From 58c8703b69c157d0497b1bdf3050b436014660e8 Mon Sep 17 00:00:00 2001
From: Spencer Gilbert
Date: Wed, 15 Apr 2020 22:46:51 -0400
Subject: [PATCH] Add resources for pod disruption budgets and horizontal scaling (#81)
Signed-off-by: Spencer Gilbert
---
 charts/pomerium/Chart.yaml | 2 +-
 charts/pomerium/README.md | 23 +++++++++++++
 .../templates/authenticate-deployment.yaml | 2 ++
 .../pomerium/templates/authenticate-hpa.yaml | 32 +++++++++++++++++++
 .../pomerium/templates/authenticate-pdb.yaml | 18 +++++++++++
 .../templates/authorize-deployment.yaml | 2 ++
 charts/pomerium/templates/authorize-hpa.yaml | 32 +++++++++++++++++++
 charts/pomerium/templates/authorize-pdb.yaml | 18 +++++++++++
 charts/pomerium/templates/cache-pdb.yaml | 18 +++++++++++
 .../pomerium/templates/proxy-deployment.yaml | 2 ++
 charts/pomerium/templates/proxy-hpa.yaml | 32 +++++++++++++++++++
 charts/pomerium/templates/proxy-pdb.yaml | 18 +++++++++++
 charts/pomerium/values.yaml | 30 +++++++++++++++++
 13 files changed, 228 insertions(+), 1 deletion(-)
 create mode 100644 charts/pomerium/templates/authenticate-hpa.yaml
 create mode 100644 charts/pomerium/templates/authenticate-pdb.yaml
 create mode 100644 charts/pomerium/templates/authorize-hpa.yaml
 create mode 100644 charts/pomerium/templates/authorize-pdb.yaml
 create mode 100644 charts/pomerium/templates/cache-pdb.yaml
 create mode 100644 charts/pomerium/templates/proxy-hpa.yaml
 create mode 100644 charts/pomerium/templates/proxy-pdb.yaml
diff --git a/charts/pomerium/Chart.yaml b/charts/pomerium/Chart.yaml
index 9878a074..4552d0a4 100644
--- a/charts/pomerium/Chart.yaml
+++ b/charts/pomerium/Chart.yaml
@@ -1,6 +1,6 @@
 apiVersion: v1
 name: pomerium
-version: 8.0.1
+version: 8.1.0
 appVersion: 0.6.2
 home: http://www.pomerium.io/
 icon: https://www.pomerium.io/logo-long.svg
diff --git a/charts/pomerium/README.md b/charts/pomerium/README.md
index 8f353f9f..d3dda521 100644
--- a/charts/pomerium/README.md
+++ b/charts/pomerium/README.md
@@ -158,6 +158,13 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `authenticate.idp.scopes` | Identity [Provider Scopes](https://www.pomerium.io/configuration/#identity-provider-scopes). | Optional |
 | `authenticate.idp.serviceAccount` | Identity Provider [service account](https://www.pomerium.io/docs/reference/reference.html#identity-provider-service-account). | Optional |
 | `authenticate.replicaCount` | Number of Authenticate pods to run | `1` |
+| `authenticate.autoscaling.enabled` | Enable Horizontal Pod Autoscaler for Authenticate pods | false |
+| `authenticate.autoscaling.minReplicas`| Minimum number of pods in the Authenticate deployment | `1` |
+| `authenticate.autoscaling.maxReplicas`| Maximum number of pods in the Authenticate deployment | `5` |
+| `authenticate.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization, averaged across pods (as a percent) | `50` |
+| `authenticate.autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization, averaged across pods (as a percent)| `50` |
+| `authenticate.pdb.enabled` | Enable PodDisruptionBudget for Authenticate deployment | false |
+| `authenticate.pdb.minAvailable` | Number of Authenticate pods that must be available, can be a number or percentage | `1` |
 | `authenticate.existingTLSSecret` | Name of existing TLS Secret for authenticate service | |
 | `authenticate.deployment.annotations` | Annotations for the authenticate deployment. If none given, then use value of `annotations` | `{}` |
 | `authenticate.service.annotations` | Annotations for the authenticate service. If none given, then use value of `service.annotations` | `{}` |
@@ -166,6 +173,13 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `proxy.fullnameOverride` | Full name of the proxy service. | `proxy` |
 | `proxy.authenticateServiceUrl` | The externally accessible url for the authenticate service. | `https://{{authenticate.name}}.{{config.rootDomain}}` |
 | `proxy.replicaCount` | Number of Proxy pods to run | `1` |
+| `proxy.autoscaling.enabled` | Enable Horizontal Pod Autoscaler for Proxy pods | false |
+| `proxy.autoscaling.minReplicas` | Minimum number of pods in the Proxy deployment | `1` |
+| `proxy.autoscaling.maxReplicas` | Maximum number of pods in the Proxy deployment | `5` |
+| `proxy.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization, averaged across pods (as a percent) | `50` |
+| `proxy.autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization, averaged across pods (as a percent) | `50` |
+| `proxy.pdb.enabled` | Enable PodDisruptionBudget for Proxy deployment | false |
+| `proxy.pdb.minAvailable` | Number of Proxy pods that must be available, can be a number or percentage | `1` |
 | `proxy.existingTLSSecret` | Name of existing TLS Secret for proxy service | |
 | `proxy.deployment.annotations` | Annotations for the proxy deployment. If none given, then use value of `annotations` | `{}` |
 | `proxy.service.annotations` | Annotations for the proxy service. If none given, then use value of `service.annotations` | `{}` |
@@ -174,6 +188,13 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `authorize.nameOverride` | Name of the authorize service. | `authorize` |
 | `authorize.fullnameOverride` | Full name of the authorize service. | `authorize` |
 | `authorize.replicaCount` | Number of Authorize pods to run | `1` |
+| `authorize.autoscaling.enabled` | Enable Horizontal Pod Autoscaler for Authorize pods | false |
+| `authorize.autoscaling.minReplicas` | Minimum number of pods in the Authorize deployment | `1` |
+| `authorize.autoscaling.maxReplicas` | Maximum number of pods in the Authorize deployment | `5` |
+| `authorize.autoscaling.targetCPUUtilizationPercentage` | Target CPU utilization, averaged across pods (as a percent) | `50` |
+| `authorize.autoscaling.targetMemoryUtilizationPercentage` | Target Memory utilization, averaged across pods (as a percent) | `50` |
+| `authorize.pdb.enabled` | Enable PodDisruptionBudget for Authorize deployment | false |
+| `authorize.pdb.minAvailable` | Number of Authorize pods that must be available, can be a number or percentage | `1` |
 | `authorize.existingTLSSecret` | Name of existing TLS Secret for authorize service | |
 | `forwardAuth.nameOverride` | External name of the forward-auth endpoint | `forwardauth.${rootDomain}` |
 | `forwardAuth.enabled` | Enable forward-auth endpoint for third party ingress controllers to use for auth checks. Setting this disables automatic enumeration of `from` hostnames in the Pomerium Ingress object to prevent conflicts. Use `ingress.hosts` to mix forward-auth and proxy mode on a single Pomerium instance | `false` |
@@ -203,6 +224,8 @@ A full listing of Pomerium's configuration variables can be found on the [config
 | `cache.nameOverride` | Name of the cache service. | `cache` |
 | `cache.fullnameOverride` | Full name of the cache service. | `cache` |
 | `cache.replicaCount` | Number of cache pods to run | `1` |
+| `cache.pdb.enabled` | Enable PodDisruptionBudget for Cache deployment | false |
+| `cache.pdb.minAvailable` | Number of pods that must be available, can be a number or percentage | `1` |
 | `cache.existingTLSSecret` | Name of existing TLS Secret for authorize service |
 | `operator.enabled` | Enable experimental pomerium operator support | false |
 | `operator.nameOverride` | Name of the operator | `operator` |
diff --git a/charts/pomerium/templates/authenticate-deployment.yaml b/charts/pomerium/templates/authenticate-deployment.yaml
index d49c5ee2..28907704 100644
--- a/charts/pomerium/templates/authenticate-deployment.yaml
+++ b/charts/pomerium/templates/authenticate-deployment.yaml
@@ -20,7 +20,9 @@ metadata:
 {{- end }}
 {{- end }}
 spec:
+ {{- if (ne .Values.authenticate.autoscaling.enabled true) }}
 replicas: {{ default .Values.replicaCount .Values.authenticate.replicaCount }}
+ {{- end }}
 selector:
 matchLabels:
 app.kubernetes.io/name: {{ template "pomerium.authenticate.name" . }}
diff --git a/charts/pomerium/templates/authenticate-hpa.yaml b/charts/pomerium/templates/authenticate-hpa.yaml
new file mode 100644
index 00000000..c57dd452
--- /dev/null
+++ b/charts/pomerium/templates/authenticate-hpa.yaml
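Review bot: The new guard `{{- if (ne .Values.authenticate.autoscaling.enabled true) }}` tests the flag by comparing it to the boolean literal, while the HPA template that must stay in lockstep with it tests the same value by plain truthiness (`{{- if .Values.authenticate.autoscaling.enabled }}`), so the two templates can disagree on a non-boolean override such as a quoted `"true"` in a values file — as far as I can tell Go's `ne` fails on a string/bool comparison where the HPA template would simply render. `{{- if not .Values.authenticate.autoscaling.enabled }}` evaluates the flag exactly as the HPA does and drops the double negation. The same construct appears in the authorize-deployment and proxy-deployment hunks. The enclosing `spec:` block continues outside the hunk.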
@@ -0,0 +1,32 @@
+{{- if .Values.authenticate.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "pomerium.authenticate.name" . }}
+ helm.sh/chart: {{ template "pomerium.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: authenticate
+ name: {{ template "pomerium.authenticate.fullname" . }}-hpa
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "pomerium.authenticate.fullname" . }}
+ minReplicas: {{ .Values.authenticate.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.authenticate.autoscaling.maxReplicas }}
+ metrics:
+{{- with .Values.authenticate.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- with .Values.authenticate.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- end }}
diff --git a/charts/pomerium/templates/authenticate-pdb.yaml b/charts/pomerium/templates/authenticate-pdb.yaml
new file mode 100644
index 00000000..6b8e2866
--- /dev/null
+++ b/charts/pomerium/templates/authenticate-pdb.yaml
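Review bot: Both metric entries sit inside `{{- with … }}`, so a user who sets `targetCPUUtilizationPercentage` and `targetMemoryUtilizationPercentage` both to `0` (or null) gets a bare `metrics:` key with nothing under it, and the HPA's behaviour then rests on API-server defaulting rather than on anything the chart states. Either document in the README that `0` drops a metric and at least one must remain, or guard it: `{{- if not (or .Values.authenticate.autoscaling.targetCPUUtilizationPercentage .Values.authenticate.autoscaling.targetMemoryUtilizationPercentage) }}{{ fail "authenticate.autoscaling: set at least one target utilization" }}{{- end }}`. Utilization metrics also require `resources.requests` on the target containers; if the chart's defaults leave requests empty (not visible in this diff) the HPA cannot compute a value, which the README rows should mention. `autoscaling/v2beta1` is deprecated in favour of `autoscaling/v2beta2` (available since Kubernetes 1.12), which expresses the same target as `target: {type: Utilization, averageUtilization: N}`; I would pick that for a brand-new template. The same points apply to the authorize-hpa and proxy-hpa hunks.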
@@ -0,0 +1,18 @@
+{{- if .Values.authenticate.pdb.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "pomerium.authenticate.name" . }}
+ helm.sh/chart: {{ template "pomerium.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: authenticate
+ name: {{ template "pomerium.authenticate.fullname" . }}-pdp
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "pomerium.authenticate.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ minAvailable: {{ .Values.authenticate.pdb.minAvailable }}
+{{- end }}
diff --git a/charts/pomerium/templates/authorize-deployment.yaml b/charts/pomerium/templates/authorize-deployment.yaml
index 1a67ded9..7e6381d8 100644
--- a/charts/pomerium/templates/authorize-deployment.yaml
+++ b/charts/pomerium/templates/authorize-deployment.yaml
@@ -22,7 +22,9 @@ metadata:
 {{- end }}
 {{- end }}
 spec:
+ {{- if (ne .Values.authorize.autoscaling.enabled true) }}
 replicas: {{ default .Values.replicaCount .Values.authorize.replicaCount }}
+ {{- end }}
 selector:
 matchLabels:
 app.kubernetes.io/name: {{ template "pomerium.authorize.name" . }}
diff --git a/charts/pomerium/templates/authorize-hpa.yaml b/charts/pomerium/templates/authorize-hpa.yaml
new file mode 100644
index 00000000..3e935145
--- /dev/null
+++ b/charts/pomerium/templates/authorize-hpa.yaml
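Review bot: The object is named `{{ template "pomerium.authenticate.fullname" . }}-pdp`, which reads as a typo for `-pdb`: the file, the values key and the README all say `pdb`, and this suffix becomes the name operators will look for in `kubectl get pdb`. Fixing it before the chart version ships avoids a rename on a later upgrade; the same suffix is used in the authorize-pdb, cache-pdb and proxy-pdb hunks. The opening `{{- if … -}}` trims the following newline here whereas the HPA templates open with `{{- if … }}`, a small inconsistency between the two new template families. `policy/v1beta1` is right for clusters of this era, but PodDisruptionBudget is served as `policy/v1` from Kubernetes 1.21 and the beta version is removed in 1.25, so selecting the apiVersion with `.Capabilities.APIVersions.Has "policy/v1"` would keep the chart installable as clusters move on.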
@@ -0,0 +1,32 @@
+{{- if .Values.authorize.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "pomerium.authorize.name" . }}
+ helm.sh/chart: {{ template "pomerium.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: authorize
+ name: {{ template "pomerium.authorize.fullname" . }}-hpa
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "pomerium.authorize.fullname" . }}
+ minReplicas: {{ .Values.authorize.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.authorize.autoscaling.maxReplicas }}
+ metrics:
+{{- with .Values.authorize.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- with .Values.authorize.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- end }}
diff --git a/charts/pomerium/templates/authorize-pdb.yaml b/charts/pomerium/templates/authorize-pdb.yaml
new file mode 100644
index 00000000..d8489a9a
--- /dev/null
+++ b/charts/pomerium/templates/authorize-pdb.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.authorize.pdb.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "pomerium.authorize.name" . }}
+ helm.sh/chart: {{ template "pomerium.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: authorize
+ name: {{ template "pomerium.authorize.fullname" . }}-pdp
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "pomerium.authorize.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ minAvailable: {{ .Values.authorize.pdb.minAvailable }}
+{{- end }}
diff --git a/charts/pomerium/templates/cache-pdb.yaml b/charts/pomerium/templates/cache-pdb.yaml
new file mode 100644
index 00000000..b2ee5bfb
--- /dev/null
+++ b/charts/pomerium/templates/cache-pdb.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.cache.pdb.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+ helm.sh/chart: {{ template "pomerium.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: cache
+ name: {{ template "pomerium.cache.fullname" . }}-pdp
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "pomerium.cache.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ minAvailable: {{ .Values.cache.pdb.minAvailable }}
+{{- end }}
diff --git a/charts/pomerium/templates/proxy-deployment.yaml b/charts/pomerium/templates/proxy-deployment.yaml
index f69af1c8..01787dfb 100644
--- a/charts/pomerium/templates/proxy-deployment.yaml
+++ b/charts/pomerium/templates/proxy-deployment.yaml
@@ -22,7 +22,9 @@ metadata:
 {{- end }}
 {{- end }}
 spec:
+ {{- if (ne .Values.proxy.autoscaling.enabled true) }}
 replicas: {{ default .Values.replicaCount .Values.proxy.replicaCount }}
+ {{- end }}
 selector:
 matchLabels:
 app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
diff --git a/charts/pomerium/templates/proxy-hpa.yaml b/charts/pomerium/templates/proxy-hpa.yaml
new file mode 100644
index 00000000..598c9330
--- /dev/null
+++ b/charts/pomerium/templates/proxy-hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.proxy.autoscaling.enabled }}
+apiVersion: autoscaling/v2beta1
+kind: HorizontalPodAutoscaler
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
+ helm.sh/chart: {{ template "pomerium.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: proxy
+ name: {{ template "pomerium.proxy.fullname" . }}-hpa
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ template "pomerium.proxy.fullname" . }}
+ minReplicas: {{ .Values.proxy.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.proxy.autoscaling.maxReplicas }}
+ metrics:
+{{- with .Values.proxy.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- with .Values.proxy.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ targetAverageUtilization: {{ . }}
+{{- end }}
+{{- end }}
diff --git a/charts/pomerium/templates/proxy-pdb.yaml b/charts/pomerium/templates/proxy-pdb.yaml
new file mode 100644
index 00000000..a6f829df
--- /dev/null
+++ b/charts/pomerium/templates/proxy-pdb.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.proxy.pdb.enabled -}}
+apiVersion: policy/v1beta1
+kind: PodDisruptionBudget
+metadata:
+ labels:
+ app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
+ helm.sh/chart: {{ template "pomerium.chart" . }}
+ app.kubernetes.io/managed-by: {{ .Release.Service }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: proxy
+ name: {{ template "pomerium.proxy.fullname" . }}-pdp
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ template "pomerium.proxy.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ minAvailable: {{ .Values.proxy.pdb.minAvailable }}
+{{- end }}
diff --git a/charts/pomerium/values.yaml b/charts/pomerium/values.yaml
index a4ec2a0f..6d75ba5b 100644
--- a/charts/pomerium/values.yaml
+++ b/charts/pomerium/values.yaml
@@ -44,6 +44,15 @@ authenticate:
 defaultSANList: []
 defaultIPList: []
 replicaCount: 1
+ autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 50
+ targetMemoryUtilizationPercentage: 50
+ pdb:
+ enabled: false
+ minAvailable: 1
 service:
 annotations: {}
 deployment:
@@ -60,6 +69,15 @@ authorize:
 defaultSANList: []
 defaultIPList: []
 replicaCount: 1
+ autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 50
+ targetMemoryUtilizationPercentage: 50
+ pdb:
+ enabled: false
+ minAvailable: 1
 service:
 annotations: {}
 deployment:
@@ -75,6 +93,9 @@ cache:
 defaultSANList: []
 defaultIPList: []
 replicaCount: 1
+ pdb:
+ enabled: false
+ minAvailable: 1
 service:
 annotations: {}
 deployment:
@@ -93,6 +114,15 @@ proxy:
 existingSigningKeySecret: ""
 signingKey: ""
 replicaCount: 1
+ autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 5
+ targetCPUUtilizationPercentage: 50
+ targetMemoryUtilizationPercentage: 50
+ pdb:
+ enabled: false
+ minAvailable: 1
 authenticateServiceUrl: ""
 authorizeInternalUrl: ""
 service:
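Review bot: The defaults `pdb.minAvailable: 1` and `replicaCount: 1` combine badly once `pdb.enabled` is set: a budget requiring one pod of a single-replica deployment leaves zero allowed disruptions, so node drains and cluster upgrades stall on that component until the replica count is raised. A comment on each `pdb:` stanza such as `# keep minAvailable below the running replica count or node drains will block` would prevent that surprise. The HPA templates wrap each metric in `{{- with … }}`, so `0` silently drops that metric; that is useful but undiscoverable from here, and a `# set to 0 to omit this metric from the HPA` comment on the two target keys would document it. Both points apply to the authenticate, authorize, cache and proxy stanzas alike.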