Tags: stacklok/toolhive
Tags
OAuth client secret migration and backward compatibility for existing… … workloads (#2231) * implement OAuth client secret migration and backward compatibility * refactor client secret * fix linting issue * added coverage and doc comments * add test coverage * fix lintint * removed unused func
Add MCPRemoteProxy CRD definition and schema (#2240) Introduces the MCPRemoteProxy custom resource definition for proxying remote MCP servers in Kubernetes with authentication, authorization, audit logging, and tool filtering capabilities. This CRD enables organizations to deploy centralized proxies for external SaaS MCP services (e.g., Salesforce MCP, GitHub MCP) with visibility, policy enforcement, and audit trails. Key features: - Remote URL configuration with HTTPS validation - Configurable transport (SSE or streamable-http) - Required OIDC authentication for incoming requests - Optional token exchange for remote service authentication - Authorization policy support (inline or ConfigMap) - Audit logging configuration - Tool filtering and renaming via MCPToolConfig references - OpenTelemetry telemetry integration - Resource requirements and overrides Includes: - CRD type definition with kubebuilder markers - Generated deepcopy methods - Generated CRD manifest with OpenAPI v3 schema - Operator-crds chart version bump (0.0.35 -> 0.0.36) - API documentation Note: RBAC permissions will be added when the controller is implemented. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-authored-by: Claude <noreply@anthropic.com>
Add MCPExternalAuthConfig CRD and controller (#2150) * Add MCPExternalAuthConfig CRD and controller Implement external authentication configuration for MCP servers via a new MCPExternalAuthConfig custom resource. This enables MCP servers to exchange incoming authentication tokens for tokens that can be used with external services via RFC-8693 OAuth 2.0 Token Exchange. The MCPExternalAuthConfig is namespace-scoped and can only be referenced by MCPServers in the same namespace. The controller implements a finalizer to prevent deletion while referenced, and uses hash-based change detection to efficiently trigger MCPServer reconciliation when configuration changes. Configuration is injected into MCPServer deployments via RunConfig ConfigMap with the OAuth client secret provided through a TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET environment variable that references a Kubernetes Secret, following security best practices. The controller follows the same pattern as MCPToolConfig, including: - ReferencingServers status field for tracking which MCPServers reference the config - Proper reconcile flow that updates status with referencing servers - Correct SetupWithManager watch handler that reconciles only the specific MCPServers that reference a changed ExternalAuthConfig (not all configs in namespace) - Status updates during deletion when config is still referenced Includes comprehensive unit tests (83% coverage), integration tests, E2E Chainsaw tests, and example manifests. Co-Authored-By: Jakub Hrozek <jakub@stacklok.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Juan Antonio Osorio <ozz@stacklok.com> Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com> * Refactor config controllers to use shared generic helpers Extract duplicate code from MCPToolConfig and MCPExternalAuthConfig controllers into reusable generic helper functions. This change introduces two generic helper functions in config_helpers.go: - CalculateConfigHash[T any](spec T): Generic hash calculation for any config spec using Kubernetes utilities - FindReferencingMCPServers(): Generic function to find MCPServers that reference a config resource Benefits: - Eliminates ~50 lines of duplicate code - Single source of truth for shared logic - Type-safe with Go generics - Makes future config-style CRDs easier to implement - All existing tests pass with no behavioral changes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Add comprehensive tests for external auth RunConfig integration Adds test coverage for the external authentication configuration flow in the operator's RunConfig generation. Tests cover: - addExternalAuthConfigOptions: 5.7% → 97.1% coverage - generateTokenExchangeEnvVars: 0% → 100% coverage - createRunConfigFromMCPServer with external auth: improved to 70.6% The new test suite includes 21 test cases covering: - Token exchange middleware configuration generation - Secret validation and reference handling - Error paths for missing configs, secrets, and invalid types - Edge cases like empty scopes and custom header strategies - Environment variable generation for Kubernetes secrets Overall operator controller coverage increased from 56.7% to 59.4%. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Use camelCase for MCPExternalAuthConfig JSON fields Change TokenExchangeConfig JSON field names from snake_case to camelCase to match the convention used throughout the codebase: - token_url → tokenUrl - client_id → clientId - client_secret_ref → clientSecretRef - external_token_header_name → externalTokenHeaderName Also change Scope from a space-separated string to Scopes as an array of strings. This aligns with the existing middleware implementation in pkg/auth/tokenexchange/middleware.go which already expects Scopes as []string. Update controller code to use the Scopes array directly instead of converting from a string, and update all tests accordingly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com> * Bump Helm chart versions for CRD changes Increment operator-crds chart version from 0.0.34 to 0.0.35 and operator chart version from 0.2.22 to 0.2.23 to reflect the addition of the new MCPExternalAuthConfig CRD and updates to the MCPServer CRD. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com> Co-authored-by: Jakub Hrozek <jakub@stacklok.com> Co-authored-by: Claude <noreply@anthropic.com>
Add MCPExternalAuthConfig CRD and controller (#2150) * Add MCPExternalAuthConfig CRD and controller Implement external authentication configuration for MCP servers via a new MCPExternalAuthConfig custom resource. This enables MCP servers to exchange incoming authentication tokens for tokens that can be used with external services via RFC-8693 OAuth 2.0 Token Exchange. The MCPExternalAuthConfig is namespace-scoped and can only be referenced by MCPServers in the same namespace. The controller implements a finalizer to prevent deletion while referenced, and uses hash-based change detection to efficiently trigger MCPServer reconciliation when configuration changes. Configuration is injected into MCPServer deployments via RunConfig ConfigMap with the OAuth client secret provided through a TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET environment variable that references a Kubernetes Secret, following security best practices. The controller follows the same pattern as MCPToolConfig, including: - ReferencingServers status field for tracking which MCPServers reference the config - Proper reconcile flow that updates status with referencing servers - Correct SetupWithManager watch handler that reconciles only the specific MCPServers that reference a changed ExternalAuthConfig (not all configs in namespace) - Status updates during deletion when config is still referenced Includes comprehensive unit tests (83% coverage), integration tests, E2E Chainsaw tests, and example manifests. Co-Authored-By: Jakub Hrozek <jakub@stacklok.com> Co-authored-by: Claude <noreply@anthropic.com> Co-authored-by: Juan Antonio Osorio <ozz@stacklok.com> Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com> * Refactor config controllers to use shared generic helpers Extract duplicate code from MCPToolConfig and MCPExternalAuthConfig controllers into reusable generic helper functions. This change introduces two generic helper functions in config_helpers.go: - CalculateConfigHash[T any](spec T): Generic hash calculation for any config spec using Kubernetes utilities - FindReferencingMCPServers(): Generic function to find MCPServers that reference a config resource Benefits: - Eliminates ~50 lines of duplicate code - Single source of truth for shared logic - Type-safe with Go generics - Makes future config-style CRDs easier to implement - All existing tests pass with no behavioral changes 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Add comprehensive tests for external auth RunConfig integration Adds test coverage for the external authentication configuration flow in the operator's RunConfig generation. Tests cover: - addExternalAuthConfigOptions: 5.7% → 97.1% coverage - generateTokenExchangeEnvVars: 0% → 100% coverage - createRunConfigFromMCPServer with external auth: improved to 70.6% The new test suite includes 21 test cases covering: - Token exchange middleware configuration generation - Secret validation and reference handling - Error paths for missing configs, secrets, and invalid types - Edge cases like empty scopes and custom header strategies - Environment variable generation for Kubernetes secrets Overall operator controller coverage increased from 56.7% to 59.4%. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> * Use camelCase for MCPExternalAuthConfig JSON fields Change TokenExchangeConfig JSON field names from snake_case to camelCase to match the convention used throughout the codebase: - token_url → tokenUrl - client_id → clientId - client_secret_ref → clientSecretRef - external_token_header_name → externalTokenHeaderName Also change Scope from a space-separated string to Scopes as an array of strings. This aligns with the existing middleware implementation in pkg/auth/tokenexchange/middleware.go which already expects Scopes as []string. Update controller code to use the Scopes array directly instead of converting from a string, and update all tests accordingly. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com> * Bump Helm chart versions for CRD changes Increment operator-crds chart version from 0.0.34 to 0.0.35 and operator chart version from 0.2.22 to 0.2.23 to reflect the addition of the new MCPExternalAuthConfig CRD and updates to the MCPServer CRD. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude <noreply@anthropic.com> --------- Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com> Co-authored-by: Jakub Hrozek <jakub@stacklok.com> Co-authored-by: Claude <noreply@anthropic.com>
Enables RunConfig ConfigMap Operator Mode and Bumps toolHive ProxyRun… …ner Images to 0.3.28 (#2191) * enables runconfig configmap default for operator Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com> * bumps chart Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com> * bumps toolhive images Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com> --------- Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
Promote MCPRegistry feature (#2136) * docs for MCP registry CRD Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * integrated comments Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * rebased Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * promoted mcpregistry feature Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * bump chart version (operator and crds) Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * lint fix Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * rebased * bump chart version (operator and crds) Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * lint issues Signed-off-by: Daniele Martinoli <dmartino@redhat.com> --------- Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
Promote MCPRegistry feature (#2136) * docs for MCP registry CRD Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * integrated comments Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * rebased Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * promoted mcpregistry feature Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * bump chart version (operator and crds) Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * lint fix Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * rebased * bump chart version (operator and crds) Signed-off-by: Daniele Martinoli <dmartino@redhat.com> * lint issues Signed-off-by: Daniele Martinoli <dmartino@redhat.com> --------- Signed-off-by: Daniele Martinoli <dmartino@redhat.com>
PreviousNext