From 6ba3d56ccb551eb201c3c3fbc86f4fd98a449644 Mon Sep 17 00:00:00 2001 From: xenolinux Date: Fri, 15 Sep 2023 18:47:14 +0530 Subject: [PATCH] OCPBUGS#19055: cert-manager: Configure CPU and Memory --- .../cert-manager-configure-cpu-memory.adoc | 196 ++++++++++++++++++ .../cert-manager-customizing-api-fields.adoc | 2 + 2 files changed, 198 insertions(+) create mode 100644 modules/cert-manager-configure-cpu-memory.adoc diff --git a/modules/cert-manager-configure-cpu-memory.adoc b/modules/cert-manager-configure-cpu-memory.adoc new file mode 100644 index 0000000000..fc6edbef38 --- /dev/null +++ b/modules/cert-manager-configure-cpu-memory.adoc @@ -0,0 +1,196 @@ +// Module included in the following assemblies: +// +// * security/cert_manager_operator/cert-manager-customizing-api-fields.adoc + +:_content-type: PROCEDURE +[id="cert-manager-configure-cpu-memory_{context}"] += Overriding CPU and memory limits for the cert-manager components + +After installing the {cert-manager-operator}, you can configure the CPU and memory limits from the {cert-manager-operator} API for the cert-manager components such as cert-manager controller, CA injector, and Webhook. + +.Prerequisites + +* You have access to the {product-title} cluster as a user with the `cluster-admin` role. +* You have installed the {cert-manager-operator} 1.12.0 or later. + +.Procedure + +. Check that the deployments of the cert-manager controller, CA injector, and Webhook are available by entering the following command: ++ +[source,terminal] +---- +$ oc get deployment -n cert-manager +---- ++ +.Example output +[source,terminal] +---- +NAME READY UP-TO-DATE AVAILABLE AGE +cert-manager 1/1 1 1 53m +cert-manager-cainjector 1/1 1 1 53m +cert-manager-webhook 1/1 1 1 53m +---- + +. Before setting the CPU and memory limit, check the existing configuration for the cert-manager controller, CA injector, and Webhook by entering the following command: ++ +[source,terminal] +---- +$ oc get deployment -n cert-manager -o yaml +---- ++ +.Example output +[source,terminal] +---- +# ... + metadata: + name: cert-manager + namespace: cert-manager +# ... + spec: + template: + spec: + containers: + - name: cert-manager-controller + resources: {} <1> +# ... + metadata: + name: cert-manager-cainjector + namespace: cert-manager +# ... + spec: + template: + spec: + containers: + - name: cert-manager-cainjector + resources: {} <1> +# ... + metadata: + name: cert-manager-webhook + namespace: cert-manager +# ... + spec: + template: + spec: + containers: + - name: cert-manager-webhook + resources: {} <1> +# ... +---- +<1> The `spec.resources` field is empty by default. The cert-manager components do not have CPU and memory limits. + +. To configure the CPU and memory limits for the cert-manager controller, CA injector, and Webhook, enter the following command: ++ +[source,terminal] +---- +$ oc patch certmanager.operator cluster --type=merge -p=" +spec: + controllerConfig: + overrideResources: + limits: <1> + cpu: 200m <2> + memory: 64Mi <3> + requests: <4> + cpu: 200m <2> + memory: 64Mi <3> + webhookConfig: + overrideResources: + limits: <5> + cpu: 200m <6> + memory: 64Mi <7> + requests: <8> + cpu: 200m <6> + memory: 64Mi <7> + cainjectorConfig: + overrideResources: + limits: <9> + cpu: 200m <10> + memory: 64Mi <11> + requests: <12> + cpu: 200m <10> + memory: 64Mi <11> +" +---- +<1> Defines the maximum amount of CPU and memory that a single container in a cert-manager controller pod can request. +<2> You can specify the CPU limit that a cert-manager controller pod can request. The default value is `10m`. +<3> You can specify the memory limit that a cert-manager controller pod can request. The default value is `32Mi`. +<4> Defines the amount of CPU and memory set by scheduler for the cert-manager controller pod. +<5> Defines the maximum amount of CPU and memory that a single container in a CA injector pod can request. +<6> You can specify the CPU limit that a CA injector pod can request. The default value is `10m`. +<7> You can specify the memory limit that a CA injector pod can request. The default value is `32Mi`. +<8> Defines the amount of CPU and memory set by scheduler for the CA injector pod. +<9> Defines the maximum amount of CPU and memory Defines the maximum amount of CPU and memory that a single container in a Webhook pod can request. +<10> You can specify the CPU limit that a Webhook pod can request. The default value is `10m`. +<11> You can specify the memory limit that a Webhook pod can request. The default value is `32Mi`. +<12> Defines the amount of CPU and memory set by scheduler for the Webhook pod. ++ +.Example output +[source,termnal] +---- +certmanager.operator.openshift.io/cluster patched +---- + +.Verification + +. Verify that the CPU and memory limits are updated for the cert-manager components: ++ +[source,terminal] +---- +$ oc get deployment -n cert-manager -o yaml +---- ++ +.Example output +[source,terminal] +---- +# ... + metadata: + name: cert-manager + namespace: cert-manager +# ... + spec: + template: + spec: + containers: + - name: cert-manager-controller + resources: + limits: + cpu: 200m + memory: 64Mi + requests: + cpu: 10m + memory: 16Mi +# ... + metadata: + name: cert-manager-cainjector + namespace: cert-manager +# ... + spec: + template: + spec: + containers: + - name: cert-manager-cainjector + resources: + limits: + cpu: 200m + memory: 64Mi + requests: + cpu: 10m + memory: 16Mi +# ... + metadata: + name: cert-manager-webhook + namespace: cert-manager +# ... + spec: + template: + spec: + containers: + - name: cert-manager-webhook + resources: + limits: + cpu: 200m + memory: 64Mi + requests: + cpu: 10m + memory: 16Mi +# ... +---- diff --git a/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc b/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc index b5072e8ed4..2a237621ba 100644 --- a/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc +++ b/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc @@ -18,3 +18,5 @@ include::modules/cert-manager-override-environment-variables.adoc[leveloffset=+1 include::modules/cert-manager-override-arguments.adoc[leveloffset=+1] include::modules/cert-manager-override-flag-controller.adoc[leveloffset=+1] + +include::modules/cert-manager-configure-cpu-memory.adoc[leveloffset=+1]