From 317940cb34077611e47a6106bf3986c31d54aaf6 Mon Sep 17 00:00:00 2001 From: Jesper Noordsij <45041769+jnoordsij@users.noreply.github.com> Date: Thu, 23 May 2024 12:17:21 +0200 Subject: [PATCH] [helm] Set `GOMAXPROCS` and `GOMEMLIMIT` environment variables (#1528) **Description of the change** Set `GOMAXPROCS` and `GOMEMLIMIT` environment variables based on container resources. Inspired by https://github.com/traefik/traefik-helm-chart/pull/1029. **Benefits** This should reduce potential CPU throttling and OOMKills on containers. **Possible drawbacks** This creates an empty `env` key for those not setting resource values. This is only a little ugly, but should not be harmful. Alternatively, we could add some conditional wrapper around the whole `env` block to only make it appear if a value is set, but that will be more complicated if additional env would be added in the future. **Additional information** The [`resourceFieldRef`](https://kubernetes.io/docs/concepts/workloads/pods/downward-api/#downwardapi-resourceFieldRef) is a very specific Kubernetes directive that is created specifically for passing resource-related values, which rounds up the CPU value to the nearest whole number (e.g. 250m to 1) and passes the memory as a numeric value; so `64Mi` would result in the environment variable being set to `67108864`. This by design makes it completely compatible with Go's API. An example is documented within Kubernetes documentation itself: https://kubernetes.io/docs/tasks/inject-data-application/environment-variable-expose-pod-information/#use-container-fields-as-values-for-environment-variables. --------- Signed-off-by: Jesper Noordsij --- helm/sealed-secrets/templates/deployment.yaml | 21 +++++++++++++++---- 1 file changed, 17 insertions(+), 4 deletions(-) diff --git a/helm/sealed-secrets/templates/deployment.yaml b/helm/sealed-secrets/templates/deployment.yaml index 7f58646e61..ee3f644301 100644 --- a/helm/sealed-secrets/templates/deployment.yaml 
+++ b/helm/sealed-secrets/templates/deployment.yaml @@ -106,7 +106,7 @@ spec: {{- end }} - --privatekey-annotations - {{ trimSuffix "," $privatekeyAnnotations | quote }} - {{- end }} + {{- end }} {{- if $.Values.privateKeyLabels }} {{- $privateKeyLabels := ""}} {{- range $k, $v := $.Values.privateKeyLabels }} @@ -132,6 +132,19 @@ spec: {{- end }} image: {{ printf "%s/%s:%s" .Values.image.registry .Values.image.repository .Values.image.tag }} imagePullPolicy: {{ .Values.image.pullPolicy }} + env: + {{- if (.Values.resources.limits).cpu }} + - name: GOMAXPROCS + valueFrom: + resourceFieldRef: + resource: limits.cpu + {{- end }} + {{- if (.Values.resources.limits).memory }} + - name: GOMEMLIMIT + valueFrom: + resourceFieldRef: + resource: limits.memory + {{- end }} ports: - containerPort: 8080 name: http @@ -168,13 +181,13 @@ spec: {{- end }} volumeMounts: {{- if .Values.additionalVolumeMounts }} - {{- toYaml .Values.additionalVolumeMounts | nindent 12 }} + {{- toYaml .Values.additionalVolumeMounts | nindent 12 }} {{- end }} - mountPath: /tmp name: tmp - volumes: + volumes: {{- if .Values.additionalVolumes }} - {{- toYaml .Values.additionalVolumes | nindent 8 }} + {{- toYaml .Values.additionalVolumes | nindent 8 }} {{- end }} - name: tmp emptyDir: {}
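Review bot: In the added `env:` block of the second hunk, `GOMEMLIMIT` is set to the full `limits.memory`, so Go's soft limit coincides with the container's hard limit and leaves no headroom. `GOMEMLIMIT` only bounds memory the Go runtime manages, so anything else charged to the container can still cause an OOMKill before the collector gets more aggressive, and a controller restart interrupts unsealing. `resourceFieldRef` cannot express a fraction of the limit (its `divisor` only changes units), so I would at least document the caveat above the entry, e.g. `{{- /* GOMEMLIMIT equals the hard memory limit; size resources.limits.memory with headroom for memory the Go runtime does not manage */}}`. Separately, `(.Values.resources.limits).cpu` guards a missing `limits` but presumably still fails to render if a values override sets `resources` itself to null; `((.Values.resources).limits).cpu` would cover that case. The container spec begins and ends outside this hunk.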