diff --git a/.gitea/workflows/deploy.yml b/.gitea/workflows/deploy.yml
index fdf8cba..f7a4450 100644
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -214,11 +214,12 @@ jobs:
           kubectl apply -f clusters/prod/flux-system/gitrepository-platform.yaml
           kubectl apply -f clusters/prod/flux-system/kustomization-infrastructure.yaml
           kubectl apply -f clusters/prod/flux-system/kustomization-apps.yaml
-          # Patch Flux controllers to run on cp-1 only
-          kubectl -n flux-system patch deployment source-controller --type='merge' -p='{"spec":{"template":{"spec":{"nodeSelector":{"kubernetes.io/hostname":"k8s-cluster-cp-1"}}}}}'
-          kubectl -n flux-system patch deployment kustomize-controller --type='merge' -p='{"spec":{"template":{"spec":{"nodeSelector":{"kubernetes.io/hostname":"k8s-cluster-cp-1"}}}}}'
-          kubectl -n flux-system patch deployment helm-controller --type='merge' -p='{"spec":{"template":{"spec":{"nodeSelector":{"kubernetes.io/hostname":"k8s-cluster-cp-1"}}}}}'
-          kubectl -n flux-system patch deployment notification-controller --type='merge' -p='{"spec":{"template":{"spec":{"nodeSelector":{"kubernetes.io/hostname":"k8s-cluster-cp-1"}}}}}'
+          # Patch Flux controllers to run on cp-1 and tolerate the control-plane taint
+          PATCH='{"spec":{"template":{"spec":{"nodeSelector":{"kubernetes.io/hostname":"k8s-cluster-cp-1"},"tolerations":[{"key":"node-role.kubernetes.io/control-plane","operator":"Exists","effect":"NoSchedule"}]}}}}'
+          kubectl -n flux-system patch deployment source-controller --type='merge' -p="$PATCH"
+          kubectl -n flux-system patch deployment kustomize-controller --type='merge' -p="$PATCH"
+          kubectl -n flux-system patch deployment helm-controller --type='merge' -p="$PATCH"
+          kubectl -n flux-system patch deployment notification-controller --type='merge' -p="$PATCH"
           kubectl -n flux-system rollout status deployment/source-controller --timeout=180s
           kubectl -n flux-system rollout status deployment/kustomize-controller --timeout=180s
           kubectl -n flux-system rollout status deployment/helm-controller --timeout=180s
diff --git a/clusters/prod/flux-system/gotk-controller-cp1-patches.yaml b/clusters/prod/flux-system/gotk-controller-cp1-patches.yaml
index e20eef5..c32851e 100644
--- a/clusters/prod/flux-system/gotk-controller-cp1-patches.yaml
+++ b/clusters/prod/flux-system/gotk-controller-cp1-patches.yaml
@@ -8,6 +8,10 @@ spec:
     spec:
       nodeSelector:
         kubernetes.io/hostname: k8s-cluster-cp-1
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -19,6 +23,10 @@ spec:
     spec:
       nodeSelector:
         kubernetes.io/hostname: k8s-cluster-cp-1
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -30,6 +38,10 @@ spec:
     spec:
       nodeSelector:
         kubernetes.io/hostname: k8s-cluster-cp-1
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -41,3 +53,7 @@ spec:
     spec:
       nodeSelector:
         kubernetes.io/hostname: k8s-cluster-cp-1
+      tolerations:
+        - key: node-role.kubernetes.io/control-plane
+          operator: Exists
+          effect: NoSchedule