From ce77f17192eb576936de3baf9e8cd88599099433 Mon Sep 17 00:00:00 2001
From: "v.lamykin" 
Date: Tue, 14 Jun 2022 17:49:01 +0300
Subject: [PATCH 1/3] ephemeral storage resourses
---
 agent-inject/agent/agent.go | 8 +
 agent-inject/agent/annotations.go | 17 +-
 agent-inject/agent/annotations_test.go | 36 ++--
 agent-inject/agent/container_sidecar.go | 34 ++-
 agent-inject/agent/container_sidecar_test.go | 214 ++++++++++---------
 subcommand/injector/command.go | 4 +-
 subcommand/injector/flags.go | 5 +-
 7 files changed, 193 insertions(+), 125 deletions(-)
diff --git a/agent-inject/agent/agent.go b/agent-inject/agent/agent.go
index f0018948..25fcc604 100644
--- a/agent-inject/agent/agent.go
+++ b/agent-inject/agent/agent.go
@@ -67,6 +67,9 @@ type Agent struct {
 // LimitsMem is the upper memory limit the sidecar container is allowed to consume.
 LimitsMem string
 
+ // LimitsEphemeral is the upper ephemeral storage limit the sidecar container is allowed to consume.
+ LimitsEphemeral string
+
 // Namespace is the Kubernetes namespace the request originated from.
 Namespace string
 
@@ -97,6 +100,9 @@ type Agent struct {
 // RequestsMem is the requested minimum memory amount required when being scheduled to deploy.
 RequestsMem string
 
+ // RequestsEphemeral is the requested minimum ephemeral storage amount required when being scheduled to deploy.
+ RequestsEphemeral string
+
 // Secrets are all the templates, the path in Vault where the secret can be
 // found, and the unique name of the secret which will be used for the filename.
 Secrets []*Secret
@@ -323,12 +329,14 @@ func New(pod *corev1.Pod, patches []*jsonpatch.JsonPatchOperation) (*Agent, erro
 DefaultTemplate: pod.Annotations[AnnotationAgentInjectDefaultTemplate],
 LimitsCPU: pod.Annotations[AnnotationAgentLimitsCPU],
 LimitsMem: pod.Annotations[AnnotationAgentLimitsMem],
+ LimitsEphemeral: pod.Annotations[AnnotationAgentLimitsEphemeral],
 Namespace: pod.Annotations[AnnotationAgentRequestNamespace],
 Patches: patches,
 Pod: pod,
 Containers: []string{},
 RequestsCPU: pod.Annotations[AnnotationAgentRequestsCPU],
 RequestsMem: pod.Annotations[AnnotationAgentRequestsMem],
+ RequestsEphemeral: pod.Annotations[AnnotationAgentRequestsEphemeral],
 ServiceAccountTokenVolume: sa,
 Status: pod.Annotations[AnnotationAgentStatus],
 ExtraSecret: pod.Annotations[AnnotationAgentExtraSecret],
diff --git a/agent-inject/agent/annotations.go b/agent-inject/agent/annotations.go
index 9954a7a8..2668b500 100644
--- a/agent-inject/agent/annotations.go
+++ b/agent-inject/agent/annotations.go
@@ -113,19 +113,24 @@ const (
 // AnnotationAgentExtraSecret is the name of a Kubernetes secret that will be mounted
 // into the Vault agent container so that the agent config can reference secrets.
 AnnotationAgentExtraSecret = "vault.hashicorp.com/agent-extra-secret"
-
 // AnnotationAgentLimitsCPU sets the CPU limit on the Vault Agent containers.
 AnnotationAgentLimitsCPU = "vault.hashicorp.com/agent-limits-cpu"
 
 // AnnotationAgentLimitsMem sets the memory limit on the Vault Agent containers.
 AnnotationAgentLimitsMem = "vault.hashicorp.com/agent-limits-mem"
 
+ // AnnotationAgentLimitsEphemeral sets the ephemeral storage limit on the Vault Agent containers.
+ AnnotationAgentLimitsEphemeral = "vault.hashicorp.com/agent-limits-ephemeral"
+
 // AnnotationAgentRequestsCPU sets the requested CPU amount on the Vault Agent containers.
 AnnotationAgentRequestsCPU = "vault.hashicorp.com/agent-requests-cpu"
 
 // AnnotationAgentRequestsMem sets the requested memory amount on the Vault Agent containers.
 AnnotationAgentRequestsMem = "vault.hashicorp.com/agent-requests-mem"
 
+ // AnnotationAgentRequestsEphemeral sets the ephemeral storage request on the Vault Agent containers.
+ AnnotationAgentRequestsEphemeral = "vault.hashicorp.com/agent-requests-ephemeral"
+
 // AnnotationAgentRevokeOnShutdown controls whether a sidecar container will revoke its
 // own Vault token before shutting down. If you are using a custom agent template, you must
 // make sure it's written to `/home/vault/.vault-token`. Only supported for sidecar containers.
@@ -288,8 +293,10 @@ type AgentConfig struct {
 DefaultTemplate string
 ResourceRequestCPU string
 ResourceRequestMem string
+ ResourceRequestEphemeral string
 ResourceLimitCPU string
 ResourceLimitMem string
+ ResourceLimitEphemeral string
 ExitOnRetryFailure bool
 StaticSecretRenderInterval string
 AuthMinBackoff string
@@ -363,6 +370,10 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 pod.ObjectMeta.Annotations[AnnotationAgentLimitsMem] = cfg.ResourceLimitMem
 }
 
+ if _, ok := pod.ObjectMeta.Annotations[AnnotationAgentLimitsEphemeral]; !ok {
+ pod.ObjectMeta.Annotations[AnnotationAgentLimitsEphemeral] = cfg.ResourceLimitEphemeral
+ }
+
 if _, ok := pod.ObjectMeta.Annotations[AnnotationAgentRequestsCPU]; !ok {
 pod.ObjectMeta.Annotations[AnnotationAgentRequestsCPU] = cfg.ResourceRequestCPU
 }
@@ -371,6 +382,10 @@ func Init(pod *corev1.Pod, cfg AgentConfig) error {
 pod.ObjectMeta.Annotations[AnnotationAgentRequestsMem] = cfg.ResourceRequestMem
 }
 
+ if _, ok := pod.ObjectMeta.Annotations[AnnotationAgentRequestsEphemeral]; !ok {
+ pod.ObjectMeta.Annotations[AnnotationAgentRequestsEphemeral] = cfg.ResourceRequestEphemeral
+ }
+
 if _, ok := pod.ObjectMeta.Annotations[AnnotationVaultSecretVolumePath]; !ok {
 pod.ObjectMeta.Annotations[AnnotationVaultSecretVolumePath] = secretVolumePath
 }
diff --git a/agent-inject/agent/annotations_test.go b/agent-inject/agent/annotations_test.go
index 815828a7..277934e3 100644
--- a/agent-inject/agent/annotations_test.go
+++ b/agent-inject/agent/annotations_test.go
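Review bot: These two branches put an ephemeral-storage limit and request on every injected pod that lacks the annotation, and because the operator defaults (DefaultResourceLimitEphemeral/DefaultResourceRequestEphemeral) are non-empty, existing deployments that never asked for one pick up a 128Mi limit on upgrade; a container that exceeds its ephemeral-storage limit is evicted by the kubelet rather than throttled, and the writable layer, the container log and any disk-backed emptyDir all count toward it. parseResources skips an empty string, so an operator can opt out with an empty `-ephemeral-storage-limit` flag value, but nothing documents that; add above the first new branch `// An empty cfg value leaves the annotation empty, which parseResources treats as "no ephemeral-storage limit".` and call the new default out in the changelog. The RequestsEphemeral branch in the next hunk has the same property. Init starts and ends outside both hunks.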
@@ -17,23 +17,25 @@ import ( func basicAgentConfig() AgentConfig { return AgentConfig{ - Image: "foobar-image", - Address: "http://foobar:8200", - AuthType: DefaultVaultAuthType, - AuthPath: "test", - Namespace: "test", - RevokeOnShutdown: true, - UserID: "100", - GroupID: "1000", - SameID: DefaultAgentRunAsSameUser, - SetSecurityContext: DefaultAgentSetSecurityContext, - ProxyAddress: "http://proxy:3128", - DefaultTemplate: DefaultTemplateType, - ResourceRequestCPU: DefaultResourceRequestCPU, - ResourceRequestMem: DefaultResourceRequestMem, - ResourceLimitCPU: DefaultResourceLimitCPU, - ResourceLimitMem: DefaultResourceLimitMem, - ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, + Image: "foobar-image", + Address: "http://foobar:8200", + AuthType: DefaultVaultAuthType, + AuthPath: "test", + Namespace: "test", + RevokeOnShutdown: true, + UserID: "100", + GroupID: "1000", + SameID: DefaultAgentRunAsSameUser, + SetSecurityContext: DefaultAgentSetSecurityContext, + ProxyAddress: "http://proxy:3128", + DefaultTemplate: DefaultTemplateType, + ResourceRequestCPU: DefaultResourceRequestCPU, + ResourceRequestMem: DefaultResourceRequestMem, + ResourceRequestEphemeral: DefaultResourceRequestEphemeral, + ResourceLimitCPU: DefaultResourceLimitCPU, + ResourceLimitMem: DefaultResourceLimitMem, + ResourceLimitEphemeral: DefaultResourceLimitEphemeral, + ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, } } diff --git a/agent-inject/agent/container_sidecar.go b/agent-inject/agent/container_sidecar.go index f7501d04..08eb7418 100644 --- a/agent-inject/agent/container_sidecar.go +++ b/agent-inject/agent/container_sidecar.go 
@@ -11,14 +11,16 @@ import (
 
 const (
 // https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/#meaning-of-cpu
- DefaultResourceLimitCPU = "500m"
- DefaultResourceLimitMem = "128Mi"
- DefaultResourceRequestCPU = "250m"
- DefaultResourceRequestMem = "64Mi"
- DefaultContainerArg = "echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json"
- DefaultRevokeGrace = 5
- DefaultAgentLogLevel = "info"
- DefaultAgentLogFormat = "standard"
+ DefaultResourceLimitCPU = "500m"
+ DefaultResourceLimitMem = "128Mi"
+ DefaultResourceLimitEphemeral = "128Mi"
+ DefaultResourceRequestCPU = "250m"
+ DefaultResourceRequestMem = "64Mi"
+ DefaultResourceRequestEphemeral = "64Mi"
+ DefaultContainerArg = "echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json"
+ DefaultRevokeGrace = 5
+ DefaultAgentLogLevel = "info"
+ DefaultAgentLogFormat = "standard"
 )
 
 // ContainerSidecar creates a new container to be added
@@ -133,6 +135,14 @@ func (a *Agent) parseResources() (corev1.ResourceRequirements, error) {
 limits[corev1.ResourceMemory] = mem
 }
 
+ if a.LimitsEphemeral != "" {
+ ephemeral, err := parseQuantity(a.LimitsEphemeral)
+ if err != nil {
+ return resources, err
+ }
+ limits[corev1.ResourceEphemeralStorage] = ephemeral
+ }
+
 resources.Limits = limits
 
 // Requests
@@ -152,6 +162,14 @@ func (a *Agent) parseResources() (corev1.ResourceRequirements, error) {
 requests[corev1.ResourceMemory] = mem
 }
 
+ if a.RequestsEphemeral != "" {
+ ephemeral, err := parseQuantity(a.RequestsEphemeral)
+ if err != nil {
+ return resources, err
+ }
+ requests[corev1.ResourceEphemeralStorage] = ephemeral
+ }
+
 resources.Requests = requests
 
 return resources, nil
diff --git a/agent-inject/agent/container_sidecar_test.go b/agent-inject/agent/container_sidecar_test.go
index b9200422..1b5c7665 100644
--- a/agent-inject/agent/container_sidecar_test.go
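Review bot: The comment above the constant block still points only at `#meaning-of-cpu`, so nothing explains what `DefaultResourceLimitEphemeral = "128Mi"` bounds or why it simply mirrors the memory default; unlike a CPU limit, an ephemeral-storage limit is enforced by evicting the pod, which makes the chosen number more consequential than it looks. Add a line after the existing link, e.g. `// Ephemeral-storage limits cover the writable layer, logs and disk-backed emptyDirs; exceeding one evicts the pod (see the local ephemeral storage section of the same page).` and state the reason for the 128Mi/64Mi values. The two parseResources hunks below mirror the existing CPU/memory handling and look correct; that function starts and ends outside its hunks.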
+++ b/agent-inject/agent/container_sidecar_test.go @@ -41,22 +41,24 @@ func TestContainerSidecarVolume(t *testing.T) { pod := testPod(annotations) var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - Image: "foobar-image", - Address: "http://foobar:1234", - AuthType: DefaultVaultAuthType, - AuthPath: "test", - Namespace: "test", - RevokeOnShutdown: true, - UserID: "1000", - GroupID: "100", - SameID: DefaultAgentRunAsSameUser, - SetSecurityContext: DefaultAgentSetSecurityContext, - DefaultTemplate: "map", - ResourceRequestCPU: DefaultResourceRequestCPU, - ResourceRequestMem: DefaultResourceRequestMem, - ResourceLimitCPU: DefaultResourceLimitCPU, - ResourceLimitMem: DefaultResourceLimitMem, - ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, + Image: "foobar-image", + Address: "http://foobar:1234", + AuthType: DefaultVaultAuthType, + AuthPath: "test", + Namespace: "test", + RevokeOnShutdown: true, + UserID: "1000", + GroupID: "100", + SameID: DefaultAgentRunAsSameUser, + SetSecurityContext: DefaultAgentSetSecurityContext, + DefaultTemplate: "map", + ResourceRequestCPU: DefaultResourceRequestCPU, + ResourceRequestMem: DefaultResourceRequestMem, + ResourceRequestEphemeral: DefaultResourceRequestEphemeral, + ResourceLimitCPU: DefaultResourceLimitCPU, + ResourceLimitMem: DefaultResourceLimitMem, + ResourceLimitEphemeral: DefaultResourceLimitEphemeral, + ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, } err := Init(pod, agentConfig) 
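Review bot: The AgentConfig literal in TestContainerSidecarVolume is one of seven near-identical copies in this file that each had to grow the two Ephemeral fields by hand (the hunks for TestContainerSidecarVolumeWithIRSA, TestContainerSidecar, TestContainerSidecarRevokeHook, TestContainerSidecarConfigMap and TestContainerCache are the same edit), so the next resource field will again need parallel edits and a missed copy would not fail to compile. If annotations_test.go shares this package, `basicAgentConfig()` from the earlier hunk could be the base with each test overriding only the fields it actually checks, e.g. `agentConfig := basicAgentConfig()` followed by `agentConfig.Address = "http://foobar:1234"` and `agentConfig.DefaultTemplate = "map"`. The test functions start and end outside these hunks.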
@@ -136,22 +138,24 @@ func TestContainerSidecarVolumeWithIRSA(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - Image: "foobar-image", - Address: "http://foobar:1234", - AuthType: "aws", - AuthPath: "test", - Namespace: "test", - RevokeOnShutdown: true, - UserID: "1000", - GroupID: "100", - SameID: DefaultAgentRunAsSameUser, - SetSecurityContext: DefaultAgentSetSecurityContext, - DefaultTemplate: "map", - ResourceRequestCPU: DefaultResourceRequestCPU, - ResourceRequestMem: DefaultResourceRequestMem, - ResourceLimitCPU: DefaultResourceLimitCPU, - ResourceLimitMem: DefaultResourceLimitMem, - ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, + Image: "foobar-image", + Address: "http://foobar:1234", + AuthType: "aws", + AuthPath: "test", + Namespace: "test", + RevokeOnShutdown: true, + UserID: "1000", + GroupID: "100", + SameID: DefaultAgentRunAsSameUser, + SetSecurityContext: DefaultAgentSetSecurityContext, + DefaultTemplate: "map", + ResourceRequestCPU: DefaultResourceRequestCPU, + ResourceRequestMem: DefaultResourceRequestMem, + ResourceRequestEphemeral: DefaultResourceRequestEphemeral, + ResourceLimitCPU: DefaultResourceLimitCPU, + ResourceLimitMem: DefaultResourceLimitMem, + ResourceLimitEphemeral: DefaultResourceLimitEphemeral, + ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, } err := Init(pod, agentConfig) 
@@ -213,22 +217,24 @@ func TestContainerSidecar(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - Image: "foobar-image", - Address: "http://foobar:1234", - AuthType: DefaultVaultAuthType, - AuthPath: "test", - Namespace: "test", - UserID: "1000", - GroupID: "100", - SameID: DefaultAgentRunAsSameUser, - SetSecurityContext: DefaultAgentSetSecurityContext, - ProxyAddress: "https://proxy:3128", - DefaultTemplate: "map", - ResourceRequestCPU: DefaultResourceRequestCPU, - ResourceRequestMem: DefaultResourceRequestMem, - ResourceLimitCPU: DefaultResourceLimitCPU, - ResourceLimitMem: DefaultResourceLimitMem, - ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, + Image: "foobar-image", + Address: "http://foobar:1234", + AuthType: DefaultVaultAuthType, + AuthPath: "test", + Namespace: "test", + UserID: "1000", + GroupID: "100", + SameID: DefaultAgentRunAsSameUser, + SetSecurityContext: DefaultAgentSetSecurityContext, + ProxyAddress: "https://proxy:3128", + DefaultTemplate: "map", + ResourceRequestCPU: DefaultResourceRequestCPU, + ResourceRequestMem: DefaultResourceRequestMem, + ResourceRequestEphemeral: DefaultResourceRequestEphemeral, + ResourceLimitCPU: DefaultResourceLimitCPU, + ResourceLimitMem: DefaultResourceLimitMem, + ResourceLimitEphemeral: DefaultResourceLimitEphemeral, + ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, } err := Init(pod, agentConfig) 
@@ -295,12 +301,20 @@ func TestContainerSidecar(t *testing.T) {
 t.Errorf("resource memory limit value wrong, should have been %s, got %s", DefaultResourceLimitMem, container.Resources.Limits.Memory().String())
 }
 
+ if container.Resources.Limits.StorageEphemeral().String() != DefaultResourceLimitEphemeral {
+ t.Errorf("resource ephemeral storage limit value wrong, should have been %s, got %s", DefaultResourceLimitEphemeral, container.Resources.Limits.StorageEphemeral().String())
+ }
+
 if container.Resources.Requests.Cpu().String() != DefaultResourceRequestCPU {
 t.Errorf("resource cpu requests value wrong, should have been %s, got %s", DefaultResourceRequestCPU, container.Resources.Requests.Cpu().String())
 }
 
 if container.Resources.Requests.Memory().String() != DefaultResourceRequestMem {
- t.Errorf("resource memory requests value wrong, should have been %s, got %s", DefaultResourceLimitMem, container.Resources.Requests.Memory().String())
+ t.Errorf("resource memory requests value wrong, should have been %s, got %s", DefaultResourceRequestMem, container.Resources.Requests.Memory().String())
+ }
+
+ if container.Resources.Requests.StorageEphemeral().String() != DefaultResourceRequestEphemeral {
+ t.Errorf("resource ephemeral storage requests value wrong, should have been %s, got %s", DefaultResourceRequestEphemeral, container.Resources.Requests.Memory().String())
 }
 
 for _, volumeMount := range container.VolumeMounts {
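Review bot: The failure message of the new ephemeral-storage request check prints `container.Resources.Requests.Memory().String()`, so when the assertion trips the "got" value shown is the memory request rather than the ephemeral one — the same copy-paste mismatch the hunk just fixed in the memory message two lines above. Change it to `t.Errorf("resource ephemeral storage requests value wrong, should have been %s, got %s", DefaultResourceRequestEphemeral, container.Resources.Requests.StorageEphemeral().String())`. TestContainerSidecar's body continues outside the hunk.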
@@ -345,22 +359,24 @@ func TestContainerSidecarRevokeHook(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - Image: "foobar-image", - Address: "http://foobar:1234", - AuthType: DefaultVaultAuthType, - AuthPath: "test", - Namespace: "test", - RevokeOnShutdown: tt.revokeFlag, - UserID: "1000", - GroupID: "100", - SameID: DefaultAgentRunAsSameUser, - SetSecurityContext: DefaultAgentSetSecurityContext, - DefaultTemplate: "map", - ResourceRequestCPU: DefaultResourceRequestCPU, - ResourceRequestMem: DefaultResourceRequestMem, - ResourceLimitCPU: DefaultResourceLimitCPU, - ResourceLimitMem: DefaultResourceLimitMem, - ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, + Image: "foobar-image", + Address: "http://foobar:1234", + AuthType: DefaultVaultAuthType, + AuthPath: "test", + Namespace: "test", + RevokeOnShutdown: tt.revokeFlag, + UserID: "1000", + GroupID: "100", + SameID: DefaultAgentRunAsSameUser, + SetSecurityContext: DefaultAgentSetSecurityContext, + DefaultTemplate: "map", + ResourceRequestCPU: DefaultResourceRequestCPU, + ResourceRequestMem: DefaultResourceRequestMem, + ResourceRequestEphemeral: DefaultResourceRequestEphemeral, + ResourceLimitCPU: DefaultResourceLimitCPU, + ResourceLimitMem: DefaultResourceLimitMem, + ResourceLimitEphemeral: DefaultResourceLimitEphemeral, + ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, } err := Init(pod, agentConfig) 
@@ -413,22 +429,24 @@ func TestContainerSidecarConfigMap(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - Image: "foobar-image", - Address: "http://foobar:1234", - AuthType: DefaultVaultAuthType, - AuthPath: "test", - Namespace: "test", - RevokeOnShutdown: true, - UserID: "1000", - GroupID: "100", - SameID: DefaultAgentRunAsSameUser, - SetSecurityContext: DefaultAgentSetSecurityContext, - DefaultTemplate: "map", - ResourceRequestCPU: DefaultResourceRequestCPU, - ResourceRequestMem: DefaultResourceRequestMem, - ResourceLimitCPU: DefaultResourceLimitCPU, - ResourceLimitMem: DefaultResourceLimitMem, - ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, + Image: "foobar-image", + Address: "http://foobar:1234", + AuthType: DefaultVaultAuthType, + AuthPath: "test", + Namespace: "test", + RevokeOnShutdown: true, + UserID: "1000", + GroupID: "100", + SameID: DefaultAgentRunAsSameUser, + SetSecurityContext: DefaultAgentSetSecurityContext, + DefaultTemplate: "map", + ResourceRequestCPU: DefaultResourceRequestCPU, + ResourceRequestMem: DefaultResourceRequestMem, + ResourceRequestEphemeral: DefaultResourceRequestEphemeral, + ResourceLimitCPU: DefaultResourceLimitCPU, + ResourceLimitMem: DefaultResourceLimitMem, + ResourceLimitEphemeral: DefaultResourceLimitEphemeral, + ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, } err := Init(pod, agentConfig) 
@@ -1128,22 +1146,24 @@ func TestContainerCache(t *testing.T) { var patches []*jsonpatch.JsonPatchOperation agentConfig := AgentConfig{ - Image: "foobar-image", - Address: "http://foobar:1234", - AuthType: DefaultVaultAuthType, - AuthPath: "test", - Namespace: "test", - RevokeOnShutdown: true, - UserID: "1000", - GroupID: "100", - SameID: DefaultAgentRunAsSameUser, - SetSecurityContext: DefaultAgentSetSecurityContext, - DefaultTemplate: "map", - ResourceRequestCPU: DefaultResourceRequestCPU, - ResourceRequestMem: DefaultResourceRequestMem, - ResourceLimitCPU: DefaultResourceLimitCPU, - ResourceLimitMem: DefaultResourceLimitMem, - ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, + Image: "foobar-image", + Address: "http://foobar:1234", + AuthType: DefaultVaultAuthType, + AuthPath: "test", + Namespace: "test", + RevokeOnShutdown: true, + UserID: "1000", + GroupID: "100", + SameID: DefaultAgentRunAsSameUser, + SetSecurityContext: DefaultAgentSetSecurityContext, + DefaultTemplate: "map", + ResourceRequestCPU: DefaultResourceRequestCPU, + ResourceRequestMem: DefaultResourceRequestMem, + ResourceRequestEphemeral: DefaultResourceRequestEphemeral, + ResourceLimitCPU: DefaultResourceLimitCPU, + ResourceLimitMem: DefaultResourceLimitMem, + ResourceLimitEphemeral: DefaultResourceLimitEphemeral, + ExitOnRetryFailure: DefaultTemplateConfigExitOnRetryFailure, } err := Init(pod, agentConfig) diff --git a/subcommand/injector/command.go b/subcommand/injector/command.go index 88e6e64a..011a70ba 100644 --- a/subcommand/injector/command.go +++ b/subcommand/injector/command.go @@ -32,7 +32,7 @@ import ( "k8s.io/client-go/informers" informerv1 "k8s.io/client-go/informers/core/v1" "k8s.io/client-go/kubernetes" - "k8s.io/client-go/listers/admissionregistration/v1" + v1 "k8s.io/client-go/listers/admissionregistration/v1" "k8s.io/client-go/rest" "k8s.io/client-go/tools/cache" ) 
@@ -64,8 +64,10 @@ type Command struct {
 flagDefaultTemplate string // Toggles which default template to use
 flagResourceRequestCPU string // Set CPU request in the injected containers
 flagResourceRequestMem string // Set Memory request in the injected containers
+ flagResourceRequestEphemeral string // Set Ephemeral Storage request in the injected containers
 flagResourceLimitCPU string // Set CPU limit in the injected containers
 flagResourceLimitMem string // Set Memory limit in the injected containers
+ flagResourceLimitEphemeral string // Set Ephemeral storage limit in the injected containers
 flagTLSMinVersion string // Minimum TLS version supported by the webhook server
 flagTLSCipherSuites string // Comma-separated list of supported cipher suites
 flagAuthMinBackoff string // Auth min backoff on failure
diff --git a/subcommand/injector/flags.go b/subcommand/injector/flags.go
index 55d529fe..d6ea428f 100644
--- a/subcommand/injector/flags.go
+++ b/subcommand/injector/flags.go
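Review bot: The two new field comments spell the same term differently (`Set Ephemeral Storage request` vs `Set Ephemeral storage limit`); pick one form for both so the column reads like its CPU/Memory neighbours, e.g. `flagResourceRequestEphemeral string // Set Ephemeral storage request in the injected containers`. The Command struct continues outside the hunk.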
@@ -165,16 +165,19 @@ func (c *Command) init() { "Use leader elector to coordinate multiple replicas when updating CA and Certs with auto-tls") c.flagSet.StringVar(&c.flagDefaultTemplate, "default-template", agent.DefaultTemplateType, "Sets the default template type (map or json). Defaults to map.") - c.flagSet.StringVar(&c.flagResourceRequestCPU, "cpu-request", agent.DefaultResourceRequestCPU, fmt.Sprintf("CPU resource request set in injected containers. Defaults to %s", agent.DefaultResourceRequestCPU)) c.flagSet.StringVar(&c.flagResourceRequestMem, "memory-request", agent.DefaultResourceRequestMem, fmt.Sprintf("Memory resource request set in injected containers. Defaults to %s", agent.DefaultResourceRequestMem)) + c.flagSet.StringVar(&c.flagResourceRequestEphemeral, "ephemeral-storage-request", agent.DefaultResourceRequestEphemeral, + fmt.Sprintf("Ephemeral Storage resource request set in injected containers. Defaults to %s", agent.DefaultResourceRequestEphemeral)) c.flagSet.StringVar(&c.flagResourceLimitCPU, "cpu-limit", agent.DefaultResourceLimitCPU, fmt.Sprintf("CPU resource limit set in injected containers. Defaults to %s", agent.DefaultResourceLimitCPU)) c.flagSet.StringVar(&c.flagResourceLimitMem, "memory-limit", agent.DefaultResourceLimitMem, fmt.Sprintf("Memory resource limit set in injected containers. Defaults to %s", agent.DefaultResourceLimitMem)) + c.flagSet.StringVar(&c.flagResourceLimitEphemeral, "ephemeral-storage-limit", agent.DefaultResourceLimitEphemeral, + fmt.Sprintf("Ephemeral Storage resource limit set in injected containers. Defaults to %s", agent.DefaultResourceLimitEphemeral)) c.flagSet.StringVar(&c.flagAuthMinBackoff, "auth-min-backoff", "", "Sets the minimum backoff on auto-auth failure. Default is 1s") c.flagSet.StringVar(&c.flagAuthMaxBackoff, "auth-max-backoff", "", From 94764e432b81d38d5a946ba9c631580f51324bcb Mon Sep 17 00:00:00 2001 
From: "v.lamykin" 
Date: Wed, 15 Jun 2022 10:19:31 +0300
Subject: [PATCH 2/3] + Env
---
 agent-inject/handler.go | 4 ++++
 subcommand/injector/flags.go | 14 ++++++++++++++
 2 files changed, 18 insertions(+)
diff --git a/agent-inject/handler.go b/agent-inject/handler.go
index 411e8954..fc0958d8 100644
--- a/agent-inject/handler.go
+++ b/agent-inject/handler.go
@@ -60,8 +60,10 @@ type Handler struct {
 DefaultTemplate string
 ResourceRequestCPU string
 ResourceRequestMem string
+ ResourceRequestEphemeral string
 ResourceLimitCPU string
 ResourceLimitMem string
+ ResourceLimitEphemeral string
 ExitOnRetryFailure bool
 StaticSecretRenderInterval string
 AuthMinBackoff string
@@ -192,8 +194,10 @@ func (h *Handler) Mutate(req *admissionv1.AdmissionRequest) *admissionv1.Admissi
 DefaultTemplate: h.DefaultTemplate,
 ResourceRequestCPU: h.ResourceRequestCPU,
 ResourceRequestMem: h.ResourceRequestMem,
+ ResourceRequestEphemeral: h.ResourceRequestEphemeral,
 ResourceLimitCPU: h.ResourceLimitCPU,
 ResourceLimitMem: h.ResourceLimitMem,
+ ResourceLimitEphemeral: h.ResourceLimitEphemeral,
 ExitOnRetryFailure: h.ExitOnRetryFailure,
 StaticSecretRenderInterval: h.StaticSecretRenderInterval,
 AuthMinBackoff: h.AuthMinBackoff,
diff --git a/subcommand/injector/flags.go b/subcommand/injector/flags.go
index d6ea428f..b2b3c0f7 100644
--- a/subcommand/injector/flags.go
+++ b/subcommand/injector/flags.go
@@ -99,12 +99,18 @@ type Specification struct {
 // ResourceRequestMem is the AGENT_INJECT_MEM_REQUEST environment variable.
 ResourceRequestMem string `envconfig:"AGENT_INJECT_MEM_REQUEST"`
 
+ // ResourceRequestEphemeral is the AGENT_INJECT_EPHEMERAL_REQUEST environment variable.
+ ResourceRequestEphemeral string `envconfig:"AGENT_INJECT_EPHEMERAL_REQUEST"`
+
 // ResourceLimitCPU is the AGENT_INJECT_CPU_LIMIT environment variable.
 ResourceLimitCPU string `envconfig:"AGENT_INJECT_CPU_LIMIT"`
 
 // ResourceLimitMem is the AGENT_INJECT_MEM_LIMIT environment variable.
 ResourceLimitMem string `envconfig:"AGENT_INJECT_MEM_LIMIT"`
 
+ // ResourceLimitEphemeral is the AGENT_INJECT_EPHEMERAL_LIMIT environment variable.
+ ResourceLimitEphemeral string `envconfig:"AGENT_INJECT_EPHEMERAL_LIMIT"`
+
 // TLSMinVersion is the AGENT_INJECT_TLS_MIN_VERSION environment variable
 TLSMinVersion string `envconfig:"tls_min_version"`
 
@@ -337,6 +343,10 @@ func (c *Command) parseEnvs() error {
 c.flagResourceRequestMem = envs.ResourceRequestMem
 }
 
+ if envs.ResourceRequestEphemeral != "" {
+ c.flagResourceRequestEphemeral = envs.ResourceRequestEphemeral
+ }
+
 if envs.ResourceLimitCPU != "" {
 c.flagResourceLimitCPU = envs.ResourceLimitCPU
 }
@@ -345,6 +355,10 @@ func (c *Command) parseEnvs() error {
 c.flagResourceLimitMem = envs.ResourceLimitMem
 }
 
+ if envs.ResourceLimitEphemeral != "" {
+ c.flagResourceLimitEphemeral = envs.ResourceLimitEphemeral
+ }
+
 if envs.TLSMinVersion != "" {
 c.flagTLSMinVersion = envs.TLSMinVersion
 }
From b6a6f27e0608200e7ff02d67a987ab0657552661 Mon Sep 17 00:00:00 2001
From: Tom Proctor 
Date: Tue, 16 Aug 2022 14:29:28 +0100
Subject: [PATCH 3/3] Thread flags through, changelog++
---
 CHANGELOG.md | 1 +
 subcommand/injector/command.go | 2 ++
 2 files changed, 3 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 4c151e50..679fbabd 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -2,6 +2,7 @@ Features: * Support for setting [`disable_keep_alives`](https://github.com/hashicorp/vault/pull/16479) in the agent config [GH-376](https://github.com/hashicorp/vault-k8s/pull/376) +* Added flags, envs and annotations to control ephemeral storage resources for injected containers: [GH-360](https://github.com/hashicorp/vault-k8s/pull/360) ## 0.17.0 (July 28, 2022) diff --git a/subcommand/injector/command.go b/subcommand/injector/command.go index 90603f70..5ccaa730 100644 --- a/subcommand/injector/command.go +++ b/subcommand/injector/command.go @@ -205,8 +205,10 @@ func (c *Command) Run(args []string) int { DefaultTemplate: c.flagDefaultTemplate, ResourceRequestCPU: c.flagResourceRequestCPU, ResourceRequestMem: c.flagResourceRequestMem, + ResourceRequestEphemeral: c.flagResourceRequestEphemeral, ResourceLimitCPU: c.flagResourceLimitCPU, ResourceLimitMem: c.flagResourceLimitMem, + ResourceLimitEphemeral: c.flagResourceLimitEphemeral, ExitOnRetryFailure: c.flagExitOnRetryFailure, StaticSecretRenderInterval: c.flagStaticSecretRenderInterval, AuthMinBackoff: c.flagAuthMinBackoff,