume gating are consistent with updateTaintToleration.

One nit: the function comment still says “deletes all user‑deployed and system‑managed components”; in reality this only targets Kubernetes CSI system‑managed components. Consider tightening the comment to avoid confusion.

-// updateTaintTolerationKubernetesCSI deletes all user-deployed and system-managed components immediately with the updated taint toleration.
+// updateTaintTolerationKubernetesCSI updates tolerations for Kubernetes CSI system-managed components.

---

1068-1128: Minor consistency nit in updateNodeSelector error reporting

Logic is unchanged except for the default branch error message, which still references SettingNameSystemManagedComponentsNodeSelector. Since this function now coexists with the CSI‑specific variant, the message is fine but slightly generic.

If you later share getNotUpdatedNodeSelectorList between both settings (as you already do), consider making the error message setting‑agnostic there to avoid confusion.

---

535-576: Centralize CSI sidecar deployment app label key constant to clarify the label/key contract

The code correctly separates CSI and non-CSI Deployments based on matching dp.Labels["app"] against KubernetesCSISidecarList keys. However, this contract is implicit and distributed across two functions (collectRuntimeObjects at line 563 and collectRuntimeObjectsKubernetesCSI at line 586), with the key ("app") hardcoded in both checks.

To improve maintainability and make the contract explicit, define the label key as a constant (e.g., CSIDeploymentAppLabelKey = "app") in types/types.go alongside KubernetesCSISidecarList, then reuse it in both filtering locations. This prevents accidental divergence if the label key ever changes, and clarifies the dependency for future maintainers.

Additionally, consider adding a test case that verifies mock CSI Deployments with these specific app labels are correctly included/excluded.

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 98f1224 and ac467da.

📒 Files selected for processing (5)

• app/driver.go (2 hunks)
• controller/setting_controller.go (6 hunks)
• datastore/longhorn.go (1 hunks)
• types/setting.go (6 hunks)
• types/types.go (1 hunks)

🧰 Additional context used

🧬 Code graph analysis (3)

datastore/longhorn.go (1)

types/setting.go (2)

• UnmarshalTolerations (1995-2012)
• UnmarshalNodeSelector (2055-2070)

controller/setting_controller.go (3)

types/setting.go (2)

• UnmarshalTolerations (1995-2012)
• UnmarshalNodeSelector (2055-2070)

util/util.go (1)

• TolerationListToMap (613-621)

types/types.go (3)

• ErrorInvalidState (341-343)
• GetBaseLabelsForSystemManagedComponent (460-462)
• KubernetesCSISidecarList (248-253)

app/driver.go (2)

types/setting.go (2)

• UnmarshalTolerations (1995-2012)
• UnmarshalNodeSelector (2055-2070)

csi/deployment.go (4)

• NewAttacherDeployment (53-91)
• NewProvisionerDeployment (109-150)
• NewResizerDeployment (168-216)
• NewSnapshotterDeployment (234-272)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (1)

• GitHub Check: Summary

🔇 Additional comments (4)

controller/setting_controller.go (3)

279-287: Danger‑zone wiring for new CSI settings looks consistent

New Kubernetes CSI settings are added to dangerSettingsRequiringAllVolumesDetached and wired to dedicated handlers, mirroring the existing taint/node‑selector behavior (including AreAllVolumesDetachedState checks). This is structurally sound and matches the intent of isolating CSI from generic settings.

Also applies to: 288-305

---

666-686: Including CSI deployments in priority‑class updates is correct

Aggregating collectRuntimeObjects() with collectRuntimeObjectsKubernetesCSI() for updatePriorityClass is the right fix after excluding CSI from the generic collector. The combined list ensures sidecars still receive PriorityClass updates alongside other components.

---

1130-1191: updateNodeSelectorKubernetesCSI mirrors existing behavior appropriately

The CSI‑specific node‑selector update handler correctly:

• Collects only CSI deployments,
• Checks all volumes are detached,
• Updates DaemonSet/Deployment NodeSelector, and
• Deletes Pods when necessary.

The error message in the default branch correctly references SettingNameSystemManagedComponentsNodeSelectorKubernetesCSI. Overall this is aligned with the non‑CSI variant.

types/setting.go (1)

790-803: Validation wiring for new CSI settings is correct

For both CSI‑specific settings:

• SettingNameTaintTolerationKubernetesCSI → validated via UnmarshalTolerations
• SettingNameSystemManagedComponentsNodeSelectorKubernetesCSI → validated via UnmarshalNodeSelector

which mirrors the existing generic settings. Once the constant naming issue above is fixed, this validation path is appropriate and consistent.

Also applies to: 824-841, 2490-2568

[derekbit]

Hello @semenas
CI failed. Could you fix them? Thanks.

[derekbit]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 0

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

types/setting.go (1)

789-807: SystemManagedComponentsNodeSelector description has a broken sentence

The SettingDefinitionSystemManagedComponentsNodeSelector.Description now tries to explain the split between generic and CSI-sidecar node selectors, but the first sentence contains an incomplete fragment:

“... set node selector for all Longhorn components except for .”

This is user-facing and confusing; it should explicitly mention “except for Kubernetes CSI sidecar components” (or similar) and read cleanly as a full sentence.

-        Description: "If you want to restrict Longhorn components to only run on particular set of nodes, you can set node selector for **all** Longhorn components except for . " +
+        Description: "If you want to restrict Longhorn components to only run on a particular set of nodes, you can set node selectors for **all** Longhorn components except for Kubernetes CSI sidecar components. " +

Also applies to: 808-826

🧹 Nitpick comments (2)

controller/setting_controller.go (2)

470-533: CSI-sidecar toleration update logic matches existing pattern; minor doc/duplication nits

The implementation is essentially a scoped clone of updateTaintToleration, limited to collectRuntimeObjectsKubernetesCSI(), which is correct for targeting only CSI sidecars.

Two small points:

• The comment still says “deletes all user-deployed and system-managed components”, but this function only touches the CSI sidecar deployments.
• The code is now duplicated between updateTaintToleration and updateCSISidecarComponentTaintToleration except for the setting name and collector; a shared helper taking (settingName, collectorFn) would reduce future drift.

---

1068-1128: Node-selector flows for generic vs CSI components are consistent; minor error-message nit

The new updateCSISidecarComponentsNodeSelector mirrors updateNodeSelector but scopes to collectRuntimeObjectsKubernetesCSI(), which is the right split given the two settings. Volume-detached gating and object handling (DaemonSet/Deployment/Pod) are consistent.

Small nit: getNotUpdatedNodeSelectorList still uses SettingNameSystemManagedComponentsNodeSelector in its default-case error message even when invoked from the CSI-specific updater. If that error ever triggers, it will point to the generic setting name regardless of which setting is being processed; not critical, but a bit confusing.

Also applies to: 1130-1191

📜 Review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between ac467da and d834dd4.

📒 Files selected for processing (5)

• app/driver.go (2 hunks)
• controller/setting_controller.go (6 hunks)
• datastore/longhorn.go (1 hunks)
• types/setting.go (6 hunks)
• types/types.go (1 hunks)

🚧 Files skipped from review as they are similar to previous changes (1)

• datastore/longhorn.go

🧰 Additional context used

🧬 Code graph analysis (2)

controller/setting_controller.go (3)

types/setting.go (4)

• SettingNameCSISidecarComponentTaintToleration (89-89)
• SettingNameSystemManagedCSISidecarComponentsNodeSelector (90-90)
• UnmarshalTolerations (2014-2031)
• UnmarshalNodeSelector (2074-2089)

util/util.go (1)

• TolerationListToMap (613-621)

types/types.go (3)

• ErrorInvalidState (341-343)
• GetBaseLabelsForSystemManagedComponent (460-462)
• KubernetesCSISidecarList (248-253)

app/driver.go (1)

types/setting.go (4)

• SettingNameCSISidecarComponentTaintToleration (89-89)
• UnmarshalTolerations (2014-2031)
• SettingNameSystemManagedCSISidecarComponentsNodeSelector (90-90)
• UnmarshalNodeSelector (2074-2089)

⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (2)

• GitHub Check: Build binaries
• GitHub Check: Summary

🔇 Additional comments (7)

controller/setting_controller.go (2)

279-286: Danger-zone wiring for new CSI settings is consistent

Including SettingNameCSISidecarComponentTaintToleration and SettingNameSystemManagedCSISidecarComponentsNodeSelector in the “all volumes detached” danger-zone list and branching to dedicated update handlers keeps their behavior aligned with the existing taint/node selector settings.

Also applies to: 298-305

---

535-576: <!-- [scratchpad_start]
[task verification_1/1 complete]
[observations]

• csi/deployment_util.go:41 confirms app label set as: deploymentLabels["app"] = commonName
• NewAttacherDeployment passes types.CSIAttacherName to getCommonDeployment
• types/deploy.go values: CSIAttacherName="csi-attacher", CSIProvisionerName="csi-provisioner", CSIResizerName="csi-resizer", CSISnapshotterName="csi-snapshotter"
• types/types.go: CSISidecarPortNameAttacher="csi-attacher", CSISidecarPortNameProvisioner="csi-provisioner", CSISidecarPortNameResizer="csi-resizer", CSISidecarPortNameSnapshotter="csi-snapshotter"
• KubernetesCSISidecarList keys use CSISidecarPortName* constants
• All string values match exactly between CSIName and CSISidecarPortName constants
• setting_controller.go:563 correctly excludes CSI deployments from collectRuntimeObjects()
• setting_controller.go:586 correctly includes CSI deployments in collectRuntimeObjectsKubernetesCSI()

[analysis]

• Verification confirms the CSI sidecar deployments have app labels that exactly match KubernetesCSISidecarList keys
• Filtering logic properly classifies CSI vs non-CSI deployments
• No other deployments would accidentally match the list
• Original review comment's verification request is satisfied

[done]
✓ Confirmed CSI app labels match KubernetesCSISidecarList keys
✓ Verified filtering logic is correct
✓ Confirmed classification is properly localized
✓ No false positive risks identified
</scratchpad_end] -->

Runtime object collection split between general and CSI scope is correct

Excluding CSI sidecar deployments from collectRuntimeObjects() and reintroducing them via collectRuntimeObjectsKubernetesCSI() gives you:

• Generic updates (taint toleration, generic node selector) that no longer touch CSI sidecars.
• PriorityClass updates that still see all managed objects by appending the CSI-specific slice.

This matches the new settings semantics, and the classification via types.KubernetesCSISidecarList + "app" label keeps the logic localized. The app labels used by CSI sidecar deployments (csi-attacher, csi-provisioner, csi-resizer, csi-snapshotter) are correctly mapped as keys in the list, and no non-CSI deployments use these values.

types/setting.go (3)

89-90: New CSI-sidecar setting names and definitions are wired correctly

The new SettingNameCSISidecarComponentTaintToleration and SettingNameSystemManagedCSISidecarComponentsNodeSelector are:

• Declared alongside the existing taint/node-selector settings.
• Included in SettingNameList so they get CRs.
• Added to settingDefinitions with corresponding SettingDefinition* entries, both in the DangerZone category.

This ensures they participate fully in validation, default-setting handling, and danger-zone logic.

Also applies to: 181-209, 335-362

---

827-865: New CSI-sidecar-specific setting definitions are consistent with existing ones

SettingDefinitionCSISidecarComponentTaintToleration and SettingDefinitionSystemManagedCSISidecarComponentsNodeSelector:

• Mirror the wording and behavior of the existing taint/node-selector definitions, but scoped to CSI sidecars.
• Are categorized as SettingCategoryDangerZone, non-required, string-typed settings.
• Clearly document example formats and the intended order of configuration steps between user-deployed, CSI sidecar, and other system-managed components.

This is aligned with how the controller uses them and with the split between generic and CSI-only behavior.

---

2579-2587: Validation for new CSI-sidecar settings correctly reuses existing parsers

Extending validateSettingString with:

• case SettingNameCSISidecarComponentTaintToleration: → UnmarshalTolerations
• case SettingNameSystemManagedCSISidecarComponentsNodeSelector: → UnmarshalNodeSelector

keeps the syntax and validation rules identical to the existing taint and generic node-selector settings, which is what you want.

types/types.go (1)

248-253: KubernetesCSISidecarList implementation is correct and properly verified

The KubernetesCSISidecarList map is properly defined and serves its intended purpose. Verification confirms it is used in controller/setting_controller.go (lines 563 and 586) to filter deployments based on the dp.Labels["app"] field—deployments are either excluded or included only if their app label matches one of these four CSI sidecar constants. The constants are consistently used as container port names in the deployment definitions. The code is correct as written.

app/driver.go (1)

259-280: CSI sidecars now use dedicated placement settings; verify upgrade behavior is intentional

Verification confirms the behavioral concern: on upgrade, existing clusters will see CSI sidecar deployments ignore the global taint toleration and node selector settings if the new CSI-specific settings (csi-sidecar-taint-toleration and system-managed-csi-sidecar-components-node-selector) are not explicitly populated. The upgrade path does not automatically migrate values from global to CSI-specific settings, and no fallback logic exists in the deployment code.

This is a breaking change for clusters that previously relied on global settings for CSI sidecar placement. Please confirm:

1. Whether this behavioral change is intentional (i.e., CSI sidecars should start with empty placement unless explicitly configured), or
2. Whether migration/fallback logic should be added to inherit from global settings when CSI-specific ones are empty, and
3. Whether the release notes and upgrade documentation clearly document this change.

Also applies to: 340-355

[derekbit]

@semenas
The implementation is LGTM.

However, we need to copy the valules of the settings taint-toleration and system-managed-components-node-selector to the new settings csi-sidecar-taint-toleration and system-managed-csi-sidecar-components-node-selector in the upgrade path.

Can you add a commit to handle it?
Ref: https://github.com/longhorn/longhorn-manager/tree/master/upgrade

[derekbit]

@semenas Will you update the PR for #4251 (comment)?

[semenas]

@semenas Will you update the PR for #4251 (comment)?

Yes, I'll try to do it today, thank you

[semenas]

@semenas Will you update the PR for #4251 (comment)?

done

[mergify]

This pull request is now in conflict. Could you fix it @semenas? 🙏

[derekbit]

@semenas Can you check the implementation of the upgrade path https://github.com/longhorn/longhorn-manager/blob/master/upgrade/v19xto1100/upgrade.go? We read the CRs from cache instead.

[semenas]

@derekbit Could you please check if that's the right way?

[derekbit]

@semenas Still have some issues. How about removing the upgrade path implementation commts? I can help implement this part.

[semenas]

@derekbit I would appreciate it

[c3y1huang]

I think casting isn’t needed. The type switch already handles that. https://go.dev/ref/spec#Type_switches

Suggested change

	switch objType := obj.(type) {
	case *appsv1.DaemonSet:
	ds := obj.(*appsv1.DaemonSet)
	sc.logger.Infof("Updating the node selector from %v to %v for %v", ds.Spec.Template.Spec.NodeSelector, newNodeSelector, ds.Name)
	ds.Spec.Template.Spec.NodeSelector = newNodeSelector
	if _, err := sc.ds.UpdateDaemonSet(ds); err != nil {
	switch objTyped := obj.(type) {
	case *appsv1.DaemonSet:
	sc.logger.Infof("Updating the node selector from %v to %v for %v", objTyped.Spec.Template.Spec.NodeSelector, newNodeSelector, ds.Name)
	objTyped.Spec.Template.Spec.NodeSelector = newNodeSelector
	if _, err := sc.ds.UpdateDaemonSet(objTyped); err != nil {

[c3y1huang]

We should refactor the other parts of the code as well. cc @derekbit
longhorn/longhorn#12316

[c3y1huang]

Suggested change

	SettingNameTaintToleration = SettingName("taint-toleration")
	SettingNameSystemManagedComponentsNodeSelector = SettingName("system-managed-components-node-selector")
	SettingNameCSISidecarComponentTaintToleration = SettingName("csi-sidecar-taint-toleration")
	SettingNameSystemManagedCSISidecarComponentsNodeSelector = SettingName("system-managed-csi-sidecar-components-node-selector")
	SettingNameSystemManagedCSIComponentsResourceLimits = SettingName("system-managed-csi-components-resource-limits")
	SettingNameTaintToleration = SettingName("taint-toleration")
	SettingNameCSISidecarComponentTaintToleration = SettingName("csi-sidecar-taint-toleration")
	SettingNameSystemManagedComponentsNodeSelector = SettingName("system-managed-components-node-selector")
	SettingNameSystemManagedCSISidecarComponentsNodeSelector = SettingName("system-managed-csi-sidecar-components-node-selector")
	SettingNameSystemManagedCSIComponentsResourceLimits = SettingName("system-managed-csi-components-resource-limits")

[c3y1huang]

Suggested change

	SettingNameTaintToleration,
	SettingNameSystemManagedComponentsNodeSelector,
	SettingNameCSISidecarComponentTaintToleration,
	SettingNameSystemManagedCSISidecarComponentsNodeSelector,
	SettingNameSystemManagedCSIComponentsResourceLimits,
	SettingNameTaintToleration,
	SettingNameCSISidecarComponentTaintToleration,
	SettingNameSystemManagedComponentsNodeSelector,
	SettingNameSystemManagedCSISidecarComponentsNodeSelector,
	SettingNameSystemManagedCSIComponentsResourceLimits,

[c3y1huang]

Suggested change

	SettingNameTaintToleration: SettingDefinitionTaintToleration,
	SettingNameSystemManagedComponentsNodeSelector: SettingDefinitionSystemManagedComponentsNodeSelector,
	SettingNameCSISidecarComponentTaintToleration: SettingDefinitionCSISidecarComponentTaintToleration,
	SettingNameSystemManagedCSISidecarComponentsNodeSelector: SettingDefinitionSystemManagedCSISidecarComponentsNodeSelector,
	SettingNameSystemManagedCSIComponentsResourceLimits: SettingDefinitionSystemManagedCSIComponentsResourceLimits,
	SettingNameTaintToleration: SettingDefinitionTaintToleration,
	SettingNameCSISidecarComponentTaintToleration: SettingDefinitionCSISidecarComponentTaintToleration,
	SettingNameSystemManagedComponentsNodeSelector: SettingDefinitionSystemManagedComponentsNodeSelector,
	SettingNameSystemManagedCSISidecarComponentsNodeSelector: SettingDefinitionSystemManagedCSISidecarComponentsNodeSelector,
	SettingNameSystemManagedCSIComponentsResourceLimits: SettingDefinitionSystemManagedCSIComponentsResourceLimits,

[c3y1huang]

Please see the documentation at https://longhorn.io/ for more detailed instructions about changing node selector

This line can probably be removed

[c3y1huang]

Suggested change

	var KubernetesCSISidecarList = map[string]struct{}{
	CSISidecarPortNameAttacher: {},
	CSISidecarPortNameProvisioner: {},
	CSISidecarPortNameResizer: {},
	CSISidecarPortNameSnapshotter: {},
	}
	func IsKubernetesCSISidecar(appName string) bool {
	switch appName {
	case CSISidecarPortNameAttacher,
	CSISidecarPortNameProvisioner,
	CSISidecarPortNameResizer,
	CSISidecarPortNameSnapshotter:
	return true
	default:
	return false
	}
	}

[c3y1huang]

Is there a reason Longhorn needs to handle other object types like Pods or DaemonSets? The CSI sidecar components seem to be deployed only as DaemonSets.

[semenas]

It looks like Pods and DaemonSets could be removed. These CSI sidecars handled as a Deployment.

[derekbit]

@semenas Could you consolidate the commits in the PR and address @c3y1huang's comments? Thanks.

[derekbit]

Hello @semenas
Could you consolidate the commits? For example, remove the revert and related commits. Thanks.

[semenas]

Hello @semenas Could you consolidate the commits? For example, remove the revert and related commits. Thanks.

@derekbit Should I rebase all commits from the very beginning?

[derekbit]

Hello @semenas Could you consolidate the commits? For example, remove the revert and related commits. Thanks.

@derekbit Should I rebase all commits from the very beginning?

Yes.

[semenas]

Hello @semenas Could you consolidate the commits? For example, remove the revert and related commits. Thanks.

@derekbit Should I rebase all commits from the very beginning?

Yes.

@derekbit Could you please check whether it's okay?

[derekbit]

Some questions need to be clarified.

[derekbit]

Since the taint toleration only applies to CSI sidecar components, requiring all volumes to be detached does not seem necessary. WDYT? @c3y1huang @PhanLe1010 @shuo-wu

[shuo-wu]

Agree. There is no need to guarantee the detachment of all volumes

[derekbit]

@semenas CSINodeDriverRegistrar

[derekbit]

Similar question as above.

[derekbit]

Should update the description

Description: "This setting configures the node selector **only for system managed Kubernetes CSI sidecar components** (e.g., csi-attacher, csi-provisioner, csi-resizer, csi-snapshotter). " +
    "It is used to restrict these CSI sidecar components to run on a specific set of nodes. " +
    "Longhorn system contains user deployed components (e.g., Longhorn manager, Longhorn driver, Longhorn UI) and system managed components (e.g., instance manager, engine image, CSI driver, etc.). " +
    "You must follow the order below when configuring node selectors:\n\n" +
    "1. Configure node selectors for user deployed components via the Helm chart or deployment YAML, depending on how Longhorn was deployed.\n\n" +
    "2. Configure node selectors for system managed Kubernetes CSI sidecar components using this setting.\n\n" +
    "Multiple label key-value pairs can be specified and separated by semicolons. For example:\n\n" +
    "* `label-key1=label-value1; label-key2=label-value2`\n\n",

cc @c3y1huang

[derekbit]

The description is not correct. Should be

Description: "This setting configures taint tolerations **only for system managed Kubernetes CSI sidecar components** (e.g., csi-attacher, csi-provisioner, csi-resizer, csi-snapshotter). " +
    "It is intended for environments where nodes are dedicated for Longhorn storage by applying taints. " +
    "Multiple tolerations can be specified and separated by semicolons. For example:\n\n" +
    "* `key1=value1:NoSchedule; key2:NoExecute:` this toleration tolerates everything because an empty key with operator `Exists` matches all keys, values, and effects.\n\n" +
    "* `key1=value1:` this toleration has an empty effect and matches all effects with key `key1`.\n\n" +
    "Because `kubernetes.io` is used as the key for Kubernetes default tolerations, it should not be used in the toleration settings.\n\n",

Correct?

cc @c3y1huang

[semenas]

@derekbit The naming convention for the settings is a little different. Should we make some changes?

csi-sidecar-taint-toleration
system-managed-csi-sidecar-components-node-selector

system-managed-csi-components-resource-limits

[derekbit]

@derekbit The naming convention for the settings is a little different. Should we make some changes?

csi-sidecar-taint-toleration system-managed-csi-sidecar-components-node-selector

system-managed-csi-components-resource-limits

I thought the question before. csi-sidecar-taint-toleration might be fine because we have another setting taint-toleration.

[semenas]

@derekbit The naming convention for the settings is a little different. Should we make some changes?
csi-sidecar-taint-toleration system-managed-csi-sidecar-components-node-selector
system-managed-csi-components-resource-limits

I thought the question before. csi-sidecar-taint-toleration might be fine because we have another setting taint-toleration.

Mostly about these settings:

system-managed-csi-sidecar-components-node-selector

system-managed-csi-components-resource-limits (It's from the another pr in the master branch)

[shuo-wu]

I am OK with this backend implementation in general.
But for the UI, I have a suggestion: Would we add special buttons like Apply the same value of setting "Kubernetes Taint Toleration" for the new settings?

[shuo-wu]

As mentioned by Derek, CSI components restart won't affect the existing running volumes, hence there is no need to put these 2 settings in the danger zone.

[semenas]

@derekbit I can remove these settings from the danger zone. WDYT?

[derekbit]

Sure.

[semenas]

@derekbit I've removed settings from the danger zone and made some fixes around descriptions and so on.

[mergify]

This pull request is now in conflict. Could you fix it @semenas? 🙏