From a106ca61d88efc152c04e6edfc8d8f2131dea373 Mon Sep 17 00:00:00 2001
From: Thibault VINCENT
Date: Mon, 22 Apr 2024 15:22:41 +0200
Subject: [PATCH] refactor(helm): rework values for k8s client rate-limiter

---
 deploy/charts/x509-certificate-exporter/README.md | 5 ++++-
 .../templates/deployment.yaml | 6 ++++--
 deploy/charts/x509-certificate-exporter/values.yaml | 12 ++++++++----
 3 files changed, 16 insertions(+), 7 deletions(-)

diff --git a/deploy/charts/x509-certificate-exporter/README.md b/deploy/charts/x509-certificate-exporter/README.md
index 8cc9802..61d2420 100644
--- a/deploy/charts/x509-certificate-exporter/README.md
+++ b/deploy/charts/x509-certificate-exporter/README.md
@@ -379,7 +379,7 @@ hostPathsExporter:
 | secretsExporter.priorityClassName | string | `""` | PriorityClassName for Pods of the TLS Secrets exporter |
 | secretsExporter.podExtraLabels | object | `{}` | Additional labels added to Pods of the TLS Secrets exporter |
 | secretsExporter.podAnnotations | object | `{}` | Annotations added to Pods of the TLS Secrets exporter |
-| secretsExporter.podSecurityContext | object | `{}` | PodSecurityContext for Pods of the TLS Secrets exporter |
+| secretsExporter.podSecurityContext | object | check `values.yaml` | PodSecurityContext for Pods of the TLS Secrets exporter |
 | secretsExporter.securityContext | object | check `values.yaml` | SecurityContext for containers of the TLS Secrets exporter |
 | secretsExporter.extraVolumes | list | `[]` | Additionnal volumes added to Pods of the TLS Secrets exporter (combined with global `extraVolumes`) |
 | secretsExporter.extraVolumeMounts | list | `[]` | Additionnal volume mounts added to Pod containers of the TLS Secrets exporter (combined with global `extraVolumeMounts`) |
@@ -390,6 +390,9 @@ hostPathsExporter:
 | secretsExporter.excludeLabels | list | `[]` | Exclude TLS Secrets having these labels. Items can be keys such as `my-label` or also require a value with syntax `my-label=my-value`. |
 | secretsExporter.cache.enabled | bool | `true` | Enable caching of Kubernetes objects to prevent scraping timeouts |
 | secretsExporter.cache.maxDuration | int | `300` | Maximum time an object can stay in cache unrefreshed (seconds) - it will be at least half of that |
+| secretsExporter.kubeApiRateLimits.enabled | bool | `false` | Should requests to the Kubernetes API server be rate-limited |
+| secretsExporter.kubeApiRateLimits.queriesPerSecond | int | `5` | Maximum rate of queries sent to the API server (per second) |
+| secretsExporter.kubeApiRateLimits.burstQueries | int | `10` | Burst bucket size for queries sent to the API server |
 | secretsExporter.env | list | `[]` | Additional environment variables for container |
 | hostPathsExporter.debugMode | bool | `false` | Should debug messages be produced by hostPath exporters (default for all hostPathsExporter.daemonSets) |
 | hostPathsExporter.restartPolicy | string | `"Always"` | restartPolicy for Pods of hostPath exporters (default for all hostPathsExporter.daemonSets) |
diff --git a/deploy/charts/x509-certificate-exporter/templates/deployment.yaml b/deploy/charts/x509-certificate-exporter/templates/deployment.yaml
index d8a4b01..47c09f7 100644
--- a/deploy/charts/x509-certificate-exporter/templates/deployment.yaml
+++ b/deploy/charts/x509-certificate-exporter/templates/deployment.yaml
@@ -126,8 +126,10 @@ spec:
 - --max-cache-duration=0
 {{- end }}
 {{- with .Values.secretsExporter.kubeApiRateLimits }}
- - --kube-api-rate-limit-qps={{ .qps }}
- - --kube-api-rate-limit-burst={{ .burst }}
+ {{- if .enabled }}
+ - --kube-api-rate-limit-qps={{ int .queriesPerSecond }}
+ - --kube-api-rate-limit-burst={{ int .burstQueries }}
+ {{- end }}
 {{- end }}
 {{- if .Values.exposePerCertificateErrorMetrics }}
 - --expose-per-cert-error-metrics
diff --git a/deploy/charts/x509-certificate-exporter/values.yaml b/deploy/charts/x509-certificate-exporter/values.yaml
index 698974b..b337703 100644
--- a/deploy/charts/x509-certificate-exporter/values.yaml
+++ b/deploy/charts/x509-certificate-exporter/values.yaml
@@ -91,6 +91,7 @@ secretsExporter:
 # -- Annotations added to Pods of the TLS Secrets exporter
 podAnnotations: {}
 # -- PodSecurityContext for Pods of the TLS Secrets exporter
+ # @default -- check `values.yaml`
 podSecurityContext:
 runAsNonRoot: true
 # -- SecurityContext for containers of the TLS Secrets exporter
@@ -128,10 +129,13 @@ secretsExporter:
 # -- Maximum time an object can stay in cache unrefreshed (seconds) - it will be at least half of that
 maxDuration: 300
 
- kubeApiRateLimits: {}
- # -- Try higher values if querying secrets takes a long time because of throttling
- # qps: 5
- # burst: 10
+ kubeApiRateLimits:
+ # -- Should requests to the Kubernetes API server be rate-limited
+ enabled: false
+ # -- Maximum rate of queries sent to the API server (per second)
+ queriesPerSecond: 5
+ # -- Burst bucket size for queries sent to the API server
+ burstQueries: 10
 
 # -- Additional environment variables for container
 env: []
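Review bot: An override file written against the previous schema (`kubeApiRateLimits: {qps: 5, burst: 10}`) now renders no flags at all, because `{{- if .enabled }}` is false by default and `.qps`/`.burst` are no longer read, so a deployment that had client-side throttling configured silently loses it on upgrade. A guard inside the `with` block would surface the stale keys at template time instead: `{{- if or (hasKey . "qps") (hasKey . "burst") }}{{ fail "secretsExporter.kubeApiRateLimits: qps/burst were replaced by enabled/queriesPerSecond/burstQueries" }}{{- end }}`. The `int` coercion on the two new values also truncates a fractional input such as `0.5` to `0`, and whether the exporter reads 0 as "unlimited" or as "no budget" is not visible in this hunk, so it is worth either rejecting zero here or documenting the whole-number requirement. The `args` list this hunk edits starts before and continues after the hunk.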
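Review bot: The removed line `# -- Try higher values if querying secrets takes a long time because of throttling` was the only guidance on when and how to tune these numbers, and the new `# --` comments in the `kubeApiRateLimits` block describe each field without that trade-off, so an operator flipping `enabled` gets no hint which direction to move. I would keep the sentence on `enabled`, e.g. `# -- Should requests to the Kubernetes API server be rate-limited; enable and raise the values below if listing secrets is slow because of client-side throttling`. Since deployment.yaml wraps both values in `int`, the comments on `queriesPerSecond` and `burstQueries` should also state that they must be whole numbers, as a fraction is truncated (`0.5` renders as `0`).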