
chore(helm): set sensible resource defaults and drop CPU limits #2911

Open
rzala wants to merge 1 commit into aquasecurity:main from rzala:chore/helm-resource-defaults

@rzala rzala commented Mar 5, 2026

Summary

  • Set production-tested resource defaults for the operator pod (was resources: {})
  • Lower trivy-server resource requests to match real-world usage
  • Comment out all CPU limits across components to allow burstable scheduling

Motivation

Helm deep-merges dictionaries, so consumers using ArgoCD or extra values overlays cannot remove individual keys from resource specs — they can only change values. Lists are replaced entirely, but dict keys are permanent once set in values.yaml.

This means if the chart ships with resources.requests.cpu: 200m and a user doesn't want a CPU request at all (e.g. for burstable QoS), there's no way to remove that key via values overrides.

Alternative approach

If setting static defaults is not desirable, replacing the current resource blocks with resources: {} would also solve the merge problem — consumers can then define exactly the keys they need without inheriting any they can't remove. Happy to adjust the PR either way.

Changes

| Section | Before | After |
| --- | --- | --- |
| resources (operator) | {} | requests: 35m CPU, 300Mi mem; limits: 500Mi mem |
| trivy.resources (scan jobs) | cpu: 500m limit active | CPU limit commented out |
| trivy.server.resources | 200m CPU, 512Mi mem requests; cpu: 1 limit | 25m CPU, 150Mi mem requests; CPU limit commented out |

Test plan

  • helm template renders correct resource blocks for operator deployment
  • helm template renders correct resource blocks for trivy server statefulset
  • Verify no active CPU limits in rendered output
  • Deploy with extra values overlay and confirm keys can be added/changed as expected

Helm deep-merges dictionaries, which means consumers using ArgoCD or
extra values files can never remove individual keys from resource
specs — only change their values.  Ship production-tested defaults so
users don't have to fight this behaviour:

- operator pod: add concrete requests/limits instead of empty `{}`
- trivy server: lower requests to match real-world usage
- all components: comment out CPU limits to allow burstable scheduling
@rzala rzala requested review from afdesk and simar7 as code owners March 5, 2026 12:54
@github-actions github-actions bot added the misc label Mar 5, 2026
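
The merge behaviour described in the Motivation section and the "no active CPU limits" item from the test plan, as an added Python example that is not part of the PR or the chart. `deep_merge` is a simplified model of the dict-merge and list-replace behaviour the description states, not Helm's implementation; the function names, the `BEFORE`/`AFTER` dictionaries (built from the Changes table) and the overlay are constructed for illustration.

```python
"""Simplified model of values merging as the PR describes it (not Helm's code)."""
from copy import deepcopy


def deep_merge(base, overlay):
    """Merge overlay into base: dicts recurse, lists and scalars are replaced."""
    merged = deepcopy(base)
    for key, value in overlay.items():
        if isinstance(value, dict) and isinstance(merged.get(key), dict):
            merged[key] = deep_merge(merged[key], value)
        else:
            merged[key] = deepcopy(value)
    return merged


def active_cpu_limits(values, path=""):
    """Return the dotted path of every resources.limits.cpu key still set."""
    found = []
    for key, value in values.items():
        if not isinstance(value, dict):
            continue
        here = f"{path}.{key}" if path else key
        limits = value.get("limits")
        if key == "resources" and isinstance(limits, dict) and "cpu" in limits:
            found.append(f"{here}.limits.cpu")
        found.extend(active_cpu_limits(value, here))
    return found


# Constructed from the PR's Before/After table; OVERLAY is a hypothetical consumer file.
BEFORE = {
    "resources": {},
    "trivy": {
        "resources": {"limits": {"cpu": "500m"}},
        "server": {"resources": {"requests": {"cpu": "200m", "memory": "512Mi"},
                                 "limits": {"cpu": "1"}}},
    },
}
AFTER = {
    "resources": {"requests": {"cpu": "35m", "memory": "300Mi"},
                  "limits": {"memory": "500Mi"}},
    "trivy": {
        "resources": {},
        "server": {"resources": {"requests": {"cpu": "25m", "memory": "150Mi"}}},
    },
}
OVERLAY = {"trivy": {"server": {"resources": {"requests": {"memory": "256Mi"}}}}}
if __name__ == "__main__":
    print(active_cpu_limits(deep_merge(BEFORE, OVERLAY)), active_cpu_limits(deep_merge(AFTER, OVERLAY)))
```

Under this model the overlay changes only the memory request: with the old defaults the inherited CPU request and CPU limit both survive the merge, while with the new defaults no CPU limit is reported.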