Add VerticalPodAutoscaler, resource requests and limits, and priority… (

#6) … class
trufflesecurity · Sep 12, 2024 · e3768f7 · e3768f7
1 parent 6ee6f58
commit e3768f7
Show file tree

Hide file tree

Showing 7 changed files with 99 additions and 16 deletions.
diff --git a/trufflehog-0.1.1.tgz b/trufflehog-0.1.1.tgz
diff --git a/trufflehog/Chart.yaml b/trufflehog/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v2
 name: trufflehog
-description: A Helm chart for trufflehog secrets scanning
-version: 0.1.0
+description: A Helm chart for TruffleHog Enterprise
+version: 0.1.1
diff --git a/trufflehog/README.md b/trufflehog/README.md
@@ -1,4 +1,4 @@
-# Trufflehog Helm Chart
+# TruffleHog Enterprise Helm Chart
 
 Description of what the chart deploys and its purpose.
 
@@ -15,31 +15,23 @@ kubectl create namespace trufflehog
 ### Create the Configuration Secret:
 
 Ensure you have the config.yaml file prepared with the appropriate configuration. Then, create the secret in the trufflehog namespace:
+
 ```bash
-kubectl create secret generic config --namespace trufflehog --from-file=config.yaml=config.yaml
+kubectl create secret generic config --namespace trufflehog --from-file=config.yaml=/path/to/config.yaml
 ```
 
 ### Installing the Chart:
 
 Once the prerequisites are satisfied, you can deploy Trufflehog using the following command:
+
 ```bash
 helm repo add trufflesecurity https://trufflesecurity.github.io/helm-charts
 helm install trufflehog trufflesecurity/trufflehog --namespace trufflehog
 ```
 
 ### Configuration
 
-The `values.yaml` file provides configuration options for the Trufflehog Helm chart. This allows you to customize the deployment according to your environment and requirements.
-
-#### Key Configurations:
-
-- **replicaCount**: Sets the number of pod replicas.
-- **image**: Defines the Docker image repository and tag.
-- **config**: Configures the Kubernetes secret that provides the application's configuration data.
-- **probe**: Specifies the health probe settings for the pod, including initial delay and check frequency.
-- **nameOverride** and **fullnameOverride**: Allow for overriding the default naming of the deployment.
-
-To adjust these configurations:
+The [`values.yaml`](values.yaml) file provides configuration options for the Trufflehog Helm chart. This allows you to customize the deployment according to your environment and requirements.
 
 ## Configuration
 
@@ -86,4 +78,3 @@ If you've already installed the Helm release and want to modify the values:
   ```
 
   This command upgrades the existing release using the modified `values.yaml` file.
-
diff --git a/trufflehog/templates/deployment.yaml b/trufflehog/templates/deployment.yaml
@@ -16,6 +16,13 @@ spec:
         app.kubernetes.io/name: {{ include "trufflehog.name" . }}
         app.kubernetes.io/instance: {{ .Release.Name }}
     spec:
+      {{- if .Values.priorityClass.create }}
+      priorityClassName: trufflehog-enterprise
+      {{- else if .Values.priorityClass.name }}
+      priorityClassName: {{ .Values.priorityClass.name }}
+      {{- else }}
+      # no priority class, leave it up to the system
+      {{- end }}
       volumes:
         - name: config-secret-volume
           secret:
@@ -34,3 +41,20 @@ spec:
           volumeMounts:
             - name: config-secret-volume
               mountPath: /secret/
+          resources:
+            requests:
+              memory: "{{ .Values.resources.requests.memory }}"
+              cpu: "{{ .Values.resources.requests.cpu }}"
+              ephemeral-storage: "{{ .Values.resources.requests.ephemeralStorage }}"
+            {{- if .Values.resources.limits.enabled }}
+            limits:
+              {{- if .Values.resources.limits.memory }}
+              memory: "{{ .Values.resources.limits.memory }}"
+              {{- end }}
+              {{- if .Values.resources.limits.cpu }}
+              cpu: "{{ .Values.resources.limits.cpu }}"
+              {{- end }}
+              {{- if .Values.resources.limits.ephemeralStorage }}
+              ephemeral-storage: "{{ .Values.resources.limits.ephemeralStorage }}"
+              {{- end }}
+            {{- end }}
diff --git a/trufflehog/templates/priorityclass.yaml b/trufflehog/templates/priorityclass.yaml
@@ -0,0 +1,11 @@
+{{- if .Values.priorityClass.create }}
+apiVersion: scheduling.k8s.io/v1
+kind: PriorityClass
+metadata:
+  name: "trufflehog-enterprise"
+  labels:
+    app.kubernetes.io/name: {{ include "trufflehog.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+value: {{ .Values.priorityClass.value }}
+description: "Priority class for Trufflehog Enterprise"
+{{- end }}
diff --git a/trufflehog/templates/verticalpodautoscaler.yaml b/trufflehog/templates/verticalpodautoscaler.yaml
@@ -0,0 +1,28 @@
+{{- if .Values.vpa.enabled }}
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+  name: {{ include "trufflehog.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: {{ include "trufflehog.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+spec:
+  targetRef:
+    apiVersion: "apps/v1"
+    kind:       "Deployment"
+    name:       {{ include "trufflehog.fullname" . }}
+  updatePolicy:
+    updateMode: "Auto"
+  resourcePolicy:
+    containerPolicies:
+      - containerName: trufflehog
+        minAllowed:
+          cpu: {{ .Values.vpa.minAllowed.cpu }}
+          memory: {{ .Values.vpa.minAllowed.memory }}
+        {{- if .Values.vpa.maxAllowed.enabled }}
+        maxAllowed:
+          cpu: {{ .Values.vpa.maxAllowed.cpu }}
+          memory: {{ .Values.vpa.maxAllowed.memory }}
+        {{- end }}
+{{- end }}
diff --git a/trufflehog/values.yaml b/trufflehog/values.yaml
@@ -1,9 +1,33 @@
+# Sets the number of pod replicas.
 replicaCount: 1
 
 image:
   repository: us-docker.pkg.dev/thog-artifacts/public/scanner
   tag: latest
 
+# The resources requests and limits for the TruffleHog Enterprise container.
+resources:
+  requests:
+    memory: "16Gi"
+    cpu: "4000m"
+    ephemeralStorage: "10Gi"
+  limits:
+    enabled: true
+    memory: "48Gi"
+    cpu: "12000m"
+
+# A VerticalPodAutoscaler will adjust resource requests based on observed CPU and memory usage.
+vpa:
+  enabled: true
+  minAllowed:
+    cpu: "4000m"
+    memory: "16Gi"
+  maxAllowed:
+    enabled: true
+    memory: "48Gi"
+    cpu: "12000m"
+
+# Configures the Kubernetes secret that provides the application's configuration data.
 config:
   secretName: config
 
@@ -13,3 +37,8 @@ probe:
 
 nameOverride: ""
 fullnameOverride: ""
+
+priorityClass:
+  create: true
+  name: ""                # Existing priority class to use if create is false
+  value: 1000             # Priority value, only used if create is true