27585030890

Committed 16 Jun 2026 12:13AM UTC coverage: 66.72% (+0.02%) from 66.702%

Build # 27585030890

Build Type

push

github

Committed by

web-flow

Commit Message

Add replicas and sessionStorage to MCPRemoteProxy for HA (#5237)

* Wire SessionStorage into MCPRemoteProxy for HA support

When MCPRemoteProxy runs with multiple replicas behind a load balancer
that doesn't preserve client-IP affinity (e.g. AWS ALB across multiple
AZs), every non-initialize request fails with `Session not found` because
the transparent proxy validates `Mcp-Session-Id` against pod-local
in-memory state on every hop. From transparent_proxy.go:

    // Guard: reject non-initialize requests with unknown session IDs.
    // When multiple proxyrunner replicas share a Redis session store,
    // a valid session will always be found.

The transport layer already supports a Redis-backed session store via
runner.ScalingConfig.SessionRedis — MCPServer and VirtualMCPServer wire
it through. MCPRemoteProxy simply never populated it.

This change ports the symmetric work from MCPServer (PR #4368) and
VirtualMCPServer (PR #4367) to MCPRemoteProxy:

- Add MCPRemoteProxySpec.SessionStorage field (same SessionStorageConfig
  shape used by MCPServer / VirtualMCPServer)
- populateScalingConfigForRemoteProxy: write the non-sensitive Redis
  parameters (address/db/keyPrefix) into runner.ScalingConfig.SessionRedis
- buildRedisPasswordEnvVarForRemoteProxy: inject THV_SESSION_REDIS_PASSWORD
  on the proxy Deployment via SecretKeyRef when sessionStorage.passwordRef
  is set, so the password never lands in the RunConfig ConfigMap

Tests:
- TestPopulateScalingConfigForRemoteProxy mirrors TestPopulateScalingConfig
  from mcpserver_runconfig_test.go (4 cases including a check that the
  password never leaks into the serialized SessionRedis)
- TestBuildRedisPasswordEnvVarForRemoteProxy mirrors TestBuildRedisPasswordEnvVar
  from virtualmcpserver_deployment_test.go (4 cases covering the matrix
  of nil/memory/redis-no-pwd/redis-with-pwd)

Generated:
- zz_generated.deepcopy.go (controller-gen v0.17.3)
- toolhive.stacklok.dev_mcpremoteproxies.yaml CRD schema (controll... (continued)

Coverage Stats

79 of 83 new or added lines in 4 files covered. (95.18%)

9 existing lines in 3 files now uncovered.

68566 of 102767 relevant lines covered (66.72%)

63.98 hits per line

Source File
Press 'n' to go to next uncovered line, 'b' for previous

81.13

/pkg/transport/proxy/httpsse/http_proxy.go

stacklok / toolhive / 27585030890

Source File Press 'n' to go to next uncovered line, 'b' for previous

Source Not Available

Source File
Press 'n' to go to next uncovered line, 'b' for previous