From a66aac0d77a88a382554a85e96a63029bc252840 Mon Sep 17 00:00:00 2001
From: Wainer dos Santos Moschetta
Date: Fri, 25 Apr 2025 16:57:40 -0300
Subject: [PATCH] tests/k8s: optimize nginx ingress for AKS small VM
It's used an AKS managed ingress controller which keeps two nginx pod replicas where both request 500m of CPU. On small VMs like we've used on CI for running the CoCo non-TEE tests, it left only a few amount of CPU for the tests. Actually, one of these pod replicas won't even get started. So let's patch the ingress controller to have only one replica of nginx.
Signed-off-by: Wainer dos Santos Moschetta
---
 .../kubernetes/confidential_kbs.sh | 20 +++++++++++++++++++
 1 file changed, 20 insertions(+)
diff --git a/tests/integration/kubernetes/confidential_kbs.sh b/tests/integration/kubernetes/confidential_kbs.sh
index 03a1a15f02..bc57528deb 100644
--- a/tests/integration/kubernetes/confidential_kbs.sh
+++ b/tests/integration/kubernetes/confidential_kbs.sh
@@ -372,6 +372,10 @@ function kbs_k8s_deploy() {
 fi
 echo "::endgroup::"
+ echo "::group::Post deploy actions"
+ _post_deploy "${ingress}"
+ echo "::endgroup::"
+
 # By default, the KBS service is reachable within the cluster only,
 # thus the following healthy checker should run from a pod. So start a
 # debug pod where it will try to get a response from the service. The
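Review bot: The status of `_post_deploy "${ingress}"` is discarded unless errexit is active in the caller, because the next command is the unconditional `echo "::endgroup::"`; nothing in this hunk shows which is the case. That status comes from the `waitForProcess` call added in the second hunk, so a patch that never applies within its timeout would let the deploy continue to the health check and fail later for a reason that looks unrelated. Consider `_post_deploy "${ingress}" || { echo "::endgroup::"; return 1; }` so the log group is closed and the failure is reported where it happened. kbs_k8s_deploy starts and ends outside this hunk, so its existing error handling should be checked first.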
@@ -547,6 +551,22 @@ _handle_ingress_nodeport() {
 export DEPLOYMENT_DIR=nodeport
 }
+# Run further actions after the kbs was deployed, usually to apply further
+# configurations.
+#
+_post_deploy() {
+ local ingress="${1:-}"
+
+ if [[ "${ingress}" = "aks" ]]; then
+ # The AKS managed ingress controller defaults to two nginx pod
+ # replicas where both request 500m of CPU. On cluster made of small
+ # VMs (e.g. 2 vCPU) one of the pod might not even start. We need only
+ # one nginx, so patching the controller to keep only one replica.
+ echo "Patch the ingress controller to have only one replica of nginx"
+ waitForProcess "20" "5" \
+ "kubectl patch nginxingresscontroller/default -n app-routing-system --type=merge -p='{\"spec\":{\"scaling\": {\"minReplicas\": 1}}}'"
+ fi
+}
 # Prepare necessary resources for qemu-se runtime
 # Documentation: https://github.com/confidential-containers/trustee/tree/main/attestation-service/verifier/src/se
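Review bot: The merge patch in `_post_deploy` sets only `spec.scaling.minReplicas`, which lowers the autoscaling floor but does not cap the replica count, so the comment's "keep only one replica" holds only while the controller has no reason to scale up. If exactly one replica is the intent, also setting `maxReplicas` in the same patch would pin it; this should be confirmed against the NginxIngressController CRD version on the cluster. The function header could name its argument in place of the empty trailing `#` line, e.g. `# Parameters: $1 - ingress handler name (e.g. "aks"); any other value is a no-op`. Because the change removes the redundancy of the ingress in front of the KBS, a one-line comment that it is intended for small CI clusters only would keep it from being copied into a longer-lived deployment.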