stacklok / toolhive / 18554684175
59%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 288
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 46.696% (+0.05%) from 46.65%
18554684175

push

github

web-flow 
Add MCPExternalAuthConfig CRD and controller (#2150)

* Add MCPExternalAuthConfig CRD and controller

Implement external authentication configuration for MCP servers via a new
MCPExternalAuthConfig custom resource. This enables MCP servers to exchange
incoming authentication tokens for tokens that can be used with external
services via RFC-8693 OAuth 2.0 Token Exchange.

The MCPExternalAuthConfig is namespace-scoped and can only be referenced by
MCPServers in the same namespace. The controller implements a finalizer to
prevent deletion while referenced, and uses hash-based change detection to
efficiently trigger MCPServer reconciliation when configuration changes.

Configuration is injected into MCPServer deployments via RunConfig ConfigMap
with the OAuth client secret provided through a TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET
environment variable that references a Kubernetes Secret, following security
best practices.

The controller follows the same pattern as MCPToolConfig, including:
- ReferencingServers status field for tracking which MCPServers reference the config
- Proper reconcile flow that updates status with referencing servers
- Correct SetupWithManager watch handler that reconciles only the specific
  MCPServers that reference a changed ExternalAuthConfig (not all configs in namespace)
- Status updates during deletion when config is still referenced

Includes comprehensive unit tests (83% coverage), integration tests, E2E
Chainsaw tests, and example manifests.

Co-Authored-By: Jakub Hrozek <jakub@stacklok.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Juan Antonio Osorio <ozz@stacklok.com>
Signed-off-by: Juan Antonio Osorio <ozz@stacklok.com>

* Refactor config controllers to use shared generic helpers

Extract duplicate code from MCPToolConfig and MCPExternalAuthConfig
controllers into reusable generic helper functions.

This change introduces two generic helper functions in config_helpers.go:
- CalculateConfigHash[T an... (continued)

262 of 497 new or added lines in 8 files covered. (52.72%)

3 existing lines in 1 file now uncovered.

17862 of 38252 relevant lines covered (46.7%)

15.77 hits per line

New Missed Lines in Diff

Lines Coverage File
2
78.86
 2.35% cmd/thv-operator/controllers/mcpserver_runconfig.go
14
0.0
 0.0% cmd/thv-operator/main.go
53
58.47
 -0.51% cmd/thv-operator/controllers/mcpserver_controller.go
57
64.15
 cmd/thv-operator/controllers/mcpexternalauthconfig_controller.go
109
0.0
 0.0% cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

Uncovered Existing Lines

Lines Coverage File
3
72.39
 -1.12% pkg/ignore/processor.go
Jobs
ID Job ID Ran Files Coverage
1 18554684175.1 288
46.7
 GitHub Action Run
Source Files on build 18554684175