[node-labeler] Refactor node labeling to use taints instead of labels

[iQQBot]

Description

[node-labeler] Refactor node labeling to use taints instead of labels

Note: It's not a long-term taint, so we don't need to worry too much about interfering with the scheduling of other daemonsets, and I've checked our daemonsets at GCP and AWS, and the vast majority of them tolerate the NoSchedule taint

Related Issue(s)

Fixes CLC-1032

How to test

The best testing method is to use a cell or a ephemeral workspace cluster.

1. deploy this node-labeler image to cell or ephemeral workspace cluster
2. try deleting the ws-daemonset / registry-facade pod to see how it affects the corresponding node's taint
3. observe how the newly added workspace node handles these taint (We also need other PRs to make ASG create the node with this taint)

I ran loadgen in my testing cell, it works without problem.

Documentation

Preview status

Gitpod was successfully deployed to your preview environment.

• 🏷️ Name - pd-clc-1032
• 🔗 URL - pd-clc-1032.preview.gitpod-dev.com/workspaces.
• 📚 Documentation - See our internal documentation for information on how to interact with your preview environment.
• 📦 Version - pd-CLC-1032-gha.31746
• 🗒️ Logs - GCP Logs Explorer

Build Options

Build

• /werft with-werft
  Run the build with werft instead of GHA
• leeway-no-cache
• /werft no-test
  Run Leeway with --dont-test

Publish

• /werft publish-to-npm
• /werft publish-to-jb-marketplace

Installer

• analytics=segment
• with-dedicated-emulation
• workspace-feature-flags
  Add desired feature flags to the end of the line above, space separated

Preview Environment / Integration Tests

• /werft with-local-preview
  If enabled this will build install/preview
• /werft with-preview
• /werft with-large-vm
• /werft with-gce-vm
  If enabled this will create the environment on GCE infra
• /werft preemptible
  Saves cost. Untick this only if you're really sure you need a non-preemtible machine.
• with-integration-tests=all
  Valid options are all, workspace, webapp, ide, jetbrains, vscode, ssh. If enabled, with-preview and with-large-vm will be enabled.
• with-monitoring

/hold

[iQQBot]

The ideal should be achieved under ASG, so that when a node is newly created, it will have the corresponding taint.
However, this may require upgrading infra CF. Therefore, the approach here is a supplement; we will perform a check as soon as the workspace node is created and add the corresponding label and taint.

[kylos101]

and the vast majority of them tolerate the NoSchedule taint

What does not support the NoSchedule taint?

[iQQBot]

for daemon set it will keep waiting until taint remove

[kylos101]

Adding ✔️ to unblock.

Please see this question: #20652 (comment)

Depending on which workloads are impacted (metrics, logs), we should consider a follow-on PR for prereqs.

[iQQBot]

Depending on which workloads are impacted (metrics, logs), we should consider a follow-on PR for prereqs.

All of the things you mentioned are tolerated, only some of the customized optional addons are not.

[iQQBot]

/unhold