set container resources

8570696d · bhearn · e2a27a8a · 8570696d · 8570696d · 8570696d
Commit 8570696d authored Aug 19, 2021 by bhearn
20 changed files
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -4,6 +4,13 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),

 ---

+## [1.13.0-bb.6]
+## Changed
+- updated bb-test-lib dependency to gluon `0.2.3` to resolve OPA Gatekeeper violations
+- updated Redis dependency to `14.1.0-bb.3` to resolve OPA Gatekeeper violations
+- set resource requests and limits for all containers to resolve OPA Gatekeeper violations
+- set resource requests and limits equal to eachother to resolve OPA Gatekeeper violations
+
 ## [1.13.0-bb.5]
 ## Added
 - `.Values.postgresqlSuperUser.postgresUsername` and `.Values.postgresqlSuperUser.postgresPassword` for conditionally changing the commands in the ensure db jobs to allow for finer-grain postgres user permissions

--- a/chart/Chart.lock
+++ b/chart/Chart.lock
@@ -7,9 +7,9 @@ dependencies:
  version: 1.0.1
 - name: redis
  repository: file://./deps/redis
-  version: 14.1.0-bb.2
- name: bb-test-lib
-  repository: oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates
-  version: 0.5.2
-digest: sha256:b6031a1579e20adfbd8f708ede7fc9665a21a5c030ca7304af18acdff3b56150
-generated: "2021-07-13T16:37:10.13824-04:00"
+  version: 14.1.0-bb.3
+- name: gluon
+  repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
+  version: 0.2.3
+digest: sha256:18e2ebc2abf59245eb530874f5c9aab50f3041a4959aa6534b6411810191d078
+generated: "2021-08-18T14:00:09.786881-04:00"
--- a/chart/Chart.yaml
+++ b/chart/Chart.yaml
 apiVersion: v2
 name: anchore-engine
-version: 1.13.0-bb.5
+version: 1.13.0-bb.6
 appVersion: 0.10.0
 description: Anchore container analysis and policy evaluation engine service
 keywords:
@@ -33,10 +33,10 @@ dependencies:
   condition: anchore-feeds-db.enabled,anchoreEnterpriseGlobal.enabled
   alias: anchore-feeds-db
 - name: redis
-   version: "14.1.0-bb.2"
+   version: "14.1.0-bb.3"
   repository: "file://./deps/redis"
   condition: anchore-ui-redis.enabled,anchoreEnterpriseGlobal.enabled
   alias: anchore-ui-redis
- - name: bb-test-lib
-   version: "0.5.2"
-   repository: "oci://registry.dso.mil/platform-one/big-bang/pipeline-templates/pipeline-templates"
+ - name: gluon
+   version: "0.2.3"
+   repository: oci://registry.dso.mil/platform-one/big-bang/apps/library-charts/gluon
\ No newline at end of file
--- a/chart/charts/bb-test-lib-0.5.2.tgz
+++ b/chart/charts/bb-test-lib-0.5.2.tgz
--- a/chart/charts/gluon-0.2.3.tgz
+++ b/chart/charts/gluon-0.2.3.tgz
--- a/chart/charts/postgresql-1.0.1.tgz
+++ b/chart/charts/postgresql-1.0.1.tgz
--- a/chart/charts/redis-14.1.0-bb.2.tgz
+++ b/chart/charts/redis-14.1.0-bb.2.tgz
--- a/chart/charts/redis-14.1.0-bb.3.tgz
+++ b/chart/charts/redis-14.1.0-bb.3.tgz
--- a/chart/deps/redis/Chart.yaml
+++ b/chart/deps/redis/Chart.yaml
@@ -25,4 +25,4 @@ name: redis
 sources:
  - https://github.com/bitnami/bitnami-docker-redis
  - http://redis.io/
-version: 14.1.0-bb.2
+version: 14.1.0-bb.3
--- a/chart/deps/redis/Kptfile
+++ b/chart/deps/redis/Kptfile
@@ -5,7 +5,7 @@ metadata:
 upstream:
  type: git
  git:
-    commit: ca398b827ba384da78213d9b2f21abf83a9eea8a
+    commit: f24af16a6d583e9e125f519127ffab11f48f42f8
    repo: https://repo1.dso.mil/platform-one/big-bang/apps/sandbox/redis
    directory: /chart
-    ref: 14.1.0-bb.2
+    ref: 14.1.0-bb.3
--- a/chart/deps/redis/templates/bigbang/redis-upgrade.yaml
+++ b/chart/deps/redis/templates/bigbang/redis-upgrade.yaml
@@ -124,4 +124,7 @@ spec:
                echo "No PVCs to clean up."
              fi
              echo "Done with upgrade steps."
+          {{- if .Values.cleanUpgrade.resources }}
+          resources: {{- toYaml .Values.cleanUpgrade.resources | nindent 12 }}
+          {{- end }}
 {{- end }}
--- a/chart/deps/redis/values.yaml
+++ b/chart/deps/redis/values.yaml
@@ -23,6 +23,13 @@ monitoring:
 cleanUpgrade:
  enabled: true
  image: "registry1.dso.mil/ironbank/big-bang/base:8.4"
+  resources:
+    requests:
+      memory: 256Mi
+      cpu: 100m
+    limits:
+      memory: 256Mi
+      cpu: 100m

 # NOTE: We default this to true in case packages consuming Redis forget to turn it on and have API traffic blocked
 networkPolicies:
@@ -879,8 +886,12 @@ sentinel:
  ## @param sentinel.resources.requests The requested resources for the Redis(TM) Sentinel containers
  ##
  resources:
-    limits: {}
-    requests: {}
+    requests:
+      memory: 256Mi
+      cpu: 100m
+    limits:
+      memory: 256Mi
+      cpu: 100m
  ## Configure Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param sentinel.containerSecurityContext.enabled Enabled Redis(TM) Sentinel containers' Security Context
@@ -1123,8 +1134,12 @@ metrics:
  ## @param metrics.resources.requests The requested resources for the Redis(TM) exporter container
  ##
  resources:
-    limits: {}
-    requests: {}
+    requests:
+      memory: 256Mi
+      cpu: 100m
+    limits:
+      memory: 256Mi
+      cpu: 100m
  ## @param metrics.podLabels Extra labels for Redis(TM) exporter pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
@@ -1209,8 +1224,12 @@ metrics:
    ## @param metrics.sentinel.resources.requests The requested resources for the Redis(TM) Sentinel exporter container
    ##
    resources:
-      limits: {}
-      requests: {}
+      requests:
+        memory: 256Mi
+        cpu: 100m
+      limits:
+        memory: 256Mi
+        cpu: 100m
    ## Redis(TM) Sentinel exporter service parameters
    ##
    service:
@@ -1364,8 +1383,12 @@ volumePermissions:
  ## @param volumePermissions.resources.requests The requested resources for the init container
  ##
  resources:
-    limits: {}
-    requests: {}
+    requests:
+      memory: 256Mi
+      cpu: 100m
+    limits:
+      memory: 256Mi
+      cpu: 100m
  ## Init container Container Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param volumePermissions.containerSecurityContext.runAsUser Set init container's Security Context runAsUser
@@ -1416,5 +1439,9 @@ sysctl:
  ## @param sysctl.resources.requests The requested resources for the init container
  ##
  resources:
-    limits: {}
-    requests: {}
+    requests:
+      memory: 256Mi
+      cpu: 100m
+    limits:
+      memory: 256Mi
+      cpu: 100m
--- a/chart/templates/bigbang/db/ensure-anchore-db.yaml
+++ b/chart/templates/bigbang/db/ensure-anchore-db.yaml
@@ -61,6 +61,8 @@ spec:
            - secretRef:
                name: anchore-db-credentials
          {{- end }}
+          resources:
+            {{ toYaml .Values.ensureDbJobs.resources | nindent 12 }}
      restartPolicy: OnFailure
 {{- end }}
 {{- end }}
--- a/chart/templates/bigbang/db/ensure-feeds-db.yaml
+++ b/chart/templates/bigbang/db/ensure-feeds-db.yaml
@@ -61,6 +61,8 @@ spec:
            - secretRef:
                name: feeds-db-credentials
          {{- end }}
+          resources:
+            {{ toYaml .Values.ensureDbJobs.resources | nindent 12 }}
      restartPolicy: OnFailure
 {{- end }}
 {{- end }}
--- a/chart/templates/bigbang/sso/configure-sso.yaml
+++ b/chart/templates/bigbang/sso/configure-sso.yaml
@@ -61,6 +61,8 @@ spec:
            - name: anchore-sso
              mountPath: "/tmp"
              readOnly: true
+          resources:
+            {{ toYaml .Values.sso.resources | nindent 12 }}
      volumes:
        - name: anchore-sso
          secret:

--- a/chart/templates/engine_upgrade_job.yaml
+++ b/chart/templates/engine_upgrade_job.yaml
@@ -109,6 +109,8 @@ spec:
          mountPath: /home/anchore/certs/
          readOnly: true
        {{- end }}
+        resources:
+          {{ toYaml .Values.anchoreEngineUpgradeJob.resources | nindent 10 }}
    {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
      volumes:
      {{- with .Values.anchoreGlobal.certStoreSecretName }}

--- a/chart/templates/enterprise_feeds_upgrade_job.yaml
+++ b/chart/templates/enterprise_feeds_upgrade_job.yaml
@@ -100,6 +100,8 @@ spec:
          mountPath: /home/anchore/certs/
          readOnly: true
        {{- end }}
+        resources:
+          {{ toYaml .Values.anchoreEnterpriseFeedsUpgradeJob.resources | nindent 10 }}
    {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
      volumes:
      {{- with .Values.anchoreGlobal.certStoreSecretName }}

--- a/chart/templates/enterprise_upgrade_job.yaml
+++ b/chart/templates/enterprise_upgrade_job.yaml
@@ -97,6 +97,8 @@ spec:
          mountPath: /home/anchore/certs/
          readOnly: true
        {{- end }}
+        resources:
+          {{ toYaml .Values.anchoreEnterpriseEngineUpgradeJob.resources | nindent 10 }}
    {{- if or .Values.anchoreGlobal.certStoreSecretName .Values.cloudsql.useExistingServiceAcc }}
      volumes:
      {{- with .Values.anchoreGlobal.certStoreSecretName }}

--- a/chart/templates/tests/test-scripts.yaml
+++ b/chart/templates/tests/test-scripts.yaml
-{{- include "bb-test-lib.script-configmap.base" . }}
+{{- include "gluon.tests.script-configmap.base" .}}
 ---
-{{- include "bb-test-lib.script-runner.base" . }}
\ No newline at end of file
+{{- include "gluon.tests.script-runner.base" .}}
\ No newline at end of file
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -37,6 +37,16 @@ postgresqlSuperUser:
  postgresUsername: ""
  postgresPassword: ""

+# Configure resource requests and limits in ./chart/templates/bigbang/db/ensure-anchore-db.yaml and ./chart/templates/bigbang/db/ensure-feeds-db.yaml
+ensureDbJobs:
+  resources:
+    limits:
+      cpu: 100m
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 256Mi
+
 # Enable Prometheus Monitoring
 monitoring:
  enabled: false
@@ -61,7 +71,14 @@ sso:
  requireSignedAssertions: false
  requireSignedResponse: true
  idpMetadataUrl: "https://login.dso.mil/auth/realms/baby-yoda/protocol/saml/descriptor"
-
+  # Configure resource requests and limits in the ./chart/templates/bigbang/sso/configure-sso.yaml job
+  resources:
+    limits:
+      cpu: 100m
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 256Mi

 # Upstream Anchore Values
 # -----------------------
@@ -89,6 +106,25 @@ postgresql:
    subPath: "pgdata"
    mountPath: /var/lib/postgresql
  
+  # Configure resource limits and requests for the postgresql deployment
+  resources:
+    limits:
+      cpu: 100m
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 256Mi
+  
+  # Configure resource limits and requests for postgresql metrics (disabled by default)
+  metrics:
+    resources:
+      limits:
+        cpu: 100m
+        memory: 256Mi
+      requests:
+        cpu: 100m
+        memory: 256Mi
+
  # Set the configs to allow listening and connecting from other pods
  postgresConfig: {"listen_addresses": "*"}
  pgHbaConf: |-
@@ -427,13 +463,13 @@ anchoreAnalyzer:
    #     db_update_enabled: true


-  # resources:
-  #  limits:
-  #    cpu: 1
-  #    memory: 4G
-  #  requests:
-  #    cpu: 1
-  #    memory: 1G
+  resources:
+    limits:
+      cpu: 500m
+      memory: 1000Mi
+    requests:
+      cpu: 500m
+      memory: 1000Mi

  labels: {}
  annotations: {}
@@ -464,13 +500,13 @@ anchoreApi:
  #   hostname: anchore-api.example.com
  #   port: 8443

-  # resources:
-  #  limits:
-  #    cpu: 1
-  #    memory: 4G
-  #  requests:
-  #    cpu: 100m
-  #    memory: 1G
+  resources:
+    limits:
+      cpu: 500m
+      memory: 4G
+    requests:
+      cpu: 500m
+      memory: 4G

  labels: {}
  annotations: {}
@@ -622,13 +658,13 @@ anchoreCatalog:
    annotations: {}
    labels: {}

-  # resources:
-  #  limits:
-  #    cpu: 1
-  #    memory: 2G
-  #  requests:
-  #    cpu: 100m
-  #    memory: 500M
+  resources:
+    limits:
+      cpu: 500m
+      memory: 2Gi
+    requests:
+      cpu: 500m
+      memory: 2Gi

  labels: {}
  annotations: {}
@@ -694,13 +730,13 @@ anchorePolicyEngine:
    annotations: {}
    labels: {}

-  # resources:
-  #  limits:
-  #    cpu: 1
-  #    memory: 4G
-  #  requests:
-  #    cpu: 100m
-  #    memory: 1G
+  resources:
+    limits:
+      cpu: 500m
+      memory: 3Gi
+    requests:
+      cpu: 500m
+      memory: 3Gi

  labels: {}
  annotations: {}
@@ -724,13 +760,13 @@ anchoreSimpleQueue:
    annotations: {}
    labels: {}

-  # resources:
-  #  limits:
-  #    cpu: 1
-  #    memory: 1G
-  #  requests:
-  #    cpu: 100m
-  #    memory: 256M
+  resources:
+    limits:
+      cpu: 500m
+      memory: 4G
+    requests:
+      cpu: 500m
+      memory: 4G

  labels: {}
  annotations: {}
@@ -741,6 +777,15 @@ anchoreSimpleQueue:
 # Pod configuration for the helm post-install-hook engine upgrade Job
 anchoreEngineUpgradeJob:
  enabled: true
+
+  resources:
+    limits:
+      cpu: 500m
+      memory: 1.5Gi
+    requests:
+      cpu: 500m
+      memory: 1.5Gi
+
  nodeSelector: {}
  tolerations: []
  affinity: {}
@@ -784,6 +829,25 @@ anchore-feeds-db:
    subPath: "pgdata"
    mountPath: /var/lib/postgresql

+  # Configure resource limits and requests for the postgresql deployment
+  resources:
+    limits:
+      cpu: 100m
+      memory: 256Mi
+    requests:
+      cpu: 100m
+      memory: 256Mi
+  
+  # Configure resource limits and requests for postgresql metrics (disabled by default)
+  metrics:
+    resources:
+      limits:
+        cpu: 100m
+        memory: 256Mi
+      requests:
+        cpu: 100m
+        memory: 256Mi
+
  # Set the configs to allow listening and connecting from other pods
  postgresConfig: {"listen_addresses": "*"}
  pgHbaConf: |-
@@ -866,13 +930,13 @@ anchoreEnterpriseFeeds:
    annotations: {}
    labels: {}

-  # resources:
-  #  limits:
-  #    cpu: 1
-  #    memory: 4G
-  #  requests:
-  #    cpu: 1
-  #    memory: 2G
+  resources:
+    limits:
+      cpu: 1
+      memory: 4G
+    requests:
+      cpu: 1
+      memory: 4G

  labels: {}
  annotations: {}
@@ -883,6 +947,15 @@ anchoreEnterpriseFeeds:
 # Pod configuration for the helm post-install-hook feeds upgrade Job
 anchoreEnterpriseFeedsUpgradeJob:
  enabled: true
+  
+  resources:
+    limits:
+      cpu: 500m
+      memory: 1.5Gi
+    requests:
+      cpu: 500m
+      memory: 1.5Gi
+  
  nodeSelector: {}
  tolerations: []
  affinity: {}
@@ -916,11 +989,11 @@ anchoreEnterpriseRbac:

  managerResources:
    limits:
-     cpu: 500m
-     memory: 1G
+      cpu: 1
+      memory: 4G
    requests:
-     cpu: 500m
-     memory: 1G
+      cpu: 1
+      memory: 4G

 # Configure the Anchore Enterprise reporting component.
 anchoreEnterpriseReports:
@@ -950,13 +1023,13 @@ anchoreEnterpriseReports:
  service:
    port: 8558

-  # resources:
-  #  limits:
-  #    cpu: 1
-  #    memory: 1G
-  #  requests:
-  #    cpu: 100m
-  #    memory: 256M
+  resources:
+    limits:
+      cpu: 500m
+      memory: 3Gi
+    requests:
+      cpu: 500m
+      memory: 3Gi

  labels: {}
  annotations: {}
@@ -984,13 +1057,13 @@ anchoreEnterpriseNotifications:
  service:
    port: 8668

-  # resources:
-  #  limits:
-  #    cpu: 1
-  #    memory: 1G
-  #  requests:
-  #    cpu: 100m
-  #    memory: 256M
+  resources:
+    limits:
+      cpu: 500m
+      memory: 1.5Gi
+    requests:
+      cpu: 500m
+      memory: 1.5Gi

  labels: {}
  annotations: {}
@@ -1093,13 +1166,13 @@ anchoreEnterpriseUi:
    labels: {}
    sessionAffinity: ClientIP

-  # resources:
-  #  limits:
-  #    cpu: 1
-  #    memory: 1G
-  #  requests:
-  #    cpu: 100m
-  #    memory: 256M
+  resources:
+    limits:
+      cpu: 500m
+      memory: 1.5Gi
+    requests:
+      cpu: 500m
+      memory: 1.5Gi

  labels: {}
  annotations: {}
@@ -1123,6 +1196,15 @@ anchore-ui-redis:
 # Pod configuration for the helm post-install-hook enterprise engine upgrade Job
 anchoreEnterpriseEngineUpgradeJob:
  enabled: true
+
+  resources:
+    limits:
+      cpu: 500m
+      memory: 1.5Gi
+    requests:
+      cpu: 500m
+      memory: 1.5Gi
+
  nodeSelector: {}
  tolerations: []
  affinity: {}