chore: update istio-proxy resource requests and limits

a0677fb7 · Ronnie Webb · michaelmcleroy · 18d922c9 · a0677fb7 · a0677fb7
Commit a0677fb7 authored Sep 07, 2021 by Ronnie Webb Committed by michaelmcleroy Sep 07, 2021
Showing with 52 additions and 11 deletions

CHANGELOG.md CHANGELOG.md +31 -0

chart/Chart.yaml chart/Chart.yaml +1 -1

chart/templates/controlplane.yaml chart/templates/controlplane.yaml +1 -1

chart/values.yaml chart/values.yaml +19 -9

No files found.
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,58 +2,89 @@
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/), and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+## [1.10.4-bb.1]
+### Changed
+- Update Istio proxy and proxy init pods to be in compliance with opa gatekeeper.
 ## [1.10.4-bb.0]
 ### Changed
 - Update to Istio 1.10.4
 ## [1.10.3-bb.1]
 ### Changed
 - Add envoyfilter to remove server response header to prevent information disclosure
 ## [1.10.3-bb.0]
 ### Changed
 - Update to Istio 1.10.3
 ## [1.9.7-bb.1]
 ### Added
 - Default configuration to hold application start until istio proxy is ready
 ## [1.9.7-bb.0]
 ### Changed
 - Update to Istio 1.9.7
 ## [1.8.4-bb.6]
 ### Changed
 - **BREAKING** `ingressGateway` deprecated in favor of creating `ingressGateways` in a uniform manner
 - **BREAKING** `gateway` deprecated in favor of creating `gateways` in a uniform manner
 ## [1.8.4-bb.5]
 ### Fixed
 - Kube API egress allowed for all pods, not just istiod
 ## [1.8.4-bb.4]
 ### Added
 - Kube API egress networkpolicy
 ## [1.8.4-bb.3]
 ### Added
 - Added network policies for istio
 ## [1.8.4-bb.2]
 ### Fixed
 - fixed bug with indentation when providing resources to istio ingressgateways
 ## [1.8.4-bb.1]
 ### Fixed
 - updated dsop.io registry hostname to dso.mil
 ## [1.7.3-bb.1]
 ### Added
 - Top level "sso" values designation. This will enable an haproxy package installation in the desired namespace (sso.namespace: istio-addons-sso) that in conjunction with authservice package will place an SSO gate in front of Kiali+Jaeger UIs.
 - Top level "ingress" values designation. This will control configuration for the virtualservices created. Leave empty with sso.enabled = false to have the virtualservices go straight to the kiali/jaeger UIs. Leave empty with sso.enabled = true to place the haproxy+authservice injection in front of kiali/tracing. Fill in with your own service/port if customizing the installation/services.
 - New Jaeger+Kiali VirtualServices pointing to the haproxy installation will be installed when "sso.enabled: true"
 - sso.selector variable sets the label that will be applied to the authservice EnvoyFilter placing the SSO page in front of the regular UIs. Must match the selector for "authservice.selector.key/value".
 ### Changed
 - Jaeger+Kiali VirtualServices pointing directly to the UIs will be skipped when "sso.enabled: true"
 - Jaeger+Kiali VirtualServices pull in their configs from the "ingress" designation so VirtualServices can be customized.
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: istio
-version: 1.10.4-bb.0
+version: 1.10.4-bb.1
--- a/chart/templates/controlplane.yaml
+++ b/chart/templates/controlplane.yaml
@@ -127,4 +127,4 @@ spec:
        - matchExpressions:
            - key: app.kubernetes.io/component
              operator: In
              values: [fluentd-configcheck]
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -28,16 +28,10 @@ ingressGateways:
    k8s: # Set any value from https://istio.io/latest/docs/reference/config/istio.operator.v1alpha1/#KubernetesResourcesSpec
      # hpaSpec:  By default, HPA is set from 1-5 instances with a target average utilization of 80%
      resources: {}
-        # requests:
-        #   cpu: 500m
-        #   memory: 1Gi
-        # limits:
-        #   cpu: 1.5
-        #   memory: 3Gi
      service:
        type: "LoadBalancer" # or "NodePort"
        # ports: By default ports 15021 (status), 80, 443, and 15443 (SNI Routing) are setup
-      podAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
+      podAnnotations: {}  # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
      serviceAnnotations: {} # https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
      nodeSelector: {} # https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
      affinity: {} # https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
@@ -145,6 +139,7 @@ cni:
  podAnnotations: {}
  #  k8s nodeSelector. https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#nodeselector
  nodeSelector: {}
  #  k8s affinity / anti-affinity. https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#affinity-and-anti-affinity
  affinity: {}
  #  k8s toleration https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
@@ -154,8 +149,23 @@ cni:
 meshConfig: {}
 values:
-  global: {}
+  global: 
+    proxy:
+      resources:
+        requests:
+          cpu: 100m
+          memory: 256Mi
+        limits:
+          cpu: 100m
+          memory: 256Mi
+    proxy_init:
+      resources:
+        limits:
+          cpu: 100m
+          memory: 256Mi
+        requests:
+          cpu: 100m
+          memory: 256Mi
 networkPolicies:
  enabled: false
  # See `kubectl cluster-info` and then resolve to IP