Today we will briefly describe how to automate the installation of Vertical Pod Autoscaler (VPA) for Kubernetes and avoid manual steps.
For context: we manage our infrastructure using ArgoCD, together with multiple frameworks that make the platform very robust.
That is the reason why having custom/manual interactions in our clusters is not an acceptable approach - it just doesn't scale, nor is it sustainable from an operations perspective.
The problem
When you read the installation documentation, you will notice at a certain point that you need to generate SSL certificates, which are used by the VPA admission hook.
Certificate generation is just a plain bash script which (the documentation says) has to be executed in the context of your target Kubernetes cluster.
Now, as much as this could be OK during a PoC phase or viable for a single cluster, in enterprise environments consisting of multiple clusters it just does not scale.
One of the possible solutions
So, what is the way to solve this? Well, it's quite straightforward if you do have cert-manager installed in your Kubernetes ecosystem.
I will not cover the details of installing and configuring cert-manager, but will provide a snippet for the certificate, assuming you have a self-signing ClusterIssuer CA.
name: root-issuer # comes from the cert-manager installation of our own CA
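A complete Certificate along these lines, as an added example rather than the post's own manifest. The Secret name `vpa-tls-certs`, the service name `vpa-webhook` and the `kube-system` namespace are assumptions based on the upstream VPA manifests; the resource name and the duration values are constructed, so adjust them to your deployment.

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: vpa-webhook-tls            # hypothetical resource name
  namespace: kube-system           # assumption: namespace where VPA is deployed
spec:
  # Assumption: the Secret that the vpa-admission-controller Deployment
  # mounts at /etc/tls-certs.
  secretName: vpa-tls-certs
  # The API server calls the webhook through its Service DNS name, so the
  # certificate must carry that name as a SAN.
  commonName: vpa-webhook.kube-system.svc
  dnsNames:
    - vpa-webhook.kube-system.svc
    - vpa-webhook.kube-system.svc.cluster.local
  # Restrict the certificate to TLS server use only.
  usages:
    - digital signature
    - server auth
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always         # new key on every renewal
  duration: 2160h                  # constructed value (90 days)
  renewBefore: 360h                # constructed value (15 days)
  issuerRef:
    name: root-issuer              # the self-signing ClusterIssuer CA from the post
    kind: ClusterIssuer
    group: cert-manager.io
```

cert-manager stores the result in the Secret under the keys `ca.crt`, `tls.crt` and `tls.key`, so those are the file names the admission controller sees once the Secret is mounted.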
With this you are almost done. The only change left is to modify the deployment args of the admission controller so that they point to the new certificate paths.
Below, we share the Kustomize patch, which you can use to address that.
    - target:
        group: apps
        version: v1
        kind: Deployment
        name: vpa-admission-controller
      patch: |-
        - op: replace
          path: /spec/template/spec/containers/0/args
          value: ["--client-ca-file=/etc/tls-certs/ca.crt", "--tls-cert-file=/etc/tls-certs/tls.crt", "--tls-private-key=/etc/tls-certs/tls.key"]
After that, you will have a fully operational installation of Vertical Pod Autoscaler for your environments.