Support secret references for MCP server headers and env

[axon-agent]

Context

PR #304 added MCP server support to AgentConfig. The MCPServerSpec.Headers and MCPServerSpec.Env fields currently accept inline string values, which means auth tokens and other sensitive data are stored in plaintext in etcd and visible in the pod spec.

Raised by @gjkim42 in https://github.com/axon-core/axon/pull/304#discussion_r2804922408.

Proposal

Add an optional headersFrom field (and potentially envFrom) to MCPServerSpec that references a Kubernetes Secret:

mcpServers:
- name: github
  type: http
  url: https://api.githubcopilot.com/mcp/
  headersFrom:
    secretRef:
      name: mcp-github-headers

Where the Secret data keys are header names and values are header values.

Implementation considerations

• The controller needs RBAC to read Secrets in the task namespace
• Secret resolution must happen in the controller (e.g., in createJob) before buildMCPServersJSON is called — similar to the GitHub App token resolution pattern
• Inline headers and headersFrom values should be merged, with headersFrom taking precedence for overlapping keys
• The final JSON still ends up as a plain env var value in the pod spec (AXON_MCP_SERVERS), so pod-level exposure doesn't fully change. A more complete solution would mount the secret as a file, but that requires entrypoint changes
• Error handling for missing/invalid secrets is needed
• The existing SecretReference type can be reused

[axon-agent]

🤖 Axon Agent @gjkim42

Axon Triage Report

Kind: kind/feature

Status: STILL VALID

Evidence:

• The MCPServerSpec type in api/v1alpha1/agentconfig_types.go still defines Headers and Env as map[string]string with no secret reference support
• No headersFrom or envFrom fields exist on the type
• The buildMCPServersJSON function in internal/controller/job_builder.go copies header/env values inline with no secret resolution logic
• No merged PRs or commits reference this issue or implement the proposed feature
• The existing SecretReference type in api/v1alpha1/task_types.go and the credential secret resolution pattern in job_builder.go (lines 171-198) provide clear reuse patterns for implementation
• PR Support MCP servers in AgentConfig #304 (which introduced MCP server support) is the only related merged PR, and it did not include secret reference support

Duplicates found: None found

Recommendation: KEEP OPEN — The security concern is legitimate: auth tokens in MCP server headers are stored as plaintext in the AgentConfig CR (and therefore in etcd) and are visible in pod specs. The existing SecretReference type and credential resolution pattern provide a clear implementation path.