hashicorp · kschoche · Jul 7, 2020 · Jul 8, 2020 · Jul 8, 2020
diff --git a/templates/connect-inject-deployment.yaml b/templates/connect-inject-deployment.yaml
@@ -138,6 +138,34 @@ spec:
                 {{- if not (kindIs "invalid" $resources.requests.cpu) }}
                 -default-sidecar-proxy-cpu-request={{ $resources.requests.cpu }} \
                 {{- end }}
+                {{- $resources := .Values.global.initCopyContainerResources.resources }}
+                {{- /* kindIs is used here to differentiate between null and 0 */}}
+                {{- if not (kindIs "invalid" $resources.limits.memory) }}
+                -init-copy-container-memory-limit={{ $resources.limits.memory }} \
+                {{- end }}
+                {{- if not (kindIs "invalid" $resources.requests.memory) }}
+                -init-copy-container-memory-request={{ $resources.requests.memory }} \
+                {{- end }}
+                {{- if not (kindIs "invalid" $resources.limits.cpu) }}
+                -init-copy-container-cpu-limit={{ $resources.limits.cpu }} \
+                {{- end }}
+                {{- if not (kindIs "invalid" $resources.requests.cpu) }}
+                -init-copy-container-cpu-request={{ $resources.requests.cpu }} \
+                {{- end }}
+                {{- $resources := .Values.global.lifecycleSidecarContainerResources.resources }}
+                {{- /* kindIs is used here to differentiate between null and 0 */}}
+                {{- if not (kindIs "invalid" $resources.limits.memory) }}
+                -lifecycle-sidecar-memory-limit={{ $resources.limits.memory }} \
+                {{- end }}
+                {{- if not (kindIs "invalid" $resources.requests.memory) }}
+                -lifecycle-sidecar-memory-request={{ $resources.requests.memory }} \
+                {{- end }}
+                {{- if not (kindIs "invalid" $resources.limits.cpu) }}
+                -lifecycle-sidecar-cpu-limit={{ $resources.limits.cpu }} \
+                {{- end }}
+                {{- if not (kindIs "invalid" $resources.requests.cpu) }}
+                -lifecycle-sidecar-cpu-request={{ $resources.requests.cpu }} \
+                {{- end }}
           livenessProbe:
             httpGet:
               path: /health/ready

diff --git a/templates/ingress-gateways-deployment.yaml b/templates/ingress-gateways-deployment.yaml
@@ -110,6 +110,9 @@ spec:
           volumeMounts:
           - name: consul-bin
             mountPath: /consul-bin
+          {{- if ( default $root.Values.global.initCopyContainerResources .resources) }}
+          resources: {{ toYaml (default $root.Values.global.initCopyContainerResources.resources .resources) | nindent 12 }}
+          {{- end }}
         {{- if (and $root.Values.global.tls.enabled $root.Values.global.tls.enableAutoEncrypt) }}
         {{- include "consul.getAutoEncryptClientCA" $root | nindent 8 }}
         {{- end }}
@@ -260,8 +263,7 @@ spec:
         - name: ingress-gateway
           image: {{ $root.Values.global.imageEnvoy | quote }}
           {{- if (default $defaults.resources .resources) }}
-          resources:
-            {{ toYaml (default $defaults.resources .resources) | nindent 12 }}
+          resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }}
           {{- end }}
           volumeMounts:
           - name: consul-bin

diff --git a/templates/mesh-gateway-deployment.yaml b/templates/mesh-gateway-deployment.yaml
@@ -90,13 +90,10 @@ spec:
           volumeMounts:
           - name: consul-bin
             mountPath: /consul-bin
+          {{- if ( default .Values.global.initCopyContainerResources .resources) }}
           resources:
-            requests:
-              memory: "25Mi"
-              cpu: "50m"
-            limits:
-              memory: "25Mi"
-              cpu: "50m"
+            {{ toYaml (default .Values.global.initCopyContainerResources .resources) | nindent 12 }}
+          {{- end }}
         {{- if (and .Values.global.tls.enabled .Values.global.tls.enableAutoEncrypt) }}
         {{- include "consul.getAutoEncryptClientCA" . | nindent 8 }}
         {{- end }}
@@ -356,13 +353,10 @@ spec:
             {{- if .Values.global.acls.manageSystemACLs }}
             - -token-file=/consul/service/acl-token
             {{- end }}
+          {{- if ( default .Values.global.lifecycleSidecarContainerResources .resources) }}
           resources:
-            requests:
-              memory: "25Mi"
-              cpu: "10m"
-            limits:
-              memory: "25Mi"
-              cpu: "10m"
+            {{ toYaml (default .Values.global.lifecycleSidecarContainerResources .resources) | nindent 12 }}
+          {{- end }}
       {{- if .Values.meshGateway.priorityClassName }}
       priorityClassName: {{ .Values.meshGateway.priorityClassName | quote }}
       {{- end }}

diff --git a/templates/terminating-gateways-deployment.yaml b/templates/terminating-gateways-deployment.yaml
@@ -124,6 +124,10 @@ spec:
           volumeMounts:
           - name: consul-bin
             mountPath: /consul-bin
+          {{- if ( default $root.Values.global.initCopyContainerResources .resources) }}
+          resources:
+            {{ toYaml (default $root.Values.global.initCopyContainerResources .resources) | nindent 12 }}
+          {{- end }}
         {{- if (and $root.Values.global.tls.enabled $root.Values.global.tls.enableAutoEncrypt) }}
         {{- include "consul.getAutoEncryptClientCA" $root | nindent 8 }}
         {{- end }}

diff --git a/values.yaml b/values.yaml
@@ -219,6 +219,28 @@ global:
     # Requires consul-k8s 0.15.0+.
     createFederationSecret: false
 
+  # Resource settings for lifecycle-sidecar containers
+  lifecycleSidecarContainerResources:
+    resources:
+      requests:
+        memory: "25Mi"
+        cpu: "20m"
+      limits:
+        memory: "25Mi"
+        cpu: "20m"
+
+  # Resource settings for copy-consul-bin init containers.
+  # these settings are bounded by the size of the consul binary
+  # as we issue a cp of it during the init container.
+  initCopyContainerResources:
+    resources:
+      requests:
+        memory: "25Mi"
+        cpu: "50m"
+      limits:
+        memory: "125Mi"
+        cpu: "50m"
+
 # Server, when enabled, configures a server cluster to run. This should
 # be disabled if you plan on connecting to a Consul cluster external to
 # the Kube cluster.