Support secret references for MCP server headers and env #431
Open
axon-agent[bot] wants to merge 4 commits into main from
Add headersFrom and envFrom fields to MCPServerSpec that reference Kubernetes Secrets. The controller resolves these secrets in createJob before building the MCP servers JSON, merging secret values into inline headers/env maps with secret values taking precedence for overlapping keys.

Fixes #313

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
gjkim42
requested changes
Feb 25, 2026
api/v1alpha1/agentconfig_types.go
Outdated
| // Values from HeadersFrom take precedence over inline Headers for | ||
| // overlapping keys. | ||
| // +optional | ||
| HeadersFrom *SecretReference `json:"headersFrom,omitempty"` |
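Review bot: The doc comment on HeadersFrom states the precedence over inline Headers but not which keys of the referenced Secret are turned into headers, or what happens when the Secret cannot be read. Say in the comment whether every key in the Secret is merged and that resolution failure is an error, so users know to keep unrelated keys out of that Secret.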
Collaborator
Is it better to have secretRef field in HeadersFrom?
Wrap SecretReference in a SecretValuesSource struct so that headersFrom and envFrom use a nested secretRef field. This follows the same pattern as Credentials.SecretRef and makes the API extensible for future non-secret sources.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Author
🤖 Axon Agent @gjkim42 Addressed the review feedback in d5853ed: Introduced a

    headersFrom:
      secretRef:
        name: mcp-github-headers

This also makes the API extensible for future non-secret sources (e.g., configMapRef).
gjkim42
requested changes
Feb 25, 2026
Collaborator
gjkim42
left a comment
Add integration or e2e tests for this.
/reset-worker
Implements comment-based workflow control from #417 to support autonomous workflows on repositories where label permissions are unavailable.

 - Adds triggerComment field to GitHubIssues spec: include issues only when a comment matches (e.g., /axon pick-up). Also acts as resume command when used with excludeComments.
 - Adds excludeComments field ([]string): exclude issues with a comment matching any of these strings. Supports multiple exclusion patterns, consistent with excludeLabels.
 - Comments scanned in reverse chronological order; most recent wins.
 - Commands must appear on their own line to avoid false matches in prose.
 - Labels remain the default; comment-based control is a fallback.

Files changed:
 - api/v1alpha1/taskspawner_types.go: new comment fields on GitHubIssues
 - api/v1alpha1/zz_generated.deepcopy.go: auto-generated
 - cmd/axon-spawner/main.go: comment field passthrough to GitHubSource
 - internal/source/github.go: passesCommentFilter, containsCommand, containsAnyCommand logic
 - install-crd.yaml, internal/manifests/install-crd.yaml: CRD updates
 - Test files with comprehensive unit and integration coverage

Closes #417

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Adds envtest-based integration tests covering headersFrom/envFrom secret resolution in the Task controller, as requested in review.

Tests cover:
 - headersFrom: secret headers merged into AXON_MCP_SERVERS JSON
 - envFrom: secret env vars merged into AXON_MCP_SERVERS JSON
 - Missing secret causes Task to fail with MCPSecretFailed event
 - Secret values take precedence over inline values for overlapping keys

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
gjkim42
requested changes
Feb 26, 2026
Collaborator
gjkim42
left a comment
Rebase on origin/main. You should not have unwanted patches.
/reset-worker
Summary
 - headersFrom and envFrom fields to MCPServerSpec that reference Kubernetes Secrets for storing sensitive values (auth tokens, passwords) instead of inline plaintext
 - createJob before building the MCP servers JSON, merging secret values into inline headers/env maps with secret values taking precedence for overlapping keys
 - SecretValuesSource wrapper struct with a nested secretRef field, consistent with the Credentials.SecretRef pattern and extensible for future non-secret sources

Example usage:

Test plan
 - resolveMCPServerSecrets covering: headersFrom resolution, envFrom resolution, precedence of secret values over inline values, missing secret error handling, no-op when no secret refs
 - make verify passes
 - make test passes

Fixes #313
🤖 Generated with Claude Code
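The merge rule this PR describes (secret values override inline values, and a Secret that cannot be read is an error), as an added Go example that is not the project's code. The types reuse names from the PR as hypothetical stand-ins, and SecretGetter, mergeFrom and ResolveServer are assumed names, with SecretGetter replacing the Kubernetes client lookup.

```go
package main

import "fmt"

// Hypothetical stand-ins for the API types named in the PR, not the project's definitions.
type SecretReference struct{ Name string }
type SecretValuesSource struct{ SecretRef *SecretReference }
type MCPServerSpec struct {
	Headers, Env         map[string]string
	HeadersFrom, EnvFrom *SecretValuesSource
}
type SecretGetter func(name string) (map[string][]byte, error) // stands in for the Secret lookup

// mergeFrom copies the inline map, then overlays the referenced Secret's keys on top.
func mergeFrom(inline map[string]string, src *SecretValuesSource, get SecretGetter) (map[string]string, error) {
	out := make(map[string]string, len(inline))
	for k, v := range inline {
		out[k] = v
	}
	if src != nil && src.SecretRef != nil {
		data, err := get(src.SecretRef.Name)
		if err != nil { // fail closed instead of running with partial credentials
			return nil, fmt.Errorf("resolving secret %q: %w", src.SecretRef.Name, err)
		}
		for k, v := range data {
			out[k] = string(v) // secret value wins on overlapping keys
		}
	}
	return out, nil
}

// ResolveServer returns a resolved copy; the input spec and its maps stay untouched.
func ResolveServer(s MCPServerSpec, get SecretGetter) (out MCPServerSpec, err error) {
	out = s
	if out.Headers, err = mergeFrom(s.Headers, s.HeadersFrom, get); err != nil {
		return MCPServerSpec{}, err
	}
	if out.Env, err = mergeFrom(s.Env, s.EnvFrom, get); err != nil {
		return MCPServerSpec{}, err
	}
	return out, nil
}

func main() { // constructed sample: an inline header overridden by a Secret value
	get := func(string) (map[string][]byte, error) { return map[string][]byte{"Authorization": []byte("from-secret")}, nil }
	in := MCPServerSpec{Headers: map[string]string{"Authorization": "inline"},
		HeadersFrom: &SecretValuesSource{&SecretReference{"mcp-github-headers"}}}
	out, err := ResolveServer(in, get)
	fmt.Println(out.Headers["Authorization"], in.Headers["Authorization"], err)
}
```

Because the resolved values live only in the returned copy, a later update of the original object cannot persist secret material into the stored spec.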