resource limits

2024-04-25 14:18:52 +02:00
parent 9d22ca2db3
commit e17507f643
8 changed files with 129 additions and 59 deletions
--- a/apps/adguard/base/adguard-deployment.yaml
+++ b/apps/adguard/base/adguard-deployment.yaml
@ -36,7 +36,10 @@ spec:
          mountPath: /opt/adguardhome/work
        - name: adguard-pvc
          mountPath: /opt/adguardhome/conf
-        resources: {}
+        resources:
+          limits:
+            cpu: "0.5"
+            memory: "512Mi"
      volumes:
        - name: adguard-pvc
          nfs:
--- a/apps/gitea/base/gitea-deployment.yaml
+++ b/apps/gitea/base/gitea-deployment.yaml
@ -26,7 +26,10 @@ spec:
            - name: ssh
              containerPort: 22
              protocol: TCP
-          resources: {}
+          resources:
+            limits:
+              cpu: "0.3"
+              memory: "2Gi"
          volumeMounts:
            - mountPath: /data
              name: gitea-pvc
--- a/apps/nextcloud/base/nextcloud.yaml
+++ b/apps/nextcloud/base/nextcloud.yaml
@ -41,7 +41,10 @@ spec:
                secretKeyRef:
                  name: nextcloud-secret
                  key: MYSQL_PASSWORD
-          resources: {}
+          resources:
+            limits:
+              cpu: "0.2"
+              memory: "2Gi"
          ports:
            - containerPort: 3306
              protocol: TCP
@ -51,7 +54,10 @@ spec:
              subPath: db-storage
        - image: redis:alpine
          name: redis
-          resources: {}
+          resources:
+            limits:
+              cpu: "0.1"
+              memory: "2Gi"
          ports:
            - containerPort: 6379
              protocol: TCP
@ -79,7 +85,10 @@ spec:
            - name: http
              containerPort: 80
              protocol: TCP
-          resources: {}
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "6Gi"
          volumeMounts:
            - mountPath: /var/www/html
              name: nextcloud-pvc
--- a/apps/paperless/base/paperless.yaml
+++ b/apps/paperless/base/paperless.yaml
@ -19,7 +19,10 @@ spec:
      containers:
        - image: docker.io/library/postgres:13
          name: paperless-db
-          resources: {}
+          resources:
+            limits:
+              cpu: "0.2"
+              memory: "1Gi"
          volumeMounts:
            - mountPath: /var/lib/postgresql/data
              name: paperless-pvc
@ -46,7 +49,10 @@ spec:
            - name: http 
              containerPort: 8000
              protocol: TCP
-          resources: {}
+          resources:
+            limits:
+              cpu: "0.5"
+              memory: "4Gi"
          volumeMounts:
            - mountPath: /usr/src/paperless/data
              name: paperless-pvc
@ -94,7 +100,10 @@ spec:
          ports:
            - containerPort: 6379
              protocol: TCP
-          resources: {}
+          resources:
+            limits:
+              cpu: "0.1"
+              memory: "1Gi"
      restartPolicy: Always
      volumes:
        - name: paperless-pvc
--- a/apps/vaultwarden/base/vaultwarden-deployment.yaml
+++ b/apps/vaultwarden/base/vaultwarden-deployment.yaml
@ -81,7 +81,10 @@ spec:
          ports:
            - containerPort: 80
              protocol: TCP
-          resources: {}
+          resources:
+            limits:
+              cpu: "0.1"
+              memory: "1Gi"
          volumeMounts:
            - mountPath: /data
              name: vaultwarden-pvc
--- a/infrastructure/03-traefik/base/deployment.yaml
+++ b/infrastructure/03-traefik/base/deployment.yaml
@ -21,63 +21,66 @@ spec:
        app: traefik
    spec: 
      containers:
-      - resources: {}
+      - resources:
+          limits:
+            cpu: "0.1"
+            memory: "512Mi"
        name: traefik         
        args:
-        - --global.sendanonymoususage=false
-        - --global.checknewversion=false
-        - --entrypoints.metrics.address=:9100/tcp
-        - --entrypoints.traefik.address=:9000/tcp
-        - --entrypoints.dns.address=:53/udp
+          - --global.sendanonymoususage=false
+          - --global.checknewversion=false
+          - --entrypoints.metrics.address=:9100/tcp
+          - --entrypoints.traefik.address=:9000/tcp
+          - --entrypoints.dns.address=:53/udp

-        - --entrypoints.web-local.address=:80/tcp
-        - --entrypoints.web-local.transport.respondingTimeouts.readTimeout=300
-        - --entrypoints.web-local.transport.respondingTimeouts.idleTimeout=0
+          - --entrypoints.web-local.address=:80/tcp
+          - --entrypoints.web-local.transport.respondingTimeouts.readTimeout=300
+          - --entrypoints.web-local.transport.respondingTimeouts.idleTimeout=0

-        - --entrypoints.websecure-local.address=:443/tcp
-        - --entrypoints.websecure-local.http.middlewares=traefik-default-headers
-        - --entrypoints.websecure-local.http.tls=true
-        - --entrypoints.websecure-local.transport.respondingTimeouts.readTimeout=300
-        - --entrypoints.websecure-local.transport.respondingTimeouts.idleTimeout=0
+          - --entrypoints.websecure-local.address=:443/tcp
+          - --entrypoints.websecure-local.http.middlewares=traefik-default-headers
+          - --entrypoints.websecure-local.http.tls=true
+          - --entrypoints.websecure-local.transport.respondingTimeouts.readTimeout=300
+          - --entrypoints.websecure-local.transport.respondingTimeouts.idleTimeout=0

-        - --entrypoints.websecure-front.address=:8443/tcp
-        - --entrypoints.websecure-front.http.middlewares=traefik-default-headers
-        - --entrypoints.websecure-front.http.tls=true
-        - --entrypoints.websecure-front.transport.respondingTimeouts.readTimeout=300
-        - --entrypoints.websecure-front.transport.respondingTimeouts.idleTimeout=0
+          - --entrypoints.websecure-front.address=:8443/tcp
+          - --entrypoints.websecure-front.http.middlewares=traefik-default-headers
+          - --entrypoints.websecure-front.http.tls=true
+          - --entrypoints.websecure-front.transport.respondingTimeouts.readTimeout=300
+          - --entrypoints.websecure-front.transport.respondingTimeouts.idleTimeout=0

-        - --certificatesResolvers.default.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
-        - --certificatesResolvers.default.acme.email=steffen.illium@gmail.com
-        - --certificatesResolvers.default.acme.dnsChallenge.provider=ionos
-        - --certificatesResolvers.default.acme.storage=/certs/acme.json
+          - --certificatesResolvers.default.acme.caServer=https://acme-v02.api.letsencrypt.org/directory
+          - --certificatesResolvers.default.acme.email=steffen.illium@gmail.com
+          - --certificatesResolvers.default.acme.dnsChallenge.provider=ionos
+          - --certificatesResolvers.default.acme.storage=/certs/acme.json

-        - --api.dashboard=true
-        - --ping=true
-        - --metrics.prometheus=true
-        - --metrics.prometheus.entrypoint=metrics
-        - --providers.kubernetescrd
-        # - --providers.kubernetescrd.labelSelector=local=true
-        - --providers.kubernetescrd.allowExternalNameServices=true
-        
-        - --accesslog=false
-        - --accesslog.fields.defaultmode=keep
-        - --accesslog.fields.headers.defaultmode=drop
-        - --serversTransport.insecureSkipVerify=true
-        - --log.level=INFO
+          - --api.dashboard=true
+          - --ping=true
+          - --metrics.prometheus=true
+          - --metrics.prometheus.entrypoint=metrics
+          - --providers.kubernetescrd
+          # - --providers.kubernetescrd.labelSelector=local=true
+          - --providers.kubernetescrd.allowExternalNameServices=true
+          
+          - --accesslog=false
+          - --accesslog.fields.defaultmode=keep
+          - --accesslog.fields.headers.defaultmode=drop
+          - --serversTransport.insecureSkipVerify=true
+          - --log.level=INFO
        env:
-        - name: POD_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.name
-        - name: POD_NAMESPACE
-          valueFrom:
-            fieldRef:
-              fieldPath: metadata.namespace
-        - name: IONOS_API_KEY
-          valueFrom:
-            secretKeyRef:
-              name: ionos-secret
-              key: IONOS_API_KEY
+          - name: POD_NAME
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.name
+          - name: POD_NAMESPACE
+            valueFrom:
+              fieldRef:
+                fieldPath: metadata.namespace
+          - name: IONOS_API_KEY
+            valueFrom:
+              secretKeyRef:
+                name: ionos-secret
+                key: IONOS_API_KEY
        image: docker.io/traefik:latest
        imagePullPolicy: IfNotPresent
        livenessProbe:
--- a/infrastructure/03-traefik/base/mid-no-auth.yaml
+++ b/infrastructure/03-traefik/base/mid-no-auth.yaml
@ -0,0 +1,37 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: no-auth
+  namespace: traefik
+
+spec:
+  mid_error:
+    errors:
+      status:
+        - "400-599"
+      service: "srv_web@docker"
+      query: "https://steffenillium.de"
+
+  mid_compress:
+    compress: {}
+
+  mid_rate_limit:
+    rateLimit:
+      average: 50
+      burst: 200
+
+  mid_auth:
+    forwardAuth:
+      address: "http://oauth:4181"
+      trustForwardHeader: true
+      authResponseHeaders:
+        - "X-Forwarded-User"
+
+  noauth:
+    chain:
+      middlewares:
+        - mid_rate_limit
+        - mid_compress
+        - crowdsec
+        # - mid_error
+
--- a/projects/website/base/website-deployment.yaml
+++ b/projects/website/base/website-deployment.yaml
@ -21,7 +21,10 @@ spec:
            - name: http
              containerPort: 80
              protocol: TCP
-          resources: {}
+          resources:
+            limits:
+              cpu: "0.1"
+              memory: "1Gi"
      imagePullSecrets:
        - name: ghcr-io-secret
      restartPolicy: Always