Expose resources for sync, inject and snapshot.

hashicorp · Jun 1, 2020 · f0ce5e1 · f0ce5e1
1 parent e7aac63
commit f0ce5e1
Show file tree

Hide file tree

Showing 8 changed files with 140 additions and 12 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,19 @@
 ## Unreleased
 
+FEATURES:
+
+* Resources are now set on all containers. This enables the chart to be deployed
+  in clusters that have resource quotas set. This also ensures that Consul
+  server and client pods won't be evicted by Kubernetes when nodes reach their
+  resource limits.
+
+  Resource settings have been made configurable for sync catalog, connect inject
+  and client snapshot deployments.
+
+  The defaults settings were chosen based on a cluster with a small workload.
+  For production, we recommend monitoring resource usage and modifying the
+  defaults according to your usage.
+
 BREAKING CHANGES:
 
 * Mesh Gateway: `meshGateway.enableHealthChecks` is no longer supported. This config

diff --git a/templates/client-snapshot-agent-deployment.yaml b/templates/client-snapshot-agent-deployment.yaml
@@ -127,13 +127,15 @@ spec:
               readOnly: true
             {{- end }}
           {{- end }}
+          {{- with .Values.client.snapshotAgent.resources }}
           resources:
             requests:
-              memory: "50Mi"
-              cpu: "50m"
+              memory: {{ .requests.memory | quote }}
+              cpu: {{ .requests.cpu | quote }}
             limits:
-              memory: "50Mi"
-              cpu: "50m"
+              memory: {{ .limits.memory | quote }}
+              cpu: {{ .limits.cpu | quote }}
+          {{- end }}
       {{- if (or (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt)) }}
       initContainers:
       {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}

diff --git a/templates/connect-inject-deployment.yaml b/templates/connect-inject-deployment.yaml
@@ -161,13 +161,15 @@ spec:
               readOnly: true
             {{- end }}
           {{- end }}
+          {{- with .Values.connectInject.resources }}
           resources:
             requests:
-              memory: "50Mi"
-              cpu: "50m"
+              memory: {{ .requests.memory | quote }}
+              cpu: {{ .requests.cpu | quote }}
             limits:
-              memory: "50Mi"
-              cpu: "50m"
+              memory: {{ .limits.memory | quote }}
+              cpu: {{ .limits.cpu | quote }}
+          {{- end }}
       {{- if (or .Values.connectInject.certs.secretName .Values.global.tls.enabled) }}
       volumes:
         {{- if .Values.connectInject.certs.secretName }}

diff --git a/templates/sync-catalog-deployment.yaml b/templates/sync-catalog-deployment.yaml
@@ -176,13 +176,15 @@ spec:
             periodSeconds: 5
             successThreshold: 1
             timeoutSeconds: 5
+          {{- with .Values.syncCatalog.resources }}
           resources:
             requests:
-              memory: "50Mi"
-              cpu: "50m"
+              memory: {{ .requests.memory | quote }}
+              cpu: {{ .requests.cpu | quote }}
             limits:
-              memory: "50Mi"
-              cpu: "50m"
+              memory: {{ .limits.memory | quote }}
+              cpu: {{ .limits.cpu | quote }}
+          {{- end }}
       {{- if or (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
       initContainers:
       {{- if (or .Values.global.acls.manageSystemACLs .Values.global.bootstrapACLs) }}

diff --git a/test/unit/client-snapshot-agent-deployment.bats b/test/unit/client-snapshot-agent-deployment.bats
@@ -335,3 +335,30 @@ load _helpers
       yq '.spec.template.spec.volumes[] | select(.name == "consul-ca-cert")' | tee /dev/stderr)
   [ "${actual}" = "" ]
 }
+
+#--------------------------------------------------------------------
+# resources
+
+@test "client/SnapshotAgentDeployment: default resources" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/client-snapshot-agent-deployment.yaml  \
+      --set 'client.snapshotAgent.enabled=true' \
+      . | tee /dev/stderr |
+      yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
+  [ "${actual}" = '{"requests":{"memory":"50Mi","cpu":"50m"},"limits":{"memory":"50Mi","cpu":"50m"}}' ]
+}
+
+@test "client/SnapshotAgentDeployment: can set resources" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/client-snapshot-agent-deployment.yaml  \
+      --set 'client.snapshotAgent.enabled=true' \
+      --set 'client.snapshotAgent.resources.requests.memory=100Mi' \
+      --set 'client.snapshotAgent.resources.requests.cpu=100m' \
+      --set 'client.snapshotAgent.resources.limits.memory=200Mi' \
+      --set 'client.snapshotAgent.resources.limits.cpu=200m' \
+      . | tee /dev/stderr |
+      yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
+  [ "${actual}" = '{"requests":{"memory":"100Mi","cpu":"100m"},"limits":{"memory":"200Mi","cpu":"200m"}}' ]
+}
diff --git a/test/unit/connect-inject-deployment.bats b/test/unit/connect-inject-deployment.bats
@@ -849,3 +849,30 @@ load _helpers
       yq '[.spec.template.spec.containers[0].env[].name] | any(contains("HOST_IP"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# resources
+
+@test "connectInject/Deployment: default resources" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.enabled=true' \
+      . | tee /dev/stderr |
+      yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
+  [ "${actual}" = '{"requests":{"memory":"50Mi","cpu":"50m"},"limits":{"memory":"50Mi","cpu":"50m"}}' ]
+}
+
+@test "connectInject/Deployment: can set resources" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/connect-inject-deployment.yaml  \
+      --set 'connectInject.enabled=true' \
+      --set 'connectInject.resources.requests.memory=100Mi' \
+      --set 'connectInject.resources.requests.cpu=100m' \
+      --set 'connectInject.resources.limits.memory=200Mi' \
+      --set 'connectInject.resources.limits.cpu=200m' \
+      . | tee /dev/stderr |
+      yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
+  [ "${actual}" = '{"requests":{"memory":"100Mi","cpu":"100m"},"limits":{"memory":"200Mi","cpu":"200m"}}' ]
+}
diff --git a/test/unit/sync-catalog-deployment.bats b/test/unit/sync-catalog-deployment.bats
@@ -692,3 +692,30 @@ load _helpers
       yq '.spec.template.spec.containers[0].command | any(contains("-consul-cross-namespace-acl-policy"))' | tee /dev/stderr)
   [ "${actual}" = "true" ]
 }
+
+#--------------------------------------------------------------------
+# resources
+
+@test "syncCatalog/Deployment: default resources" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-catalog-deployment.yaml  \
+      --set 'syncCatalog.enabled=true' \
+      . | tee /dev/stderr |
+      yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
+  [ "${actual}" = '{"requests":{"memory":"50Mi","cpu":"50m"},"limits":{"memory":"50Mi","cpu":"50m"}}' ]
+}
+
+@test "syncCatalog/Deployment: can set resources" {
+  cd `chart_dir`
+  local actual=$(helm template \
+      -x templates/sync-catalog-deployment.yaml  \
+      --set 'syncCatalog.enabled=true' \
+      --set 'syncCatalog.resources.requests.memory=100Mi' \
+      --set 'syncCatalog.resources.requests.cpu=100m' \
+      --set 'syncCatalog.resources.limits.memory=200Mi' \
+      --set 'syncCatalog.resources.limits.cpu=200m' \
+      . | tee /dev/stderr |
+      yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
+  [ "${actual}" = '{"requests":{"memory":"100Mi","cpu":"100m"},"limits":{"memory":"200Mi","cpu":"200m"}}' ]
+}
diff --git a/values.yaml b/values.yaml
@@ -516,6 +516,15 @@ client:
       secretName: null
       secretKey: null
 
+    # Resource settings for snapshot agent pods.
+    resources:
+      requests:
+        memory: "50Mi"
+        cpu: "50m"
+      limits:
+        memory: "50Mi"
+        cpu: "50m"
+
 # Configuration for DNS configuration within the Kubernetes cluster.
 # This creates a service that routes to all agents (client or server)
 # for serving DNS requests. This DOES NOT automatically configure kube-dns
@@ -693,6 +702,15 @@ syncCatalog:
   #   beta.kubernetes.io/arch: amd64
   nodeSelector: null
 
+  # Resource settings for sync catalog pods.
+  resources:
+    requests:
+      memory: "50Mi"
+      cpu: "50m"
+    limits:
+      memory: "50Mi"
+      cpu: "50m"
+
   # Log verbosity level. One of "trace", "debug", "info", "warn", or "error".
   logLevel: info
 
@@ -712,6 +730,15 @@ connectInject:
   # Defaults to global.image.
   imageConsul: null
 
+  # Resource settings for connect inject pods.
+  resources:
+    requests:
+      memory: "50Mi"
+      cpu: "50m"
+    limits:
+      memory: "50Mi"
+      cpu: "50m"
+
   # The Docker image for envoy to use as the proxy sidecar when performing
   # Connect injection. If using Consul 1.7+, the envoy version must be 1.13+.
   # If not set, the image used depends on the consul-k8s version. For