mozilla · mikaeld · Mar 27, 2026 · Mar 27, 2026 · Mar 27, 2026
@@ -85,6 +85,7 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 | tasks.cronJobs.default.jobHistory.failed | int | `1` |  |
 | tasks.cronJobs.default.jobHistory.successful | int | `1` |  |
 | tasks.cronJobs.default.schedule | string | `""` |  |
+| tasks.jobs.default.affinity | object | `{}` |  |
 | tasks.jobs.default.argo | object | `{}` |  |
 | tasks.jobs.default.containers.default.args | list | `[]` |  |
 | tasks.jobs.default.containers.default.command | list | `[]` |  |
@@ -97,13 +98,16 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 | tasks.jobs.default.containers.default.security | object | `{}` |  |
 | tasks.jobs.default.containers.default.volumes | list | `[]` |  |
 | tasks.jobs.default.generateName | bool | `false` |  |
+| tasks.jobs.default.nodeSelector | object | `{}` |  |
 | tasks.jobs.default.otel.autoInstrumentation.enabled | bool | `false` |  |
 | tasks.jobs.default.otel.autoInstrumentation.language | string | `""` |  |
 | tasks.jobs.default.otel.containers | list | `[]` |  |
 | tasks.jobs.default.otel.enabled | bool | `true` |  |
 | tasks.jobs.default.security | object | `{}` |  |
 | tasks.jobs.default.serviceAccount | string | `""` |  |
+| tasks.jobs.default.tolerations | list | `[]` |  |
 | tasks.jobs.default.type | string | `"preDeployment"` |  |
+| workloads.default.affinity | object | `{}` |  |
 | workloads.default.autoscaling.enabled | bool | `true` |  |
 | workloads.default.autoscaling.metrics[0].threshold | int | `60` |  |
 | workloads.default.autoscaling.metrics[0].type | string | `"cpu"` |  |
@@ -161,13 +165,15 @@ Next, update your tenant's values. Shared charts are meant to be self-documented
 | workloads.default.labels | object | `{}` |  |
 | workloads.default.nginx.enabled | bool | `true` |  |
 | workloads.default.nginx.image | string | `"us-west1-docker.pkg.dev/moz-fx-platform-artifacts/platform-dockerhub-cache/nginxinc/nginx-unprivileged:1.29"` |  |
+| workloads.default.nodeSelector | object | `{}` |  |
 | workloads.default.otel.autoInstrumentation.enabled | bool | `false` |  |
 | workloads.default.otel.autoInstrumentation.language | string | `""` |  |
 | workloads.default.otel.containers | list | `[]` |  |
 | workloads.default.otel.enabled | bool | `true` |  |
 | workloads.default.security | object | `{}` |  |
 | workloads.default.serviceAccount | string | `""` |  |
 | workloads.default.strategy | string | `"RollingUpdate"` |  |
+| workloads.default.tolerations | list | `[]` |  |
 | workloads.default.type | string | `"deployment"` |  |
 
 ---

@@ -182,6 +182,18 @@ template:
     {{- if $jobConfig.serviceAccount }}
     serviceAccountName: {{ printf "%s%s" $prefix $jobConfig.serviceAccount }}
     {{- end }}
+    {{- if $jobConfig.affinity }}
+    affinity:
+      {{- $jobConfig.affinity | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if $jobConfig.nodeSelector }}
+    nodeSelector:
+      {{- $jobConfig.nodeSelector | toYaml | nindent 6 }}
+    {{- end }}
+    {{- if $jobConfig.tolerations }}
+    tolerations:
+      {{- $jobConfig.tolerations | toYaml | nindent 6 }}
+    {{- end }}
     {{- if gt (keys $volumes | len) 0 }}
     volumes:
       {{- range $volumeName, $volumeConfig := $volumes }}

@@ -425,6 +425,18 @@ spec:
       {{- if $workloadConfig.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ $workloadConfig.terminationGracePeriodSeconds }}
       {{- end }}
+      {{- if $workloadConfig.affinity }}
+      affinity:
+        {{- $workloadConfig.affinity | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if $workloadConfig.nodeSelector }}
+      nodeSelector:
+        {{- $workloadConfig.nodeSelector | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if $workloadConfig.tolerations }}
+      tolerations:
+        {{- $workloadConfig.tolerations | toYaml | nindent 8 }}
+      {{- end }}
       {{- if or $nginxEnabled (gt (keys $volumes | len) 0) }}
       volumes:
         {{- if $nginxEnabled }}

@@ -431,6 +431,18 @@ spec:
       {{- if $workloadConfig.terminationGracePeriodSeconds }}
       terminationGracePeriodSeconds: {{ $workloadConfig.terminationGracePeriodSeconds }}
       {{- end }}
+      {{- if $workloadConfig.affinity }}
+      affinity:
+        {{- $workloadConfig.affinity | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if $workloadConfig.nodeSelector }}
+      nodeSelector:
+        {{- $workloadConfig.nodeSelector | toYaml | nindent 8 }}
+      {{- end }}
+      {{- if $workloadConfig.tolerations }}
+      tolerations:
+        {{- $workloadConfig.tolerations | toYaml | nindent 8 }}
+      {{- end }}
       {{- if or $nginxEnabled (gt (keys $volumes | len) 0) }}
       volumes:
         {{- if $nginxEnabled }}

@@ -340,9 +340,34 @@
             "type": "boolean",
             "default": true
           },
+          "affinity": {
+            "type": "object",
+            "description": "Pod affinity rules (nodeAffinity, podAffinity, podAntiAffinity)"
+          },
           "component": {
             "type": "string"
           },
+          "nodeSelector": {
+            "type": "object",
+            "description": "Node label selectors for pod scheduling",
+            "additionalProperties": {
+              "type": "string"
+            }
+          },
+          "tolerations": {
+            "type": "array",
+            "description": "Pod tolerations for tainted nodes",
+            "items": {
+              "type": "object",
+              "properties": {
+                "key": { "type": "string" },
+                "operator": { "type": "string", "enum": ["Exists", "Equal"] },
+                "value": { "type": "string" },
+                "effect": { "type": "string", "enum": ["NoSchedule", "PreferNoSchedule", "NoExecute"] },
+                "tolerationSeconds": { "type": "integer" }
+              }
+            }
+          },
           "type": {
             "type": "string",
             "enum": ["deployment", "rollout"],
@@ -1234,6 +1259,10 @@
     "job": {
       "type": "object",
       "properties": {
+        "affinity": {
+          "type": "object",
+          "description": "Pod affinity rules (nodeAffinity, podAffinity, podAntiAffinity)"
+        },
         "generateName": {
           "type": "boolean"
         },
@@ -1244,6 +1273,13 @@
           "type": "integer",
           "default": 6
         },
+        "nodeSelector": {
+          "type": "object",
+          "description": "Node label selectors for pod scheduling",
+          "additionalProperties": {
+            "type": "string"
+          }
+        },
         "otel": {
           "$ref": "#/$defs/otel"
         },
@@ -1269,6 +1305,20 @@
         "suspend": {
           "type": "boolean"
         },
+        "tolerations": {
+          "type": "array",
+          "description": "Pod tolerations for tainted nodes",
+          "items": {
+            "type": "object",
+            "properties": {
+              "key": { "type": "string" },
+              "operator": { "type": "string", "enum": ["Exists", "Equal"] },
+              "value": { "type": "string" },
+              "effect": { "type": "string", "enum": ["NoSchedule", "PreferNoSchedule", "NoExecute"] },
+              "tolerationSeconds": { "type": "integer" }
+            }
+          }
+        },
         "ttlSecondsAfterFinished": {
           "type": "integer",
           "minimum": 0

@@ -697,11 +697,25 @@ tasks:
       #   runAsRoot: false
       security: {}
 
+      # Optionally configure pod affinity rules. Accepts the standard
+      # Kubernetes affinity structure. See workloads.default.affinity for
+      # full documentation and examples.
+      affinity: {}
+
+      # Optionally restrict pods to specific nodes using label selectors.
+      # See workloads.default.nodeSelector for full documentation.
+      nodeSelector: {}
+
       # Optionally use a custom service account for the container. The value
       # should match a service account created above in the `serviceAccounts`
       # section.
       serviceAccount: ''
 
+      # Optionally configure tolerations to allow pods to be scheduled on
+      # tainted nodes. See workloads.default.tolerations for full
+      # documentation and examples.
+      tolerations: []
+
       # When Kubernetes creates Job resources, the Job controller will
       # immediately begin executing the job by creating pods. If "suspend" is
       # enabled, the job will be suspended from execution, effectively
@@ -727,6 +741,44 @@ workloads:
     # the config block. Useful for staged rollouts or incident response.
     enabled: true
 
+    # Optionally configure pod affinity rules to control co-location or
+    # anti-affinity of pods. Accepts the standard Kubernetes affinity
+    # structure (nodeAffinity, podAffinity, podAntiAffinity).
+    #
+    # Example:
+    #
+    #   affinity:
+    #     nodeAffinity:
+    #       requiredDuringSchedulingIgnoredDuringExecution:
+    #         nodeSelectorTerms:
+    #           - matchExpressions:
+    #               - key: cloud.google.com/gke-nodepool
+    #                 operator: In
+    #                 values:
+    #                   - my-node-pool
+    affinity: {}
+
+    # Optionally restrict pods to specific nodes using label selectors.
+    #
+    # Example:
+    #
+    #   nodeSelector:
+    #     cloud.google.com/gke-nodepool: my-node-pool
+    nodeSelector: {}
+
+    # Optionally configure tolerations to allow pods to be scheduled on
+    # nodes with matching taints. This is commonly used alongside
+    # nodeSelector to target dedicated node pools.
+    #
+    # Example:
+    #
+    #   tolerations:
+    #     - key: dedicated
+    #       operator: Equal
+    #       value: my-node-pool
+    #       effect: NoSchedule
+    tolerations: []
+
     # The specific unit within an application that performs a distinct function,
     # typically aligned to a microservice or deployable artifact.
     #