21457153807
61%

Ran 28 Jan 2026 10:10PM UTC

Jobs 1

Files 481

Run time 1min

Badge

Embed ▾

Committed 28 Jan 2026 10:02PM UTC coverage: 60.428% (+0.1%) from 60.301%

Build # 21457153807

Build Type

push

github

Committed by

web-flow

Commit Message

Add headerForward to MCPRemoteProxy CRD (#3458)

* Allow TOOLHIVE_SECRETS_PROVIDER env var to bypass SetupCompleted check

Previously, GetProviderType() checked SetupCompleted before checking
the environment variable, causing Kubernetes deployments to fail when
using environment-injected secrets (header forward secrets).

Reorder the checks so the environment variable is checked first,
allowing Kubernetes deployments to specify TOOLHIVE_SECRETS_PROVIDER=environment
without requiring local secrets setup.

* Add headerForward to MCPRemoteProxy CRD

Add support for forwarding custom headers to remote MCP servers via
MCPRemoteProxy. Headers can be specified as plaintext values or
resolved from Kubernetes Secrets at runtime.

spec.headerForward:
  addPlaintextHeaders:     # Static headers (non-sensitive)
    X-Tenant-ID: "tenant-123"
  addHeadersFromSecret:    # Headers from K8s Secrets
    - headerName: "X-API-Key"
      valueSecretRef:
        name: api-key-secret
        key: api-key

- Operator creates env vars with SecretKeyRef for secret-backed headers
- Operator sets TOOLHIVE_SECRETS_PROVIDER=environment to enable
  the EnvironmentProvider in the runner
- RunConfig stores secret identifiers (not values)
- Runner resolves secrets via EnvironmentProvider at startup
- Header forward middleware adds headers to outgoing requests

- Secret values never stored in ConfigMaps (only identifiers)
- kubectl describe shows "<set to key 'x' in secret 'y'>"
- resolvedHeaders field is not serialized to disk

Tested in kind cluster with various scenarios:
- Plaintext headers only
- Secret-backed headers only
- Mixed plaintext and secret headers
- Multiple secrets, multiple keys from same secret
- Missing secret (graceful failure)

Related: #3316

Run Details

98 of 113 new or added lines in 5 files covered. (86.73%)

2 existing lines in 1 file now uncovered.

39056 of 64632 relevant lines covered (60.43%)

77.43 hits per line

New Missed Lines in Diff

Lines	Coverage	∆	File
1	86.47	0.94%	cmd/thv-operator/controllers/mcpremoteproxy_runconfig.go
14	36.41	0.68%	cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

Uncovered Existing Lines

Lines	Coverage	∆	File
2	94.67	-1.33%	pkg/vmcp/composer/dag_executor.go

Jobs

ID	Job ID	Ran	Files	Coverage
1	21457153807.1	28 Jan 2026 10:10PM UTC	481	60.43	GitHub Action Run

stacklok / toolhive / 21457153807
61%

README BADGES
x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 21457153807

stacklok / toolhive / 21457153807 61%

README BADGES x

Markdown

Textile

RDoc

HTML

Rst

New Missed Lines in Diff

Uncovered Existing Lines

Jobs

Source Files on build 21457153807

stacklok / toolhive / 21457153807
61%

README BADGES
x