PRD: Upstream Helm charts missing container resources templating (BAE, verifier, desmos, envoy) #2501

@groundnuty

Problem

Several pods in dome-prod cannot receive resource requests/limits through values.yaml because their upstream Helm charts don't template container resources. ArgoCD shows Synced because the rendered manifests match between desired and observed state — the values are consumed by the chart but never reach the pod spec.

Affected pods

Maria's post-#2492 audit identified these as still having empty resources: {}. After #2500, the remaining cases are all upstream chart limitations:

| Pod | Chart | Version |
| --- | --- | --- |
| bae-marketplace-biz-ecosystem-charging-backend | fiware/business-api-ecosystem | 0.11.21 |
| bae-marketplace-biz-ecosystem-logic-proxy | fiware/business-api-ecosystem | 0.11.21 |
| desmos | access-node/desmos subchart | 1.1.4 |
| tm-forum-api-envoy | access-node/tm-forum-api (envoy template) | 0.14.14 |
| verifier-marketplace-dome-verifier | in2workspace/dome-verifier | 1.2.25 |

Verified by pulling each chart and grepping the templates — no {{- toYaml .Values.*.resources }} on any container spec.

Why this matters

  • Scheduler accounts 0 CPU/0 memory for these pods — contributed to the 2026-04-07 node overcommit
  • No limits means one runaway pod can starve co-located workloads
  • Verifier peaked at 264m CPU / 476Mi memory (highest CPU spiker in marketplace) with no cap

30-day peak usage (for future sizing)

| Pod | Peak CPU | Peak Memory |
| --- | --- | --- |
| bae-charging-backend | 10m | 79Mi |
| bae-logic-proxy | 100m | 331Mi |
| desmos | 26m | 587Mi |
| tm-forum-api-envoy | 17m | 19Mi |
| verifier | 264m | 476Mi |

Options

1. Newer chart versions

Check whether upstream has added resources support since the pinned versions:

```sh
helm search repo fiware/business-api-ecosystem --versions
helm search repo in2workspace/dome-verifier --versions
helm search repo dome-marketplace/access-node --versions
```

Test in dev2/sbx, roll forward if available. Low effort if versions exist.

2. Upstream contributions

For charts we own or have upstream access to, add templating:

```yaml
resources:
  {{- toYaml .Values.resources | nindent 12 }}
```

Repos:

3. ArgoCD Kustomize post-render patches

Apply strategic merge patches after Helm renders. Keeps upstream charts untouched but adds a layer of indirection per Application. Good escape hatch when upstream won't move.

4. Fork charts

Maintain a DOME-owned fork with resources support. Avoid unless upstream is unresponsive — fork maintenance cost adds up.

Recommended sequence

  1. Merge PRD: Fix Helm values paths for resource requests (follow-up to #2492) #2500 to capture what's fixable now.
  2. Check for newer chart versions (Option 1). Lowest cost, potentially closes the gap entirely.
  3. For charts DOME owns, submit upstream PRs (Option 2).
  4. For anything still unfixed after a reasonable waiting period, apply Kustomize patches (Option 3).

Related
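
The template check described under "Affected pods" (pull each chart, grep its templates), as an added example that is not part of the original issue. It goes one step further and counts per template, so a sidecar without templated resources is caught even when the main container has them; the function name `untemplated_resources` and the one-`image:`-per-container heuristic are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the issue): list chart templates whose containers
# cannot receive resources from values.yaml.
# Assumption: the chart is unpacked locally, e.g. `helm pull <chart> --untar`.
# Heuristic: every container has one `image:` key, so a template with more
# `image:` keys than templated `resources:` keys has an uncovered container.

untemplated_resources() {
    chart_dir=$1
    # Covers subcharts too (charts/<name>/templates/...).
    find "$chart_dir" -type f -path '*/templates/*' \
        \( -name '*.yaml' -o -name '*.yml' -o -name '*.tpl' \) | sort |
    while IFS= read -r tpl; do
        images=$(grep -Ec '^[[:space:]-]*image:' "$tpl" || true)
        if [ "$images" -eq 0 ]; then
            continue   # no container spec in this file (Service, ConfigMap, ...)
        fi
        # Join lines so `resources:` followed by `{{- toYaml ... }}` on the
        # next line is seen as one match; hard-coded `resources: {}` is not.
        templated=$(tr '\n' ' ' < "$tpl" |
            grep -Eo 'resources:[[:space:]]*\{\{' | wc -l | tr -d ' ')
        if [ "$templated" -lt "$images" ]; then
            printf '%s images=%s templated=%s\n' "$tpl" "$images" "$templated"
        fi
    done
}

# Usage: sh check.sh ./business-api-ecosystem
if [ "$#" -gt 0 ]; then
    untemplated_resources "$1"
fi
```

An empty result means every container-bearing template wires a templated `resources:` block; any line printed names a template where values can be consumed by the chart without reaching the pod spec.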
