Merge pull request #89 from becitsthere/master

Add per component resources requests and limits

Author: becitsthere

charts/core/Chart.yaml

@@ -1,6 +1,6 @@
 name: core
 apiVersion: v1
-version: 1.7.1
+version: 1.7.2
 appVersion: 4.2.0
 description: Helm chart for NeuVector's core services
 home: https://neuvector.com

charts/core/README.md

@@ -82,12 +82,14 @@ Parameter | Description | Default | Notes
 `controller.ingress.host` | Must set this host value if ingress is enabled | `nil` |
 `controller.ingress.path` | Set ingress path |`/` | If set, it might be necessary to set a rewrite rule in annotations.
 `controller.ingress.annotations` | Add annotations to ingress to influence behavior | `ingress.kubernetes.io/protocol: https ingress.kubernetes.io/rewrite-target: /` | see examples in [values.yaml](values.yaml)
+`controller.resources` | Add resources requests and limits to controller deployment | `{}` | see examples in [values.yaml](values.yaml)
 `controller.configmap.enabled` | If true, configure NeuVector using a ConfigMap | `false`
 `controller.configmap.data` | NeuVector configuration in YAML format | `{}`
 `enforcer.enabled` | If true, create enforcer | `true` |
 `enforcer.image.repository` | enforcer image repository | `neuvector/enforcer` |
 `enforcer.priorityClassName` | enforcer priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
 `enforcer.tolerations` | List of node taints to tolerate | `- effect: NoSchedule`<br>`key: node-role.kubernetes.io/master` | other taints can be added after the default
+`enforcer.resources` | Add resources requests and limits to enforcer deployment | `{}` | see examples in [values.yaml](values.yaml)
 `manager.enabled` | If true, create manager | `true` |
 `manager.image.repository` | manager image repository | `neuvector/manager` |
 `manager.priorityClassName` | manager priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
@@ -104,6 +106,7 @@ Parameter | Description | Default | Notes
 `manager.ingress.annotations` | Add annotations to ingress to influence behavior | `{}` | see examples in [values.yaml](values.yaml)
 `manager.ingress.tls` | If true, TLS is enabled for manager ingress service |`false` | If set, the tls-host used is the one set with `manager.ingress.host`.
 `manager.ingress.secretName` | Name of the secret to be used for TLS-encryption | `nil` | Secret must be created separately (Let's encrypt, manually)
+`manager.resources` | Add resources requests and limits to manager deployment | `{}` | see examples in [values.yaml](values.yaml)
 `cve.updater.enabled` | If true, create cve updater | `true` |
 `cve.updater.image.repository` | cve updater image repository | `neuvector/updater` |
 `cve.updater.image.tag` | image tag for cve updater | `latest` |
@@ -114,6 +117,7 @@ Parameter | Description | Default | Notes
 `cve.scanner.priorityClassName` | cve scanner priorityClassName. Must exist prior to helm deployment. Leave empty to disable. | `nil` |
 `cve.scanner.replicas` | external scanner replicas | `3` |
 `cve.scanner.dockerPath` | the remote docker socket if CI/CD integration need scan images before they are pushed to the registry | `nil` |
+`cve.scanner.resources` | Add resources requests and limits to scanner deployment | `{}` | see examples in [values.yaml](values.yaml)
 `docker.path` | docker path | `/var/run/docker.sock` |
 `containerd.enabled` | Set to true, if the container runtime is containerd | `false` |
 `containerd.path` | If containerd is enabled, this local containerd socket path will be used | `/var/run/containerd/containerd.sock` |

charts/core/templates/controller-deployment.yaml

@@ -53,7 +53,11 @@ spec:
           securityContext:
             privileged: true
           resources:
+          {{- if .Values.controller.resources }}
+{{ toYaml .Values.controller.resources | indent 12 }}
+          {{- else }}
 {{ toYaml .Values.resources | indent 12 }}
+          {{- end }}
           readinessProbe:
             exec:
               command:

charts/core/templates/enforcer-daemonset.yaml

@@ -44,7 +44,11 @@ spec:
           securityContext:
             privileged: true
           resources:
+          {{- if .Values.enforcer.resources }}
+{{ toYaml .Values.enforcer.resources | indent 12 }}
+          {{- else }}
 {{ toYaml .Values.resources | indent 12 }}
+          {{- end }}
           env:
             - name: CLUSTER_JOIN_ADDR
               value: neuvector-svc-controller.{{ .Release.Namespace }}

charts/core/templates/manager-deployment.yaml

@@ -54,7 +54,11 @@ spec:
               readOnly: true
           {{- end }}
           resources:
+          {{- if .Values.manager.resources }}
+{{ toYaml .Values.manager.resources | indent 12 }}
+          {{- else }}
 {{ toYaml .Values.resources | indent 12 }}
+          {{- end }}
       restartPolicy: Always
       volumes:
       {{- if .Values.manager.certificate.secret }}

charts/core/templates/scanner-deployment.yaml

@@ -44,5 +44,7 @@ spec:
             - name: SCANNER_DOCKER_URL
               value: {{ .Values.cve.scanner.dockerPath }}
           {{- end }}
+          resources:
+{{ toYaml .Values.cve.scanner.resources | indent 12 }}
       restartPolicy: Always
 {{- end }}

charts/core/values.yaml

@@ -53,6 +53,13 @@ controller:
       # ingress.kubernetes.io/rewrite-target: /
     tls: false
     secretName:
+  resources: {}
+    # limits:
+    #   cpu: 400m
+    #   memory: 2792Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 2280Mi
   configmap:
     enabled: false
     data:
@@ -78,6 +85,13 @@ enforcer:
   tolerations:
     - effect: NoSchedule
       key: node-role.kubernetes.io/master
+  resources: {}
+    # limits:
+    #   cpu: 400m
+    #   memory: 2792Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 2280Mi
 
 manager:
   # If false, manager will not be installed
@@ -109,6 +123,13 @@ manager:
       # nginx.ingress.kubernetes.io/enable-rewrite-log: "true"
     tls: false
     secretName:  # my-tls-secret
+  resources: {}
+    # limits:
+    #   cpu: 400m
+    #   memory: 2792Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 2280Mi
 
 cve:
   updater:
@@ -131,6 +152,13 @@ cve:
     image:
       repository: neuvector/scanner
     priorityClassName:
+    resources: {}
+      # limits:
+      #   cpu: 400m
+      #   memory: 2792Mi
+      # requests:
+      #   cpu: 100m
+      #   memory: 2280Mi
 
 docker:
   path: /var/run/docker.sock