
Add resources templating option to kaap operator deployment

Open MarkusNeuron opened this issue 2 years ago • 6 comments

For our cluster operation and for complying with security standards, it's mandatory to be able to configure pod resources.

Some standards for resources configuration we need to comply with:

  • OWASP API Security Top 10-API7:2019-Security Misconfiguration
  • CWE Top 25 Most Dangerous Software Weaknesses-cwe-top-25
  • OWASP Docker Top 10 2018-D07 - Resource Protection
  • CIS Docker - Level 1-5.10

Because we should be flexible in applying different patterns for resource-requests and -limits, I templated the full resources: block depending on values configuration and not the individual values. E.g. one example pattern for requests and limits

MarkusNeuron avatar Sep 21 '23 09:09 MarkusNeuron

Any update on this one?

MarkusNeuron avatar Oct 12 '23 08:10 MarkusNeuron

Thanks @MarkusNeuron I'll cut a release once CI passes and this is merged

nicoloboschi avatar Oct 12 '23 09:10 nicoloboschi

@MarkusNeuron can you please fix the CI?

I think you have to add the new values property here: https://github.com/datastax/kaap/blob/daaf6fc88d0599be04af063eb8cb1606c36558e8/tests/src/test/java/com/datastax/oss/kaap/tests/BaseK8sEnvTest.java#L215

nicoloboschi avatar Oct 12 '23 10:10 nicoloboschi

Added var to test. Hope this fixes CI.

MarkusNeuron avatar Oct 12 '23 10:10 MarkusNeuron

Test failed again. It seems that the test library cannot work with templating functions. I will change the test to an empty resources key. I hope to fix the testcase issue this way.

MarkusNeuron avatar Oct 12 '23 10:10 MarkusNeuron

Sorry guys I do not know how to fix this in test. When I template with:

operator:
  enabled: true
  image: datastax/kaap:0.2.0
  imagePullPolicy: IfNotPresent
  replicas: 1
  resources: {}
  livenessProbe:
    failureThreshold: 3
...

or without resource key at all, I get the correct output without resource config.

Templating with values:

operator:
  enabled: true
  image: datastax/kaap:0.2.0
  imagePullPolicy: IfNotPresent
  replicas: 1
  resources:
    requests:
      cpu: "0.2"
      memory: "512Mi"
    limits:
      memory: "512Mi"  
  livenessProbe:
    failureThreshold: 3

leads also to the correct template:

...
    spec:
      containers:
        - env:
            - name: KUBERNETES_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          envFrom:
            - configMapRef:
                name: kaap
          image: datastax/kaap:0.2.0
          imagePullPolicy: IfNotPresent
          resources:
            limits:
              memory: 512Mi
            requests:
              cpu: "0.2"
              memory: 512Mi
          livenessProbe:
            failureThreshold: 3
...

So how can we fix the Java for CI testing? Thx, Markus

MarkusNeuron avatar Oct 13 '23 09:10 MarkusNeuron
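
For reference, a common Helm idiom that produces the behaviour shown in the comment above (no `resources:` key when `operator.resources` is `{}` or absent, the whole block copied through otherwise). This is an added example, not the template from this pull request; the file name and container name are hypothetical, and only the `operator.*` value keys are taken from the thread.

```yaml
# templates/operator-deployment.yaml (hypothetical file name; container spec excerpt)
    spec:
      containers:
        - name: kaap-operator            # hypothetical container name
          image: {{ .Values.operator.image }}
          imagePullPolicy: {{ .Values.operator.imagePullPolicy }}
          # `with` treats a missing key and an empty map ({}) as false, so in
          # both cases the resources block is left out of the rendered manifest.
          {{- with .Values.operator.resources }}
          resources:
            # toYaml copies the whole map as given, so any requests/limits
            # pattern can be set in values without changing the template.
            # nindent 12 puts the keys two spaces under `resources:`.
            {{- toYaml . | nindent 12 }}
          {{- end }}
```

`toYaml` emits map keys in sorted order, which is why the rendered manifest lists `limits` before `requests` even though the values file has them the other way round.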