stacklok / toolhive / 25115328447

29 Apr 2026 02:37PM UTC coverage: 64.105% (+0.02%) from 64.084%
push

github

web-flow
Add operator-level defaultImagePullSecrets across all controllers (#5105)

* Add operator-level defaultImagePullSecrets plumbing

Cluster operators frequently need a registry pull secret applied to every
workload the operator spawns (proxy runners, registry API, vMCP servers,
embedding servers). Today the chart only exposes imagePullSecrets for the
operator's own pod, forcing users to set the secret on every CR or to
mutate the namespace-default ServiceAccount.

This change introduces a chart value, operator.defaultImagePullSecrets,
that the operator picks up at startup via THV_DEFAULT_IMAGE_PULL_SECRETS
and applies as a default to every workload it spawns. All five
workload-spawning reconcilers consume the shared imagepullsecrets.Defaults
value and merge it with the per-CR list at workload-construction time:
MCPServer, MCPRemoteProxy, MCPRegistry (via registryapi.manager),
VirtualMCPServer, and EmbeddingServer.

Precedence rule: per-CR imagePullSecrets take priority on name collisions;
chart-level entries are appended additively and deduped by Name. The
CR-level slice is never mutated. EmbeddingServer places the chart
defaults on the base PodSpec and lets strategic-merge-patch additively
union the user's PodTemplateSpec entries (PodSpec.ImagePullSecrets is
declared with patchStrategy:"merge",patchMergeKey:"name").

Drift detection on every controller routes through the same merge helper
as the construction site so chart defaults do not flag perpetual
reconcile loops. The Helm template renders operator.env before
chart-managed env vars so a user-supplied entry cannot silently override
a reserved name like THV_DEFAULT_IMAGE_PULL_SECRETS — Kubernetes keeps
the last entry on a duplicate-named env. The startup parser logs a
diagnostic when the env var is set but parses to nothing (typos like
" , " or ",,,") so the misconfiguration is visible.

Part of #5102

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Address review: TOOLHIVE_ ... (continued)
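
The parse-and-merge behaviour the commit message describes, as an added example (not the project's code; the source of the imagepullsecrets package is not shown on this page). `LocalObjectReference` is a local stand-in for the Kubernetes type, and the function names and the comma-separated env format are assumptions inferred from the message.

```go
package main

import (
	"fmt"
	"strings"
)

// LocalObjectReference stands in for corev1.LocalObjectReference so the
// example builds without the Kubernetes modules.
type LocalObjectReference struct{ Name string }

// ParseDefaults splits a comma-separated value (assumed format) into secret
// names. The second result is true when raw was set but produced no names,
// e.g. " , " or ",,,", which the caller should log as a misconfiguration.
func ParseDefaults(raw string) ([]LocalObjectReference, bool) {
	var out []LocalObjectReference
	for _, part := range strings.Split(raw, ",") {
		if name := strings.TrimSpace(part); name != "" {
			out = append(out, LocalObjectReference{Name: name})
		}
	}
	return out, raw != "" && len(out) == 0
}

// Merge returns a new slice with per-CR entries first, then any defaults
// whose Name is not already present. Neither input slice is modified.
func Merge(perCR, defaults []LocalObjectReference) []LocalObjectReference {
	seen := make(map[string]struct{}, len(perCR)+len(defaults))
	merged := make([]LocalObjectReference, 0, len(perCR)+len(defaults))
	for _, list := range [][]LocalObjectReference{perCR, defaults} {
		for _, ref := range list {
			if _, dup := seen[ref.Name]; dup {
				continue // first occurrence wins, so the per-CR entry is kept
			}
			seen[ref.Name] = struct{}{}
			merged = append(merged, ref)
		}
	}
	return merged
}

func main() {
	// Constructed sample values, not taken from the project.
	defaults, empty := ParseDefaults(" regcred , mirror-pull ,")
	perCR := []LocalObjectReference{{Name: "team-secret"}, {Name: "regcred"}}
	fmt.Println(Merge(perCR, defaults), empty)
	_, empty = ParseDefaults(" , ")
	fmt.Println("set but parsed to nothing:", empty)
}
```

Comparing a live workload against `Merge(perCR, defaults)` rather than against the per-CR list alone is what keeps the defaults from registering as drift on every reconcile.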

68 of 119 new or added lines in 12 files covered. (57.14%)

12 existing lines in 2 files now uncovered.

60663 of 94630 relevant lines covered (64.11%)

59.9 hits per line

Source File
94.59
/cmd/thv-operator/pkg/imagepullsecrets/defaults.go