@4t8dd 4t8dd commented Dec 16, 2025

Add default resource limits and separate proxy runner resource configuration

Implements default resource limits for MCP server and VirtualMCP server containers to prevent resource monopolization, with intelligent merging of user-provided values and separate resource configuration for proxy runner containers.

Per issue #2873, vmcp and MCP server containers lacked default resource limits, creating security and operational risks where misbehaving containers could exhaust node resources and affect other workloads.

Additionally, MCPServer deployments have two containers (MCP server + proxy runner) but only had one resource field (spec.resources), creating ambiguity about which container the resources applied to.

  • MCP server container: 500m/100m CPU, 512Mi/128Mi memory

  • Proxy runner container: 200m/50m CPU, 256Mi/64Mi memory (lighter weight)

  • VirtualMCP server container: 500m/100m CPU, 512Mi/128Mi memory

  • Defaults are intelligently merged with user-provided values

  • Add spec.proxyRunnerResources field for proxy runner container configuration

  • Existing spec.resources applies to MCP server container

  • Clear separation eliminates ambiguity between the two containers

MCP server resources are composed from three sources:

  • Defaults → spec.resources → spec.podTemplateSpec (highest precedence)

Proxy runner resources are composed from:

  • Defaults → spec.proxyRunnerResources

  • Add resourceRequirementsForMCPServer(): Merges defaults with spec.resources

  • Add resourceRequirementsForProxyRunner(): Merges defaults with spec.proxyRunnerResources

  • Update deploymentNeedsUpdate(): Checks both MCP and proxy resources separately

  • Add PodTemplateSpecBuilder.WithResources(): Merges resources intelligently

  • Add shared utility functions in pkg/controllerutil/resources.go

  • Add regression tests for deploymentNeedsUpdate() resource changes (4 tests)

  • Add tests for resource merging in PodTemplateSpecBuilder (2 tests)

  • Add tests for default resources and merging (3 tests)

  • Add VirtualMCPServer deployment tests (10 tests)

  • Total: 19 new tests ensuring no reconciliation loops

  • Add proxyRunnerResources field to MCPServer CRD

  • Regenerate deepcopy methods and CRD manifests

  • Bump Helm chart version: 0.0.75 → 0.0.76

  • Update example YAML with clear comments

  • Document default values and composition precedence

MCPServer (2 containers):

  • spec.resources → MCP server container (via pod template patch)
  • spec.proxyRunnerResources → Proxy runner container (in deployment)

VirtualMCPServer (1 container):

  • spec.resources → VirtualMCP server container

  • Prevents resource exhaustion by providing sensible defaults

  • Clear separation: separate fields for separate containers in MCPServer

  • User can customize each container independently

  • Intelligent merging allows partial overrides

  • Prevents reconciliation loops through proper update detection

Fixes #2873
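The composition order given in the description above (Defaults → spec.resources → spec.podTemplateSpec for the MCP server, Defaults → spec.proxyRunnerResources for the proxy runner), as an added Go example that is not code from this PR. It also checks the case a partial override can produce, where only a request is set and it lands above the default limit. Assumptions: `Res`, `Merge`, `value` and `Valid` are hypothetical names, quantities are simplified to strings, and the quoted defaults are read as limit/request.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// Res is a flat stand-in for corev1.ResourceRequirements (assumption); a missing key is "not set".
type Res map[string]string

// Defaults quoted in the PR description, read here as limit/request (assumption).
var DefaultMCPServer = Res{"limits.cpu": "500m", "requests.cpu": "100m", "limits.memory": "512Mi", "requests.memory": "128Mi"}
var DefaultProxyRunner = Res{"limits.cpu": "200m", "requests.cpu": "50m", "limits.memory": "256Mi", "requests.memory": "64Mi"}

// Merge layers sources left to right; a later layer wins key by key.
func Merge(layers ...Res) Res {
	out := Res{}
	for _, l := range layers {
		for k, v := range l {
			out[k] = v
		}
	}
	return out
}

// units covers only the suffixes this example needs; "" is a plain number.
var units = map[string]float64{"": 1, "m": 0.001, "Ki": 1 << 10, "Mi": 1 << 20, "Gi": 1 << 30}

// value converts a quantity string to cores or bytes.
func value(q string) float64 {
	i := len(q) - len(strings.TrimLeft(q, "0123456789."))
	n, _ := strconv.ParseFloat(q[:i], 64)
	return n * units[q[i:]]
}

// Valid is false when a merged request exceeds its limit, which Kubernetes rejects.
func Valid(r Res) bool {
	return value(r["requests.cpu"]) <= value(r["limits.cpu"]) &&
		value(r["requests.memory"]) <= value(r["limits.memory"])
}

func main() {
	// Constructed overrides: spec.resources, then podTemplateSpec on top.
	mcp := Merge(DefaultMCPServer, Res{"limits.memory": "1Gi"}, Res{"limits.cpu": "2"})
	// Only a CPU request is set, so the 200m default limit still applies.
	proxy := Merge(DefaultProxyRunner, Res{"requests.cpu": "1"})
	fmt.Println(mcp, Valid(mcp), "|", proxy, Valid(proxy))
}
```
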

@github-actions github-actions bot added the size/XL Extra large PR: 1000+ lines changed label Dec 16, 2025

@github-actions github-actions bot left a comment

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.


This review will be automatically dismissed once you add the justification section.

@4t8dd 4t8dd changed the title Add default resource limits and separate proxy runner resource config… Add default resource limits and separate proxy runner resource config Dec 16, 2025
codecov bot commented Dec 16, 2025

Codecov Report

❌ Patch coverage is 91.50943% with 9 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.12%. Comparing base (7788288) to head (0fa5067).

| Files with missing lines | Patch % | Lines |
|---|---|---|
| cmd/thv-operator/pkg/controllerutil/resources.go | 84.78% | 5 Missing and 2 partials ⚠️ |
| ...perator/controllers/virtualmcpserver_deployment.go | 92.59% | 1 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3067      +/-   ##
==========================================
+ Coverage   56.82%   57.12%   +0.29%     
==========================================
  Files         335      335              
  Lines       33474    33548      +74     
==========================================
+ Hits        19022    19164     +142     
+ Misses      12868    12793      -75     
- Partials     1584     1591       +7     

@4t8dd 4t8dd force-pushed the issue-2873-vmcp-default-resources branch from 8283172 to 2820b32 Compare December 16, 2025 13:19
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Dec 16, 2025
@4t8dd 4t8dd force-pushed the issue-2873-vmcp-default-resources branch from 5b123c3 to a586144 Compare December 16, 2025 14:25
@4t8dd 4t8dd force-pushed the issue-2873-vmcp-default-resources branch from a586144 to 9932871 Compare December 16, 2025 15:12
@4t8dd 4t8dd force-pushed the issue-2873-vmcp-default-resources branch from 9932871 to f355ff6 Compare December 16, 2025 15:17
…uration

Implements default resource limits for MCP server and VirtualMCP server containers
to prevent resource monopolization, with intelligent merging of user-provided values
and separate resource configuration for proxy runner containers.

Per issue stacklok#2873, vmcp and MCP server containers lacked default resource limits,
creating security and operational risks where misbehaving containers could
exhaust node resources and affect other workloads.

Additionally, MCPServer deployments have two containers (MCP server + proxy runner)
but only had one resource field (`spec.resources`), creating ambiguity about which
container the resources applied to.

- MCP server container: 500m/100m CPU, 512Mi/128Mi memory
- Proxy runner container: 200m/50m CPU, 256Mi/64Mi memory (lighter weight)
- VirtualMCP server container: 500m/100m CPU, 512Mi/128Mi memory
- Defaults are intelligently merged with user-provided values

- Add `spec.proxyRunnerResources` field for proxy runner container configuration
- Existing `spec.resources` applies to MCP server container
- Clear separation eliminates ambiguity between the two containers

MCP server resources are composed from three sources:
- Defaults → `spec.resources` → `spec.podTemplateSpec` (highest precedence)

Proxy runner resources are composed from:
- Defaults → `spec.proxyRunnerResources`

- Add `resourceRequirementsForMCPServer()`: Merges defaults with spec.resources
- Add `resourceRequirementsForProxyRunner()`: Merges defaults with spec.proxyRunnerResources
- Update `deploymentNeedsUpdate()`: Checks both MCP and proxy resources separately
- Add `PodTemplateSpecBuilder.WithResources()`: Merges resources intelligently
- Add shared utility functions in `pkg/controllerutil/resources.go`

- Add regression tests for `deploymentNeedsUpdate()` resource changes (4 tests)
- Add tests for resource merging in PodTemplateSpecBuilder (2 tests)
- Add tests for default resources and merging (3 tests)
- Add VirtualMCPServer deployment tests (10 tests)
- Total: 19 new tests ensuring no reconciliation loops

- Add `proxyRunnerResources` field to MCPServer CRD
- Regenerate deepcopy methods and CRD manifests
- Bump Helm chart version: 0.0.75 → 0.0.76

- Update example YAML with clear comments
- Document default values and composition precedence

**MCPServer (2 containers):**
- `spec.resources` → MCP server container (via pod template patch)
- `spec.proxyRunnerResources` → Proxy runner container (in deployment)

**VirtualMCPServer (1 container):**
- `spec.resources` → VirtualMCP server container

- Prevents resource exhaustion by providing sensible defaults
- Clear separation: separate fields for separate containers in MCPServer
- User can customize each container independently
- Intelligent merging allows partial overrides
- Prevents reconciliation loops through proper update detection

Fixes stacklok#2873

Signed-off-by: 4t8dd <wanger.xyz@gmail.com>
@4t8dd 4t8dd force-pushed the issue-2873-vmcp-default-resources branch from f355ff6 to 48387c9 Compare December 16, 2025 23:44
Development

Successfully merging this pull request may close these issues.

Add default resource limits to VirtualMCPServer vmcp container