fix: Support Kubernetes versions with vendor suffixes in Helm chart #1010
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Fixes IBM#931 by changing kubeVersion constraint from '>=1.21.0' to '>=1.21.0-0'. This allows Helm to properly handle vendor-specific version suffixes like '1.31.10-eks-931bdca' from AWS EKS and other Kubernetes distributions. The '-0' suffix tells Helm's semantic versioning parser to accept any version >= 1.21.0 including those with pre-release/build metadata suffixes. Signed-off-by: Diego Riosalido <driosalido@gmail.com>
crivetimihai
approved these changes
Sep 15, 2025
Member
crivetimihai
left a comment
crivetimihai
left a comment
There was a problem hiding this comment.
Thank you, rebased and merged
Nayana-R-Gowda
pushed a commit
to Nayana-R-Gowda/mcp-context-forge
that referenced
this pull request
Sep 23, 2025
…BM#1010) * fix: Support Kubernetes versions with vendor suffixes in Helm chart Fixes IBM#931 by changing kubeVersion constraint from '>=1.21.0' to '>=1.21.0-0'. This allows Helm to properly handle vendor-specific version suffixes like '1.31.10-eks-931bdca' from AWS EKS and other Kubernetes distributions. The '-0' suffix tells Helm's semantic versioning parser to accept any version >= 1.21.0 including those with pre-release/build metadata suffixes. Signed-off-by: Diego Riosalido <driosalido@gmail.com> * chore: Bump chart version to 0.7.0 --------- Signed-off-by: Diego Riosalido <driosalido@gmail.com> Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
CrazyDubya
added a commit
to CrazyDubya/mcp-context-forge
that referenced
this pull request
Nov 15, 2025
* fix: Support Kubernetes versions with vendor suffixes in Helm chart (#1010)
* fix: Support Kubernetes versions with vendor suffixes in Helm chart
Fixes #931 by changing kubeVersion constraint from '>=1.21.0' to '>=1.21.0-0'.
This allows Helm to properly handle vendor-specific version suffixes like
'1.31.10-eks-931bdca' from AWS EKS and other Kubernetes distributions.
The '-0' suffix tells Helm's semantic versioning parser to accept any version
>= 1.21.0 including those with pre-release/build metadata suffixes.
Signed-off-by: Diego Riosalido <driosalido@gmail.com>
* chore: Bump chart version to 0.7.0
---------
Signed-off-by: Diego Riosalido <driosalido@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* Update AGENTS.md
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Token scoping issue (#1014)
* added token scoping middleware to streamable http middleware
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* improved raising response for errors
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* updated test cases
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* minor change
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* added docstring
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
---------
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* Updated wrapper configurations (#1015)
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* fix: jwt audience verification should be independent from token expiration (#1017)
* fix: jwt audience verfication should be independent from token expiration
Signed-off-by: Philip Miglinci <pmig@glasskube.com>
* Rebase
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Philip Miglinci <pmig@glasskube.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* feat: add tool metadata and http headers to plugin tool hooks (#854)
* rebase: rebased with main, fixing merge conflicts
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix: plugin cleanup to support multiple external plugins.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix(lint): fixed linting issues
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* feat(error): update error handling with enforce_ignore_error
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix(plugins): updated documentation and addressed PR comments.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix(lint): fixed linting issue
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* feat(plugins): added initial http header hooks.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix(comments): update docstrings to fix linting.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix: linting issue.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* feat: added hooks to the plugin manager for http pre/post header requests.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* feat: added tool metadata and headers to tool payloads.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix: fixed model to support passing tool metadata.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* feat: added example header plugin for tools.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix: refactored ToolMetaData, GatewayMetadata, removed http hooks, fixed test cases
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* adding handlers for pluginerror and pluginviolationerror
Signed-off-by: Shriti Priya <shritip@ibm.com>
* fix for headers pydantic error in tool, plugin violation error handler
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Error handling changes with test cases modification
Signed-off-by: Shriti Priya <shritip@ibm.com>
* fixing flake8 issues
Signed-off-by: Shriti Priya <shritip@ibm.com>
* refactored error handling in prompt and resource services, added unit tests for meta data, fixed existing tests.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix: made original_name optional
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* tests(tools): added test to check both gateway and tool metadata
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* tests(headers): added tool header tests
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* tests(tool_post_invoke): tests cases for tool post invoke metadata.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix(tool): check whether tools payload headers are None
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* docs(plugins): added some documentation on the headers and meta data.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* fix: updated error response values
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* Rebase
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Teryl Taylor <terylt@ibm.com>
Signed-off-by: Shriti Priya <shritip@ibm.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Teryl Taylor <terylt@ibm.com>
Co-authored-by: Shriti Priya <shritip@ibm.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* fixed duplication of app_root_path for static files (#1028)
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* Update MANIFEST.in
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MANIFEST.in
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Add Dynamic Client Registration Tutorial (#1029)
* Add Dynamic Client Registration Tutorial
Signed-off-by: Philip Miglinci <pmig@glasskube.com>
* docs: clarify swimlane chart, remove docker compose service name
Signed-off-by: Philip Miglinci <pmig@glasskube.com>
* docs: extend README, update ToC
Signed-off-by: Philip Miglinci <pmig@glasskube.com>
* docs: add a docs sectino about dcr
Signed-off-by: Philip Miglinci <pmig@glasskube.com>
* Update docs for build
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Philip Miglinci <pmig@glasskube.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Jakob Steiner <jakob.steiner@glasskube.eu>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* Update docs with .env.example and new PLATFORM_ADMIN_EMAIL
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Feat 534/config validation startup checks (#976)
* Adding config validation and startup checks
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
* added config validation and security checks
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
* testcases are fixed
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
* correct pylint warnings
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
* Rebase and change defaults to not exit app
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* removed permission (#1036)
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* whitesource
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* ICA Vault Plugin: Replaces the Bearer token with a token received from backend (#1027)
* Plugin first version
Signed-off-by: popagruia <adrian.popa@ro.ibm.com>
* Fixed logging
Signed-off-by: popagruia <adrian.popa@ro.ibm.com>
* fix: improve vault plugin implementation
- Fixed linting issues (removed unused import, fixed whitespace)
- Added missing __init__.py file for proper Python package structure
- Fixed typos in documentation (system_tag_prefix, vault_handling)
- Added vault plugin registration to plugins/config.yaml
- Improved plugin description clarity
* fix: improve vault plugin error handling and robustness
- Added proper error handling for missing/invalid vault header
- Fixed incorrect docstring (was copied from PII filter)
- Added proper database session cleanup with try/finally
- Added validation for oauth_config token_url field
- Improved logging for debugging
---------
Signed-off-by: popagruia <adrian.popa@ro.ibm.com>
Co-authored-by: popagruia <adrian.popa@ro.ibm.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* Support for Content-Type: application/x-www-form-urlencoded (#1026)
* add support for application/x-www-form-urlencoded content type
Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com>
* url_encoded test cases update
Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com>
* fixing doctest
Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com>
* docs: add FORGE_CONTENT_TYPE environment variable to README
- Document new env variable in Basic configuration section
- Add usage note for URL-encoded form data support
- Closes #978
* rebase
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mohan Lakshmaiah <mohalaks@in.ibm.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mohan Lakshmaiah <mohalaks@in.ibm.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* feat(helm): add image pull secrets support and enhance ingress TLS configuration (#1038)
- Add global imagePullSecrets support across all deployments (mcpgateway, postgres, redis, pgadmin, redis-commander, mcp-fast-time-server, and migration job)
- Fix template syntax in _helpers.tpl for fullnameOverride (add missing dash)
- Add TLS configuration support to ingress with schema validation
- Improve pgAdmin probe configuration with longer timeouts and delays for better stability
- Update values.yaml with TLS configuration options and cert-manager annotations
This enables deployment in environments requiring private registry authentication
and adds support for HTTPS/TLS termination at the ingress level.
Co-authored-by: Naveed, Muhammad Shahrukh [JJCUS] <mnaveed4@its.jnj.com>
* Update docs
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update docs
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update docs
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Pandoc MCP Server (#1044)
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Massive mcp server and plugin update (#1051)
* MCP Servers and Plugins
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Formatting
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update Readme
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update plugin
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update plugins
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update docs
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update chmod
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update headers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update headers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* OAuth token multitenancy closes #1078 (user-scoped tokens) and #1023 (token refresh) (#1084)
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update alembic migration - fix 0.7.0 upgrade
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Closes #1023 - implement token refresh
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Closes #1023 - implement token refresh
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Documentation update readmes (#1087)
* Documentation updates
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Documentation updates
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Documentation updates (#1088)
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Documentation updates (#1089)
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Test tokens (#1090)
* Test tokens
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* llms-mcp-server-python
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update mcp servers (#1091)
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* PM MCP Server
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* PM MCP Server
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* PM MCP Server
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fixes OAuth after addition of signature to state (#1097)
* copied from main
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* testing changes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix oauth code
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix tests in test_oauth_router
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* remove debug_team_dropdown.md
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* String issue fixed
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
---------
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* feat: add opa policy input data mapping support (#1102)
* feat: add opa policy input data mapping support
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* chore: drop debugging print statement
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
---------
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* fix: multi-arch support for opa server (#1106)
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: add Terraform MCP Server and Gateway integration guide (#1083)
This commit adds documentation explaining the Terraform MCP Server,
its key features, and how to integrate it with the MCP Gateway. The
content is based on the official documentation and adapted for usage
and reference.
Signed-off-by: Alexander Cobas Rodríguez <alexander.cobas@ibm.com>
* copied from main
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* testing changes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* remove debug_team_dropdown.md
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* copied from fix-oauth
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* OAuth for test gateway
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* testing
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* testing
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix tests
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Update doctest for check_health_for_gatways
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix pylint issues
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* UI multi tenancy gaps (#1040)
* visibility fix, team id in consistency fix, other minor fixes
* fixed test cases
* lint web fixes
Signed-off-by: Satya <tsp.0713@gmail.com>
* updated tools view metadata
* metadata visibility check Tools, A2A
Signed-off-by: Satya <tsp.0713@gmail.com>
* rebase
Signed-off-by: Satya <tsp.0713@gmail.com>
* lint-web fix
Signed-off-by: Satya <tsp.0713@gmail.com>
* fix for private visibility to user specific
Signed-off-by: Satya <tsp.0713@gmail.com>
---------
Signed-off-by: Satya <tsp.0713@gmail.com>
* The system executed 5 runs with a 0% success rate, an average response time of 0.393 ms, and an error rate of 0%. (#1103)
Signed-off-by: NAYANAR <nayana.r5@ibm.com>
Co-authored-by: NAYANAR <nayana.r5@ibm.com>
* Pass auth headers when gateway auth is None (#1115)
* code change as in issue
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Update tests
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Update README.md
* WIP: Plugin Framework Specification Document (#1118)
* docs: initial revision plugins spec
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* docs(spec): moved plugin spec and broke into subpages.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* docs(spec): added some administrative hooks to spec
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* (feat): Markdown fixes and added future hooks.
Signed-off-by: Ian Molloy <molloyim@us.ibm.com>
---------
Signed-off-by: Teryl Taylor <terylt@ibm.com>
Signed-off-by: Ian Molloy <molloyim@us.ibm.com>
Co-authored-by: Teryl Taylor <terylt@ibm.com>
Co-authored-by: Ian Molloy <molloyim@us.ibm.com>
* plugins spec update
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* jwt-extract-issue
Signed-off-by: Santhana Krishnan <a.santhana.k@gmail.com>
* Rebase
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* feat: add webhook notification plugin (#1113)
Adds comprehensive webhook notification system for MCP Gateway events.
Features:
- HTTP webhook notifications for events, violations, and state changes
- Multiple authentication methods (Bearer, API Key, HMAC signatures)
- Retry logic with exponential backoff
- Customizable payload templates per event type
- Event filtering and concurrent webhook delivery
- Comprehensive test coverage (unit + integration)
- Full documentation and testing guide
Supported Events:
- Tool execution (success/error)
- PII detection violations
- Rate limit violations
- Resource fetch operations
- Prompt fetch operations
Configuration:
- Added WebhookNotification plugin to plugins/config.yaml
- Disabled problematic ClamAV and AI Artifacts plugins
- Example webhook.site integration for testing
* Fix: Global Tools not listed for A2A Agents (Issue #841) (#1123)
* a2a
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* a2a
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* a2a tool testing
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* test
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* test
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* return
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* Rebase
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* fix auth value db constraint (#1120)
Signed-off-by: Shoumi <shoumimukherjee@gmail.com>
* Fix tool refresh for OAuth (#1119)
* Update deduplicated tools
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Lint fix
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Clean up code
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix addition and deletion
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix some lint issues
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Add tests
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix test
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* fix: remove trailing whitespace from tests
---------
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* feat: add content moderation plugin with IBM support (#1114)
* feat: add content moderation plugin with IBM support
Add comprehensive content moderation plugin supporting:
- IBM Watson Natural Language Understanding
- IBM Granite Guardian via Ollama
- OpenAI, Azure Content Safety, AWS Comprehend
- Pattern-based fallback for offline operation
- Configurable thresholds and actions (block/warn/redact)
- Content caching and audit logging
- Multiple moderation hooks with intelligent fallbacks
* plugins update
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* fix tests
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* Implementation for Issue #1035: Add team column to admin tables (#1107)
* team add in tool list table
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* gateway
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* server
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* prompt
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* resource
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* resource
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* doctest
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* pytest
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* pytest
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* ruff isort
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* remove print
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* rebase and test
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* rebase and test
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* feat: add ENABLE_OVERWRITE_BASE_HEADERS environment variable and docu… (#1080)
* feat: add ENABLE_OVERWRITE_BASE_HEADERS environment variable and documentation
- Add ENABLE_OVERWRITE_BASE_HEADERS configuration option to .env.example
- Document ENABLE_OVERWRITE_BASE_HEADERS in README.md configuration table
- Update Helm values.yaml to include ENABLE_OVERWRITE_BASE_HEADERS setting
- Add ENABLE_OVERWRITE_BASE_HEADERS documentation to proxy authentication guides
- Update header passthrough documentation with base headers override section
- Add environment variable mapping in config.py for proper .env file reading
- Implement base header override logic in passthrough_headers.py
- Add logging for header override status in main.py startup
- Include comprehensive unit tests for base header override functionality
- Fix trailing newlines in various documentation files
This enables advanced users to allow passthrough headers to override gateway
base headers like Content-Type when ENABLE_OVERWRITE_BASE_HEADERS=true, while
maintaining secure defaults (disabled by default).
* rebase and test
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Naveed, Muhammad Shahrukh [JJCUS] <mnaveed4@its.jnj.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* Feature 285/pydantic v2 config validation (#1110)
* added validate env, test coverage scripts
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
* added documentation
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
* configuration reference doc
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
* fixed lint issue
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
* Fix docstrings and validation scripts
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
* rebase and test
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* fix: revert password validation to 8 char minimum and LOG_TO_FILE default
- Changed minimum password length requirement from 12 to 8 characters
- Restored LOG_TO_FILE default to false in .env.example
- Updated documentation to reflect correct password requirements
- Maintains backward compatibility with existing configurations
* fix: make password validation respect configured values
- Password validation now uses PASSWORD_MIN_LENGTH config (default 8)
- Fixed boolean format consistency in .env.example (all lowercase)
- Password requirements default to false (not enforced)
- Validation warnings adapt to actual configured minimums
- No more hardcoded validation values
---------
Signed-off-by: Veeresh K <veeruveeresh1522@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* Sticky Header Bar for easy access to team and other functionality (#1021)
* Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* fixed stylelinting
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* fix: handle Pydantic v2 SecretStr in JWT token creation
After the Pydantic v2 migration, jwt_secret_key and auth_encryption_secret
are now SecretStr objects. This fix ensures we extract the actual string
value when passing to JWT encode/decode functions.
Fixes login failure with 'Expected a string value' error.
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* rebase and test
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* fix: revert unintended .env.example password change
* rebase and test
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* fix: add metrics recording for prompts, resources, and servers (#1127)
* fix: add metrics recording for prompts, resources, and servers
Implements missing metrics recording functionality to track:
- Prompt template invocations with response times and error tracking
- Resource read operations with success/failure metrics
- Server/gateway forwarding operations with performance metrics
All metrics now properly record execution counts, response times,
and error messages for comprehensive observability.
Closes #699
* fix: remove duplicate prompt metrics recording from API layer
The prompt endpoints in main.py were recording metrics directly,
causing double-counting since the service layer now also records metrics.
Removed duplicate recording to ensure metrics are only recorded once
per execution at the service layer where they belong.
Also cleaned up unused imports (time, select, DbPrompt).
* fix: correct doctest expected output format
* fix: remove duplicate tool metrics recording in _invoke_a2a_tool
The _invoke_a2a_tool method was recording metrics directly, causing
double-counting since invoke_tool (which calls _invoke_a2a_tool) also
records metrics. Removed the duplicate recording to ensure metrics are
only recorded once per tool invocation.
* fix: update doctest to avoid module path issues
* fix: resolve pylint R1705 no-else-return issue
* Add email_team_member_history table for tracking team member actions (#1012)
* member history
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* doctest
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* doctest
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* interrogate
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* migration and pytest
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* team_member_id add
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* team member history
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* hist approved join
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* alembic revision
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
* fix: reconcile team member history tracking after rebase
- Update test expectations to account for additional commits in history tracking
- Ensure consistent action names across all services (use 'added' not 'member-added')
- Fix conflicts from rebase against latest main branch
* rebase and test
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* fix: improve alembic migration for cross-database compatibility
- Replace utc_now() import with inline datetime.now(timezone.utc) for portability
- Use database-agnostic boolean condition (TRUE OR 1) for SQLite/PostgreSQL/MySQL
- Generate unique UUIDs for history records during migration
- Simplify SQL query to avoid nested subqueries that may not work in all databases
- Ensure proper handling of NULL role values with fallback to 'member'
* fix: use database-specific boolean comparison in migration
PostgreSQL requires strict type matching for boolean columns.
Use TRUE for PostgreSQL and 1 for MySQL/SQLite to ensure
compatibility across all supported databases.
Fixes migration error: 'operator does not exist: boolean = integer'
* fix: use server_default instead of default in oauth migration
PostgreSQL requires server_default for column defaults in Alembic
migrations. Using Python-side default causes issues during table
creation.
- Change default=False to server_default=sa.false() for boolean
- Change default=sa.func.now() to server_default=sa.func.now()
Fixes: 'current transaction is aborted' error during migration
* Fix postgres issues
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* fix: resolve Bandit B608 SQL injection warning in migration
Replace f-string SQL query construction with separate static queries
for each database dialect. This eliminates the potential SQL injection
vector flagged by Bandit, even though the original code was safe since
we controlled the values.
- Use separate sa.text() calls for PostgreSQL vs MySQL/SQLite
- No dynamic string interpolation in SQL queries
- Maintains database-specific boolean handling
Fixes Bandit warning: B608 hardcoded_sql_expressions
* Set secure cookies to false for default .env
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* fix: prevent transaction abort in OAuth migration
The migration was trying to drop an index that might not exist, and
even though it caught the exception, PostgreSQL aborts the entire
transaction when any error occurs. This causes all subsequent
operations to fail with 'current transaction is aborted'.
Fixed by:
- Checking if index exists before attempting to drop it
- Database-specific queries to check index existence
- No exceptions thrown, preventing transaction abort
This ensures the migration runs successfully on PostgreSQL, MySQL,
and SQLite whether the index exists or not.
* Fix DB migration
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix compose
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: rakdutta <rakhibiswas@yahoo.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix: Get /a2a/ returns 500 due to datatype mistmatch (#1128)
* Update a2a_service.py
Signed-off-by: Alyssa Novelia <alyssanovelia@gmail.com>
* add signature
Signed-off-by: Alyssa Novelia <alyssanovelia@gmail.com>
* fix: Update all callers to use user_info parameter
The list_agents_for_user function signature was changed to accept
user_info instead of user_email, but the callers weren't updated.
This caused pylint errors E1123 and E1120.
Updated all 3 call sites:
- mcpgateway/main.py:1779
- mcpgateway/admin.py:2156
- mcpgateway/admin.py:8648
All callers still pass the extracted email string (backward compatible),
and the function handles both string and dict formats.
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Alyssa Novelia <alyssanovelia@gmail.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
* PR for Plugin Management API and UI to Admin Dashboard - closes #1129 (#1130)
* Plugins UI
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Plugins UI fixed
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Plugins UI fixed
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* pylint
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix resource filter (#1131)
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Update tests
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix header propagation so we don's send X-Vault-Headers to mcp server (#1134)
* Fix header propagation so we don's send X-Vault-Headers to mcp server
* remove old del
* Added a test example
---------
Co-authored-by: popagruia <adrian.popa@ro.ibm.com>
* comment limit for tools
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* minor fix
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* Local Catalog of MCP servers for MCP Registry & Marketplace (295) (#1132)
* Local registry
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update catalog
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix catalog
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix catalog
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix catalog
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix catalog
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix catalog
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* streamable http tools registration variable consistency
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* linting fixes
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* minor vulture fix
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
* Rebase and lint
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Rebase and lint
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Rebase and lint
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Rebase and lint
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
Signed-off-by: Keval Mahajan <mahajankeval23@gmail.com>
Co-authored-by: Keval Mahajan <mahajankeval23@gmail.com>
* docs: revise and consolidate plugin specification and design docs (#1139)
* docs: fix inconsistencies
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: revise and refactor plugin specification docs
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: update adr references
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: update toc
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: update nav
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: update plugins spec
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: update diagrams
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
---------
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* Fix encode in SecretStr (#1133)
* Fix SecretStr encode
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix typo
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix oauth tests
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix linting issues
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* feat: add LLMGuard security guardrails plugin (#1018)
* making cryptography version compatible with llmguard
Signed-off-by: Shriti Priya <shritip@ibm.com>
* lower bound
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Initial plugin implementation using llmguard
Signed-off-by: Shriti Priya <shritip@ibm.com>
* changes for input and output filters
Signed-off-by: Shriti Priya <shritip@ibm.com>
* documentation on functions of llmguard.py
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Adding documentation and minor bug fixes
Signed-off-by: Shriti Priya <shritip@ibm.com>
* linting changes
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Updating cryptogrpahy dependency in conatinerfile for llmguard
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Reverting the cryptogrpahy package version in root pyproject.toml
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Updating manifest.in file
Signed-off-by: Shriti Priya <shritip@ibm.com>
* adding make test in container
Signed-off-by: Shriti Priya <shritip@ibm.com>
* fix: fixed retry on client plugin connection.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* Changing port for llmguard
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Pre-caching the scanners during container build
Signed-off-by: Shriti Priya <shritip@ibm.com>
* test cases
Signed-off-by: Shriti Priya <shritip@ibm.com>
* filters and sanitizers
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Vault caching for anonymize and deanoymize, examples
Signed-off-by: Shriti Priya <shritip@ibm.com>
* vault caching and expiry ttl, vault leak detection and redis caching
Signed-off-by: Shriti Priya <shritip@ibm.com>
* adding test cases
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Adding test cases for vault and sanitizers
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Documentation and test cases for LLMGuardPlugin
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Updating readme for plugin
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Updating readme for plugin
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Updating readme for plugin
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Updating readme for plugin
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Updating yaml formatting in documentation
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Adding some examples, test cases for complex policiies and documentation update
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Pandoc MCP Server (#1044)
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Massive mcp server and plugin update (#1051)
* MCP Servers and Plugins
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Formatting
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update Readme
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update plugin
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update plugins
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update docs
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update chmod
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update headers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update headers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* OAuth token multitenancy closes #1078 (user-scoped tokens) and #1023 (token refresh) (#1084)
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fix oauth token multitenancy
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update alembic migration - fix 0.7.0 upgrade
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Closes #1023 - implement token refresh
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Closes #1023 - implement token refresh
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Documentation update readmes (#1087)
* Documentation updates
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Documentation updates
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Documentation updates (#1088)
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Documentation updates (#1089)
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Test tokens (#1090)
* Test tokens
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* llms-mcp-server-python
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update mcp servers (#1091)
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Update MCP Servers
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
---------
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* PM MCP Server
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* PM MCP Server
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* PM MCP Server
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Fixes OAuth after addition of signature to state (#1097)
* copied from main
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* testing changes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix oauth code
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix tests in test_oauth_router
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* remove debug_team_dropdown.md
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* String issue fixed
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
---------
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* feat: add opa policy input data mapping support (#1102)
* feat: add opa policy input data mapping support
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* chore: drop debugging print statement
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
---------
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* fix: multi-arch support for opa server (#1106)
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: add Terraform MCP Server and Gateway integration guide (#1083)
This commit adds documentation explaining the Terraform MCP Server,
its key features, and how to integrate it with the MCP Gateway. The
content is based on the official documentation and adapted for usage
and reference.
Signed-off-by: Alexander Cobas Rodríguez <alexander.cobas@ibm.com>
* copied from main
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* testing changes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* remove debug_team_dropdown.md
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* copied from fix-oauth
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* OAuth for test gateway
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* testing
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* testing
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix tests
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Update doctest for check_health_for_gatways
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix pylint issues
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* UI multi tenancy gaps (#1040)
* visibility fix, team id in consistency fix, other minor fixes
* fixed test cases
* lint web fixes
Signed-off-by: Satya <tsp.0713@gmail.com>
* updated tools view metadata
* metadata visibility check Tools, A2A
Signed-off-by: Satya <tsp.0713@gmail.com>
* rebase
Signed-off-by: Satya <tsp.0713@gmail.com>
* lint-web fix
Signed-off-by: Satya <tsp.0713@gmail.com>
* fix for private visibility to user specific
Signed-off-by: Satya <tsp.0713@gmail.com>
---------
Signed-off-by: Satya <tsp.0713@gmail.com>
* The system executed 5 runs with a 0% success rate, an average response time of 0.393 ms, and an error rate of 0%. (#1103)
Signed-off-by: NAYANAR <nayana.r5@ibm.com>
Co-authored-by: NAYANAR <nayana.r5@ibm.com>
* Pass auth headers when gateway auth is None (#1115)
* code change as in issue
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Update tests
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Update README.md
* Update README.md
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Update README.md
Signed-off-by: Shriti Priya <shritip@ibm.com>
* WIP: Plugin Framework Specification Document (#1118)
* docs: initial revision plugins spec
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* docs(spec): moved plugin spec and broke into subpages.
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* docs(spec): added some administrative hooks to spec
Signed-off-by: Teryl Taylor <terylt@ibm.com>
* (feat): Markdown fixes and added future hooks.
Signed-off-by: Ian Molloy <molloyim@us.ibm.com>
---------
Signed-off-by: Teryl Taylor <terylt@ibm.com>
Signed-off-by: Ian Molloy <molloyim@us.ibm.com>
Co-authored-by: Teryl Taylor <terylt@ibm.com>
Co-authored-by: Ian Molloy <molloyim@us.ibm.com>
* plugins spec update
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
* Removing files
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Removing files
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Adding default allow response
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Linting fixes, caching regex and toxicity filter, docker-compose edits
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Update README.md
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Update README.md
Signed-off-by: Shriti Priya <shritip@ibm.com>
* Update README.md
Signed-off-by: Shriti Priya <shritip@ibm.com>
* fix: solve linting issues
Signed-off-by: Shriti Priya <shritip@ibm.com>
---------
Signed-off-by: Shriti Priya <shritip@ibm.com>
Signed-off-by: Teryl Taylor <terylt@ibm.com>
Signed-off-by: Mihai Criveti <crivetimihai@gmail.com>
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
Signed-off-by: Alexander Cobas Rodríguez <alexander.cobas@ibm.com>
Signed-off-by: Satya <tsp.0713@gmail.com>
Signed-off-by: NAYANAR <nayana.r5@ibm.com>
Signed-off-by: Ian Molloy <molloyim@us.ibm.com>
Co-authored-by: Teryl Taylor <terylt@ibm.com>
Co-authored-by: Mihai Criveti <crivetimihai@gmail.com>
Co-authored-by: Madhav Kandukuri <madhav165@users.noreply.github.com>
Co-authored-by: Frederico Araujo <araujof@users.noreply.github.com>
Co-authored-by: alex-cobas <alexander.cobas@ibm.com>
Co-authored-by: Madhav Kandukuri <madhav165@gmail.com>
Co-authored-by: Satya <tsp.0713@gmail.com>
Co-authored-by: Nayana R Gowda <nayana.r7813@gmail.com>
Co-authored-by: NAYANAR <nayana.r5@ibm.com>
Co-authored-by: terylt <30874627+terylt@users.noreply.github.com>
Co-authored-by: Ian Molloy <molloyim@us.ibm.com>
* Fix catalog search (#1144)
* Fix catalog serve
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix catalog serve
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix disabled plugins listing
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix disabled plugins listing
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix disabled plugins listing
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix disabled plugins listing
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix disabled plugins listing
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
---------
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Fix disabled plugins listing
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Pass headers from plugin to server connection functions (#1142)
* Fix SecretStr encode
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Fix linting issues
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Pass headers to connect to server functions
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* Linting fixes
Signed-off-by: Madhav Kandukuri <madhav165@gmail.com>
* fix: preserve tools/resources/prompts when editing OAuth2 gateways without URL change (#1146)
* fix: preserve tools/resources/prompts when editing OAuth2 gateways without URL change
Fixes #1025
Problem:
When editing an MCP server with OAuth2 authentication (e.g., adding tags or
updating description), all tools, resources, and prompts would disappear from
the gateway. Users had to manually click 'Fetch Tools' to restore them.
Root Cause:
The admin UI sends all gateway fields (including the unchanged URL) during edits.
The code was checking 'if gateway_update.url is not None' to determine whether
to re-fetch tools from the server. Since the URL was always present (even when
unchanged), it would attempt to re-initialize the gateway connection.
For OAuth2 servers using authorization_code grant type, this re-initialization
would fail because:
1. The context doesn't have the user's OAuth token
2. Re-fetch returns 0 tools
3. The cleanup logic deletes all existing tools as 'no longer available'
Solution:
Check if the URL value actually changed, not just if it was provided:
url_changed = (gateway_update.url is not None and
self.normalize_url(str(gateway_update.url)) != gateway.url)
Only re-fetch tools when the URL truly changed. This preserves existing tools,
resources, and prompts for OAuth2-authenticated gateways when editing other
fields like tags, description, visibility, etc.
Testing:
Verified with Asana MCP Server:
- Created OAuth2 gateway with Asana
- Completed OAuth flow and fetched 42 tools
- Edited gateway tags
- ✅ Tools persisted (previously would have been deleted)
Signed-off-by: Manav Gupta <manavg@gmail.com>
* rebase
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
---------
Signed-off-by: Manav Gupta <manavg@gmail.com>
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
Co-authored-by: Mihai Criveti <crmihai1@ie.ibm.com>
* docs: update plugins usage and document built-in plugins (#1147)
* docs: normalized plugin names
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: update to plugins docs
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* docs: add available plugins page
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
---------
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* Update UX (#1152)
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Update ux catalogs (#1153)
* Update UX filters mcp servers
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Update partial for mcp registry
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Update partial for mcp registry
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Update partial for mcp registry
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
---------
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* fix: piifilter dead code (#1149)
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* fix: remove unused variable (#1150)
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* fix: lint issues across plugins (#1151)
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* Config tab (#1154)
* Config tab
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Config tab
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Add fast time server
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Pylint
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
---------
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Config tab (#1155)
* Config tab
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Config tab
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Add fast time server
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Pylint
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
---------
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* docs: normalize project name (#1157)
Signed-off-by: Frederico Araujo <frederico.araujo@ibm.com>
* Add scale.md (#1165)
* Add scale docs
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* Add scale docs
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
---------
Signed-off-by: Mihai Criveti <crmihai1@ie.ibm.com>
* feat: Implement OAuth Dynamic Client Registration (DCR) and PKCE support (#1158)
* test: Add TDD Red Phase tests for DCR and PKCE (RFC 7591, 7636)
Add comprehensive test suite for OAuth Dynamic Client Registration and PKCE
following Test-Driven Development (Red Phase). All tests will fail until
implementation is complete.
Tests Added:
- test_oauth_manager_pkce.py (22 tests)
* PKCE parameter generation (RFC 7636)
* Authorization URL with code_challenge
* State storage with code_verifier
* Token exchange with PKCE validation
* Security properties validation
- test_dcr_service.py (35 tests)
* AS metadata discovery (RFC 8414)
* Client registration (RFC 7591)
* Get-or-register pattern
* Update/delete operations
* Issuer validation and error handling
- test_dcr_flow_integration.py (12 tests)
* Complete PKCE flow with database
* Complete DCR flow end-to-end
* Security validations (replay prevention, expiry)
* Error handling scenarios
All tests use shared test_db fixture from tests/conftest.py.
Related to #979
Test Status: 🔴 RED - Tests will fail until implementation
* feat: Implement PKCE and DCR core functionality (TDD Green Phase)
Implement OAuth Dynamic Client Registration and PKCE support following
RFCs 7591, 7636, and 8414. This is the TDD Green Phase implementation.
Test Results: 27/45 tests passing (60%)
- PKCE tests: 17/22 passing (77%)
- DCR tests: 10/23 passing (43%)
Changes:
1. PKCE Support (RFC 7636):
- Add code_verifier column to oauth_states table
- Implement _generate_pkce_params() for PKCE generation
- Implement _create_authorization_url_with_pkce()
- Update _store_authorization_state() to store code_verifier
- Implement _validate_and_retrieve_state() to return state data
- Update _exchange_code_for_tokens() to include code_verifier
- Wire PKCE through initiate/complete authorization flows
2. DCR Service (RFC 7591):
- Create DcrService with AS metadata discovery (RFC 8414)
- Implement register_client() for dynamic registration
- Implement get_or_register_client() pattern
- Implement update_client_registration()
- Implement delete_client_registration()
- Add metadata caching for performance
- Add DcrError exception class
3. Database Models:
- Add RegisteredOAuthClient model for DCR storage
- Add code_verifier to OAuthState model
- Add relationship to Gateway model
4. Configuration:
- Add 10 DCR configuration settings
- Add oauth_discovery_enabled setting
- Add oauth_preferred_code_challenge_method setting
5. Database Migrations:
- Migration 61ee11c482d6: Add code_verifier column
- Migration 2f67b12600b4: Add registered_oauth_clients table
Remaining work:
- Fix mocking issues in some tests (module-level variable patches)
- Add admin DCR router (Phase 1.4)
- Update OAuth router integration
- Documentation updates
Related to #979
* fix: Fix unit test mocking issues for PKCE and DCR tests
Fix failing unit tests by correcting mock setups:
Test Results: 33/45 passing (73% - up from 60%)
- PKCE tests: 22/22 passing (100%) ✅
- DCR tests: 11/23 passing (48%)
Changes:
- Fix _state_lock patching (module-level vs instance)
- Fix aiohttp.ClientSession mocking for async context managers
- Add token_storage mock for initiate_authorization_code_flow test
- Fix issuer mismatch in discovery test mocks
- Clear metadata cache in caching test
All PKCE tests now passing. Remaining DCR test failures are due
to mock setup complexity, not implementation bugs.
Related to #979
* fix: Fix remaining DCR test issues - ALL TESTS PASSING ✅
Fix final test issues to achieve 100% test pass rate:
Test Results: 45/45 passing (100%) ✅✅✅
- PKCE tests: 22/22 passing (100%)
- DCR tests: 23/23 passing (100%)
Changes:
- Fix aiohttp.ClientSession mocking for discovery tests
- Clear metadata cache in tests for isolation
- Use unique gateway_id and issuer for each test (avoid UNIQUE constraints)
- Add Gateway objects to database before RegisteredOAuthClient
- Fix Gateway model attributes (use slug/url instead of server_url/command)
- Properly encrypt registration_access_token in update tests
- Update encrypted secret assertions (check length instead of prefix)
All unit tests for PKCE and DCR now passing!
Related to #979
* fix: Fix test_dcr_implementation.sh heredoc issues
Fix script hanging by:
- Remove 'set -e' to allow test counting instead of immediate exit
- Replace problematic heredocs with single-line Python commands
- Suppress stderr warnings (security warnings from config)
- Use grep for file content checks instead of Python heredocs
Script now runs to completion and reports:
- 5 tests passed (PKCE, DCR service, database, config)
- 2 tests failed (admin router not yet implemented)
- Warnings for documentation (Phase 1.4 tasks)
Related to #979
* feat: Implement Phase 1.4 - Integrate DCR into OAuth router
- Auto-detect missing client_id when gateway has issuer
- Auto-trigger DCR client registration when DCR is enabled
- Store registered credentials and update gateway oauth_config
- Add admin endpoints for viewing/managing registered OAuth clients
- Integrate with existing PKCE implementation in OAuthManager
Endpoints added:
- GET /oauth/registered-clients - List all registered clients
- GET /oauth/registered-clients/{gateway_id} - Get client for gateway
- DELETE /oauth/registered-clients/{client_id} - Delete registered client
Closes #979 Phase 1.4
* fix: Set auth_type=oauth when DCR auto-registers client
When DCR automatically registers a client, we now also update the
gateway's auth_type field to 'oauth' to ensure subsequent connections
know to use OAuth authentication.
This ensures the gateway initialization logic correctly skips immediate
connection attempts for OAuth authorization code flows.
* fix: Auto-detect OAuth and add OAuth option to UI
- Added 'OAuth 2.0' option to auth_type dropdown in admin UI
- Auto-detect auth_type='oauth' when oauth_config is present
- Applied to both create and edit gateway endpoints
- Users no longer need to manually select OAuth auth type
This fixes the issue where OAuth-protected MCP servers (like Reddit MCP)
would fail to register because auth_type wasn't automatically set.
* feat: Assemble OAuth config from UI form fields + add issuer field
Backend changes (admin.py):
- Collect individual OAuth fields from UI form
- Assemble into oauth_config object
- Support both JSON string (API) and form fields (UI)
- Applied to both create and edit endpoints
UI changes (admin.html):
- Added oauth_issuer field (required for DCR)
- Updated Client ID placeholder for DCR
- Added help text explaining DCR auto-registration
- Applied to both Add and Edit gateway forms
Now users can configure OAuth gateways via UI with proper
DCR support. If client_id is empty but issuer is provided,
DCR will auto-register the client.
* feat: Add DCR help text and debug logging
- Added blue help text to Client Secret field explaining DCR
- Applied to both Add and Edit forms
- Added debug logging to show complete oauth_config assembly
- Made OAuth authorization code fields always visible
This makes it clear to users that Client ID and Client Secret
can be left empty when using DCR.
* debug: Add form field debugging to trace oauth_config issue
Added logging to see what oauth_config_json and individual OAuth
fields are being received from the form submission.
* fix: Disable JavaScript OAuth config assembly, let backend handle it
The JavaScript in admin.js was intercepting the form submission and
assembling oauth_config with incorrect field names (token_url instead
of token_endpoint). This caused the backend to receive pre-assembled
but incorrect OAuth configuration.
Changes:
- Commented out OAuth config assembly in handleAddGatewayFormSubmit
- Commented out OAuth config assembly in handleEditGatewayFormSubmit
- Individual OAuth form fields now pass through to backend
- Backend (admin.py) correctly assembles with proper field names
- Supports DCR when client_id/client_secret are empty
This fixes the issue where grant_type was always 'client_credentials'
instead of respecting the user's selection of 'authorization_code'.
* fix: Make Authorization Code the default OAuth grant type
Changed the default selection in the grant type dropdown from
'client_credentials' to 'authorization_code' since that's the most
common use case for OAuth-protected MCP servers and the flow we're
testing for DCR/PKCE.
Users can still select Client Credentials if needed, but Authorization
Code is now the default for both Add and Edit gateway forms.
* fix: Accept HTTP 200 for DCR registration (RFC 7591 compatibility)
Some OAuth servers (like systemprompt-mcp-server) return HTTP 200 OK
instead of HTTP 201 Created for successful client registration, even
though RFC 7591 specifies 201.
Changed the DCR service to accept both 200 and 201 as successful
responses to improve compatibility with real-world OAuth servers.
This allows DCR to work with the Reddit MCP server (systemprompt)
which registers public clients (no client_secret) and returns 200.
* fix: Support public clients (no secret) and fix OAuth field names
Two critical fixes for DCR with public clients:
1. Handle public clients without client_secret:
- Check if client_secret_encrypted is None before decrypting
- Only add client_secret to oauth_config if it exists
- This supports PKCE-only flows (RFC 7636)
2. Fix OAuth field name inconsistency:
- Changed 'token_endpoint' -> 'token_url'
- Changed 'authorization_endpoint' -> 'authorization_url'
- OAuthManager expects these field names
- Applied to both admin.py (form assembly) and oauth_router.py (DCR)
This allows DCR to work with public OAuth clients like the Reddit
MCP server (systemprompt-mcp-server) which uses PKCE without secrets.
* feat: Implement OAuth Dynamic Client Registration (DCR) and PKCE support
Implements Phase 1 of RFC 7591 (DCR) and RFC 7636 (PKCE) support for
OAuth-protected MCP servers, as specified in issue #979.
Core Implementation:
- Added DcrService for AS metadata discovery (RFC 8414) and client registration (RFC 7591)
- Implemented PKCE (Proof Key for Code Exchange) in OAuthManager for Authorization Code flows
- Integrated DCR into oauth_router to auto-register when issuer present but client_id missing
- Added RegisteredOAuthClient model to store DCR registrations with encrypted credentials
- Added code_verifier field to OAuthState model for PKCE support
- Created Alembic migrations for new database schema
Configuration:
- Added DCR settings: dcr_enabled, dcr_auto_register_on_missing_credentials, dcr_default_scopes
- Added OAuth discovery settings: oauth_discovery_enabled, oauth_preferred_code_challenge_method
- Added DCR security settings: dcr_allowed_issuers, dcr_token_endpoint_auth_method
OAuth Enhancements:
- Support for public OAuth clients (PKCE-only, no client_secret)
- Accept both HTTP 200 and 201 for DCR registration responses
- Fixed OAuth field name inconsistencies (authorization_url/token_url vs authorization_endpoint/token_endpoint)
- Skip strict URL validation for OAuth-protected servers
- Support both SSE and STREAMABLEHTTP transports for OAuth servers
UI/UX Improvements:
- Added OAuth 2.0 option to auth_type dropdown in admin UI
- Added oauth_issuer field for DCR configuration
- Made Authorization Code the default grant type
- Added help text for Client ID and Client Secret fields explaining DCR
- Backend now assembles oauth_config from individual form fields
- Auto-detects auth_type="oauth" when OAuth config is present
- Made OAuth authorization fields always visible when OAuth 2.0 is selected
Testing:
- 22 PKCE unit tests covering parameter generation, state storage, token exchange
- 23 DCR unit tests covering AS discovery, client registration, error handling
- 8 integration tests covering end-to-end DCR and PKCE flows
- All 53 tests passing with proper database session isolation and aiohttp mocking
- Imported OAuthState and RegisteredOAuthClient models in test conftest for schema creation
Bug Fixes:
- Fixed JavaScript in admin.js that was incorrectly assembling oauth_config
- Handle missing client_secret for public clients in token exchange
- Only decrypt client_secret if present (avoid NoneType errors)
- Clear metadata cache in tests for proper isolation
- Added debug logging for OAuth config assembly
Validation:
- Tested end-to-end with systemprompt-mcp-server (Reddit MCP)
- Successfully completed DCR + PKCE + OAuth flow with real-world server
- Verified token encryption/decryption works correctly
- Confirmed PKCE code_challenge and code_verifier flow
Closes #979 (Phase 1.4 - Integration into OAuth router)
* fix: Remove unused imports in dcr_service.py
Removed unused imports to fix ruff and flake8 linting errors:
- timedelta (not used in the file)
- Optional (not used in the file)
All other imports (datetime, timezone, Any, Dict, List) are used.
* fix: Update existing OAuth tests for PKCE implementation
Updated existing OAuth tests to match the new PKCE implementation:
1. test_initiate_authorization_code_flow_success:
- Now expects PKCE parameters in authorization URL
- Removed mocking of old _create_authorization_url method
- Validates code_challenge and code_challenge_method presence
2. test_complete_authorization_code_flow_success:
- Updated _exchange_code_for_tokens call to include code_verifier
- Stores code_verifier with state for PKCE validation
3. test_complete_authorization_code_flow_no_token_storag…
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Fixes Helm chart installation failures on Kubernetes distributions with vendor-specific version suffixes.
Problem
The current
kubeVersion: ">=1.21.0"constraint inChart.yamlfails to handle vendor-specific version suffixes like:1.31.10-eks-931bdca1.30.0-gke.1234Solution
Changed
kubeVersionconstraint from>=1.21.0to>=1.21.0-0to properly support semantic versioning with pre-release/build metadata suffixes.Testing
helm lintvalidationCloses
Fixes #931