Do not request resources in teleport-cluster config hooks

[hugoShaka]

Config check hooks don't run a full Teleport, they are only validate that the config file is valid. Applying resoucre requests is not useful and can block the rollout in smaller clusters.

This is a papercut I faced when doing a large Teleport deployment in resource-constrainted AKS clusters.

Changelog: Prevented stuck teleport-cluster Helm chart rollouts in small Kubernetes clusters. Removed resource requests from configuration check hooks.

[webvictim]

Looks like there's a failing test to remove too:

- should set resources on auth predeploy job when set in values

[backport-bot-workflows]

@hugoShaka See the table below for backport results.

Branch	Result
branch/v17	Create PR
branch/v18	Create PR

[programmerq]

@hugoShaka For clusters that have policies that require resources always be set, this will prevent deployments from working. We'll definitely want to make this change be an opt-out behavior rather than off for everywhere.

See also: #62597

[hugoShaka]

Thank you, I did not think of such compliance tools. I can revert the change in v17 but I don't think we should bring the old resource behaviour back, requesting 4cpu and 16GiB of memory to run a config linter is absurd and breaks on small clusters.

What I can do is:

• revert the change in v17 to revert the breaking change
• add a jobResource field in v18 & master
• set jobResource to a small default, like 10mcore and 100MiB of memory

[programmerq]

Yes, a separate job resource setting would be great! I think 100MiB might be too small for a default though. I did a quick test and saw the maximum RSS for teleport configure --test command was 158 MiB with Teleport 18.2.2 and 202 MiB with Teleport 18.6.2 using the same teleport.yaml file.