feat(base-cluster/monitoring): fix most of resource linting errors

charts/base-cluster/templates/backup/velero.yaml

@@ -36,6 +36,7 @@ spec:
         volumeMounts:
           - mountPath: /target
             name: plugins
+        resources: {{- include "common.resources" .Values.backup.initContainer | nindent 10 }}
     podSecurityContext:
       fsGroup: 1000
       runAsUser: 1000

charts/base-cluster/templates/cert-manager/cert-manager.yaml

@@ -23,7 +23,16 @@ spec:
     {{- if .Values.global.imageRegistry }}
     image:
       repository: {{ printf "%s/jetstack/cert-manager-controller" $.Values.global.imageRegistry }}
+    {{- end }}
     startupapicheck:
+      resources: {{- include "common.resources" $.Values.certManager.startupapicheck | nindent 8 }}
+        limits:
+          cpu: 50m
+          memory: 100m
+        requests:
+          cpu: 10m
+          memory: 10m
+    {{- if .Values.global.imageRegistry }}
       image:
         repository: {{ printf "%s/jetstack/cert-manager-ctl" $.Values.global.imageRegistry }}
     {{- end }}

charts/base-cluster/templates/flux/_create-authentication-key-secret-job.yaml

@@ -27,6 +27,14 @@ spec:
       containers:
         - name: generate-ssh-key
           image: {{ template "base-cluster.flux.image" .context }}
+          imagePullPolicy: {{ empty .Values.global.kubectl.image.digest | ternary "Always" "IfNotPresent" }}
+          resources:
+            limits:
+              cpu: 50m
+              memory: 100m
+            requests:
+              cpu: 50m
+              memory: 100m
           imagePullPolicy: {{ empty .Values.global.flux.image.digest | ternary "Always" "IfNotPresent" }}
           securityContext:
             readOnlyRootFilesystem: true
@@ -55,6 +63,13 @@ spec:
               value: {{ .identity }}
             - name: GNUPGHOME
               value: /tmp/gnupg
+          resources:
+            limits:
+              cpu: 50m
+              memory: 100m
+            requests:
+              cpu: 50m
+              memory: 100m
           securityContext:
             readOnlyRootFilesystem: true
             privileged: false
@@ -90,6 +105,14 @@ spec:
         - name: create-k8s-secret
           image: {{ include "base-cluster.kubectl.image" .context }}
           imagePullPolicy: {{ empty .Values.global.kubectl.image.digest | ternary "Always" "IfNotPresent" }}
+          resources:
+            limits:
+              cpu: 50m
+              memory: 100m
+            requests:
+              cpu: 10m
+              memory: 10m
+          imagePullPolicy: {{ empty .Values.global.kubectl.image.digest | ternary "Always" "IfNotPresent" }}
           securityContext:
             readOnlyRootFilesystem: true
             privileged: false

charts/base-cluster/templates/global/prevent-uninstallation.yaml

@@ -23,6 +23,13 @@ spec:
         - name: fail
           image: {{ template "base-cluster.kubectl.image" . }}
           imagePullPolicy: {{ empty .Values.global.kubectl.image.digest | ternary "Always" "IfNotPresent" }}
+          resources:
+            limits:
+              cpu: 50m
+              memory: 100m
+            requests:
+              cpu: 50m
+              memory: 100m
           securityContext:
             readOnlyRootFilesystem: true
             privileged: false

charts/base-cluster/templates/ingress/nginx.yaml

@@ -30,6 +30,7 @@ spec:
       {{- if .Values.monitoring.tracing.enabled }}
       opentelemetry:
         enabled: true
+        resources: {{- include "common.resources" .Values.ingress | nindent 10 }}
         {{- if and .Values.global.imageRegistry false }}
         # TODO: this is not really viable, therefore we skip this image for mirroring until this is adjusted upstream
         image: {{ printf "%s/ingress-nginx/opentelemetry:v20230721-3e2062ee5@sha256:13bee3f5223883d3ca62fee7309ad02d22ec00ff0d7033e3e9aca7a9f60fd472" .Values.global.imageRegistry }}

charts/base-cluster/templates/monitoring/deadMansSwitch/registration.yaml

@@ -25,6 +25,13 @@ spec:
         - name: register
           image: {{ include "base-cluster.curl.image" . }}
           imagePullPolicy: {{ empty .Values.global.kubectl.image.digest | ternary "Always" "IfNotPresent" }}
+          resources:
+            limits:
+              cpu: 50m
+              memory: 100m
+            requests:
+              cpu: 50m
+              memory: 100m
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:

charts/base-cluster/templates/monitoring/kube-prometheus-stack/_grafana-config.yaml

@@ -36,6 +36,7 @@ imageRenderer:
     runAsNonRoot: true
     runAsUser: 472
     runAsGroup: 472
+  resources: {{- include "common.resources" .Values.monitoring.grafana.imageRenderer | nindent 2 }}
 enabled: true
 securityContext:
   seccompProfile:
@@ -191,6 +192,13 @@ envValueFrom:
 grafana.ini: {{- $grafanaIni | toYaml | nindent 2 }}
 {{- end }}
 downloadDashboards:
+  resources:
+    limits:
+      cpu: 50m
+      memory: 100m
+    requests:
+      cpu: 10m
+      memory: 10m
   securityContext: {{- include "base-cluster.prometheus-stack.containerSecurityContext" (dict) | nindent 4 }}
 initChownData:
   enabled: false

charts/base-cluster/templates/monitoring/kube-prometheus-stack/_prometheus-stack-config.yaml

@@ -4,6 +4,15 @@ global:
   imageRegistry: {{ .Values.global.imageRegistry }}
   {{- end }}
 prometheusOperator:
+  admissionWebhooks:
+    patch:
+      resources:
+        limits:
+          cpu: 50m
+          memory: 100m
+        requests:
+          cpu: 10m
+          memory: 10m
   secretFieldSelector: 'type!=helm.sh/release.v1'
   resources: {{- include "common.resources" .Values.monitoring.prometheus.operator | nindent 4 }}
   priorityClassName: monitoring-components

charts/base-cluster/templates/monitoring/metrics-server/metrics-server.yaml

@@ -20,6 +20,10 @@ spec:
     global:
       imageRegistry: {{ $.Values.global.imageRegistry }}
     {{- end }}
+    resources:
+      limits:
+        cpu: 100m
+        memory: 64Mi
     replicas: 2
     priorityClassName: cluster-components
     podDisruptionBudget:

charts/base-cluster/templates/monitoring/security/trivy.yaml

@@ -23,6 +23,7 @@ spec:
   upgrade:
     crds: CreateReplace
   values:
+    resources: {{- include "common.resources" .Values.monitoring.securityScanning | nindent 6 }}
     {{- if .Values.global.imageRegistry }}
     image:
       registry: {{ $.Values.global.imageRegistry }}
@@ -44,11 +45,6 @@ spec:
         registry: {{ $.Values.global.imageRegistry }}
     {{- end }}
       ignoreUnfixed: true
-      resources:
-        requests:
-          memory: 256Mi
-        limits:
-          memory: 4Gi
     operator:
       scanJobsConcurrentLimit: 3
       metricsVulnIdEnabled: true

charts/base-cluster/templates/monitoring/tracing/grafana-tempo.yaml

@@ -21,14 +21,32 @@ spec:
     global:
       imageRegistry: {{ $.Values.global.imageRegistry }}
     {{- end }}
-    ingester: {{- include "common.resourcesWithPreset" .Values.monitoring.tracing.ingester | nindent 6 }}
     tempo:
       traces:
         jaeger:
           grpc: false
           thriftHttp: false
         otlp:
           grpc: true
+      resources: {{- include "common.resources" .Values.monitoring.tracing.tempo | nindent 6 }}
+    ingester:
+      resources: {{- include "common.resources" .Values.monitoring.tracing.ingester | nindent 6 }}
+    query:
+      resources: {{- include "common.resources" .Values.monitoring.tracing.query | nindent 6 }}
+    querier:
+      resources: {{- include "common.resources" .Values.monitoring.tracing.querier | nindent 6 }}
+    distributor:
+      resources: {{- include "common.resources" .Values.monitoring.tracing.distributor | nindent 6 }}
+    memcached:
+      resources: {{- include "common.resources" .Values.monitoring.tracing.memcached | nindent 6 }}
+    compactor:
+      resources: {{- include "common.resources" .Values.monitoring.tracing.compactor | nindent 6 }}
+    metricsGenerator:
+      resources: {{- include "common.resources" .Values.monitoring.tracing.metricsGenerator | nindent 6 }}
+    queryFrontend:
+      resources: {{- include "common.resources" .Values.monitoring.tracing.queryFrontend | nindent 6 }}
+    vulture:
+      resources: {{- include "common.resources" .Values.monitoring.tracing.vulture | nindent 6 }}
     metrics:
       enabled: true
       serviceMonitor:

charts/base-cluster/templates/monitoring/tracing/opentelemetry-collector.yaml

@@ -24,6 +24,13 @@ spec:
     mode: daemonset
     service:
       enabled: true
+    resources:
+      limits:
+        cpu: 250m
+        memory: 512Mi
+      requests:
+        cpu: 10m
+        memory: 60Mi
     config:
       receivers:
         prometheus: null

charts/base-cluster/templates/nfs-server-provisioner/nfs-server-provisioner.yaml

@@ -27,6 +27,7 @@ spec:
     image:
       repository: {{ printf "%s/sig-storage/nfs-provisioner" $.Values.global.imageRegistry }}
     {{- end }}
+    resources: {{- include "common.resources" .Values.nfsServerProvisioner | nindent 6 }}
     podSecurityContext:
       seccompProfile:
         type: Unconfined