23019da8e5
After node2 OOM incident, right-size memory across the cluster by setting requests=limits based on max_over_time(container_memory_working_set_bytes[7d]) with 1.3x headroom. Eliminates ~37Gi overcommit gap. Categories: - Safe equalization (50 containers): set req=lim where max7d well within target - Limit increases (8 containers): raise limits for services spiking above current - No Prometheus data (12 containers): conservatively set lim=req - Exception: nextcloud keeps req=256Mi/lim=8Gi due to Apache memory spikes Also increased dbaas namespace quota from 12Gi to 16Gi to accommodate mysql 4Gi limits across 3 replicas.
45 lines
1.2 KiB
HCL
45 lines
1.2 KiB
HCL
variable "tier" { type = string }
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Namespace
|
|
# -----------------------------------------------------------------------------
|
|
resource "kubernetes_namespace" "sealed_secrets" {
|
|
metadata {
|
|
name = "sealed-secrets"
|
|
labels = {
|
|
tier = var.tier
|
|
}
|
|
}
|
|
}
|
|
|
|
# -----------------------------------------------------------------------------
|
|
# Sealed Secrets — encrypts secrets for safe git storage
|
|
# https://github.com/bitnami-labs/sealed-secrets
|
|
# -----------------------------------------------------------------------------
|
|
resource "helm_release" "sealed_secrets" {
|
|
namespace = kubernetes_namespace.sealed_secrets.metadata[0].name
|
|
create_namespace = false
|
|
name = "sealed-secrets"
|
|
atomic = true
|
|
timeout = 300
|
|
|
|
repository = "https://bitnami-labs.github.io/sealed-secrets"
|
|
chart = "sealed-secrets"
|
|
version = "2.18.3"
|
|
|
|
values = [yamlencode({
|
|
crds = {
|
|
create = true
|
|
}
|
|
|
|
resources = {
|
|
requests = {
|
|
cpu = "50m"
|
|
memory = "192Mi"
|
|
}
|
|
limits = {
|
|
memory = "192Mi"
|
|
}
|
|
}
|
|
})]
|
|
}
|