Commit

refactor(helm): rework values for k8s client rate-limiter
npdgm committed Apr 22, 2024
1 parent e002b89 commit a106ca6
Showing 3 changed files with 16 additions and 7 deletions.
5 changes: 4 additions & 1 deletion deploy/charts/x509-certificate-exporter/README.md
Expand Up @@ -379,7 +379,7 @@ hostPathsExporter:
| secretsExporter.priorityClassName | string | `""` | PriorityClassName for Pods of the TLS Secrets exporter |
| secretsExporter.podExtraLabels | object | `{}` | Additional labels added to Pods of the TLS Secrets exporter |
| secretsExporter.podAnnotations | object | `{}` | Annotations added to Pods of the TLS Secrets exporter |
| secretsExporter.podSecurityContext | object | `{}` | PodSecurityContext for Pods of the TLS Secrets exporter |
| secretsExporter.podSecurityContext | object | check `values.yaml` | PodSecurityContext for Pods of the TLS Secrets exporter |
| secretsExporter.securityContext | object | check `values.yaml` | SecurityContext for containers of the TLS Secrets exporter |
| secretsExporter.extraVolumes | list | `[]` | Additionnal volumes added to Pods of the TLS Secrets exporter (combined with global `extraVolumes`) |
| secretsExporter.extraVolumeMounts | list | `[]` | Additionnal volume mounts added to Pod containers of the TLS Secrets exporter (combined with global `extraVolumeMounts`) |
Expand All @@ -390,6 +390,9 @@ hostPathsExporter:
| secretsExporter.excludeLabels | list | `[]` | Exclude TLS Secrets having these labels. Items can be keys such as `my-label` or also require a value with syntax `my-label=my-value`. |
| secretsExporter.cache.enabled | bool | `true` | Enable caching of Kubernetes objects to prevent scraping timeouts |
| secretsExporter.cache.maxDuration | int | `300` | Maximum time an object can stay in cache unrefreshed (seconds) - it will be at least half of that |
| secretsExporter.kubeApiRateLimits.enabled | bool | `false` | Should requests to the Kubernetes API server be rate-limited |
| secretsExporter.kubeApiRateLimits.queriesPerSecond | int | `5` | Maximum rate of queries sent to the API server (per second) |
| secretsExporter.kubeApiRateLimits.burstQueries | int | `10` | Burst bucket size for queries sent to the API server |
| secretsExporter.env | list | `[]` | Additional environment variables for container |
| hostPathsExporter.debugMode | bool | `false` | Should debug messages be produced by hostPath exporters (default for all hostPathsExporter.daemonSets) |
| hostPathsExporter.restartPolicy | string | `"Always"` | restartPolicy for Pods of hostPath exporters (default for all hostPathsExporter.daemonSets) |
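Review bot: The `secretsExporter.kubeApiRateLimits.enabled` row does not say what limit applies when it is left at `false`. The two rows below it list defaults of `5` and `10`, which reads as if those limits are in force out of the box, yet the template only passes them once `enabled` is `true`. Suggest stating in the `enabled` description that no rate-limit flags are passed when it is `false` (so the exporter's built-in client behaviour applies), and noting on the `queriesPerSecond` and `burstQueries` rows that they are ignored unless `enabled` is `true`.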
Expand Up @@ -126,8 +126,10 @@ spec:
- --max-cache-duration=0
{{- end }}
{{- with .Values.secretsExporter.kubeApiRateLimits }}
- --kube-api-rate-limit-qps={{ .qps }}
- --kube-api-rate-limit-burst={{ .burst }}
{{- if .enabled }}
- --kube-api-rate-limit-qps={{ int .queriesPerSecond }}
- --kube-api-rate-limit-burst={{ int .burstQueries }}
{{- end }}
{{- end }}
{{- if .Values.exposePerCertificateErrorMetrics }}
- --expose-per-cert-error-metrics
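Review bot: Values set under the old keys are now dropped without any error at the `{{- if .enabled }}` guard: a release that still carries `kubeApiRateLimits.qps` or `.burst` keeps `enabled` at its default of `false`, so neither flag is rendered after the upgrade and the previously configured limits silently disappear. Suggest failing the render, or at least documenting the rename in the upgrade notes, when `.qps` or `.burst` is still present. Separately, `int` turns a null or fractional value below 1 into 0, so `--kube-api-rate-limit-qps=0` can be emitted; a check that both values are at least 1 when `enabled` is `true` would catch that before it reaches the container arguments.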
12 changes: 8 additions & 4 deletions deploy/charts/x509-certificate-exporter/values.yaml
Expand Up @@ -91,6 +91,7 @@ secretsExporter:
# -- Annotations added to Pods of the TLS Secrets exporter
podAnnotations: {}
# -- PodSecurityContext for Pods of the TLS Secrets exporter
# @default -- check `values.yaml`
podSecurityContext:
runAsNonRoot: true
# -- SecurityContext for containers of the TLS Secrets exporter
Expand Down Expand Up @@ -128,10 +129,13 @@ secretsExporter:
# -- Maximum time an object can stay in cache unrefreshed (seconds) - it will be at least half of that
maxDuration: 300

kubeApiRateLimits: {}
# -- Try higher values if querying secrets takes a long time because of throttling
# qps: 5
# burst: 10
kubeApiRateLimits:
# -- Should requests to the Kubernetes API server be rate-limited
enabled: false
# -- Maximum rate of queries sent to the API server (per second)
queriesPerSecond: 5
# -- Burst bucket size for queries sent to the API server
burstQueries: 10

# -- Additional environment variables for container
env: []
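Review bot: The removed comment "Try higher values if querying secrets takes a long time because of throttling" was the only hint about when to change these settings, and none of the three new descriptions under `kubeApiRateLimits:` carries it. Suggest folding that sentence into the `queriesPerSecond` description so it also reaches the README table, whose rows repeat these descriptions. It would also help to say next to `enabled: false` that `queriesPerSecond` and `burstQueries` have no effect until it is switched to `true`.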
