feat(chart,api): allow resource requests/limits for API-managed pods

contrib/chart/templates/workloads.yaml

@@ -309,6 +309,46 @@ spec:
               value: {{ .Values.ironProxy.service.managementPort | quote }}
             - name: KUBERNETES_IRON_PROXY_HEALTH_PORT
               value: {{ .Values.ironProxy.service.healthPort | quote }}
+{{- with .Values.ironProxy.apiResources.limits }}
+{{- if .cpu }}
+            - name: KUBERNETES_API_PROXY_CPU_LIMIT
+              value: {{ .cpu | quote }}
+{{- end }}
+{{- if .memory }}
+            - name: KUBERNETES_API_PROXY_MEMORY_LIMIT
+              value: {{ .memory | quote }}
+{{- end }}
+{{- end }}
+{{- with .Values.ironProxy.apiResources.requests }}
+{{- if .cpu }}
+            - name: KUBERNETES_API_PROXY_CPU_REQUEST
+              value: {{ .cpu | quote }}
+{{- end }}
+{{- if .memory }}
+            - name: KUBERNETES_API_PROXY_MEMORY_REQUEST
+              value: {{ .memory | quote }}
+{{- end }}
+{{- end }}
+{{- with .Values.ironProxy.sandboxResources.limits }}
+{{- if .cpu }}
+            - name: KUBERNETES_SANDBOX_PROXY_CPU_LIMIT
+              value: {{ .cpu | quote }}
+{{- end }}
+{{- if .memory }}
+            - name: KUBERNETES_SANDBOX_PROXY_MEMORY_LIMIT
+              value: {{ .memory | quote }}
+{{- end }}
+{{- end }}
+{{- with .Values.ironProxy.sandboxResources.requests }}
+{{- if .cpu }}
+            - name: KUBERNETES_SANDBOX_PROXY_CPU_REQUEST
+              value: {{ .cpu | quote }}
+{{- end }}
+{{- if .memory }}
+            - name: KUBERNETES_SANDBOX_PROXY_MEMORY_REQUEST
+              value: {{ .memory | quote }}
+{{- end }}
+{{- end }}
 {{- if .Values.toolServer.enabled }}
             # Tool-server runs as a sidecar against the API image; uvicorn
             # target is overridden to api.tool_server_app.
@@ -318,12 +358,52 @@ spec:
               value: {{ .Values.api.image.pullPolicy | quote }}
             - name: KUBERNETES_TOOL_SERVER_PORT
               value: {{ .Values.toolServer.port | quote }}
+{{- with .Values.toolServer.resources.limits }}
+{{- if .cpu }}
+            - name: KUBERNETES_TOOL_SERVER_CPU_LIMIT
+              value: {{ .cpu | quote }}
+{{- end }}
+{{- if .memory }}
+            - name: KUBERNETES_TOOL_SERVER_MEMORY_LIMIT
+              value: {{ .memory | quote }}
+{{- end }}
+{{- end }}
+{{- with .Values.toolServer.resources.requests }}
+{{- if .cpu }}
+            - name: KUBERNETES_TOOL_SERVER_CPU_REQUEST
+              value: {{ .cpu | quote }}
+{{- end }}
+{{- if .memory }}
+            - name: KUBERNETES_TOOL_SERVER_MEMORY_REQUEST
+              value: {{ .memory | quote }}
+{{- end }}
+{{- end }}
 {{- end }}
             # Workflow-run pods reuse the API image and run python -m api.workflow_executor.
             - name: KUBERNETES_WORKFLOW_RUN_IMAGE
               value: {{ printf "%s:%s" .Values.api.image.repository .Values.api.image.tag | quote }}
             - name: KUBERNETES_WORKFLOW_RUN_IMAGE_PULL_POLICY
               value: {{ .Values.api.image.pullPolicy | quote }}
+{{- with .Values.workflowRun.resources.limits }}
+{{- if and .cpu (not (hasKey $apiExtraEnv "KUBERNETES_WORKFLOW_RUN_CPU_LIMIT")) }}
+            - name: KUBERNETES_WORKFLOW_RUN_CPU_LIMIT
+              value: {{ .cpu | quote }}
+{{- end }}
+{{- if and .memory (not (hasKey $apiExtraEnv "KUBERNETES_WORKFLOW_RUN_MEMORY_LIMIT")) }}
+            - name: KUBERNETES_WORKFLOW_RUN_MEMORY_LIMIT
+              value: {{ .memory | quote }}
+{{- end }}
+{{- end }}
+{{- with .Values.workflowRun.resources.requests }}
+{{- if and .cpu (not (hasKey $apiExtraEnv "KUBERNETES_WORKFLOW_RUN_CPU_REQUEST")) }}
+            - name: KUBERNETES_WORKFLOW_RUN_CPU_REQUEST
+              value: {{ .cpu | quote }}
+{{- end }}
+{{- if and .memory (not (hasKey $apiExtraEnv "KUBERNETES_WORKFLOW_RUN_MEMORY_REQUEST")) }}
+            - name: KUBERNETES_WORKFLOW_RUN_MEMORY_REQUEST
+              value: {{ .memory | quote }}
+{{- end }}
+{{- end }}
             - name: FIREWALL_MANAGER_SECRET_SOURCE
               value: {{ .Values.ironProxy.secretSource | quote }}
             - name: FIREWALL_MANAGER_SECRET_TTL

contrib/chart/values.yaml

@@ -31,6 +31,17 @@ ironProxy:
     pgPortRangeEnd: 5471
   secretSource: onepassword
   secretTtl: 10m
+  # Resource requests/limits for iron-proxy Pods, sized independently for the
+  # two kinds of proxy. Empty by default => unconstrained, preserving prior
+  # behavior. Standard k8s resources shape, e.g.:
+  #   apiResources:
+  #     requests: {cpu: 50m, memory: 64Mi}
+  #     limits:   {cpu: 250m, memory: 64Mi}
+  #
+  # The API self-proxy: one long-lived Pod alongside the API.
+  apiResources: {}
+  # Each per-sandbox proxy: one Pod per active sandbox (larger footprint).
+  sandboxResources: {}
 
 # Tool-server sidecar — runs alongside the sandbox container in each sandbox
 # Pod and exposes the same /tools/* surface the API used to. Same image as
@@ -41,6 +52,10 @@ ironProxy:
 toolServer:
   enabled: true
   port: 8001
+  # Resource requests/limits for the tool-server sidecar injected into each
+  # sandbox Pod. Empty by default => unconstrained. Standard k8s resources
+  # shape (see ironProxy.apiResources above).
+  resources: {}
 
 # iron-token-broker — race-free OAuth refresh-token coordinator. Enable when
 # any tool's `oauth_token` secret uses `grant=refresh_token` against an IdP
@@ -179,6 +194,18 @@ sandbox:
       cpu: 100m
       memory: 512Mi
 
+# Workflow-run pods run the API image executing `python -m api.workflow_executor`.
+# Sized independently from the sandbox; the defaults mirror it (requests
+# cpu=100m/memory=512Mi here, plus limits cpu=2/memory=4Gi applied by the API
+# when unset) to preserve the prior behavior from when this pod reused the
+# sandbox sizing.
+workflowRun:
+  resources:
+    limits: {}
+    requests:
+      cpu: 100m
+      memory: 512Mi
+
 repoCache:
   enabled: false
   hostPath: /var/lib/centaur/repos