Add resources templating option to kaap operator deployment #159

Open
wants to merge 7 commits into
base: main

@MarkusNeuron MarkusNeuron commented Sep 21, 2023

For our cluster operation and to comply with security standards, it's mandatory to be able to configure pod resources.

Some standards for resource configuration we need to comply with:

  • OWASP API Security Top 10-API7:2019-Security Misconfiguration
  • CWE Top 25 Most Dangerous Software Weaknesses-cwe-top-25
  • OWASP Docker Top 10 2018-D07 - Resource Protection
  • CIS Docker - Level 1-5.10

Because we should be flexible in applying different patterns for resource requests and limits, I templated the full resources: block depending on the values configuration and not the individual values.
E.g. one example pattern for requests and limits

@MarkusNeuron
Author

Any update on this one?

@nicoloboschi
Contributor

Thanks @MarkusNeuron
I'll cut a release once CI passes and this is merged

@nicoloboschi
Contributor

@MarkusNeuron can you please fix the CI?

I think you have to add the new values property here:

vars.put(".Release.Namespace", namespace);

@MarkusNeuron
Author

Added var to test. Hope this fixes CI.

@MarkusNeuron
Author

Test failed again. It seems that the test library cannot work with templating functions. I will change the test to an empty resources key. I hope to fix the testcase issue this way.

@MarkusNeuron
Author

Sorry guys, I do not know how to fix this in the test. When I template with:

operator:
  enabled: true
  image: datastax/kaap:0.2.0
  imagePullPolicy: IfNotPresent
  replicas: 1
  resources: {}
  livenessProbe:
    failureThreshold: 3
...

or without the resource key at all, I get the correct output without resource config.

Templating with values:

operator:
  enabled: true
  image: datastax/kaap:0.2.0
  imagePullPolicy: IfNotPresent
  replicas: 1
  resources:
    requests:
      cpu: "0.2"
      memory: "512Mi"
    limits:
      memory: "512Mi"  
  livenessProbe:
    failureThreshold: 3

also leads to the correct template:

...
    spec:
      containers:
        - env:
            - name: KUBERNETES_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          envFrom:
            - configMapRef:
                name: kaap
          image: datastax/kaap:0.2.0
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              memory: 512Mi
            requests:
              cpu: "0.2"
              memory: 512Mi
          livenessProbe:
            failureThreshold: 3
...

So how can we fix the Java for CI testing?
Thx, Markus
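
An added example, not part of this PR or the kaap project: a check a CI job could run over the rendered Deployment to confirm that each container carries requests and a memory limit, with limits not below requests. The inputs are constructed to mirror the two values patterns in the comment above plus one inverted case; the container name `operator` and the dict layout are assumptions.

```python
import re

# Kubernetes quantity suffixes (binary and decimal) mapped to multipliers.
_SUFFIX = {"Ki": 2**10, "Mi": 2**20, "Gi": 2**30, "Ti": 2**40,
           "m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9, "T": 1e12, "": 1}

def parse_quantity(q):
    """Convert a quantity such as "512Mi" or "0.2" to a float (bytes or cores)."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)(Ki|Mi|Gi|Ti|m|k|M|G|T)?", str(q).strip())
    if not m:
        raise ValueError(f"unsupported quantity: {q!r}")
    return float(m.group(1)) * _SUFFIX[m.group(2) or ""]

def audit_resources(deployment):
    """Return a list of findings for the containers of a rendered Deployment dict."""
    pod = deployment["spec"]["template"]["spec"]
    findings = []
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        res = c.get("resources") or {}  # a missing key and {} are treated alike
        req, lim = res.get("requests") or {}, res.get("limits") or {}
        name = c.get("name", "<unnamed>")
        if "memory" not in lim:
            findings.append(f"{name}: no memory limit")
        for key in ("cpu", "memory"):
            if key not in req:
                findings.append(f"{name}: no {key} request")
            elif key in lim and parse_quantity(lim[key]) < parse_quantity(req[key]):
                findings.append(f"{name}: {key} limit below request")
    return findings

def deployment_with(resources):
    """Constructed sample shaped like the rendered template quoted above."""
    # Container name is an assumption; the quoted output does not show it.
    container = {"name": "operator", "image": "datastax/kaap:0.2.0"}
    if resources is not None:
        container["resources"] = resources
    return {"spec": {"template": {"spec": {"containers": [container]}}}}

# Constructed inputs: the two values patterns from the comment, plus an inverted one.
EMPTY = deployment_with({})
CONFIGURED = deployment_with({"requests": {"cpu": "0.2", "memory": "512Mi"},
                              "limits": {"memory": "512Mi"}})
INVERTED = deployment_with({"requests": {"cpu": "0.2", "memory": "1Gi"},
                            "limits": {"memory": "512Mi"}})

if __name__ == "__main__":
    for label, d in (("empty", EMPTY), ("configured", CONFIGURED), ("inverted", INVERTED)):
        print(label, audit_resources(d) or "ok")
```

With `resources: {}` the rendered pod has no bounds at all, so a check like this only passes once the values file sets the block.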
