stacklok / toolhive / 25115328447
65%

DEFAULT BRANCH: main
Ran
Jobs 1
Files 708
Run time 2min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 64.105% (+0.02%) from 64.084%
25115328447

push

github

web-flow 
Add operator-level defaultImagePullSecrets across all controllers (#5105)

* Add operator-level defaultImagePullSecrets plumbing

Cluster operators frequently need a registry pull secret applied to every
workload the operator spawns (proxy runners, registry API, vMCP servers,
embedding servers). Today the chart only exposes imagePullSecrets for the
operator's own pod, forcing users to set the secret on every CR or to
mutate the namespace-default ServiceAccount.

This change introduces a chart value, operator.defaultImagePullSecrets,
that the operator picks up at startup via THV_DEFAULT_IMAGE_PULL_SECRETS
and applies as a default to every workload it spawns. All five
workload-spawning reconcilers consume the shared imagepullsecrets.Defaults
value and merge it with the per-CR list at workload-construction time:
MCPServer, MCPRemoteProxy, MCPRegistry (via registryapi.manager),
VirtualMCPServer, and EmbeddingServer.

Precedence rule: per-CR imagePullSecrets take priority on name collisions;
chart-level entries are appended additively and deduped by Name. The
CR-level slice is never mutated. EmbeddingServer places the chart
defaults on the base PodSpec and lets strategic-merge-patch additively
union the user's PodTemplateSpec entries (PodSpec.ImagePullSecrets is
declared with patchStrategy:"merge",patchMergeKey:"name").

Drift detection on every controller routes through the same merge helper
as the construction site so chart defaults do not flag perpetual
reconcile loops. The Helm template renders operator.env before
chart-managed env vars so a user-supplied entry cannot silently override
a reserved name like THV_DEFAULT_IMAGE_PULL_SECRETS — Kubernetes keeps
the last entry on a duplicate-named env. The startup parser logs a
diagnostic when the env var is set but parses to nothing (typos like
" , " or ",,,") so the misconfiguration is visible.

Part of #5102

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Address review: TOOLHIVE_ ... (continued)

68 of 119 new or added lines in 12 files covered. (57.14%)

12 existing lines in 2 files now uncovered.

60663 of 94630 relevant lines covered (64.11%)

59.9 hits per line

Uncovered Changes

Lines Coverage File
47
7.85
 -0.64% cmd/thv-operator/main.go
2
77.4
 0.0% cmd/thv-operator/controllers/mcpregistry_controller.go
2
94.59
 cmd/thv-operator/pkg/imagepullsecrets/defaults.go

Coverage Regressions

Lines Coverage File
9
22.99
 -0.57% pkg/client/manager.go
3
70.0
 -3.33% pkg/state/local.go
Jobs
ID Job ID Ran Files Coverage
1 25115328447.1 708
64.11
 GitHub Action Run
Source Files on build 25115328447