hashicorp · natemollica-nm · Apr 9, 2025 · Apr 10, 2025 · Apr 10, 2025 · Apr 11, 2025
@@ -0,0 +1,3 @@
+```release-note:breaking-change
+helm: updated resource entry documentation to recommend "null" CPU limits for service mesh components in production, and added reference-architecture CPU/memory guidelines for Consul servers. Please update Helm values overrides for CPU limits if local policies dictate mandatory setting of Kubernetes/OpenShift resource settings for any components affected in update. Consul Components Affected by [PR #4518](https://github.com/hashicorp/consul-k8s/pull/4518) by Helm value override: server.resources, meshGateway.resources, terminatingGateway.defaults.resources, ingressGateway.defaults.resources, connectInject.resources, connectInject.sidecarProxy.resources, connectInject.apiGateway.resources
+```
@@ -325,9 +325,27 @@ spec:
               mountPath: /consul/tls/ca
               readOnly: true
           {{- end }}
-          {{- with .Values.connectInject.resources }}
+          {{- if .Values.connectInject.resources }}
           resources:
-            {{- toYaml . | nindent 12 }}
+            {{- if .Values.connectInject.resources.requests }}
+            requests:
+              {{- if .Values.connectInject.resources.requests.cpu }}
+              cpu: "{{ .Values.connectInject.resources.requests.cpu | toString | trim }}"
+              {{- end }}
+              {{- if .Values.connectInject.resources.requests.memory }}
+              memory: "{{ .Values.connectInject.resources.requests.memory | toString | trim }}"
+              {{- end }}
+            {{- end }}
+
+            {{- if .Values.connectInject.resources.limits }}
+            limits:
+              {{- if .Values.connectInject.resources.limits.cpu }}
+              cpu: "{{ .Values.connectInject.resources.limits.cpu | toString | trim }}"
+              {{- end }}
+              {{- if .Values.connectInject.resources.limits.memory }}
+              memory: "{{ .Values.connectInject.resources.limits.memory | toString | trim }}"
+              {{- end }}
+            {{- end }}
           {{- end }}
       volumes:
         - name: config

@@ -248,8 +248,34 @@ spec:
         image: {{ $root.Values.global.imageConsulDataplane | quote }}
         {{ template "consul.imagePullPolicy" $root }}
         {{- include "consul.restrictedSecurityContext" $ | nindent 8 }}
-        {{- if (default $defaults.resources .resources) }}
-        resources: {{ toYaml (default $defaults.resources .resources) | nindent 10 }}
+        # Only render 'resources' if it's not empty
+        {{- $gatewayResources := (default $defaults.resources .resources) }}
+        {{- if $gatewayResources }}
+        resources:
+          # If $gatewayResources is just a templated string, pass it as-is.
+          {{- if eq (typeOf $gatewayResources) "string" }}
+          {{ tpl $gatewayResources . | nindent 4 | trim }}
+          {{- else }}
+          {{- if $gatewayResources.requests }}
+          requests:
+              {{- if and $gatewayResources.requests.cpu (ne $gatewayResources.requests.cpu nil) }}
+            cpu: "{{ $gatewayResources.requests.cpu }}"
+              {{- end }}
+              {{- if and $gatewayResources.requests.memory (ne $gatewayResources.requests.memory nil) }}
+            memory: "{{ $gatewayResources.requests.memory }}"
+              {{- end }}
+          {{- end }}
+
+          {{- if $gatewayResources.limits }}
+          limits:
+              {{- if and $gatewayResources.limits.cpu (ne $gatewayResources.limits.cpu nil) }}
+            cpu: "{{ $gatewayResources.limits.cpu }}"
+              {{- end }}
+              {{- if and $gatewayResources.limits.memory (ne $gatewayResources.limits.memory nil) }}
+            memory: "{{ $gatewayResources.limits.memory }}"
+              {{- end }}
+          {{- end }}
+          {{- end }}
         {{- end }}
         volumeMounts:
         - name: tmp

@@ -211,11 +211,25 @@ spec:
               - NET_BIND_SERVICE
         {{- if .Values.meshGateway.resources }}
         resources:
-            {{- if eq (typeOf .Values.meshGateway.resources) "string" }}
-            {{ tpl .Values.meshGateway.resources . | nindent 12 | trim }}
-            {{- else }}
-            {{- toYaml .Values.meshGateway.resources | nindent 12 }}
+          {{- if .Values.meshGateway.resources.requests }}
+          requests:
+            {{- if .Values.meshGateway.resources.requests.cpu }}
+            cpu: {{ .Values.meshGateway.resources.requests.cpu | toString | trim }}
             {{- end }}
+            {{- if .Values.meshGateway.resources.requests.memory }}
+            memory: {{ .Values.meshGateway.resources.requests.memory | toString | trim }}
+            {{- end }}
+          {{- end }}
+
+          {{- if .Values.meshGateway.resources.limits }}
+          limits:
+            {{- if .Values.meshGateway.resources.limits.cpu }}
+            cpu: {{ .Values.meshGateway.resources.limits.cpu | toString | trim }}
+            {{- end }}
+            {{- if .Values.meshGateway.resources.limits.memory }}
+            memory: {{ .Values.meshGateway.resources.limits.memory | toString | trim }}
+            {{- end }}
+          {{- end }}
         {{- end }}
         volumeMounts:
         - mountPath: /consul/service

@@ -657,10 +657,24 @@ spec:
             timeoutSeconds: 5
           {{- if .Values.server.resources }}
           resources:
-            {{- if eq (typeOf .Values.server.resources) "string" }}
-            {{ tpl .Values.server.resources . | nindent 12 | trim }}
-            {{- else }}
-            {{- toYaml .Values.server.resources | nindent 12 }}
+            {{- if .Values.server.resources.requests }}
+            requests:
+              {{- if .Values.server.resources.requests.cpu }}
+              cpu: {{ .Values.server.resources.requests.cpu | toString | trim }}
+              {{- end }}
+              {{- if .Values.server.resources.requests.memory }}
+              memory: {{ .Values.server.resources.requests.memory | toString | trim }}
+              {{- end }}
+            {{- end }}
+
+            {{- if .Values.server.resources.limits }}
+            limits:
+              {{- if .Values.server.resources.limits.cpu }}
+              cpu: {{ .Values.server.resources.limits.cpu | toString | trim }}
+              {{- end }}
+              {{- if .Values.server.resources.limits.memory }}
+              memory: {{ .Values.server.resources.limits.memory | toString | trim }}
+              {{- end }}
             {{- end }}
           {{- end }}
           {{- if .Values.server.containerSecurityContext.server }}

@@ -251,8 +251,34 @@ spec:
               readOnly: true
               mountPath: /consul/userconfig/{{ .name }}
             {{- end }}
-          {{- if (default $defaults.resources .resources) }}
-          resources: {{ toYaml (default $defaults.resources .resources) | nindent 12 }}
+          # Only render 'resources' if it's not empty
+          {{- $gatewayResources := (default $defaults.resources .resources) }}
+          {{- if $gatewayResources }}
+          resources:
+            # If $gatewayResources is just a templated string, pass it as-is.
+            {{- if eq (typeOf $gatewayResources) "string" }}
+            {{ tpl $gatewayResources . | nindent 4 | trim }}
+            {{- else }}
+            {{- if $gatewayResources.requests }}
+            requests:
+                {{- if and $gatewayResources.requests.cpu (ne $gatewayResources.requests.cpu nil) }}
+              cpu: "{{ $gatewayResources.requests.cpu }}"
+                {{- end }}
+                {{- if and $gatewayResources.requests.memory (ne $gatewayResources.requests.memory nil) }}
+              memory: "{{ $gatewayResources.requests.memory }}"
+                {{- end }}
+            {{- end }}
+
+            {{- if $gatewayResources.limits }}
+            limits:
+                {{- if and $gatewayResources.limits.cpu (ne $gatewayResources.limits.cpu nil) }}
+              cpu: "{{ $gatewayResources.limits.cpu }}"
+                {{- end }}
+                {{- if and $gatewayResources.limits.memory (ne $gatewayResources.limits.memory nil) }}
+              memory: "{{ $gatewayResources.limits.memory }}"
+                {{- end }}
+            {{- end }}
+            {{- end }}
           {{- end }}
           env:
           - name: NAMESPACE

@@ -960,7 +960,7 @@ load _helpers
       --set 'connectInject.enabled=true' \
       . | tee /dev/stderr |
       yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
-  [ "${actual}" = '{"limits":{"cpu":"50m","memory":"200Mi"},"requests":{"cpu":"50m","memory":"200Mi"}}' ]
+  [ "${actual}" = '{"requests":{"cpu":"50m","memory":"200Mi"},"limits":{"memory":"200Mi"}}' ]
 }
 
 @test "connectInject/Deployment: can set resources" {
@@ -974,7 +974,7 @@ load _helpers
       --set 'connectInject.resources.limits.cpu=200m' \
       . | tee /dev/stderr |
       yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
-  [ "${actual}" = '{"limits":{"cpu":"200m","memory":"200Mi"},"requests":{"cpu":"100m","memory":"100Mi"}}' ]
+  [ "${actual}" = '{"requests":{"cpu":"100m","memory":"100Mi"},"limits":{"cpu":"200m","memory":"200Mi"}}' ]
 }
 
 #--------------------------------------------------------------------
@@ -1126,18 +1126,6 @@ load _helpers
       . | tee /dev/stderr |
       yq '.spec.template.spec.containers[0].command' | tee /dev/stderr)
 
-  local actual=$(echo "$cmd" |
-    yq 'any(contains("-default-sidecar-proxy-memory-request"))' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-
-  local actual=$(echo "$cmd" |
-    yq 'any(contains("-default-sidecar-proxy-cpu-request"))' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-
-  local actual=$(echo "$cmd" |
-    yq 'any(contains("-default-sidecar-proxy-memory-limit"))' | tee /dev/stderr)
-  [ "${actual}" = "false" ]
-
   local actual=$(echo "$cmd" |
     yq 'any(contains("-default-sidecar-proxy-cpu-limit"))' | tee /dev/stderr)
   [ "${actual}" = "false" ]

@@ -515,7 +515,7 @@ load _helpers
   [ $(echo "${actual}" | yq -r '.requests.memory') = "100Mi" ]
   [ $(echo "${actual}" | yq -r '.requests.cpu') = "100m" ]
   [ $(echo "${actual}" | yq -r '.limits.memory') = "100Mi" ]
-  [ $(echo "${actual}" | yq -r '.limits.cpu') = "100m" ]
+  [ $(echo "${actual}" | yq -r '.limits.cpu') = null ]
 }
 
 @test "ingressGateways/Deployment: resources can be set through defaults" {

@@ -345,7 +345,7 @@ key2: value2' \
   [ $(echo "${actual}" | yq -r '.requests.memory') = "100Mi" ]
   [ $(echo "${actual}" | yq -r '.requests.cpu') = "100m" ]
   [ $(echo "${actual}" | yq -r '.limits.memory') = "100Mi" ]
-  [ $(echo "${actual}" | yq -r '.limits.cpu') = "100m" ]
+  [ $(echo "${actual}" | yq -r '.limits.cpu') = null ]
 }
 
 @test "meshGateway/Deployment: resources can be overridden" {
@@ -354,10 +354,10 @@ key2: value2' \
       -s templates/mesh-gateway-deployment.yaml  \
       --set 'meshGateway.enabled=true' \
       --set 'connectInject.enabled=true' \
-      --set 'meshGateway.resources.foo=bar' \
+      --set 'meshGateway.resources.limits.cpu=4' \
       . | tee /dev/stderr |
-      yq -r '.spec.template.spec.containers[0].resources.foo' | tee /dev/stderr)
-  [ "${actual}" = "bar" ]
+      yq -r '.spec.template.spec.containers[0].resources.limits.cpu' | tee /dev/stderr)
+  [ "${actual}" = 4 ]
 }
 
 # Test support for the deprecated method of setting a YAML string.
@@ -368,10 +368,10 @@ key2: value2' \
       --set 'meshGateway.enabled=true' \
       --set 'connectInject.enabled=true' \
       --set 'client.grpc=true' \
-      --set 'meshGateway.resources=foo: bar' \
+      --set 'meshGateway.resources.limits.cpu="2000m"' \
       . | tee /dev/stderr |
-      yq -r '.spec.template.spec.containers[0].resources.foo' | tee /dev/stderr)
-  [ "${actual}" = "bar" ]
+      yq -r '.spec.template.spec.containers[0].resources.limits.cpu' | tee /dev/stderr)
+  [ "${actual}" = "2000m" ]
 }
 
 #--------------------------------------------------------------------

@@ -99,28 +99,28 @@ load _helpers
       -s templates/server-statefulset.yaml  \
       . | tee /dev/stderr |
       yq -rc '.spec.template.spec.containers[0].resources' | tee /dev/stderr)
-  [ "${actual}" = '{"limits":{"cpu":"100m","memory":"200Mi"},"requests":{"cpu":"100m","memory":"200Mi"}}' ]
+  [ "${actual}" = '{"requests":{"cpu":"100m","memory":"200Mi"},"limits":{"memory":"200Mi"}}' ]
 }
 
 @test "server/StatefulSet: resources can be overridden" {
   cd `chart_dir`
   local actual=$(helm template \
       -s templates/server-statefulset.yaml  \
-      --set 'server.resources.foo=bar' \
+      --set 'server.resources.limits.cpu=4' \
       . | tee /dev/stderr |
-      yq -r '.spec.template.spec.containers[0].resources.foo' | tee /dev/stderr)
-  [ "${actual}" = "bar" ]
+      yq -r '.spec.template.spec.containers[0].resources.limits.cpu' | tee /dev/stderr)
+  [ "${actual}" = 4 ]
 }
 
 # Test support for the deprecated method of setting a YAML string.
 @test "server/StatefulSet: resources can be overridden with string" {
   cd `chart_dir`
   local actual=$(helm template \
       -s templates/server-statefulset.yaml  \
-      --set 'server.resources=foo: bar' \
+      --set 'server.resources.limits.cpu="2000m"' \
       . | tee /dev/stderr |
-      yq -r '.spec.template.spec.containers[0].resources.foo' | tee /dev/stderr)
-  [ "${actual}" = "bar" ]
+      yq -r '.spec.template.spec.containers[0].resources.limits.cpu' | tee /dev/stderr)
+  [ "${actual}" = "2000m" ]
 }
 
 #--------------------------------------------------------------------

@@ -613,7 +613,7 @@ load _helpers
   [ $(echo "${actual}" | yq -r '.requests.memory') = "100Mi" ]
   [ $(echo "${actual}" | yq -r '.requests.cpu') = "100m" ]
   [ $(echo "${actual}" | yq -r '.limits.memory') = "100Mi" ]
-  [ $(echo "${actual}" | yq -r '.limits.cpu') = "100m" ]
+  [ $(echo "${actual}" | yq -r '.limits.cpu') = null ]
 }
 
 @test "terminatingGateways/Deployment: resources can be set through defaults" {