feat: set TOOLHIVE_SECRETS_PROVIDER=none for K8s proxy runner pods (#684)

JAORMX · web-flow · commit a800f25448ba · 2025-06-09T15:57:03.000+03:00
diff --git a/cmd/thv-operator/controllers/mcpserver_controller.go b/cmd/thv-operator/controllers/mcpserver_controller.go
@@ -431,6 +431,12 @@ func (r *MCPServerReconciler) deploymentForMCPServer(m *mcpv1alpha1.MCPServer) *
 		})
 	}
 
+	// Add TOOLHIVE_SECRETS_PROVIDER=none for Kubernetes deployments
+	env = append(env, corev1.EnvVar{
+		Name:  "TOOLHIVE_SECRETS_PROVIDER",
+		Value: "none",
+	})
+
 	// Prepare container volume mounts
 	volumeMounts := []corev1.VolumeMount{}
 	volumes := []corev1.Volume{}
diff --git a/cmd/thv-operator/controllers/mcpserver_pod_template_test.go b/cmd/thv-operator/controllers/mcpserver_pod_template_test.go
@@ -131,6 +131,48 @@ func TestDeploymentForMCPServerWithPodTemplateSpec(t *testing.T) {
 	assert.True(t, podTemplatePatchFound, "Pod template patch should be included in the args")
 }
 
+func TestDeploymentForMCPServerSecretsProviderEnv(t *testing.T) {
+	t.Parallel()
+	// Create a test MCPServer
+	mcpServer := &mcpv1alpha1.MCPServer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-mcp-server",
+			Namespace: "default",
+		},
+		Spec: mcpv1alpha1.MCPServerSpec{
+			Image:     "test-image:latest",
+			Transport: "stdio",
+			Port:      8080,
+		},
+	}
+
+	// Register the scheme
+	s := scheme.Scheme
+	s.AddKnownTypes(mcpv1alpha1.GroupVersion, &mcpv1alpha1.MCPServer{})
+	s.AddKnownTypes(mcpv1alpha1.GroupVersion, &mcpv1alpha1.MCPServerList{})
+
+	// Create a reconciler with the scheme
+	r := &MCPServerReconciler{
+		Scheme: s,
+	}
+
+	// Call deploymentForMCPServer
+	deployment := r.deploymentForMCPServer(mcpServer)
+	require.NotNil(t, deployment, "Deployment should not be nil")
+
+	// Check that the TOOLHIVE_SECRETS_PROVIDER environment variable is set to "none"
+	container := deployment.Spec.Template.Spec.Containers[0]
+	secretsProviderEnvFound := false
+	for _, env := range container.Env {
+		if env.Name == "TOOLHIVE_SECRETS_PROVIDER" {
+			secretsProviderEnvFound = true
+			assert.Equal(t, "none", env.Value, "TOOLHIVE_SECRETS_PROVIDER should be set to 'none'")
+			break
+		}
+	}
+	assert.True(t, secretsProviderEnvFound, "TOOLHIVE_SECRETS_PROVIDER environment variable should be present")
+}
+
 // Helper functions
 func boolPtr(b bool) *bool {
 	return &b
