deckhouse
diff --git a/‎.golangci.yaml‎
Lines changed: 3 additions & 0 deletions b/‎.golangci.yaml‎
Lines changed: 3 additions & 0 deletions
diff --git a/‎api/v1alpha1/nfs_storage_class.go‎
Lines changed: 11 additions & 5 deletions b/‎api/v1alpha1/nfs_storage_class.go‎
Lines changed: 11 additions & 5 deletions
diff --git a/‎crds/doc-ru-nfsstorageclass.yaml‎
Lines changed: 10 additions & 0 deletions b/‎crds/doc-ru-nfsstorageclass.yaml‎
Lines changed: 10 additions & 0 deletions
diff --git a/‎crds/nfsstorageclass.yaml‎
Lines changed: 37 additions & 0 deletions b/‎crds/nfsstorageclass.yaml‎
Lines changed: 37 additions & 0 deletions
diff --git a/‎hooks/generate_scheduler_extender_certs.py‎
Lines changed: 44 additions & 0 deletions b/‎hooks/generate_scheduler_extender_certs.py‎
Lines changed: 44 additions & 0 deletions
diff --git a/‎hooks/scheduler_extender_enabler.py‎
Lines changed: 72 additions & 0 deletions b/‎hooks/scheduler_extender_enabler.py‎
Lines changed: 72 additions & 0 deletions
diff --git a/‎images/controller/src/cmd/main.go‎
Lines changed: 9 additions & 4 deletions b/‎images/controller/src/cmd/main.go‎
Lines changed: 9 additions & 4 deletions
diff --git a/‎images/controller/src/go.mod‎
Lines changed: 11 additions & 9 deletions b/‎images/controller/src/go.mod‎
Lines changed: 11 additions & 9 deletions
@@ -13,6 +13,9 @@ linters-settings:
     sections:
       - standard
       - default
+      - prefix(d8-controller)
+      - prefix(csi-nfs-scheduler-extender)
+      - prefix(webhooks)
 
 linters:
   disable-all: true
 
@@ -39,11 +39,12 @@ type NFSStorageClassList struct {
 
 // +k8s:deepcopy-gen=true
 type NFSStorageClassSpec struct {
-	Connection        *NFSStorageClassConnection   `json:"connection,omitempty"`
-	MountOptions      *NFSStorageClassMountOptions `json:"mountOptions,omitempty"`
-	ChmodPermissions  string                       `json:"chmodPermissions,omitempty"`
-	ReclaimPolicy     string                       `json:"reclaimPolicy"`
-	VolumeBindingMode string                       `json:"volumeBindingMode"`
+	Connection        *NFSStorageClassConnection    `json:"connection,omitempty"`
+	MountOptions      *NFSStorageClassMountOptions  `json:"mountOptions,omitempty"`
+	ChmodPermissions  string                        `json:"chmodPermissions,omitempty"`
+	ReclaimPolicy     string                        `json:"reclaimPolicy"`
+	VolumeBindingMode string                        `json:"volumeBindingMode"`
+	WorkloadNodes     *NFSStorageClassWorkloadNodes `json:"workloadNodes,omitempty"`
 }
 
 // +k8s:deepcopy-gen=true
@@ -61,6 +62,11 @@ type NFSStorageClassMountOptions struct {
 	ReadOnly        *bool  `json:"readOnly,omitempty"`
 }
 
+// +k8s:deepcopy-gen=true
+type NFSStorageClassWorkloadNodes struct {
+	NodeSelector *metav1.LabelSelector `json:"nodeSelector"`
+}
+
 // +k8s:deepcopy-gen=true
 type NFSStorageClassStatus struct {
 	Phase  string `json:"phase,omitempty"`
 
@@ -50,6 +50,16 @@ spec:
                 volumeBindingMode:
                   description: |
                     Режим создания тома. Может быть Immediate (запрос при создании PVC) или WaitForFirstConsumer (до появления первого Pod)
+                nodeSelector:
+                  description: |
+                    Селектор узлов для определения правил выбора узлов, на которых Persistent Volumes (PVs), созданные этим StorageClass, могут подключаться. Комбинирует простое сопоставление меток и сложные выражения для фильтрации узлов.
+                  properties:
+                    matchLabels:
+                      description: |
+                        Карта меток, которые должны точно совпадать с метками узла. Узлы, которые не соответствуют хотя бы одной из указанных меток, будут исключены.
+                    matchExpressions:
+                      description: |
+                        Список сложных условий выбора узлов. Каждое условие задаёт ключ, оператор и, при необходимости, значения для фильтрации узлов на основе их меток или других полей.
             status:
               properties:
                 phase:
 
@@ -129,6 +129,43 @@ spec:
                   enum:
                     - Immediate
                     - WaitForFirstConsumer
+                workloadNodes:
+                  type: object
+                  minProperties: 1
+                  properties:
+                    nodeSelector:
+                      type: object
+                      minProperties: 1
+                      description: |
+                        Node selector to specify rules for selecting nodes where Persistent Volumes (PVs) created by this StorageClass are allowed to connect. Combines simple label matches and advanced matching expressions.
+                        If this parameter is omitted, NFS shares can be mounted on any node in the cluster running the `Linux` OS.
+                      properties:
+                        matchLabels:
+                          type: object
+                          description: |
+                            A map of labels that must match exactly with the labels of a node. Nodes that do not match any of the specified labels will be excluded.
+                          additionalProperties:
+                            type: string
+                        matchExpressions:
+                          type: array
+                          description: |
+                            A list of advanced node selector requirements. Each requirement specifies a key, an operator, and optional values for filtering nodes based on their labels or other fields.
+                          items:
+                            type: object
+                            properties:
+                              key:
+                                type: string
+                              operator:
+                                type: string
+                                enum:
+                                  - In
+                                  - NotIn
+                                  - Exists
+                                  - DoesNotExist
+                              values:
+                                type: array
+                                items:
+                                  type: string
             status:
               type: object
               description: |
 
@@ -0,0 +1,44 @@
+#!/usr/bin/env python3
+#
+# Copyright 2023 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+from lib.hooks.internal_tls import GenerateCertificateHook, TlsSecret, default_sans
+from lib.module import values as module_values
+from deckhouse import hook
+from typing import Callable
+import common
+
+def main():
+    hook = GenerateCertificateHook(
+        TlsSecret(
+            cn="csi-nfs-scheduler-extender",
+            name="scheduler-extender-https-certs",
+            sansGenerator=default_sans([
+                "csi-nfs-scheduler-extender",
+                f"csi-nfs-scheduler-extender.{common.NAMESPACE}",
+                f"csi-nfs-scheduler-extender.{common.NAMESPACE}.svc",
+                f"%CLUSTER_DOMAIN%://csi-nfs-scheduler-extender.{common.NAMESPACE}.svc",
+            ]),
+            values_path_prefix=f"{common.MODULE_NAME}.internal.customSchedulerExtenderCert"
+            ),
+        cn="csi-nfs-scheduler-extender",
+        common_ca=True,
+        namespace=common.NAMESPACE)
+
+    hook.run()
+
+if __name__ == "__main__":
+    main()
@@ -0,0 +1,72 @@
+#!/usr/bin/env python3
+#
+# Copyright 2025 Flant JSC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+
+# import yaml
+# from deckhouse import hook
+from deckhouse import hook
+
+from lib.hooks.hook import Hook
+from lib.module import values as module_values
+
+
+config = """
+configVersion: v1
+kubernetes:
+- name: nfs-storage-classes
+  apiVersion: storage.deckhouse.io/v1alpha1
+  kind: NFSStorageClass
+  includeSnapshotsFrom:
+    - nfs-storage-classes
+  executeHookOnEvent: [ "Added", "Modified", "Deleted" ]
+  executeHookOnSynchronization: true
+  keepFullObjectsInMemory: false
+  jqFilter: ".spec.workloadNodes"
+  queue: /modules/csi-nfs
+settings:
+  executionMinInterval: 3s
+  executionBurst: 1
+"""
+
+def main(ctx: hook.Context):
+    print("Scheduler extender enabler hook started")
+    should_enable = False
+    snapshots = ctx.snapshots.get("nfs-storage-classes", [])
+    for snapshot in snapshots:
+        print(f"get snapshot: {snapshot}")
+        filter_result = snapshot.get("filterResult", [])
+        if not filter_result:
+            print(f"filter result is empty")
+            continue
+        print(f"get filter result: {filter_result}")
+        nodeSelector = filter_result.get("nodeSelector", {})
+        print(f"get nodeSelector: {nodeSelector}")
+        if not nodeSelector:
+            print(f"nodeSelector is empty")
+            continue
+        print("NodeSelector is not empty. Should enable scheduler extender")
+        should_enable = True
+        break
+    if should_enable:
+        print("Enable scheduler extender")
+        module_values.set_value(f"csiNfs.internal.shedulerExtenderEnabled", ctx.values, True)
+    else:
+        print("Disable scheduler extender")
+        module_values.set_value(f"csiNfs.internal.shedulerExtenderEnabled", ctx.values, False)
+
+
+if __name__ == "__main__":
+    hook.run(main, config=config)
@@ -22,11 +22,8 @@ import (
 	"os"
 	goruntime "runtime"
 
-	"d8-controller/pkg/config"
-	"d8-controller/pkg/controller"
-	"d8-controller/pkg/kubutils"
-	"d8-controller/pkg/logger"
 	cn "github.com/deckhouse/csi-nfs/api/v1alpha1"
+	snapshotv1 "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumesnapshot/v1"
 	v1 "k8s.io/api/core/v1"
 	sv1 "k8s.io/api/storage/v1"
 	extv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
@@ -36,6 +33,11 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/cache"
 	"sigs.k8s.io/controller-runtime/pkg/healthz"
 	"sigs.k8s.io/controller-runtime/pkg/manager"
+
+	"d8-controller/pkg/config"
+	"d8-controller/pkg/controller"
+	"d8-controller/pkg/kubutils"
+	"d8-controller/pkg/logger"
 )
 
 var (
@@ -45,6 +47,7 @@ var (
 		extv1.AddToScheme,
 		v1.AddToScheme,
 		sv1.AddToScheme,
+		snapshotv1.AddToScheme,
 	}
 )
 
@@ -110,6 +113,8 @@ func main() {
 		os.Exit(1)
 	}
 
+	controller.RunNodeSelectorReconciler(ctx, mgr, *cfgParams, *log)
+
 	if err = mgr.AddHealthzCheck("healthz", healthz.Ping); err != nil {
 		log.Error(err, "[main] unable to mgr.AddHealthzCheck")
 		os.Exit(1)
 
@@ -5,14 +5,16 @@ go 1.23.4
 require (
 	github.com/deckhouse/csi-nfs/api v0.0.0-20250116103144-d23aedd591a3
 	github.com/go-logr/logr v1.4.2
+	github.com/kubernetes-csi/external-snapshotter/client/v8 v8.2.0
 	github.com/onsi/ginkgo/v2 v2.22.2
 	github.com/onsi/gomega v1.36.2
-	k8s.io/api v0.32.0
-	k8s.io/apiextensions-apiserver v0.32.0
-	k8s.io/apimachinery v0.32.0
-	k8s.io/client-go v0.32.0
+	gopkg.in/yaml.v3 v3.0.1
+	k8s.io/api v0.32.1
+	k8s.io/apiextensions-apiserver v0.32.1
+	k8s.io/apimachinery v0.32.1
+	k8s.io/client-go v0.32.1
 	k8s.io/klog/v2 v2.130.1
-	sigs.k8s.io/controller-runtime v0.19.4
+	sigs.k8s.io/controller-runtime v0.20.0
 )
 
 replace github.com/deckhouse/csi-nfs/api => ../../../api
@@ -31,6 +33,7 @@ require (
 	github.com/go-task/slim-sprig/v3 v3.0.0 // indirect
 	github.com/gogo/protobuf v1.3.2 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/btree v1.1.3 // indirect
 	github.com/google/gnostic-models v0.6.9 // indirect
 	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/gofuzz v1.2.0 // indirect
@@ -46,23 +49,22 @@ require (
 	github.com/pkg/errors v0.9.1 // indirect
 	github.com/prometheus/client_golang v1.20.5 // indirect
 	github.com/prometheus/client_model v0.6.1 // indirect
-	github.com/prometheus/common v0.61.0 // indirect
+	github.com/prometheus/common v0.62.0 // indirect
 	github.com/prometheus/procfs v0.15.1 // indirect
 	github.com/spf13/pflag v1.0.5 // indirect
 	github.com/x448/float16 v0.8.4 // indirect
-	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8 // indirect
 	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/oauth2 v0.25.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
 	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/term v0.28.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
 	golang.org/x/time v0.9.0 // indirect
 	golang.org/x/tools v0.29.0 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
-	google.golang.org/protobuf v1.36.2 // indirect
+	google.golang.org/protobuf v1.36.3 // indirect
 	gopkg.in/evanphx/json-patch.v4 v4.12.0 // indirect
 	gopkg.in/inf.v0 v0.9.1 // indirect
-	gopkg.in/yaml.v3 v3.0.1 // indirect
 	k8s.io/kube-openapi v0.0.0-20241212222426-2c72e554b1e7 // indirect
 	k8s.io/utils v0.0.0-20241210054802-24370beab758 // indirect
 	sigs.k8s.io/json v0.0.0-20241014173422-cfa47c3a1cc8 // indirect