Merge pull request #819 from weaveworks/806-resource-limits

feat: ability to set resource limits and security context for branch planner

charts/tf-controller/README.md

@@ -31,7 +31,7 @@ __Note__: If you need to use the `imagePullSecrets` it would be best to set `ser
 | awsPackage.install | bool | `true` |  |
 | awsPackage.repository | string | `"ghcr.io/tf-controller/aws-primitive-modules"` |  |
 | awsPackage.tag | string | `"v4.38.0-v1alpha11"` |  |
-| branchPlanner | object | `{"configMap":"branch-planner","enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/weaveworks/branch-planner","tag":""},"pollingInterval":"30s","sourceInterval":"30s"}` | Branch Planner-specific configurations |
+| branchPlanner | object | `{"configMap":"branch-planner","enabled":false,"image":{"pullPolicy":"IfNotPresent","repository":"ghcr.io/weaveworks/branch-planner","tag":""},"podSecurityContext":{"fsGroup":1337},"pollingInterval":"30s","resources":{"limits":{"cpu":"1000m","memory":"1Gi"},"requests":{"cpu":"200m","memory":"64Mi"}},"securityContext":{"allowPrivilegeEscalation":false,"capabilities":{"drop":["ALL"]},"readOnlyRootFilesystem":true,"runAsNonRoot":true,"runAsUser":65532,"seccompProfile":{"type":"RuntimeDefault"}},"sourceInterval":"30s"}` | Branch Planner-specific configurations |
 | caCertValidityDuration | string | `"168h0m"` | Argument for `--ca-cert-validity-duration` (Controller) |
 | certRotationCheckFrequency | string | `"30m0s"` | Argument for `--cert-rotation-check-frequency` (Controller) |
 | certValidityDuration | string | `"6h0m"` | Argument for `--cert-validity-duration` (Controller) |

charts/tf-controller/templates/planner-deployment.yaml

@@ -41,13 +41,12 @@ spec:
         image: "{{ .Values.branchPlanner.image.repository }}:{{ default .Chart.AppVersion .Values.branchPlanner.image.tag }}"
         imagePullPolicy: {{ .Values.image.pullPolicy }}
         name: {{ .Chart.Name }}
-        ports:
-        - containerPort: 8080
-          name: http-prom
+        resources:
+          {{- toYaml .Values.branchPlanner.resources | nindent 10 }}
         securityContext:
-          {{- toYaml .Values.securityContext | nindent 10 }}
+          {{- toYaml .Values.branchPlanner.securityContext | nindent 10 }}
       securityContext:
-        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+        {{- toYaml .Values.branchPlanner.podSecurityContext | nindent 8 }}
       serviceAccountName: {{ include "tf-controller.serviceAccountName" . }}
       terminationGracePeriodSeconds: 10
       {{- with .Values.nodeSelector }}

charts/tf-controller/values.yaml

@@ -179,3 +179,25 @@ branchPlanner:
   pollingInterval: 30s
   # Interval value to use for Source objects for branch planner Terraform objects.
   sourceInterval: 30s
+  # Pod-level security context
+  podSecurityContext:
+    fsGroup: 1337
+  # Container-level security context
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+        - ALL
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    runAsUser: 65532
+    seccompProfile:
+      type: RuntimeDefault
+  # Resource limits and requests
+  resources:
+    limits:
+      cpu: 1000m
+      memory: 1Gi
+    requests:
+      cpu: 200m
+      memory: 64Mi

runner-azure.Dockerfile

@@ -45,7 +45,7 @@ RUN apk add --no-cache libcrypto3=3.1.1-r3 && \
     apk add --no-cache busybox
 
 # Install az cli
-ARG AZCLI_VERSION=2.40.0
+ARG AZCLI_VERSION=2.50.0
 RUN apk add --no-cache py3-pip && \
     apk add --no-cache gcc musl-dev python3-dev libffi-dev openssl-dev
 RUN pip install --upgrade pip && \