feat: suport native nodeSelector

[j-zimnowoda]

📌 Summary

Do not rely on Kyverno mutating web hook to set nodeSelector

🔍 Reviewer Notes

🧹 Checklist

• Code is readable, maintainable, and robust.
• Unit tests added/updated

[Copilot]

Pull request overview

This PR aims to make platform workload scheduling honor otomi.nodeSelector directly via chart values/templates, removing reliance on a Kyverno mutating admission policy to inject nodeSelectors.

Changes:

• Add nodeSelector wiring (based on .Values.otomi.nodeSelector) to many app values templates.
• Remove the Kyverno ClusterPolicy that mutated Pods to apply the platform nodeSelector.
• Set a default otomi.nodeSelector (linux) and update the dyff tooling/workflow to better track rendered changes.

Reviewed changes

Copilot reviewed 41 out of 42 changed files in this pull request and generated 1 comment.

Show a summary per file

File	Description
values/trivy-operator/trivy-operator.gotmpl	Adds platform nodeSelector to Trivy Operator values.
values/tekton-pipelines/tekton-pipelines.gotmpl	Adds nodeSelector for Tekton Pipelines controller/remoteresolver/webhook.
values/sealed-secrets/sealed-secrets.gotmpl	Adds platform nodeSelector to Sealed Secrets values.
values/rabbitmq/rabbitmq.gotmpl	Adds nodeSelector to RabbitMQ operators.
values/promtail/promtail.gotmpl	Adds platform nodeSelector to Promtail values.
values/prometheus-operator/prometheus-operator.gotmpl	Adds nodeSelector to kube-prometheus-stack components (operator/prometheus/alertmanager/grafana/etc.).
values/prometheus-msteams/prometheus-msteams.gotmpl	Adds platform nodeSelector to prometheus-msteams.
values/prometheus-blackbox-exporter/prometheus-blackbox-exporter.gotmpl	Adds platform nodeSelector to blackbox exporter.
values/policy-reporter/policy-reporter.gotmpl	Adds platform nodeSelector to policy-reporter.
values/otomi-operator/otomi-operator.gotmpl	Adds platform nodeSelector to Otomi Operator.
values/otomi-console/otomi-console.gotmpl	Adds platform nodeSelector to Otomi Console.
values/otomi-api/otomi-api.gotmpl	Adds platform nodeSelector to Otomi API.
values/otel-operator/otel-operator.gotmpl	Adds platform nodeSelector to otel-operator.
values/oauth2-proxy/oauth2-proxy.gotmpl	Adds platform nodeSelector to oauth2-proxy.
values/metrics-server/metrics-server.gotmpl	Adds platform nodeSelector to metrics-server.
values/loki/loki.gotmpl	Adds nodeSelector across Loki distributed/single-binary components.
values/linode-cfw/linode-cfw.gotmpl	Adds platform nodeSelector to linode-cfw.
values/kyverno/kyverno.gotmpl	Adds nodeSelector for Kyverno controllers.
values/kyverno/kyverno-raw.gotmpl	Removes Kyverno mutation policy that injected nodeSelector; retains ORCS validation policy logic.
values/kserve/kserve.gotmpl	Adds controller nodeSelector for KServe.
values/keycloak/keycloak.gotmpl	Adds platform nodeSelector to Keycloak values.
values/istiod/istiod.gotmpl	Adds platform nodeSelector to Istiod values.
values/istio-gateway/istio-ingressgateway.yaml.gotmpl	Adds platform nodeSelector to Istio ingress gateway values.
values/istio-gateway/istio-egressgateway.yaml.gotmpl	Adds platform nodeSelector to Istio egress gateway values.
values/ingress-nginx/ingress-nginx.gotmpl	Adds nodeSelector to ingress-nginx controller/defaultBackend and webhook patch job.
values/harbor/harbor.gotmpl	Adds nodeSelector across Harbor components.
values/gitea/gitea.gotmpl	Adds platform nodeSelector to Gitea values.
values/gitea/gitea-valkey.gotmpl	Adds nodeSelector for Valkey primary/replica.
values/external-dns/external-dns.gotmpl	Adds platform nodeSelector to external-dns.
values/cloudnative-pg/cloudnative-pg.gotmpl	Adds platform nodeSelector to CloudNativePG.
values/cloudnative-pg-plugin-barman-cloud/cloudnative-pg-plugin-barman-cloud.gotmpl	Adds platform nodeSelector to the Barman plugin.
values/cert-manager/cert-manager.gotmpl	Adds platform nodeSelector to cert-manager values.
values/cert-manager-webhook-linode/cert-manager-webhook-linode.gotmpl	Adds platform nodeSelector to cert-manager webhook linode values.
values/argocd/argocd.gotmpl	Switches Argo CD global nodeSelector rendering to always emit from otomi.nodeSelector.
values/argocd-image-updater/argocd-image-updater.gotmpl	Adds platform nodeSelector to argocd-image-updater.
values/apl-operator/apl-operator.gotmpl	Adds platform nodeSelector to apl-operator.
values/apl-keycloak-operator/apl-keycloak-operator.gotmpl	Adds platform nodeSelector to apl-keycloak-operator.
values/apl-harbor-operator/apl-harbor-operator.gotmpl	Adds platform nodeSelector to apl-harbor-operator.
values/apl-gitea-operator/apl-gitea-operator.gotmpl	Adds platform nodeSelector to apl-gitea-operator.
helmfile.d/snippets/defaults.yaml	Changes default otomi.nodeSelector from {} to kubernetes.io/os: linux.
bin/dyff.sh	Improves parsing/printing of diff -q -r results and adds helper functions for relative paths.
.github/workflows/svcaplbot-run-dyff.yml	Expands workflow path triggers to include dyff/compare scripts and adjusts a comment formatting.

[Copilot]

This file removes the Kyverno mutate policy that previously enforced .Values.otomi.nodeSelector across many namespaces. Some deployed components still don't expose a configurable nodeSelector via values (e.g., charts/tekton-triggers has no nodeSelector support in its templates/values), so the platform-level nodeSelector will no longer be applied there after this change. Consider either adding nodeSelector support to those charts/templates or keeping a targeted Kyverno mutation for the remaining workloads so behavior doesn't regress for users relying on nodeSelector placement.