From 79c6ba4a4f491497dcae71addff758cfb705773d Mon Sep 17 00:00:00 2001
From: Michael Bangas
Date: Fri, 5 Jun 2026 10:25:47 +0200
Subject: [PATCH 1/9] add vpa and increment replicas
---
 .../templates/deployment.yaml | 2 +-
 .../github-oidc-federation/templates/vpa.yaml | 20 +++++++++++++++++++
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 charts/github-oidc-federation/templates/vpa.yaml
diff --git a/charts/github-oidc-federation/templates/deployment.yaml b/charts/github-oidc-federation/templates/deployment.yaml
index e61b7f7..8590fd4 100644
--- a/charts/github-oidc-federation/templates/deployment.yaml
+++ b/charts/github-oidc-federation/templates/deployment.yaml
@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
 name: github-oidc-federation
 spec:
- replicas: 1
+ replicas: 5
 selector:
 matchLabels:
 role: github-oidc-federation
diff --git a/charts/github-oidc-federation/templates/vpa.yaml b/charts/github-oidc-federation/templates/vpa.yaml
new file mode 100644
index 0000000..938fc37
--- /dev/null
+++ b/charts/github-oidc-federation/templates/vpa.yaml
@@ -0,0 +1,20 @@
+apiVersion: autoscaling.k8s.io/v1
+kind: VerticalPodAutoscaler
+metadata:
+ name: github-oidc-federation
+spec:
+ targetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: github-oidc-federation
+ updatePolicy:
+ updateMode: InPlaceOrRecreate
+ resourcePolicy:
+ containerPolicies:
+ - containerName: github-oidc-federation
+ minAllowed:
+ cpu: 50m
+ memory: 128Mi
+ maxAllowed:
+ cpu: 1
+ memory: 512Mi
\ No newline at end of file
From f5d88b27ce42eac3c86b171a0c2e624ad030fa47 Mon Sep 17 00:00:00 2001
From: Michael Bangas
Date: Fri, 5 Jun 2026 12:35:45 +0200
Subject: [PATCH 2/9] spread replicas over multiples zones
---
 charts/github-oidc-federation/templates/deployment.yaml | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/charts/github-oidc-federation/templates/deployment.yaml b/charts/github-oidc-federation/templates/deployment.yaml
index 8590fd4..d8b9482 100644
--- a/charts/github-oidc-federation/templates/deployment.yaml
+++ b/charts/github-oidc-federation/templates/deployment.yaml
@@ -30,3 +30,10 @@ spec:
 - name: github-oidc-federation
 secret:
 secretName: github-oidc-federation
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: DoNotSchedule
+ labelSelector:
+ matchLabels:
+ role: github-oidc-federation
From 08fdad3f80bb6f5c720adb6416275d49ff8ebb65 Mon Sep 17 00:00:00 2001
From: Michael Bangas
Date: Mon, 8 Jun 2026 08:54:54 +0200
Subject: [PATCH 3/9] read replica count from values file
---
 charts/github-oidc-federation/templates/deployment.yaml | 2 +-
 charts/github-oidc-federation/templates/vpa.yaml | 2 +-
 charts/github-oidc-federation/values.yaml | 1 +
 3 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/charts/github-oidc-federation/templates/deployment.yaml b/charts/github-oidc-federation/templates/deployment.yaml
index d8b9482..e82c6f7 100644
--- a/charts/github-oidc-federation/templates/deployment.yaml
+++ b/charts/github-oidc-federation/templates/deployment.yaml
@@ -3,7 +3,7 @@ kind: Deployment
 metadata:
 name: github-oidc-federation
 spec:
- replicas: 5
+ replicas: {{ .Values.replicas }}
 selector:
 matchLabels:
 role: github-oidc-federation
diff --git a/charts/github-oidc-federation/templates/vpa.yaml b/charts/github-oidc-federation/templates/vpa.yaml
index 938fc37..15d8f3a 100644
--- a/charts/github-oidc-federation/templates/vpa.yaml
+++ b/charts/github-oidc-federation/templates/vpa.yaml
@@ -17,4 +17,4 @@ spec:
 memory: 128Mi
 maxAllowed:
 cpu: 1
- memory: 512Mi
\ No newline at end of file
+ memory: 512Mi
diff --git a/charts/github-oidc-federation/values.yaml b/charts/github-oidc-federation/values.yaml
index ecf3a79..b3ac982 100644
--- a/charts/github-oidc-federation/values.yaml
+++ b/charts/github-oidc-federation/values.yaml
@@ -1,3 +1,4 @@
+replicas: 5
 image:
 repository: europe-docker.pkg.dev/gardener-project/releases/github-oidc-federation
 tag: latest
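Review bot: `whenUnsatisfiable: DoNotSchedule` on the new topologySpreadConstraints is a hard constraint, so whenever fewer schedulable zones are available than maxSkew 1 needs (a zone outage, or a single-zone cluster) replacement or scale-out pods stay Pending instead of being placed elsewhere, which lowers availability rather than raising it. Unless a strict spread is a deliberate requirement, `whenUnsatisfiable: ScheduleAnyway` keeps the zone spread as a scheduler preference while still allowing placement. The enclosing pod spec starts outside the hunk and the indentation is collapsed in this rendering, so I cannot confirm the block sits under `spec.template.spec`; please check the rendered manifest.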
From 12dfa990fad90d9f7004e3ea1602401a75e9f106 Mon Sep 17 00:00:00 2001
From: Michael Bangas
Date: Mon, 8 Jun 2026 09:56:25 +0200
Subject: [PATCH 4/9] switch from vpa to hpa
---
 .../github-oidc-federation/templates/hpa.yaml | 24 +++++++++++++++++++
 .../github-oidc-federation/templates/vpa.yaml | 20 ----------------
 2 files changed, 24 insertions(+), 20 deletions(-)
 create mode 100644 charts/github-oidc-federation/templates/hpa.yaml
 delete mode 100644 charts/github-oidc-federation/templates/vpa.yaml
diff --git a/charts/github-oidc-federation/templates/hpa.yaml b/charts/github-oidc-federation/templates/hpa.yaml
new file mode 100644
index 0000000..5fd05d9
--- /dev/null
+++ b/charts/github-oidc-federation/templates/hpa.yaml
@@ -0,0 +1,24 @@
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: github-oidc-federation
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: github-oidc-federation
+ minReplicas: 2
+ maxReplicas: 5
+ metrics:
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: 80
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: 80
diff --git a/charts/github-oidc-federation/templates/vpa.yaml b/charts/github-oidc-federation/templates/vpa.yaml
deleted file mode 100644
index 15d8f3a..0000000
--- a/charts/github-oidc-federation/templates/vpa.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: autoscaling.k8s.io/v1
-kind: VerticalPodAutoscaler
-metadata:
- name: github-oidc-federation
-spec:
- targetRef:
- apiVersion: apps/v1
- kind: Deployment
- name: github-oidc-federation
- updatePolicy:
- updateMode: InPlaceOrRecreate
- resourcePolicy:
- containerPolicies:
- - containerName: github-oidc-federation
- minAllowed:
- cpu: 50m
- memory: 128Mi
- maxAllowed:
- cpu: 1
- memory: 512Mi
From 86182dd4a59b07a5f5c1afe8ee56371a6c9742a4 Mon Sep 17 00:00:00 2001
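Review bot: Both metrics in the new hpa.yaml use `type: Utilization`, which the HPA controller evaluates as a percentage of the containers' resource requests, so the target Deployment must declare cpu and memory requests or the controller reports a failed metric fetch and never scales; the Deployment's resources section is not part of this series, so please confirm both requests are set. Memory utilization is also a weak scale-in signal for a service whose resident memory does not shrink after a load peak, which can leave the replica count pinned at its high-water mark; consider cpu-only scaling or document why the memory metric is wanted. A header comment in the new file would make the dependency explicit, e.g. `# Utilization targets are relative to the container resource requests in deployment.yaml; both cpu and memory requests must be set.`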
From: Michael Bangas
Date: Mon, 8 Jun 2026 10:19:12 +0200
Subject: [PATCH 5/9] allow ingress only from proxy nginx controller
---
 .../templates/network_policies.yaml | 9 ++++++++-
 charts/github-oidc-federation/values.yaml | 2 +-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/charts/github-oidc-federation/templates/network_policies.yaml b/charts/github-oidc-federation/templates/network_policies.yaml
index 0e89653..7e18458 100644
--- a/charts/github-oidc-federation/templates/network_policies.yaml
+++ b/charts/github-oidc-federation/templates/network_policies.yaml
@@ -34,6 +34,13 @@ spec:
 policyTypes:
 - Ingress
 ingress:
- - ports:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: nginx-ingress
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: controller
+ ports:
 - protocol: TCP
 port: 3000
diff --git a/charts/github-oidc-federation/values.yaml b/charts/github-oidc-federation/values.yaml
index b3ac982..851b473 100644
--- a/charts/github-oidc-federation/values.yaml
+++ b/charts/github-oidc-federation/values.yaml
@@ -1,4 +1,4 @@
-replicas: 5
+replicas: 3
 image:
 repository: europe-docker.pkg.dev/gardener-project/releases/github-oidc-federation
 tag: latest
From 6f88bd15732ad655c4bb5a8f8c77de57b64c3dcf Mon Sep 17 00:00:00 2001
From: Michael Bangas
Date: Mon, 8 Jun 2026 11:17:44 +0200
Subject: [PATCH 6/9] remove replica directive in deployment as hpa is used
---
 charts/github-oidc-federation/templates/deployment.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/charts/github-oidc-federation/templates/deployment.yaml b/charts/github-oidc-federation/templates/deployment.yaml
index e82c6f7..968a03d 100644
--- a/charts/github-oidc-federation/templates/deployment.yaml
+++ b/charts/github-oidc-federation/templates/deployment.yaml
@@ -3,7 +3,6 @@ kind: Deployment
 metadata:
 name: github-oidc-federation
 spec:
- replicas: {{ .Values.replicas }}
 selector:
 matchLabels:
 role: github-oidc-federation
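Review bot: The restriction in the network_policies.yaml hunk only holds if `podSelector` is a sibling key of `namespaceSelector` inside the same `from` entry (evaluated as an AND: pods with that label in that namespace); written as a second `-` item it becomes an OR that also admits any pod in the policy's own namespace carrying `app.kubernetes.io/component: controller`. The indentation is lost in this rendering, so please verify with `helm template` that the rendered rule has one peer holding both selectors; patch 8 restructures the same rule and carries the same requirement. The namespace name `nginx-ingress` is hardcoded in the selector, so on a cluster where the controller runs in another namespace no peer matches and all ingress to port 3000 is silently denied; a values key for the namespace, or a comment stating the assumption, would make that failure mode visible.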
From 14c1fe1c20459153ebd8ddf76f393b134ce7707b Mon Sep 17 00:00:00 2001
From: Michael Bangas
Date: Mon, 8 Jun 2026 11:18:18 +0200
Subject: [PATCH 7/9] avoid hardcoding values for hpa
---
 charts/github-oidc-federation/templates/hpa.yaml | 8 ++++----
 charts/github-oidc-federation/values.yaml | 7 +++++++
 2 files changed, 11 insertions(+), 4 deletions(-)
diff --git a/charts/github-oidc-federation/templates/hpa.yaml b/charts/github-oidc-federation/templates/hpa.yaml
index 5fd05d9..f337da0 100644
--- a/charts/github-oidc-federation/templates/hpa.yaml
+++ b/charts/github-oidc-federation/templates/hpa.yaml
@@ -7,18 +7,18 @@ spec:
 apiVersion: apps/v1
 kind: Deployment
 name: github-oidc-federation
- minReplicas: 2
- maxReplicas: 5
+ minReplicas: {{ .Values.hpa.minReplicas }}
+ maxReplicas: {{ .Values.hpa.maxReplicas }}
 metrics:
 - type: Resource
 resource:
 name: cpu
 target:
 type: Utilization
- averageUtilization: 80
+ averageUtilization: {{ .Values.hpa.cpu.averageUtilization }}
 - type: Resource
 resource:
 name: memory
 target:
 type: Utilization
- averageUtilization: 80
+ averageUtilization: {{ .Values.hpa.memory.averageUtilization }}
diff --git a/charts/github-oidc-federation/values.yaml b/charts/github-oidc-federation/values.yaml
index 851b473..99c9ded 100644
--- a/charts/github-oidc-federation/values.yaml
+++ b/charts/github-oidc-federation/values.yaml
@@ -1,4 +1,11 @@
 replicas: 3
+hpa:
+ minReplicas: 2
+ maxReplicas: 5
+ cpu:
+ averageUtilization: 80
+ memory:
+ averageUtilization: 80
 image:
 repository: europe-docker.pkg.dev/gardener-project/releases/github-oidc-federation
 tag: latest
From afc1824ff385f7f8726650b0f7a1f05e6fb0bc27 Mon Sep 17 00:00:00 2001
From: Michael Bangas
Date: Mon, 8 Jun 2026 11:19:17 +0200
Subject: [PATCH 8/9] make ingress only from proxy optional as the ingress controller is not part of the helm chart
---
 .../templates/network_policies.yaml | 10 ++++++----
 charts/github-oidc-federation/values.yaml | 3 +++
 2 files changed, 9 insertions(+), 4 deletions(-)
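Review bot: The new `hpa` block in values.yaml is the operator-facing knob set and carries no comments, so a reader has to open hpa.yaml to learn that `averageUtilization` is a percentage of the container's resource request rather than of node capacity, and that `minReplicas` interacts with the zone-spread constraint added in patch 2. Please add a one-line comment per key in values.yaml, e.g. `# Target average CPU utilization, in percent of the container's cpu request, above which the HPA scales out` for `cpu.averageUtilization`, with the matching wording for `memory.averageUtilization`, and `# Lower bound on replicas; keep it at or above the number of zones the spread constraint should cover` for `minReplicas`. The hpa.yaml hunk itself reads cleanly; the values documentation is the missing piece.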
diff --git a/charts/github-oidc-federation/templates/network_policies.yaml b/charts/github-oidc-federation/templates/network_policies.yaml
index 7e18458..0a35797 100644
--- a/charts/github-oidc-federation/templates/network_policies.yaml
+++ b/charts/github-oidc-federation/templates/network_policies.yaml
@@ -34,13 +34,15 @@ spec:
 policyTypes:
 - Ingress
 ingress:
- - from:
+ - ports:
+ - protocol: TCP
+ port: 3000
+ {{- if .Values.networkPolicy.ingressController.enabled }}
+ from:
 - namespaceSelector:
 matchLabels:
 kubernetes.io/metadata.name: nginx-ingress
 podSelector:
 matchLabels:
 app.kubernetes.io/component: controller
- ports:
- - protocol: TCP
- port: 3000
+ {{- end }}
diff --git a/charts/github-oidc-federation/values.yaml b/charts/github-oidc-federation/values.yaml
index 99c9ded..09e43c0 100644
--- a/charts/github-oidc-federation/values.yaml
+++ b/charts/github-oidc-federation/values.yaml
@@ -13,3 +13,6 @@ ingress:
 annotations: {}
 class: nginx
 hosts: []
+networkPolicy:
+ ingressController:
+ enabled: true
From 0872e3cf0603a99c8c4ae6a24a7789708f7ef8aa Mon Sep 17 00:00:00 2001
From: Michael Bangas
Date: Mon, 8 Jun 2026 12:44:58 +0200
Subject: [PATCH 9/9] remove unused value
---
 charts/github-oidc-federation/values.yaml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/charts/github-oidc-federation/values.yaml b/charts/github-oidc-federation/values.yaml
index 09e43c0..14865d7 100644
--- a/charts/github-oidc-federation/values.yaml
+++ b/charts/github-oidc-federation/values.yaml
@@ -1,4 +1,3 @@
-replicas: 3
 hpa:
 minReplicas: 2
 maxReplicas: 5
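Review bot: With `networkPolicy.ingressController.enabled: false` the rendered ingress rule keeps `ports` but has no `from` at all, and a NetworkPolicy rule without `from` admits every source (pods in any namespace and any address that can route to the pod IP) on port 3000, so the toggle does not relax the allow-list, it removes it. Since the commit message says the controller may simply live outside this chart, the safer shape is to keep the peer and make its location configurable — for example values such as `networkPolicy.ingressController.namespace` and a label map rendered into `namespaceSelector`/`podSelector` (proposed names) — and reserve the `false` path for clusters that genuinely do not enforce network policies. At minimum the consequence should be stated next to the toggle in values.yaml, e.g. `# When false, port 3000 is reachable from all sources; only disable this if the ingress controller cannot be selected by namespace and label.` The same selector-nesting caveat raised on patch 5 applies to the relocated `from` block, whose indentation this rendering does not preserve.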