Add resource limits to critical containers (card-vault, keymanager) #178

@inventvenkat

Problem Statement / Feature Requirement

The hyperswitch-card-vault and hyperswitch-keymanager containers currently have resource requests configured but no resource limits defined. This configuration allows these critical security components to potentially consume unlimited CPU and memory resources, which can lead to resource contention and impact cluster stability in production environments.

Context and Background

Current Resource Configuration:

  • hyperswitch-card-vault:
    • Requests: 100m CPU, 200Mi memory
    • Limits: None configured
  • hyperswitch-keymanager:
    • Requests: 400m CPU, 400Mi memory
    • Limits: None configured

Production Environment Details:

  • Running in production environment with monitoring data available
  • Resource workload patterns based on business needs
  • No resource-related incidents reported yet
  • No cluster-level resource quotas to consider

Security Implications:
These containers handle sensitive operations (card vaulting and key management), making resource stability crucial for security and compliance.

Acceptance Criteria

  • Add configurable resource limits to hyperswitch-card-vault container
  • Add configurable resource limits to hyperswitch-keymanager container
  • Implement limits in both deployment templates (templates/deployment.yaml)
  • Add corresponding values.yaml configuration with sensible defaults
  • Set default CPU limit to 1000m (1 core) for both containers
  • Set default memory limit to 1Gi for both containers
  • Ensure limits are configurable via Helm values
  • Maintain backward compatibility with existing deployments
  • Update chart documentation to reflect new resource limit options
  • Verify HPA compatibility (keymanager has HPA configured)

Technical Considerations

Current Deployment Template Locations:

  • Card-vault: /charts/incubator/hyperswitch-card-vault/templates/deployment.yaml (lines 189-192)
  • Keymanager: /charts/incubator/hyperswitch-keymanager/templates/deployment.yaml (lines 126-129)

Current Values.yaml Configuration:

  • Card-vault: /charts/incubator/hyperswitch-card-vault/values.yaml (lines 167-169)
  • Keymanager: /charts/incubator/hyperswitch-keymanager/values.yaml (lines 67-69)

HPA Compatibility:

  • Keymanager has HPA configured with CPU/memory utilization targets
  • Resource limits are required for HPA to function properly with percentage-based metrics
  • Current HPA is disabled by default (autoscaling.enabled: false)

Template Structure Consideration:
Both charts use similar but slightly different resource configuration approaches. The implementation should maintain consistency with each chart's existing patterns.

Potential Implementation Approach

1. Update Deployment Templates:

# For both card-vault and keymanager deployment.yaml
resources:
  {{- if .Values.server.resources }}
  {{- toYaml .Values.server.resources | nindent 12 }}
  {{- else }}
  requests:
    cpu: <current-request-value>
    memory: <current-memory-value>
  limits:
    # .Values.server.resources is empty or unset in this branch, so indexing
    # into .limits would fail to render; use the literal defaults instead.
    cpu: "1000m"
    memory: "1Gi"
  {{- end }}

2. Update Values.yaml Files:

# Add to server configuration section
server:
  resources:
    requests:
      cpu: <existing-value>
      memory: <existing-value>
    limits:
      cpu: "1000m"  # 1 core
      memory: "1Gi"  # 1 GiB

3. Implementation Order:

  1. Update hyperswitch-card-vault chart
  2. Update hyperswitch-keymanager chart
  3. Test with different resource configurations
  4. Validate HPA functionality with keymanager
  5. Update documentation

Additional Information

Related Files:

  • /charts/incubator/hyperswitch-card-vault/templates/deployment.yaml
  • /charts/incubator/hyperswitch-card-vault/values.yaml
  • /charts/incubator/hyperswitch-keymanager/templates/deployment.yaml
  • /charts/incubator/hyperswitch-keymanager/values.yaml
  • /charts/incubator/hyperswitch-keymanager/templates/hpa.yaml

Validation Strategy:

  • Deploy with default resource limits
  • Test resource limit enforcement
  • Verify existing functionality remains intact
  • Validate HPA behavior with limits configured
  • Confirm backward compatibility

Benefits:

  • Improved cluster resource management
  • Prevention of resource starvation scenarios
  • Better predictability for capacity planning
  • Enhanced security through resource isolation
  • Proper HPA functionality when enabled

🤖 Generated with Claude Code
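
An added example, not part of the issue or the charts: one way to check the "deploy with default resource limits" validation step is to audit Deployment objects for containers that have no limits or a limit below the request. The sample JSON is constructed from the requests quoted above and assumes the `items` list shape of `kubectl get deployments -o json`; the function names are hypothetical.

```python
import json

# Constructed sample: the shape of `kubectl get deployments -o json`, trimmed to
# the fields the check reads. Requests are the values quoted in the issue.
SAMPLE = json.loads("""
{"items": [
 {"metadata": {"name": "hyperswitch-card-vault"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "hyperswitch-card-vault",
    "resources": {"requests": {"cpu": "100m", "memory": "200Mi"}}}]}}}},
 {"metadata": {"name": "hyperswitch-keymanager"},
  "spec": {"template": {"spec": {"containers": [
   {"name": "hyperswitch-keymanager",
    "resources": {"requests": {"cpu": "400m", "memory": "400Mi"},
                  "limits": {"cpu": "1000m", "memory": "1Gi"}}}]}}}}
]}
""")

SUFFIXES = {"m": 1e-3, "k": 1e3, "M": 1e6, "G": 1e9,
            "Ki": 2**10, "Mi": 2**20, "Gi": 2**30}

def quantity(q):
    """Convert a Kubernetes quantity ("400m", "1Gi", "2") to a number."""
    q = str(q)
    for suffix in sorted(SUFFIXES, key=len, reverse=True):  # "Mi" before "M"
        if q.endswith(suffix):
            return float(q[:-len(suffix)]) * SUFFIXES[suffix]
    return float(q)

def audit(deployments):
    """Return (deployment, container, problem) for each missing or too-low limit."""
    findings = []
    for dep in deployments["items"]:
        for c in dep["spec"]["template"]["spec"]["containers"]:
            res = c.get("resources") or {}
            requests, limits = res.get("requests") or {}, res.get("limits") or {}
            for key in ("cpu", "memory"):
                if key not in limits:
                    problem = f"no {key} limit"
                elif key in requests and quantity(limits[key]) < quantity(requests[key]):
                    problem = f"{key} limit below request"
                else:
                    continue
                findings.append((dep["metadata"]["name"], c["name"], problem))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding, sep=": ")
```
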

Labels: enhancement (New feature or request)
