install: Update node label prefix

For Kubernetes version greater than or equal to 1.16, node label keys
in the 'kubernetes.io' or 'k8s.io' namespace must begin with an allowed
prefix (kubelet.kubernetes.io, node.kubernetes.io).
Update node label from node-role.kubernetes.io to node.kubernetes.io

Fixes: confidential-containers#194
Signed-off-by: Kartik Joshi <kartikjoshi@microsoft.com>

.github/workflows/e2e.yaml

@@ -41,7 +41,7 @@ jobs:
       - name: Setup kind cluster
         run: |
           kind create cluster --image "kindest/node:v1.26.0-coco" -n coco-sgx --config tests/e2e/enclave-cc-kind-config.yaml --wait 120s
-          kubectl label node coco-sgx-worker node-role.kubernetes.io/worker=
+          kubectl label node coco-sgx-worker node.kubernetes.io/worker=
 
       - name: Deploy operator from the local registry
         run: |

.github/workflows/enclave-cc-cicd.yaml

@@ -40,7 +40,7 @@ jobs:
       - name: Setup kind cluster
         run: |
           kind create cluster --image "kindest/node:v1.26.0-coco" -n coco-sgx --config tests/e2e/enclave-cc-kind-config.yaml --wait 120s
-          kubectl label node coco-sgx-worker node-role.kubernetes.io/worker=
+          kubectl label node coco-sgx-worker node.kubernetes.io/worker=
 
       - name: Deploy operator from the local registry
         run: |

bundle/manifests/cc-operator.clusterserviceversion.yaml

@@ -14,7 +14,7 @@ metadata:
           "spec": {
             "ccNodeSelector": {
               "matchLabels": {
-                "node-role.kubernetes.io/worker": ""
+                "node.kubernetes.io/worker": ""
               }
             },
             "config": {

config/samples/ccruntime/base/ccruntime.yaml

@@ -7,7 +7,7 @@ spec:
   runtimeName: kata
   ccNodeSelector:
     matchLabels:
-      node-role.kubernetes.io/worker: ""
+      node.kubernetes.io/worker: ""
   config:
     installType: bundle
     payloadImage: quay.io/confidential-containers/runtime-payload:kata-containers

config/samples/enclave-cc/base/ccruntime-enclave-cc.yaml

@@ -6,7 +6,7 @@ spec:
   runtimeName: enclave-cc
   ccNodeSelector:
     matchLabels:
-      node-role.kubernetes.io/worker: ""
+      node.kubernetes.io/worker: ""
   config:
     installType: bundle
     payloadImage: quay.io/confidential-containers/runtime-payload:enclave-cc-HW-cc-kbc-v0.6.1

controllers/ccruntime_controller.go

@@ -347,7 +347,7 @@ func (r *CcRuntimeReconciler) processCcRuntimeInstallRequest() (ctrl.Result, err
 
 	if r.ccRuntime.Spec.CcNodeSelector == nil {
 		r.ccRuntime.Spec.CcNodeSelector = &metav1.LabelSelector{
-			MatchLabels: map[string]string{"node-role.kubernetes.io/worker": ""},
+			MatchLabels: map[string]string{"node.kubernetes.io/worker": ""},
 		}
 	}
 
@@ -535,7 +535,7 @@ func (r *CcRuntimeReconciler) getAllNodes() (*corev1.NodeList, ctrl.Result, erro
 
 	if r.ccRuntime.Spec.CcNodeSelector == nil {
 		r.ccRuntime.Spec.CcNodeSelector = &metav1.LabelSelector{
-			MatchLabels: map[string]string{"node-role.kubernetes.io/worker": ""},
+			MatchLabels: map[string]string{"node.kubernetes.io/worker": ""},
 		}
 	}
 
@@ -629,7 +629,7 @@ func (r *CcRuntimeReconciler) processDaemonset(operation DaemonOperation) *appsv
 		nodeSelector = r.ccRuntime.Spec.Config.UninstallDoneLabel
 	} else {
 		nodeSelector = map[string]string{
-			"node-role.kubernetes.io/worker": "",
+			"node.kubernetes.io/worker": "",
 		}
 	}
 
@@ -839,7 +839,7 @@ func (r *CcRuntimeReconciler) makeHookDaemonset(operation DaemonOperation) *apps
 		nodeSelector = r.ccRuntime.Spec.CcNodeSelector.MatchLabels
 	} else {
 		nodeSelector = map[string]string{
-			"node-role.kubernetes.io/worker": "",
+			"node.kubernetes.io/worker": "",
 		}
 	}
 

docs/INSTALL.md

@@ -5,9 +5,9 @@
 - Only containerd runtime based Kubernetes clusters are supported with the current Confidential Containers (CoCo) release
 - The minimum Kubernetes version should be 1.24.
 - Ensure KUBECONFIG points to the target Kubernetes cluster.
-- Ensure at least one Kubernetes node in the cluster is having the label `node-role.kubernetes.io/worker=`
+- Ensure at least one Kubernetes node in the cluster is having the label `node.kubernetes.io/worker=`
   ```
-  kubectl label node $NODENAME node-role.kubernetes.io/worker=
+  kubectl label node $NODENAME node.kubernetes.io/worker=
   ```
 
 ## Deploy the Operator

tests/e2e/cluster/up.sh

@@ -58,7 +58,7 @@ main() {
 	# Untaint the node so that pods can be scheduled on it.
 	for role in master control-plane; do
 		kubectl taint nodes "$(hostname)" \
-			"node-role.kubernetes.io/$role:NoSchedule-"
+			"node.kubernetes.io/$role:NoSchedule-"
 	done
 }
 

tests/e2e/operator.sh

@@ -48,7 +48,7 @@ install_operator() {
 	start_local_registry
 
 	# The node should be 'worker' labeled
-	local label="node-role.kubernetes.io/worker"
+	local label="node.kubernetes.io/worker"
 	if ! kubectl get node "$(hostname)" -o jsonpath='{.metadata.labels}' \
 		| grep -q "$label"; then
 		kubectl label node "$(hostname)" "$label="