feat(chart,jobs): Adding resources configuration blocks for AdmissionWebhooks

CHANGELOG.md

@@ -12,6 +12,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### enhancement
 - Propagate global tolerations to webhook jobs @chernetskyi [#668](https://github.com/newrelic/k8s-metadata-injection/pull/668)
+- Added `jobImage.admissionCreate.resources` and `jobImage.admissionPatch.resources` configuration block @tviaud [#657](https://github.com/newrelic/k8s-metadata-injection/pull/657).
 
 ## v1.38.1 - 2025-10-20
 

charts/nri-metadata-injection/README.md

@@ -46,6 +46,8 @@ Options that can be defined globally include `affinity`, `nodeSelector`, `tolera
 | image.pullSecrets | list | `[]` | The secrets that are needed to pull images from a custom registry. |
 | injectOnlyLabeledNamespaces | bool | `false` | Enable the metadata decoration only for pods living in namespaces labeled with 'newrelic-metadata-injection=enabled'. |
 | jobImage | object | See `values.yaml` | Image for creating the needed certificates of this webhook to work |
+| jobImage.admissionCreate.resources | object | `{}` | Resources to set for `admission-create` job  |
+| jobImage.admissionPatch.resources | object | `{}` | Resources to set for `admission-patch` job  |
 | jobImage.pullSecrets | list | `[]` | The secrets that are needed to pull images from a custom registry. |
 | jobImage.volumeMounts | list | `[]` | Volume mounts to add to the job, you might want to mount tmp if Pod Security Policies Enforce a read-only root. |
 | jobImage.volumes | list | `[]` | Volumes to add to the job container |

charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-createSecret.yaml

@@ -34,6 +34,10 @@ spec:
           securityContext:
             {{- . | nindent 12 }}
           {{- end }}
+          {{- if .Values.jobImage.admissionCreate.resources }}
+          resources:
+            {{ toYaml .Values.jobImage.admissionCreate.resources | nindent 12 }}
+          {{- end }}
           args:
             - create
             - --host={{ include "newrelic.common.naming.fullname" . }},{{ include "newrelic.common.naming.fullname" . }}.{{ .Release.Namespace }}.svc

charts/nri-metadata-injection/templates/admission-webhooks/job-patch/job-patchWebhook.yaml

@@ -34,6 +34,10 @@ spec:
           securityContext:
             {{- . | nindent 12 }}
           {{- end }}
+          {{- if .Values.jobImage.admissionPatch.resources }}
+          resources:
+            {{ toYaml .Values.jobImage.admissionPatch.resources | nindent 12 }}
+          {{- end }}
           args:
             - patch
             - --webhook-name={{ include "newrelic.common.naming.fullname" . }}

charts/nri-metadata-injection/tests/job_resources_test.yaml

@@ -0,0 +1,145 @@
+suite: test job resources configuration
+templates:
+  - templates/admission-webhooks/job-patch/job-createSecret.yaml
+  - templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+release:
+  name: my-release
+  namespace: my-namespace
+tests:
+  - it: should not set resources by default for admission-create job
+    template: templates/admission-webhooks/job-patch/job-createSecret.yaml
+    set:
+      cluster: test-cluster
+    asserts:
+      - isNull:
+          path: spec.template.spec.containers[0].resources
+
+  - it: should not set resources by default for admission-patch job
+    template: templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+    set:
+      cluster: test-cluster
+    asserts:
+      - isNull:
+          path: spec.template.spec.containers[0].resources
+
+  - it: should set resources for admission-create job when configured
+    template: templates/admission-webhooks/job-patch/job-createSecret.yaml
+    set:
+      cluster: test-cluster
+      jobImage:
+        admissionCreate:
+          resources:
+            requests:
+              cpu: 100m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].resources
+          value:
+            requests:
+              cpu: 100m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+
+  - it: should set resources for admission-patch job when configured
+    template: templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+    set:
+      cluster: test-cluster
+      jobImage:
+        admissionPatch:
+          resources:
+            requests:
+              cpu: 50m
+              memory: 32Mi
+            limits:
+              cpu: 100m
+              memory: 64Mi
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].resources
+          value:
+            requests:
+              cpu: 50m
+              memory: 32Mi
+            limits:
+              cpu: 100m
+              memory: 64Mi
+
+  - it: should set different resources for admission-create and admission-patch jobs
+    set:
+      cluster: test-cluster
+      jobImage:
+        admissionCreate:
+          resources:
+            requests:
+              cpu: 100m
+              memory: 64Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
+        admissionPatch:
+          resources:
+            requests:
+              cpu: 50m
+              memory: 32Mi
+            limits:
+              cpu: 100m
+              memory: 64Mi
+    asserts:
+      - template: templates/admission-webhooks/job-patch/job-createSecret.yaml
+        equal:
+          path: spec.template.spec.containers[0].resources.requests.cpu
+          value: 100m
+      - template: templates/admission-webhooks/job-patch/job-createSecret.yaml
+        equal:
+          path: spec.template.spec.containers[0].resources.requests.memory
+          value: 64Mi
+      - template: templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+        equal:
+          path: spec.template.spec.containers[0].resources.requests.cpu
+          value: 50m
+      - template: templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+        equal:
+          path: spec.template.spec.containers[0].resources.requests.memory
+          value: 32Mi
+
+  - it: should set only requests when limits are not specified for admission-create
+    template: templates/admission-webhooks/job-patch/job-createSecret.yaml
+    set:
+      cluster: test-cluster
+      jobImage:
+        admissionCreate:
+          resources:
+            requests:
+              cpu: 100m
+              memory: 64Mi
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].resources
+          value:
+            requests:
+              cpu: 100m
+              memory: 64Mi
+
+  - it: should set only limits when requests are not specified for admission-patch
+    template: templates/admission-webhooks/job-patch/job-patchWebhook.yaml
+    set:
+      cluster: test-cluster
+      jobImage:
+        admissionPatch:
+          resources:
+            limits:
+              cpu: 100m
+              memory: 64Mi
+    asserts:
+      - equal:
+          path: spec.template.spec.containers[0].resources
+          value:
+            limits:
+              cpu: 100m
+              memory: 64Mi

charts/nri-metadata-injection/values.yaml

@@ -38,6 +38,13 @@ jobImage:
   volumes: []
   #  - name: tmp
   #    emptyDir: {}
+  # -- Resources for the job container admission-create
+  admissionCreate:
+    resources: {}
+  # -- Resources for the job container admission-patch
+  admissionPatch:
+    resources: {}
+
 
 rbac:
   # rbac.pspEnabled -- Whether the chart should create Pod Security Policy objects.