stacklok / toolhive / 18788768011
51%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 298
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 47.326% (+0.06%) from 47.271%
18788768011

push

github

web-flow 
Add SecretKeyRef support to InlineOIDCConfig for enhanced secret management (#2324)

* Add SecretKeyRef support to InlineOIDCConfig for enhanced secret management

Add Kubernetes-native secret reference support to InlineOIDCConfig,
following the pattern established by MCPExternalAuthConfig. This enables
secure OIDC client secret management without exposing secrets in YAML
manifests or ConfigMaps.

Changes:
- Add ClientSecretRef field to InlineOIDCConfig CRD type
- Deprecate plaintext ClientSecret field (backward compatible)
- Update OIDC resolver to skip embedding secrets when using SecretKeyRef
- Create GenerateOIDCClientSecretEnvVar function for secret validation
- Integrate secret injection in MCPServer and MCPRemoteProxy controllers
- Update token validator to load secrets from TOOLHIVE_OIDC_CLIENT_SECRET
- Bump CRD chart version from 0.0.43 to 0.0.44
- Update architecture documentation and add example manifests

Security benefits:
- Secrets managed via Kubernetes RBAC
- Integration with external secret operators (Vault, AWS Secrets Manager)
- Secrets not exposed in YAML manifests or Git history
- Consistent pattern across all ToolHive secret management

Resolves: #2321

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Bump operator chart version to 0.3.2 for CRD compatibility

The operator chart version needs to be bumped when CRDs are updated to ensure
compatibility during Helm chart testing.

This fixes the Helm chart test failure where the operator pod was crashing
due to CRD version mismatch.

* Add comprehensive tests for OIDC ClientSecretRef functionality

Add unit tests to verify:
- GenerateOIDCClientSecretEnvVar function with various scenarios
- OIDC resolver behavior with ClientSecretRef
- Precedence when both ClientSecret and ClientSecretRef are provided
- Backward compatibility with existing ClientSecret field

All tests pass successfully.

🤖 Generated with [Claude Code](... (continued)

39 of 69 new or added lines in 5 files covered. (56.52%)

4 existing lines in 1 file now uncovered.

18936 of 40012 relevant lines covered (47.33%)

15.57 hits per line

New Missed Lines in Diff

Lines Coverage File
4
89.52
 -1.35% cmd/thv-operator/controllers/mcpremoteproxy_deployment.go
6
0.0
 0.0% cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go
20
55.36
 -0.75% cmd/thv-operator/controllers/mcpserver_controller.go

Uncovered Existing Lines

Lines Coverage File
4
65.26
 10.53% pkg/secrets/keyring/keyctl_linux.go
Jobs
ID Job ID Ran Files Coverage
1 18788768011.1 298
47.33
 GitHub Action Run
Source Files on build 18788768011