stacklok / toolhive / 21457153807 / 1
60%
main: 60%

DEFAULT BRANCH: main
Ran
Files 481
Run time 14s
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 60.428% (+0.1%) from 60.301%
21457153807.1

push

github

web-flow 
Add headerForward to MCPRemoteProxy CRD (#3458)

* Allow TOOLHIVE_SECRETS_PROVIDER env var to bypass SetupCompleted check

Previously, GetProviderType() checked SetupCompleted before checking
the environment variable, causing Kubernetes deployments to fail when
using environment-injected secrets (header forward secrets).

Reorder the checks so the environment variable is checked first,
allowing Kubernetes deployments to specify TOOLHIVE_SECRETS_PROVIDER=environment
without requiring local secrets setup.

* Add headerForward to MCPRemoteProxy CRD

Add support for forwarding custom headers to remote MCP servers via
MCPRemoteProxy. Headers can be specified as plaintext values or
resolved from Kubernetes Secrets at runtime.

spec.headerForward:
  addPlaintextHeaders:     # Static headers (non-sensitive)
    X-Tenant-ID: "tenant-123"
  addHeadersFromSecret:    # Headers from K8s Secrets
    - headerName: "X-API-Key"
      valueSecretRef:
        name: api-key-secret
        key: api-key

- Operator creates env vars with SecretKeyRef for secret-backed headers
- Operator sets TOOLHIVE_SECRETS_PROVIDER=environment to enable
  the EnvironmentProvider in the runner
- RunConfig stores secret identifiers (not values)
- Runner resolves secrets via EnvironmentProvider at startup
- Header forward middleware adds headers to outgoing requests

- Secret values never stored in ConfigMaps (only identifiers)
- kubectl describe shows "<set to key 'x' in secret 'y'>"
- resolvedHeaders field is not serialized to disk

Tested in kind cluster with various scenarios:
- Plaintext headers only
- Secret-backed headers only
- Mixed plaintext and secret headers
- Multiple secrets, multiple keys from same secret
- Missing secret (graceful failure)

Related: #3316

39056 of 64632 relevant lines covered (60.43%)

77.43 hits per line

Source Files on job 21457153807.1