openova/platform/vpa
hatiyildiz 5834daec14 docs(pass-10): banners on 7 more components + opentofu active-active drift fix
7 more component READMEs got role-in-Catalyst banners:

- vpa, keda, reloader → per-host-cluster scaling/ops layer (§3.4).
  Reloader specifically calls out its role in Catalyst's secret-
  rotation flow (rolling deploy on K8s Secret hash change).
- external-dns → per-host-cluster DNS-sync (§3.1); pairs with k8gb
  for the GSLB zone separation.
- coraza → DMZ-block WAF on every host cluster (§3.1).
- crossplane → per-Sovereign on the management cluster (§3.2);
  banner explicitly emphasizes the agreed "never a user-facing
  surface" rule (Users don't write Compositions in Application
  configs; Blueprint authors and advanced contributors do). Cross-
  references the no-fourth-surface clause in ARCHITECTURE §4/§7
  and the Crossplane Composition section in BLUEPRINT-AUTHORING §8.
- opentofu → repositioned as Phase-0-only, runs on `catalyst-
  provisioner` only, NOT installed on host clusters at runtime.

opentofu drift fixes (uncovered by line-by-line read):
- Section 5 line 182: "Bootstrap Wizard prompts for cloud credentials"
  → "Catalyst Bootstrap (Phase 0) prompts for cloud credentials"
  (banned term).
- Same section line 186: "ESO PushSecrets sync to both regional
  OpenBao instances" — the active-active drift Pass 7 corrected
  elsewhere, still here. Replaced with "writes go to the primary
  OpenBao region only; replicas pick up via async perf replication".

VALIDATION-LOG: Pass 10 entry added.

Refs #37
2026-04-27 21:43:45 +02:00

Vertical Pod Autoscaler (VPA)

Automated resource right-sizing. Per-host-cluster infrastructure (see docs/PLATFORM-TECH-STACK.md §3.4) — runs on every host cluster a Sovereign owns.

Status: Accepted | Updated: 2026-04-27


Overview

VPA provides automated resource optimization:

  • Reduces over-provisioning waste
  • Prevents under-provisioning issues
  • Works alongside horizontal scaling (KEDA)
  • Provides recommendations even if not auto-applying

Architecture

flowchart TB
    subgraph VPA["VPA Components"]
        Rec[Recommender]
        Upd[Updater]
        Adm[Admission Controller]
    end

    subgraph Metrics["Metrics"]
        MS[Metrics Server]
        Prom[Prometheus/Mimir]
    end

    subgraph Workloads["Workloads"]
        Deploy[Deployments]
        Pods[Pods]
    end

    MS --> Rec
    Prom --> Rec
    Rec -->|"Recommendations"| Upd
    Upd -->|"Evict pods"| Pods
    Adm -->|"Mutate requests"| Pods
    Deploy --> Pods

Update Modes

| Mode | Behavior | Use Case |
|---|---|---|
| Off | Recommendations only | Analysis, not auto-apply |
| Initial | Apply on pod creation | Batch jobs |
| Auto | Evict and recreate | Long-running services |
| Recreate | Same as Auto | Legacy compatibility |

Recommended: Auto for most workloads


Configuration

VPA Resource

apiVersion: autoscaling.k8s.io/v1
kind: VerticalPodAutoscaler
metadata:
  name: <org>-app-vpa
  namespace: <org>
spec:
  targetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: <org>-app
  updatePolicy:
    updateMode: Auto
  resourcePolicy:
    containerPolicies:
      - containerName: "*"
        minAllowed:
          cpu: 50m
          memory: 64Mi
        maxAllowed:
          cpu: 2
          memory: 4Gi
        controlledResources:
          - cpu
          - memory
        controlledValues: RequestsAndLimits
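To see what the resourcePolicy above actually does to a pod, the following added example (not code from the VPA project or this README) models the admission controller's mutation: the recommender's target is clamped into [minAllowed, maxAllowed] for each controlled resource, and because controlledValues is RequestsAndLimits the container's limits are scaled to keep their original ratio to the requests. The policy dict is the one from the manifest; the container and recommendation values are constructed sample input.

```python
"""Added example (not part of the VPA project or this README): a model of what
the VPA admission controller injects into a pod given a recommendation and the
resourcePolicy from the VerticalPodAutoscaler above. The clamping rules
(minAllowed/maxAllowed on requests, proportional limit scaling for
controlledValues: RequestsAndLimits) follow the documented VPA semantics; the
container and recommendation values are constructed sample input."""
import re
from fractions import Fraction

# Kubernetes quantity suffixes -> multiplier (exact arithmetic via Fraction)
_SUFFIX = {
    "": Fraction(1), "m": Fraction(1, 1000),
    "k": Fraction(10**3), "M": Fraction(10**6), "G": Fraction(10**9),
    "Ki": Fraction(2**10), "Mi": Fraction(2**20), "Gi": Fraction(2**30),
}

# containerPolicies[0] from the VPA manifest above
README_POLICY = {
    "containerName": "*",
    "minAllowed": {"cpu": "50m", "memory": "64Mi"},
    "maxAllowed": {"cpu": "2", "memory": "4Gi"},
    "controlledResources": ["cpu", "memory"],
    "controlledValues": "RequestsAndLimits",
}

# Constructed sample container: limits are 2x requests
SAMPLE_CONTAINER = {
    "name": "app",
    "resources": {
        "requests": {"cpu": "100m", "memory": "128Mi"},
        "limits": {"cpu": "200m", "memory": "256Mi"},
    },
}


def parse_quantity(q):
    """Parse a Kubernetes quantity ('50m', '64Mi', '2', '4Gi') into an exact Fraction."""
    m = re.fullmatch(r"(\d+(?:\.\d+)?)([A-Za-z]*)", str(q))
    if not m or m.group(2) not in _SUFFIX:
        raise ValueError(f"unsupported quantity: {q!r}")
    return Fraction(m.group(1)) * _SUFFIX[m.group(2)]


def format_quantity(value, resource):
    """Render back to a quantity: millicores for cpu, Mi for memory."""
    if resource == "cpu":
        return f"{int(value * 1000)}m"
    return f"{int(value / 2**20)}Mi"


def apply_recommendation(container, recommendation, policy):
    """Return the requests/limits VPA would set, mirroring the admission controller.

    recommendation: {'target': {'cpu': <quantity>, 'memory': <quantity>}}
    policy: one entry of spec.resourcePolicy.containerPolicies
    """
    min_allowed = {r: parse_quantity(v) for r, v in policy.get("minAllowed", {}).items()}
    max_allowed = {r: parse_quantity(v) for r, v in policy.get("maxAllowed", {}).items()}
    controlled = policy.get("controlledResources", ["cpu", "memory"])
    scale_limits = policy.get("controlledValues", "RequestsAndLimits") == "RequestsAndLimits"

    requests = dict(container["resources"].get("requests", {}))
    limits = dict(container["resources"].get("limits", {}))
    for res in controlled:
        if res not in recommendation["target"]:
            continue
        target = parse_quantity(recommendation["target"][res])
        # Requests are clamped into [minAllowed, maxAllowed]
        new_req = max(min_allowed.get(res, Fraction(0)),
                      min(target, max_allowed.get(res, target)))
        old_req, old_lim = requests.get(res), limits.get(res)
        if scale_limits and old_req and old_lim:
            # Keep the original limit:request ratio so burst headroom is preserved
            ratio = parse_quantity(old_lim) / parse_quantity(old_req)
            limits[res] = format_quantity(new_req * ratio, res)
        requests[res] = format_quantity(new_req, res)
    return {"requests": requests, "limits": limits}


if __name__ == "__main__":
    # Recommender says 30m CPU / 5Gi memory: both fall outside the policy bounds
    rec = {"target": {"cpu": "30m", "memory": "5Gi"}}
    print(apply_recommendation(SAMPLE_CONTAINER, rec, README_POLICY))
    # -> requests cpu 50m / memory 4096Mi, limits cpu 100m / memory 8192Mi
```

The point of the proportional-limit rule is worth checking against your own workloads: a container that starts with a 2x limit headroom keeps that headroom after every VPA mutation, so a maxAllowed memory of 4Gi still permits an 8Gi limit on the node. If you want limits bounded too, set controlledValues to RequestsOnly and manage limits yourself.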

Kyverno Auto-Generation

Kyverno automatically generates a VPA (updateMode: Auto) for every Deployment, unless the Deployment carries the annotation `vpa.openova.io/skip: "true"`:

apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: generate-vpa
spec:
  rules:
    - name: generate-vpa-for-deployment
      match:
        any:
          - resources:
              kinds:
                - Deployment
      exclude:
        any:
          - resources:
              annotations:
                vpa.openova.io/skip: "true"
      generate:
        apiVersion: autoscaling.k8s.io/v1
        kind: VerticalPodAutoscaler
        name: "{{request.object.metadata.name}}-vpa"
        namespace: "{{request.object.metadata.namespace}}"
        data:
          spec:
            targetRef:
              apiVersion: apps/v1
              kind: Deployment
              name: "{{request.object.metadata.name}}"
            updatePolicy:
              updateMode: Auto
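The following added example (not code from the Kyverno or VPA projects, nor from this README) dry-runs the generate-vpa policy against a few constructed Deployments and audits the result. It reproduces the match/exclude logic and the generated VerticalPodAutoscaler shape from the policy above; the replica check is an added caveat that reflects the VPA updater's default --min-replicas of 2 (with fewer replicas the updater does not evict, so updateMode Auto only takes effect on the next rollout). Whether your updater runs with that default is an assumption.

```python
"""Added example (not part of the Kyverno or VPA projects, nor this README):
dry-run the generate-vpa ClusterPolicy above against a few Deployments, then
audit what it would produce. The three Deployments are constructed sample
input; the skip annotation and the generated VPA shape come from the policy.
The replica check reflects the VPA updater's default --min-replicas of 2: with
fewer replicas it will not evict pods, so updateMode Auto degrades to
apply-on-rollout (assumes the updater runs with its default flags)."""

SKIP_ANNOTATION = "vpa.openova.io/skip"
MIN_REPLICAS_FOR_EVICTION = 2  # VPA updater default (--min-replicas)

# Constructed sample Deployments in one namespace
SAMPLE_DEPLOYMENTS = [
    {"kind": "Deployment",
     "metadata": {"name": "api", "namespace": "shop"},
     "spec": {"replicas": 3}},
    {"kind": "Deployment",
     "metadata": {"name": "worker", "namespace": "shop"},
     "spec": {"replicas": 1}},
    {"kind": "Deployment",
     "metadata": {"name": "legacy", "namespace": "shop",
                  "annotations": {SKIP_ANNOTATION: "true"}},
     "spec": {"replicas": 2}},
]


def policy_matches(obj):
    """Replicate match/exclude: any Deployment not annotated skip="true"."""
    if obj.get("kind") != "Deployment":
        return False
    annotations = obj.get("metadata", {}).get("annotations") or {}
    return annotations.get(SKIP_ANNOTATION) != "true"


def generate_vpa(deployment):
    """Build the VerticalPodAutoscaler the policy's generate rule emits."""
    name = deployment["metadata"]["name"]
    return {
        "apiVersion": "autoscaling.k8s.io/v1",
        "kind": "VerticalPodAutoscaler",
        "metadata": {"name": f"{name}-vpa",
                     "namespace": deployment["metadata"]["namespace"]},
        "spec": {
            "targetRef": {"apiVersion": "apps/v1", "kind": "Deployment",
                          "name": name},
            "updatePolicy": {"updateMode": "Auto"},
        },
    }


def dry_run(deployments):
    """Return (generated VPAs, findings) for a list of Deployment objects."""
    generated, findings = [], []
    for d in deployments:
        ref = f'{d["metadata"]["namespace"]}/{d["metadata"]["name"]}'
        if not policy_matches(d):
            findings.append(f"{ref}: skipped by annotation, no VPA (no right-sizing)")
            continue
        vpa = generate_vpa(d)
        generated.append(vpa)
        replicas = d.get("spec", {}).get("replicas", 1)
        if (vpa["spec"]["updatePolicy"]["updateMode"] == "Auto"
                and replicas < MIN_REPLICAS_FOR_EVICTION):
            findings.append(f"{ref}: updateMode Auto with {replicas} replica(s); "
                            "updater will not evict, recommendation applies only on rollout")
    return generated, findings


if __name__ == "__main__":
    vpas, notes = dry_run(SAMPLE_DEPLOYMENTS)
    print(f"{len(vpas)} VPA(s) would be generated")
    for n in notes:
        print("-", n)
```

Running this over the real cluster's Deployments (for example the output of kubectl get deployments -A -o json) gives two lists worth reviewing before the policy goes live: workloads that opted out of right-sizing, and single-replica workloads where Auto mode will not do what the table above promises.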

VPA + KEDA Interaction

flowchart LR
    subgraph Scaling["Scaling"]
        VPA[VPA<br/>Vertical]
        KEDA[KEDA<br/>Horizontal]
    end

    subgraph Workload["Workload"]
        Deploy[Deployment]
        Pods[Pods]
    end

    VPA -->|"Right-size resources"| Pods
    KEDA -->|"Scale replicas"| Deploy
    Deploy --> Pods

Coordination:

  • VPA handles CPU/memory per pod
  • KEDA handles replica count
  • Combined: optimal resource utilization

Monitoring

| Metric | Description |
|---|---|
| vpa_recommender_* | Recommender metrics |
| vpa_updater_* | Updater metrics |
| container_resource_recommendations | Per-container recommendations |

Dashboard

Grafana dashboard shows:

  • Current vs recommended resources
  • Historical recommendations
  • Eviction events
  • Cost savings estimates

Part of OpenOva