From 7aefe0febaafeb2c24caa5f9c4d8f9e14d39ff71 Mon Sep 17 00:00:00 2001 From: david-yu Date: Fri, 20 Mar 2026 09:31:15 -0700 Subject: [PATCH 1/2] docs: Add config-watcher sidecar resource configuration section Add a new section to the Manage Pod Resources page that describes how to configure CPU and memory resources for the config-watcher sidecar container. Includes examples for both Operator and Helm deployments, explains when explicit resources are needed (LimitRange, ResourceQuota, Guaranteed QoS), and provides recommended values. Co-Authored-By: Claude Opus 4.6 (1M context) --- .../pages/kubernetes/k-manage-resources.adoc | 96 +++++++++++++++++++ 1 file changed, 96 insertions(+) diff --git a/modules/manage/pages/kubernetes/k-manage-resources.adoc b/modules/manage/pages/kubernetes/k-manage-resources.adoc index 72a40cc770..b9eade8bf9 100644 --- a/modules/manage/pages/kubernetes/k-manage-resources.adoc +++ b/modules/manage/pages/kubernetes/k-manage-resources.adoc @@ -509,6 +509,102 @@ resources: cores: 200m ---- +[[config-watcher]] +== Configure config-watcher sidecar resources + +Each Redpanda Pod includes a config-watcher sidecar container that monitors for SASL user changes and configuration updates. The sidecar polls a Secret for user credential changes and synchronizes them with the running brokers. + +The config-watcher sidecar does not set any CPU or memory resource requests or limits by default. For most clusters, this is acceptable because the sidecar is lightweight. In practice, it typically consumes single-digit millicores of CPU and approximately 20-40 Mi of memory. + +However, you should configure explicit resource requests and limits for the config-watcher sidecar in the following cases: + +- Your namespace enforces a https://kubernetes.io/docs/concepts/policy/limit-range/[LimitRange^] policy that requires all containers to specify resource requests or limits. +- Your namespace enforces a https://kubernetes.io/docs/concepts/policy/resource-quotas/[ResourceQuota^] that accounts for resource requests across all containers. +- You want to ensure the <> for your Redpanda Pods. Kubernetes requires every container in a Pod to have matching requests and limits to qualify. + +[tabs] +====== +Operator:: ++ +-- +.`redpanda-cluster.yaml` +[,yaml] +---- +apiVersion: cluster.redpanda.com/v1alpha2 +kind: Redpanda +metadata: + name: redpanda +spec: + chartRef: {} + clusterSpec: + statefulset: + sideCars: + configWatcher: + resources: + requests: + cpu: 10m <1> + memory: 64Mi <2> + limits: + cpu: 100m + memory: 128Mi +---- + +```bash +kubectl apply -f redpanda-cluster.yaml --namespace +``` + +-- +Helm:: ++ +-- +[tabs] +==== +--values:: ++ +.`config-watcher-resources.yaml` +[,yaml] +---- +statefulset: + sideCars: + configWatcher: + resources: + requests: + cpu: 10m <1> + memory: 64Mi <2> + limits: + cpu: 100m + memory: 128Mi +---- ++ +```bash +helm upgrade --install redpanda redpanda/redpanda --namespace --create-namespace \ + --values config-watcher-resources.yaml --reuse-values +``` + +--set:: ++ +```bash +helm upgrade --install redpanda redpanda/redpanda --namespace --create-namespace \ + --set statefulset.sideCars.configWatcher.resources.requests.cpu=10m \ + --set statefulset.sideCars.configWatcher.resources.requests.memory=64Mi \ + --set statefulset.sideCars.configWatcher.resources.limits.cpu=100m \ + --set statefulset.sideCars.configWatcher.resources.limits.memory=128Mi +``` + +==== +-- +====== + +<1> A CPU request of `10m` (10 millicores) is sufficient for typical config-watcher workloads. The sidecar spends most of its time idle between polling intervals. +<2> A memory request of `64Mi` provides headroom for the sidecar process. Actual usage is typically 20-40 Mi. + +When the StatefulSet is deployed, verify that the sidecar container has the expected resource configuration: + +[source,bash] +---- +kubectl --namespace get pod -o jsonpath='{.spec.containers[?(@.name=="sidecar")].resources}{"\n"}' +---- + include::shared:partial$suggested-reading.adoc[] - xref:reference:k-redpanda-helm-spec.adoc#resources[Redpanda Helm Specification] From 4a6c3eb828b8e2523b835a2135ac19be6a02fbaf Mon Sep 17 00:00:00 2001 From: micheleRP Date: Mon, 23 Mar 2026 19:39:42 -0600 Subject: [PATCH 2/2] Style edits for config-watcher sidecar section - Fix container name in verification command: sidecar -> config-watcher - Use imperative voice instead of "you should" - Use * list markers to match rest of file - Use MiB in prose, clarify ambiguous pronoun Co-Authored-By: Claude Opus 4.6 (1M context) --- .../manage/pages/kubernetes/k-manage-resources.adoc | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/modules/manage/pages/kubernetes/k-manage-resources.adoc b/modules/manage/pages/kubernetes/k-manage-resources.adoc index b9eade8bf9..1dc99eff1e 100644 --- a/modules/manage/pages/kubernetes/k-manage-resources.adoc +++ b/modules/manage/pages/kubernetes/k-manage-resources.adoc @@ -514,13 +514,13 @@ resources: Each Redpanda Pod includes a config-watcher sidecar container that monitors for SASL user changes and configuration updates. The sidecar polls a Secret for user credential changes and synchronizes them with the running brokers. -The config-watcher sidecar does not set any CPU or memory resource requests or limits by default. For most clusters, this is acceptable because the sidecar is lightweight. In practice, it typically consumes single-digit millicores of CPU and approximately 20-40 Mi of memory. +The config-watcher sidecar does not set any CPU or memory resource requests or limits by default. For most clusters, this is acceptable because the sidecar is lightweight. In practice, the sidecar typically consumes single-digit millicores of CPU and approximately 20-40 MiB of memory. -However, you should configure explicit resource requests and limits for the config-watcher sidecar in the following cases: +Configure explicit resource requests and limits for the config-watcher sidecar in the following cases: -- Your namespace enforces a https://kubernetes.io/docs/concepts/policy/limit-range/[LimitRange^] policy that requires all containers to specify resource requests or limits. -- Your namespace enforces a https://kubernetes.io/docs/concepts/policy/resource-quotas/[ResourceQuota^] that accounts for resource requests across all containers. -- You want to ensure the <> for your Redpanda Pods. Kubernetes requires every container in a Pod to have matching requests and limits to qualify. +* Your namespace enforces a https://kubernetes.io/docs/concepts/policy/limit-range/[LimitRange^] policy that requires all containers to specify resource requests or limits. +* Your namespace enforces a https://kubernetes.io/docs/concepts/policy/resource-quotas/[ResourceQuota^] that accounts for resource requests across all containers. +* You want to ensure the <> for your Redpanda Pods. Kubernetes requires every container in a Pod to have matching requests and limits to qualify. [tabs] ====== @@ -602,7 +602,7 @@ When the StatefulSet is deployed, verify that the sidecar container has the expe [source,bash] ---- -kubectl --namespace get pod -o jsonpath='{.spec.containers[?(@.name=="sidecar")].resources}{"\n"}' +kubectl --namespace get pod -o jsonpath='{.spec.containers[?(@.name=="config-watcher")].resources}{"\n"}' ---- include::shared:partial$suggested-reading.adoc[]