fix: Cert Mounter -> fix ram and cpu resources (#366)

* allow cert mounter version variable * added configuration for ram and cpu * pre-commit fixs
pagopa · Oct 28, 2024 · b38a631 · b38a631
1 parent c034ec1
commit b38a631
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 3 deletions.
diff --git a/cert_mounter/README.md b/cert_mounter/README.md
@@ -44,10 +44,12 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
-| <a name="input_cert_mounter_chart_version"></a> [cert\_mounter\_chart\_version](#input\_cert\_mounter\_chart\_version) | (Optional) Cert mounter chart version | `string` | `"1.0.4"` | no |
+| <a name="input_cert_mounter_chart_version"></a> [cert\_mounter\_chart\_version](#input\_cert\_mounter\_chart\_version) | (Optional) Cert mounter chart version | `string` | `"2.0.1"` | no |
 | <a name="input_certificate_name"></a> [certificate\_name](#input\_certificate\_name) | (Required) Name of the certificate stored in the keyvault, that will be installed as a secret in aks | `string` | n/a | yes |
 | <a name="input_kv_name"></a> [kv\_name](#input\_kv\_name) | (Required) Key vault name where to retrieve the certificate | `string` | n/a | yes |
 | <a name="input_namespace"></a> [namespace](#input\_namespace) | (Required) Namespace where the cert secret will be created | `string` | n/a | yes |
+| <a name="input_pod_cpu"></a> [pod\_cpu](#input\_pod\_cpu) | Pod request and limit for CPU (in `m`) | `number` | `10` | no |
+| <a name="input_pod_ram"></a> [pod\_ram](#input\_pod\_ram) | Pod request and limit for RAM memory (in `Mi`) | `number` | `30` | no |
 | <a name="input_tenant_id"></a> [tenant\_id](#input\_tenant\_id) | (Required) Tenant identifier | `string` | n/a | yes |
 | <a name="input_workload_identity_client_id"></a> [workload\_identity\_client\_id](#input\_workload\_identity\_client\_id) | ClientID in form of 'qwerty123-a1aa-1234-xyza-qwerty123' linked to workload identity | `string` | `null` | no |
 | <a name="input_workload_identity_enabled"></a> [workload\_identity\_enabled](#input\_workload\_identity\_enabled) | Enable workload identity chart | `bool` | `false` | no |

diff --git a/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl b/cert_mounter/helm/cert-mounter-workload-identity.yaml.tpl
@@ -13,5 +13,19 @@ keyvault:
 serviceAccount:
   name: ${SERVICE_ACCOUNT_NAME}
 
+resources:
+  # -- request is mandatory
+  requests:
+    # -- memory
+    memory: "${POD_RAM}Mi"
+    # -- cpu
+    cpu: "${POD_CPU}m"
+  # -- limits is mandatory
+  limits:
+    # -- memory
+    memory: "${POD_RAM}Mi"
+    # -- cpu
+    cpu: "${POD_CPU}m"
+
 azure:
   workloadIdentityClientId: ${WORKLOAD_IDENTITY_CLIENT_ID}
diff --git a/cert_mounter/main.tf b/cert_mounter/main.tf
@@ -16,6 +16,8 @@ resource "helm_release" "cert_mounter" {
       TENANT_ID                   = var.tenant_id
       SERVICE_ACCOUNT_NAME        = var.workload_identity_service_account_name
       WORKLOAD_IDENTITY_CLIENT_ID = var.workload_identity_client_id
+      POD_RAM                     = var.pod_ram
+      POD_CPU                     = var.pod_cpu
     }) :
     templatefile("${path.module}/helm/cert-mounter-pod-identity.yaml.tpl", {
       NAMESPACE        = var.namespace,

diff --git a/cert_mounter/variables.tf b/cert_mounter/variables.tf
@@ -1,5 +1,5 @@
 locals {
-  chart_version = var.workload_identity_enabled ? "2.0.0" : "1.0.4"
+  chart_version = var.workload_identity_enabled ? var.cert_mounter_chart_version : "1.0.4"
 }
 
 variable "namespace" {
@@ -25,7 +25,19 @@ variable "tenant_id" {
 variable "cert_mounter_chart_version" {
   type        = string
   description = "(Optional) Cert mounter chart version"
-  default     = "1.0.4"
+  default     = "2.0.1"
+}
+
+variable "pod_ram" {
+  type        = number
+  description = "Pod request and limit for RAM memory (in `Mi`)"
+  default     = 30
+}
+
+variable "pod_cpu" {
+  type        = number
+  description = "Pod request and limit for CPU (in `m`)"
+  default     = 10
 }
 
 #