UNCLASSIFIED - NO CUI

Skip to content

istio: optionally override sidecar resources

Daniel Dides requested to merge dd/19-istio-sidecar-resources into master

General MR

Summary

Allow optionally setting the resources for the injected Istio sidecar to hopefully allow us to prevent 500 errors during testing.

Relevant logs/screenshots

According to the istio docs the sidecar resources are controlled by an annotation on the main pod spec.

Default annotaitons:

danieldides@BPH-MAC02 ~/P/b/p/neuvector (main)> helm template build chart/ --set bbtests.enabled=true | yq e '. | select(.metadata.name == "neuvector-cypress-test")'.metadata.annotations
"helm.sh/hook": test-success
"helm.sh/hook-weight": "5"

Overridden annotations:

bbtests:
  enabled: true
  istio:
    sidecar:
      resources:
        cpu:
          requests: 100m
          limits: 200m
        memory:
            requests: 5g
danieldides@BPH-MAC02 ~/P/b/p/neuvector (main)> helm template build chart -f override.yaml | yq e '. | select(.metadata.name == "neuvector-cypress-test")'.metadata.annotations
"helm.sh/hook": test-success
"helm.sh/hook-weight": "5"
"sidecar.istio.io/proxyCPU": "100m" # Default: 100m
"sidecar.istio.io/proxyCPULimit": "200m" # Default: 2000m
"sidecar.istio.io/proxyMemory": "5g" # Default: 128mi

Validated in-cluster:

Deployed Big-Bang with this override (you will also need to allowlist certain kyverno policies, reference the test-values.yaml in BB as a reference):

kiali:
  enabled: true
  values:
    bbtests:
      enabled: true
      cypress:
        envs:
          cypress_url: 'https://kiali.bigbang.dev'
          cypress_check_data: 'true'
      istio:
        sidecar:
          resources:
            cpu:
              requests: 500m
              limits: 1000m
            memory:
              requests: 256Mi
              limits: 2Gi

Run helm test kiali-kiali -n bigbang --timeout 10m. Inspect the kiali-cypress-test container. Verify the annotations are set:

k get pods -n kiali kiali-cypress-test -o yaml | yq .metadata.annotations
...
sidecar.istio.io/proxyCPU: 500m
sidecar.istio.io/proxyCPULimit: 1000m
sidecar.istio.io/proxyMemory: 256Mi
sidecar.istio.io/proxyMemoryLimit: 2Gi
...

And verify that the corresponding resources are set on the proxy container:

 k get pods -n kiali kiali-cypress-test -o yaml | yq '.spec.containers[] | select(.name=="istio-proxy").resources'
limits:
  cpu: "1"
  memory: 2Gi
requests:
  cpu: 500m
  memory: 256Mi

Closes #19 (closed)

Edited by Daniel Dides

Merge request reports

UNCLASSIFIED - NO CUI