From 4bd83a1aa83e50f156bf3015aa5f1b95b71ea045 Mon Sep 17 00:00:00 2001
From: jenkins <jenkins@bstein.dev>
Date: Tue, 19 May 2026 17:35:10 -0300
Subject: [PATCH] cert-manager: harden webhook resources

---
 infrastructure/cert-manager/helmrelease.yaml | 33 ++++++++++++++++++++
 1 file changed, 33 insertions(+)

diff --git a/infrastructure/cert-manager/helmrelease.yaml b/infrastructure/cert-manager/helmrelease.yaml
index fdcbca9a..e48a1bd6 100644
--- a/infrastructure/cert-manager/helmrelease.yaml
+++ b/infrastructure/cert-manager/helmrelease.yaml
@@ -29,6 +29,13 @@ spec:
     installCRDs: true
     extraArgs:
       - --acme-http01-solver-nameservers=1.1.1.1:53,8.8.8.8:53
+    resources:
+      requests:
+        cpu: 50m
+        memory: 128Mi
+      limits:
+        cpu: 500m
+        memory: 512Mi
     nodeSelector:
       node-role.kubernetes.io/worker: "true"
     affinity:
@@ -72,6 +79,25 @@ spec:
                     - rpi5
                     - rpi4
     webhook:
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 500m
+          memory: 512Mi
+      livenessProbe:
+        failureThreshold: 8
+        initialDelaySeconds: 90
+        periodSeconds: 10
+        successThreshold: 1
+        timeoutSeconds: 5
+      readinessProbe:
+        failureThreshold: 8
+        initialDelaySeconds: 10
+        periodSeconds: 5
+        successThreshold: 1
+        timeoutSeconds: 5
       nodeSelector:
         node-role.kubernetes.io/worker: "true"
       affinity:
@@ -115,6 +141,13 @@ spec:
                       - rpi5
                       - rpi4
     cainjector:
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          cpu: 500m
+          memory: 512Mi
       nodeSelector:
         node-role.kubernetes.io/worker: "true"
       affinity: