From ecc2ac7398d30124b76b05c1193e6f2b758f9a32 Mon Sep 17 00:00:00 2001
From: Eric Hibbs
Date: Wed, 10 Jun 2026 09:25:54 -0700
Subject: [PATCH 1/2] Raise default resources to 4 CPU / 8Gi and tune nginx defaults

Metadata filtering parsing large PyPI indexes (e.g. aiohttp, ~10k files) peaks ~1GB per worker and OOM-kills the old 768Mi default (Roark Capital outage, CE-249). Bump default resources to 4 CPU / 8Gi (memory request == limit for Guaranteed QoS so the pod isn't evicted under node pressure) and the nginx defaults the chart exposes (worker_processes 4, worker_connections 8192, access_log_buffer off). Chart 0.2.4 -> 0.3.0.
---
 helm/Chart.yaml | 2 +-
 helm/values.yaml | 18 +++++++++++-------
 2 files changed, 12 insertions(+), 8 deletions(-)
diff --git a/helm/Chart.yaml b/helm/Chart.yaml
index b563937..5df58d8 100644
--- a/helm/Chart.yaml
+++ b/helm/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: socket-firewall
 description: Socket.dev Registry Firewall - Block vulnerable packages before they reach your cluster
 type: application
-version: 0.2.4
+version: 0.3.0
 appVersion: "1.1.159"
 keywords:
 - security
diff --git a/helm/values.yaml b/helm/values.yaml
index d6db473..d92dc78 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -192,11 +192,11 @@ proxy:
 # Nginx performance tuning
 nginx:
- workerProcesses: 2
- workerConnections: 4096
+ workerProcesses: 4
+ workerConnections: 8192
 # Access log buffer setting (default: not set, nginx uses its default)
 # Set to "off" to flush access log lines immediately to stdout
- accessLogBuffer: ""
+ accessLogBuffer: "off"
 # Lua shared-memory zone sizes (raise if cache/stats dictionaries fill up)
 lua:
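Review bot: `workerConnections: 8192` only takes effect if each worker's open-file limit allows it: nginx caps connections per worker at RLIMIT_NOFILE and logs "worker_connections exceed open file resource limit" at startup when the limit is lower, and container base images commonly ship a 1024 soft limit, so the raised default may silently not apply. Whether the chart's nginx template sets `worker_rlimit_nofile` is outside this hunk; confirm it, and if it does not, expose it alongside the two worker keys or derive it from `workerConnections`. `accessLogBuffer: "off"` is the right default for a component whose access log is the record of what was blocked, because unbuffered lines survive the OOM-kill the commit describes; the existing comment explains the mechanism but not that reason, so a line such as `# Default "off": unbuffered so log lines are not lost when a worker or pod is killed` would preserve it.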
@@ -359,12 +359,16 @@ tls:
 # Resource limits
 resources:
+ # Defaults sized for metadata filtering: parsing large PyPI indexes (e.g.
+ # aiohttp, ~10k files) can peak ~1GB per worker and OOMs the old 768Mi default.
+ # Memory request == limit (Guaranteed QoS) so the pod isn't evicted/OOM-killed
+ # under node pressure. Lower these if you don't run metadata filtering.
 limits:
- cpu: "1"
- memory: 768Mi
+ cpu: "4"
+ memory: 8Gi
 requests:
- cpu: 500m
- memory: 512Mi
+ cpu: "2"
+ memory: 8Gi
 # Health check configuration
 healthCheck:
From 8842e53b87665ef639c9ffdb68d186f97cae0466 Mon Sep 17 00:00:00 2001
From: Eric Hibbs
Date: Wed, 10 Jun 2026 09:48:17 -0700
Subject: [PATCH 2/2] Default image tag to latest with Always pull policy

Per Doug: default to the latest published image so deployments pick up new releases without a chart bump; customers pin a version for reproducibility. Set pullPolicy to Always so 'latest' actually refreshes on pod restart.
---
 helm/values.yaml | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/helm/values.yaml b/helm/values.yaml
index d92dc78..ef44bed 100644
--- a/helm/values.yaml
+++ b/helm/values.yaml
@@ -3,9 +3,11 @@
 # Image configuration
 image:
 repository: socketdev/socket-registry-firewall
- # Always pin to a specific version
- tag: "1.1.159"
- pullPolicy: IfNotPresent
+ # Defaults to the latest published image so deployments pick up new releases
+ # without a chart bump. Pin a version for reproducibility, e.g. tag: "1.1.327".
+ tag: "latest"
+ # Always (not IfNotPresent) so "latest" actually refreshes on pod restart.
+ pullPolicy: Always
 # Image pull secrets for private registries
 imagePullSecrets: []
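Review bot: The added comment under `resources` says memory request == limit gives the pod Guaranteed QoS, but Kubernetes assigns that class only when requests equal limits for both CPU and memory on every container; with `cpu: "2"` under `requests` against `cpu: "4"` under `limits` the pod is Burstable, and the commit description repeats the same claim. The memory protection is still real, since a pod whose memory usage cannot exceed its request is ranked behind pods that do exceed theirs when the kubelet evicts, so either make the comment accurate (`# Memory request == limit so the pod is not evicted under node memory pressure`) or set `cpu: "4"` under `requests` as well if Guaranteed was the intent, at the cost of reserving four CPUs per replica. An 8Gi request also leaves the default chart unschedulable on nodes with less than roughly 8Gi allocatable, which the "Lower these" sentence only implies; stating the minimum node size would spare an operator a Pending pod.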
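Review bot: Defaulting `tag` to `"latest"` with `pullPolicy: Always` turns every pod restart into an unreviewed upgrade of the component that gates what enters the cluster, and drops the reproducibility the deleted comment ("Always pin to a specific version") asked for; a mutable tag is also what image-policy admission controls typically reject, so the default will fail those clusters out of the box. The conventional chart default is `tag: ""` with the deployment template falling back to `.Chart.AppVersion`, so each chart release already carries the image it was tested with; whether this chart's template does that fallback is outside the hunk, so confirm before relying on it. The new comment's example `tag: "1.1.327"` also disagrees with the chart's `appVersion: "1.1.159"` from the first patch, and whichever version the chart actually ships is the one the example should name. If `latest` has to stay, `pullPolicy: Always` is the correct companion, but the comment should say that production deployments must pin an immutable tag, because with a mutable tag the running version cannot be recovered from the chart values alone.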