Add default resource limits and separate proxy runner resource configuration

Implements default resource limits for MCP server and VirtualMCP server containers
to prevent resource monopolization, with intelligent merging of user-provided values
and separate resource configuration for proxy runner containers.

Per issue #2873, vmcp and MCP server containers lacked default resource limits,
creating security and operational risks where misbehaving containers could
exhaust node resources and affect other workloads.

Additionally, MCPServer deployments have two containers (MCP server + proxy runner)
but only had one resource field (`spec.resources`), creating ambiguity about which
container the resources applied to.

- MCP server container: 500m/100m CPU, 512Mi/128Mi memory
- Proxy runner container: 200m/50m CPU, 256Mi/64Mi memory (lighter weight)
- VirtualMCP server container: 500m/100m CPU, 512Mi/128Mi memory
- Defaults are intelligently merged with user-provided values

- Add `spec.proxyRunnerResources` field for proxy runner container configuration
- Existing `spec.resources` applies to MCP server container
- Clear separation eliminates ambiguity between the two containers

MCP server resources are composed from three sources:
- Defaults → `spec.resources` → `spec.podTemplateSpec` (highest precedence)

Proxy runner resources are composed from:
- Defaults → `spec.proxyRunnerResources`

- Add `resourceRequirementsForMCPServer()`: Merges defaults with spec.resources
- Add `resourceRequirementsForProxyRunner()`: Merges defaults with spec.proxyRunnerResources
- Update `deploymentNeedsUpdate()`: Checks both MCP and proxy resources separately
- Add `PodTemplateSpecBuilder.WithResources()`: Merges resources intelligently
- Add shared utility functions in `pkg/controllerutil/resources.go`

- Add regression tests for `deploymentNeedsUpdate()` resource changes (4 tests)
- Add tests for resource merging in PodTemplateSpecBuilder (2 tests)
- Add tests for default resources and merging (3 tests)
- Add VirtualMCPServer deployment tests (10 tests)
- Total: 19 new tests ensuring no reconciliation loops

- Add `proxyRunnerResources` field to MCPServer CRD
- Regenerate deepcopy methods and CRD manifests
- Bump Helm chart version: 0.0.75 → 0.0.76

- Update example YAML with clear comments
- Document default values and composition precedence

**MCPServer (2 containers):**
- `spec.resources` → MCP server container (via pod template patch)
- `spec.proxyRunnerResources` → Proxy runner container (in deployment)

**VirtualMCPServer (1 container):**
- `spec.resources` → VirtualMCP server container

- Prevents resource exhaustion by providing sensible defaults
- Clear separation: separate fields for separate containers in MCPServer
- User can customize each container independently
- Intelligent merging allows partial overrides
- Prevents reconciliation loops through proper update detection

Fixes #2873

Signed-off-by: 4t8dd <wanger.xyz@gmail.com>

Author: 4t8dd

cmd/thv-operator/api/v1alpha1/mcpserver_types.go

@@ -107,6 +107,12 @@ type MCPServerSpec struct {
 	// +optional
 	Resources ResourceRequirements `json:"resources,omitempty"`
 
+	// ProxyRunnerResources defines the resource requirements for the ToolHive proxy runner container.
+	// The proxy runner is the infrastructure container that manages the MCP server container.
+	// If not specified, defaults to 50m/200m CPU and 64Mi/256Mi memory (lighter than MCP server defaults).
+	// +optional
+	ProxyRunnerResources ResourceRequirements `json:"proxyRunnerResources,omitempty"`
+
 	// Secrets are references to secrets to mount in the MCP server container
 	// +optional
 	Secrets []SecretRef `json:"secrets,omitempty"`

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -18,7 +18,6 @@ import (
 	rbacv1 "k8s.io/api/rbac/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
-	"k8s.io/apimachinery/pkg/api/resource"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/types"
@@ -928,9 +927,13 @@ func (r *MCPServerReconciler) deploymentForMCPServer(
 			defaultSA := mcpServerServiceAccountName(m.Name)
 			serviceAccount = &defaultSA
 		}
+		// Convert MCP server resources to Kubernetes format
+		mcpResources := resourceRequirementsForMCPServer(m)
+
 		finalPodTemplateSpec := builder.
 			WithServiceAccount(serviceAccount).
 			WithSecrets(m.Spec.Secrets).
+			WithResources(mcpResources).
 			Build()
 		// Add pod template patch if we have one
 		if finalPodTemplateSpec != nil {
@@ -1062,26 +1065,9 @@ func (r *MCPServerReconciler) deploymentForMCPServer(
 		volumes = append(volumes, *authzVolume)
 	}
 
-	// Prepare container resources
-	resources := corev1.ResourceRequirements{}
-	if m.Spec.Resources.Limits.CPU != "" || m.Spec.Resources.Limits.Memory != "" {
-		resources.Limits = corev1.ResourceList{}
-		if m.Spec.Resources.Limits.CPU != "" {
-			resources.Limits[corev1.ResourceCPU] = resource.MustParse(m.Spec.Resources.Limits.CPU)
-		}
-		if m.Spec.Resources.Limits.Memory != "" {
-			resources.Limits[corev1.ResourceMemory] = resource.MustParse(m.Spec.Resources.Limits.Memory)
-		}
-	}
-	if m.Spec.Resources.Requests.CPU != "" || m.Spec.Resources.Requests.Memory != "" {
-		resources.Requests = corev1.ResourceList{}
-		if m.Spec.Resources.Requests.CPU != "" {
-			resources.Requests[corev1.ResourceCPU] = resource.MustParse(m.Spec.Resources.Requests.CPU)
-		}
-		if m.Spec.Resources.Requests.Memory != "" {
-			resources.Requests[corev1.ResourceMemory] = resource.MustParse(m.Spec.Resources.Requests.Memory)
-		}
-	}
+	// Prepare container resources for the proxy runner container
+	// Note: This is separate from MCP server container resources (which are in the pod template patch)
+	resources := resourceRequirementsForProxyRunner(m)
 
 	// Prepare deployment metadata with overrides
 	deploymentLabels := ls
@@ -1528,9 +1514,13 @@ func (r *MCPServerReconciler) deploymentNeedsUpdate(
 			return true
 		}
 
+		// Convert MCP server resources to Kubernetes format (same as in deploymentForMCPServer)
+		mcpResources := resourceRequirementsForMCPServer(mcpServer)
+
 		expectedPodTemplateSpec := builder.
 			WithServiceAccount(serviceAccount).
 			WithSecrets(mcpServer.Spec.Secrets).
+			WithResources(mcpResources).
 			Build()
 
 		// Find the current pod template patch in the container args
@@ -1560,8 +1550,8 @@ func (r *MCPServerReconciler) deploymentNeedsUpdate(
 			return true
 		}
 
-		// Check if the resource requirements have changed
-		if !reflect.DeepEqual(container.Resources, resourceRequirementsForMCPServer(mcpServer)) {
+		// Check if the proxy runner container resource requirements have changed
+		if !reflect.DeepEqual(container.Resources, resourceRequirementsForProxyRunner(mcpServer)) {
 			return true
 		}
 	}
@@ -1656,28 +1646,25 @@ func serviceNeedsUpdate(service *corev1.Service, mcpServer *mcpv1alpha1.MCPServe
 	return false
 }
 
-// resourceRequirementsForMCPServer returns the resource requirements for the MCPServer
+// resourceRequirementsForMCPServer returns the resource requirements for the MCP server container
+// with intelligent merging of defaults and user-provided values
 func resourceRequirementsForMCPServer(m *mcpv1alpha1.MCPServer) corev1.ResourceRequirements {
-	resources := corev1.ResourceRequirements{}
-	if m.Spec.Resources.Limits.CPU != "" || m.Spec.Resources.Limits.Memory != "" {
-		resources.Limits = corev1.ResourceList{}
-		if m.Spec.Resources.Limits.CPU != "" {
-			resources.Limits[corev1.ResourceCPU] = resource.MustParse(m.Spec.Resources.Limits.CPU)
-		}
-		if m.Spec.Resources.Limits.Memory != "" {
-			resources.Limits[corev1.ResourceMemory] = resource.MustParse(m.Spec.Resources.Limits.Memory)
-		}
-	}
-	if m.Spec.Resources.Requests.CPU != "" || m.Spec.Resources.Requests.Memory != "" {
-		resources.Requests = corev1.ResourceList{}
-		if m.Spec.Resources.Requests.CPU != "" {
-			resources.Requests[corev1.ResourceCPU] = resource.MustParse(m.Spec.Resources.Requests.CPU)
-		}
-		if m.Spec.Resources.Requests.Memory != "" {
-			resources.Requests[corev1.ResourceMemory] = resource.MustParse(m.Spec.Resources.Requests.Memory)
-		}
-	}
-	return resources
+	defaultResources := ctrlutil.BuildDefaultResourceRequirements()
+	userResources := ctrlutil.BuildResourceRequirements(m.Spec.Resources)
+	return ctrlutil.MergeResourceRequirements(defaultResources, userResources)
+}
+
+// resourceRequirementsForProxyRunner returns the resource requirements for the proxy runner container
+// with intelligent merging of defaults and user-provided values
+func resourceRequirementsForProxyRunner(m *mcpv1alpha1.MCPServer) corev1.ResourceRequirements {
+	// Get default proxy runner resources (lighter than MCP server defaults)
+	defaultProxyResources := ctrlutil.BuildDefaultProxyRunnerResourceRequirements()
+
+	// Get user-defined proxy resources from the dedicated field
+	userProxyResources := ctrlutil.BuildResourceRequirements(m.Spec.ProxyRunnerResources)
+
+	// Merge defaults with user-defined values
+	return ctrlutil.MergeResourceRequirements(defaultProxyResources, userProxyResources)
 }
 
 // mcpServerServiceAccountName returns the service account name for the mcp server