Add option to configure resource request/limits for vault-agent sidecar #472

Closed
elcomtik opened this issue Mar 19, 2021 · 9 comments
Labels
enhancement New feature or request


@elcomtik

Is your feature request related to a problem? Please describe.
When I use multiple deployments with vault-injector, vault-agent sidecar requests an additional 250m/64Mi per pod. Actually, it consumes only 2m/13Mi. This may seem insignificant, however, summed together it may be a lot of wasted resources.

Describe the solution you'd like
I would like to have the option to configure resource request/limits for vault-agent sidecar the same way as it is configurable for vault-injector itself. Currently, I didn't find any option to set these values.

Additional context
Part of my test pod yaml definition, which includes added vault-agent sidecar.

```
Containers:
  orgchart:
    Container ID:   docker://54244c36f9cfb108edfdda5d46377b2e196e32c40c105afaf0c35ba99d55a906
    Image:          jweissig/app:0.0.1
    Image ID:       docker-pullable://jweissig/app@sha256:54e7159831602dd8ffd8b81e1d4534c664a73e88f3f340df9c637fc16a5cf0b7
    Port:           <none>
    Host Port:      <none>
    State:          Running
      Started:      Sun, 14 Mar 2021 14:07:53 +0100
    Ready:          True
    Restart Count:  0
    Environment:    <none>
    Mounts:
      /var/run/secrets/kubernetes.io/serviceaccount from authelia-token-rlv9f (ro)
      /vault/secrets from vault-secrets (rw)
  vault-agent:
    Container ID:  docker://94e6ff5961720f9032e3d68c36ee610e08d9ddb73f4494876092891b703f8d1e
    Image:         vault:1.6.2
    Image ID:      docker-pullable://vault@sha256:959b931bdd10055462fe2dd69575cfab1a38bea2962c56fe81ade417558c46dc
    Port:          <none>
    Host Port:     <none>
    Command:
      /bin/sh
      -ec
    Args:
      echo ${VAULT_CONFIG?} | base64 -d > /home/vault/config.json && vault agent -config=/home/vault/config.json
    State:          Running
      Started:      Sun, 14 Mar 2021 14:07:59 +0100
    Ready:          True
    Restart Count:  0
    Limits:
      cpu:     500m
      memory:  128Mi
    Requests:
      cpu:     250m
      memory:  64Mi
    Environment:
      VAULT_LOG_LEVEL:   info
      VAULT_LOG_FORMAT:  standard
```

@elcomtik elcomtik added the enhancement New feature or request label Mar 19, 2021
@jasonodonnell
Contributor

Hi @elcomtik, thanks for the feature request!

This is a good feature but will require changes to the Vault Agent Injector. Currently the injector only supports changing the resource settings via annotation, so we would need to add flag/environment variable support in that project first because we can add Helm configurables.

I opened an issue in Vault K8s for this: hashicorp/vault-k8s#238

@elcomtik
Author

@jasonodonnell Thanks for taking action.

@jasonodonnell
Contributor

@elcomtik This feature was implemented and merged in Vault K8s. We'll expose these in Vault Helm so they're configurable.

@elcomtik
Author

elcomtik commented Apr 2, 2021

Great to hear that.

@ryanmt

ryanmt commented May 12, 2021

It looks like this functionality is now exposed in v0.11.0. Should this be closed?

@elcomtik
Author

Yes, I'm closing it. Thanks a lot.

@SohamJ

SohamJ commented May 18, 2021

I don't see the agentDefaults documented yet in the vault docs. Do these updates go hand in hand? I didn't see an open PR in the vault repo, but I may have missed it.

Related issue: hashicorp/vault#11572

@jasonodonnell
Contributor

Thanks @SohamJ, they are documented but an error with auto-publishing to the website prevented them from going live (PR here: hashicorp/vault#11355).

We'll get this updated today along with the release of Vault Helm 0.12.0

@jasonodonnell
Contributor

You can find these on the website now. Vault Helm 0.12.0 is delayed slightly but the documentation is now updated. Thanks again!
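
The two configuration paths discussed in this thread, shown side by side as an added example (not taken from the issue or from the project's own files): per-pod annotations read by the injector, and chart-wide defaults under the `agentDefaults` key mentioned above. The resource figures, the `internal-app` role and the service account name are constructed; the annotation and value names are the ones documented for Vault K8s and the Vault Helm chart, so check them against the chart version you run. Size the memory limit from observed usage with headroom, because an agent that is OOM-killed stops rendering and renewing secrets for the pod.

```yaml
# 1) Per-workload override: annotations on the pod template.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orgchart
spec:
  replicas: 1
  selector:
    matchLabels:
      app: orgchart
  template:
    metadata:
      labels:
        app: orgchart
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "internal-app"      # constructed role name
        # Sidecar resources; the injector defaults seen in the pod
        # description above were 250m/64Mi requests, 500m/128Mi limits.
        vault.hashicorp.com/agent-requests-cpu: "10m"
        vault.hashicorp.com/agent-requests-mem: "32Mi"
        vault.hashicorp.com/agent-limits-cpu: "100m"
        vault.hashicorp.com/agent-limits-mem: "64Mi"
    spec:
      serviceAccountName: orgchart                    # constructed
      containers:
        - name: orgchart
          image: jweissig/app:0.0.1
---
# 2) Cluster-wide default: a separate values file for the Vault Helm chart.
#    Applies to every injected agent that does not set its own annotations.
injector:
  agentDefaults:
    cpuRequest: "10m"
    memRequest: "32Mi"
    cpuLimit: "100m"
    memLimit: "64Mi"
```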
