v1.0.17 - Okta Identity Provider, Security Hardening, and OTLP Metrics Export
Upgrading from v1.0.16
This section covers everything you need to know to upgrade from v1.0.16 to v1.0.17.
Breaking Changes
1. Local Admin Credentials Removed
The ADMIN_USER and ADMIN_PASSWORD environment variables have been removed. All authentication now requires an identity provider (Keycloak, Entra ID, Okta, or AgentCore).
- Action Required: Remove these variables from your
.envfile - Migration: Use identity provider accounts for admin access
2. Registry Container Port Changes (Helm/Kubernetes Only)
The registry service now uses non-privileged ports:
-
HTTP:
80→8080 -
HTTPS:
443→8443 -
Action Required for Kubernetes/Helm: Update any external port references or ingress configurations
-
No Action Required: Docker Compose and Terraform/ECS deployments automatically map these ports
3. MongoDB Init Container Removed (Helm/Kubernetes Only)
The wait-for-mongodb init container has been removed from auth-server and registry deployments. MongoDB readiness is now handled through application-level retries and health checks.
- Action Required: None - MongoDB connection retry logic is built into the applications
- Benefit: Faster pod startup times and reduced security surface
New Environment Variables
| Variable | Default | Description |
|---|---|---|
OKTA_DOMAIN |
- | Okta organization domain (e.g., dev-123456.okta.com) |
OKTA_CLIENT_ID |
- | Okta OAuth2 application client ID |
OKTA_CLIENT_SECRET |
- | Okta OAuth2 application client secret |
OKTA_M2M_CLIENT_ID |
(uses OKTA_CLIENT_ID) |
Optional: Separate M2M client ID |
OKTA_M2M_CLIENT_SECRET |
(uses OKTA_CLIENT_SECRET) |
Optional: Separate M2M client secret |
OKTA_API_TOKEN |
- | Optional: Okta Admin API token for IAM operations |
OKTA_AUTH_SERVER_ID |
(uses default) | Optional: Custom authorization server ID |
OTEL_OTLP_ENDPOINT |
- | OTLP endpoint URL for direct metrics push (e.g., https://otlp.datadoghq.com) |
OTEL_EXPORTER_OTLP_HEADERS |
- | OTLP headers (e.g., dd-api-key=YOUR_KEY) |
OTEL_OTLP_EXPORT_INTERVAL_MS |
30000 |
Metrics export interval in milliseconds |
OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE |
cumulative |
Metric temporality: cumulative or delta |
Upgrade Instructions
Docker Compose
cd mcp-gateway-registry
git pull origin main
git checkout v1.0.17
# Review new env vars in .env.example and update your .env if needed
# Remove ADMIN_USER and ADMIN_PASSWORD if present
# Rebuild and restart:
./build_and_run.shKubernetes / Helm (EKS)
cd mcp-gateway-registry
git pull origin main
git checkout v1.0.17
# Update values.yaml if needed, then upgrade:
cd charts/mcp-gateway-registry-stack
helm upgrade mcp-gateway . -f your-values.yamlTerraform / ECS
cd mcp-gateway-registry
git pull origin main
git checkout v1.0.17
# Update your .tfvars with any new variables
cd terraform/aws-ecs
terraform plan
terraform applyDockerHub Images
Pre-built images are available:
docker pull mcpgateway/registry:v1.0.17
docker pull mcpgateway/auth-server:v1.0.17
docker pull mcpgateway/currenttime-server:v1.0.17
docker pull mcpgateway/realserverfaketools-server:v1.0.17
docker pull mcpgateway/mcpgw-server:v1.0.17
docker pull mcpgateway/fininfo-server:v1.0.17
docker pull mcpgateway/metrics-service:v1.0.17Major Features
Okta Identity Provider Support
Complete integration of Okta as a supported identity provider alongside Keycloak, Entra ID, and Amazon Bedrock AgentCore.
Key Capabilities:
- Full OAuth 2.0/OIDC authentication flow with Okta
- Machine-to-machine (M2M) token generation for automated workflows
- User and group synchronization via Okta API
- IAM group mapping and authorization
- Support for custom authorization servers
- Optional separate M2M client credentials
- Helm chart configuration support
Configuration:
- Set
AUTH_PROVIDER=oktain your environment - Configure required variables:
OKTA_DOMAIN,OKTA_CLIENT_ID,OKTA_CLIENT_SECRET - Optional IAM features require
OKTA_API_TOKEN
Infrastructure Security Hardening
Comprehensive security improvements across deployment methods (Docker Compose, Helm/Kubernetes, Terraform/ECS).
Security Enhancements:
- Container Security: Non-root user execution, dropped capabilities, read-only root filesystems
- Secrets Management: Removed hardcoded credentials, AWS Secrets Manager integration for ECS
- Network Security: Localhost binding for development, private IP binding for production
- Health Checks: Liveness and readiness probes for all services
- Resource Limits: CPU and memory constraints for all containers
- Logging: Structured logging with AWS CloudWatch integration
Deployment-Specific Improvements:
- Helm/Kubernetes: SecurityContext enforcement, pod security standards compliance
- Terraform/ECS: IAM role refinement, VPC security group tightening, ALB access logging
- Docker Compose: TLS certificate management, nginx security headers
Direct OTLP Metrics Export
Push OpenTelemetry metrics directly to external observability platforms (Datadog, New Relic, Grafana Cloud, Honeycomb) via OTLP/HTTP.
Key Features:
- Parallel export to both Prometheus and OTLP endpoints
- Configurable export intervals
- Support for cumulative and delta metric temporality
- Pre-configured examples for major platforms
- No additional collector required
Supported Platforms:
- Datadog (US1/EU1 regions)
- New Relic
- Grafana Cloud
- Honeycomb
- Any OTLP-compatible platform
Configuration:
- Set
OTEL_OTLP_ENDPOINTto your platform's OTLP endpoint - Add platform-specific headers in
OTEL_EXPORTER_OTLP_HEADERS - Adjust temporality for Datadog:
OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE=delta
What's New
Security Fixes
- Shell Injection Prevention: Replaced
execSyncwithexecFileSyncto prevent command injection attacks (#655) - Semgrep Findings: Addressed static analysis findings including SQL injection patterns, hardcoded credentials, and insecure randomness (#651)
- CSRF Protection: Added Cross-Site Request Forgery protection with flexible token validation (#635)
- Hardcoded Secrets Removal: Eliminated hardcoded database passwords and API tokens (#633)
- Network Binding Security: Servers now bind to localhost in development, private IPs in production (#604)
- Subprocess Security: Implemented hardcoded command patterns with proper validation (#577)
- SQL Injection Prevention: Parameterized queries and allowlist validation for dynamic identifiers (#579)
Authentication & Identity
- Complete Okta identity provider integration with M2M support (#644, #657)
- Removed local username/password authentication (#591)
- Fixed Keycloak SSO logout with
id_token_hintparameter (#592) - Removed old admin username/password references (#627)
Agent Management
- Fixed agent enable/disable 500 error after container restart (#621, #622)
- Resolved health status race condition for enabled services (#639)
- Agent enabled state now persists to repository on toggle (#622)
Search & Discovery
- Fixed FAISS search initialization and entity type handling (#646)
- Improved semantic search accuracy and performance
Deployment & Configuration
- Helm charts now support Okta configuration (#657)
- OpenTelemetry ConfigMap for registry metrics configuration (#638)
- MongoDB credentials passed to configure job (#630)
- Conditional environment variable handling (#640)
- Docker security hardening and ECS Fargate production fixes (#624)
Infrastructure
- Created writable
/app/certsdirectory for DocumentDB CA bundle (#632) - Fixed nginx X-Forwarded-Port mapping and proxy buffer permissions (#631)
- Federation server reconciliation and DELETE endpoint fixes (#576)
Frontend Improvements
- ESC key now closes modals in the UI (#596)
- Uptime display with system stats tooltip (#567)
- IAM tool selector improvements and path normalization (#570)
Documentation
- Added Direct OTLP Push Export documentation (#637)
- Updated roadmap with March 2026 milestones (#653)
- Added modern type hints (PEP 604/585) guidance (#582)
- Comprehensive subprocess and SQL security guidelines (#580)
- Enterprise Security Posture documentation
- AWS Show & Tell video added to demo videos
Bug Fixes
- Fixed FAISS search broken initialization and wrong entity types (#646)
- Fixed agent enable/disable 500 error after container restart (#621)
- Fixed agent enabled state persistence on toggle (#622)
- Eliminated health status race condition for enabled services (#639)
- Fixed writable /app/certs directory for DocumentDB CA bundle (#632)
- Fixed nginx X-Forwarded-Port mapping and proxy buffer permissions (#631)
- Fixed Keycloak SSO logout with id_token_hint (issue #490) (#592)
- Fixed mcpgw API compatibility and Service Connect (#588)
- Fixed federation server reconciliation and DELETE endpoint (issue #539) (#576)
- Resolved Bandit B105 findings (issue #525) (#571)
- Fixed IAM tool selector, path normalization, and UI permission sync (#570)
- Resolved Bandit B404/B307/B310 findings (issue #526) (#568)
- Preserved encrypted federation tokens during peer updates (#564)
- Fixed Bandit B101 configuration for test files (#565)
Pull Requests Included
| PR | Title |
|---|---|
| #657 | add okta envvars to charts |
| #655 | fix: replace execSync with execFileSync to prevent shell injection |
| #653 | docs: update roadmap with March 2026 milestones |
| #651 | fix: implement Semgrep security findings fixes (issue #650) |
| #648 | chore(deps): bump langgraph from 1.0.9 to 1.0.10rc1 |
| #647 | chore(deps): bump flatted from 3.3.3 to 3.4.1 in /frontend |
| #646 | fix: FAISS search broken - missing initialization and wrong entity types |
| #645 | chore(deps): bump orjson from 3.11.5 to 3.11.6 |
| #644 | feat: Add Okta as an Identity Provider |
| #643 | chore(deps): bump black from 25.12.0 to 26.3.1 in /metrics-service |
| #642 | feat: complete infrastructure security hardening implementation (issue #603) |
| #640 | only set envvars if available |
| #639 | fix: eliminate health status race condition for enabled services (#612) |
| #638 | create otel configmap for registry and add variables in values |
| #637 | docs: add Direct OTLP Push Export documentation for metrics |
| #635 | fix: add CSRF protection, flexible validation, and security scan directories |
| #633 | fix: remove hardcoded secret and improve credentials security |
| #632 | fix: create writable /app/certs directory for DocumentDB CA bundle |
| #631 | fix: nginx X-Forwarded-Port mapping and proxy buffer permissions |
| #630 | pass mongodb credentials to configure job |
| #629 | update helm charts for hardening PR |
| #627 | remove old references to admin username/password |
| #624 | Docker security hardening and ECS Fargate production fixes |
| #622 | fix: persist agent enabled state to repository on toggle |
| #621 | fix: agent enable/disable 500 after container restart |
| #606 | remove mcpgw install script |
| #604 | fix(security): address test code and network binding security findings (issue #599) |
| #596 | esc now closes modals in the UI |
| #592 | Fix Keycloak SSO logout with id_token_hint (issue #490) |
| #591 | Remove local username password |
| #590 | update mcpgw deployment and dockerfile |
| #589 | chore(deps): bump fast-xml-parser and @aws-sdk/xml-builder in /cli |
| #588 | fix: mcpgw API compatibility, security hardening, and Service Connect |
| #586 | add mcpgw build and charts |
| #585 | feat: add macOS setup and teardown Claude skill |
| #584 | Rewrite mcpgw MCP server to use registry HTTP APIs (issue #583) |
| #582 | docs: add modern type hints (PEP 604/585) and pre-commit hook guidance |
| #580 | docs: add comprehensive subprocess and SQL security guidelines to CLAUDE.md |
| #579 | 522 address sql injection in metrics |
| #578 | more ruff fixes |
| #577 | 523 address bandit finding subprocess |
| #576 | feat: add federation server reconciliation and fix DELETE endpoint (issue #539) |
| #575 | feat: searchable audit log filters and statistics dashboard (#572) |
| #571 | fix: resolve Bandit B105 findings (issue #525) |
| #570 | fix(iam): tool selector, path normalization, and UI permission sync in IAM Groups |
| #568 | fix: resolve Bandit B404/B307/B310 findings (issue #526) |
| #567 | feat: add uptime display with system stats tooltip (#566) |
| #565 | fix(security): configure Bandit B101 skip for test files |
| #564 | fix: preserve encrypted federation tokens during peer updates (#561) |
| #563 | chore(deps): bump awscli from 1.44.4 to 1.44.38 |
Security Dependency Updates
| Package | Previous | Updated | Scope |
|---|---|---|---|
| langgraph | 1.0.9 | 1.0.10rc1 | Python |
| flatted | 3.3.3 | 3.4.1 | frontend (npm) |
| black | 25.12.0 | 26.3.1 | metrics-service |
| orjson | 3.11.5 | 3.11.6 | Python |
| fast-xml-parser | - | (updated) | cli (npm) |
| @aws-sdk/xml-builder | - | (updated) | cli (npm) |
| awscli | 1.44.4 | 1.44.38 | Infrastructure |
Contributors
Thank you to all contributors for this release:
- Amit Arora (@aroraai)
- Omri Shiv (@omrishiv)
- Wallace Printz (@printw)
- Harshit Kumar Gupta (@harshit-knit)
- Abhishek Singh (@abkrsinh)
- Spidershield-contrib (@Spidershield-contrib)
- Prateek Sinha (@shekharprateek)
- dependabot[bot] (@dependabot)
Support
Full Changelog: v1.0.16...v1.0.17
What's Changed
- esc now closes modals in the UI by @omrishiv in #596
- Remove local username password by @omrishiv in #591
- fix(security): address test code and network binding security findings (issue #599) by @aarora79 in #604
- remove old references to admin username/password by @omrishiv in #627
- Docker security hardening and ECS Fargate production fixes by @aarora79 in #624
- fix: nginx X-Forwarded-Port mapping and proxy buffer permissions by @aarora79 in #631
- pass mongodb credentials to configure job by @omrishiv in #630
- fix: add CSRF protection, flexible validation, and security scan directories by @aarora79 in #635
- fix: persist agent enabled state to repository on toggle by @WPrintz in #622
- fix: agent enable/disable 500 after container restart by @WPrintz in #621
- feat: Enable OTLP push export through Docker Compose and Terraform/ECS (#543) by @abkrsinh in #560
- docs: add Direct OTLP Push Export documentation for metrics by @aarora79 in #637
- create otel configmap for registry and add variables in values by @omrishiv in #638
- only set envvars if available by @omrishiv in #640
- fix: eliminate health status race condition for enabled services (#612) by @shekharprateek in #639
- feat: complete infrastructure security hardening implementation (issue #603) by @aarora79 in #642
- fix: FAISS search broken - missing initialization and wrong entity types by @harshitkgupta in #646
- chore(deps): bump orjson from 3.11.5 to 3.11.6 by @dependabot[bot] in #645
- chore(deps): bump black from 25.12.0 to 26.3.1 in /metrics-service by @dependabot[bot] in #643
- chore(deps): bump flatted from 3.3.3 to 3.4.1 in /frontend by @dependabot[bot] in #647
- chore(deps): bump langgraph from 1.0.9 to 1.0.10rc1 by @dependabot[bot] in #648
- fix: implement Semgrep security findings fixes (issue #650) by @aarora79 in #651
- docs: update roadmap with March 2026 milestones by @aarora79 in #653
- fix: replace execSync with execFileSync to prevent shell injection by @spidershield-contrib in #655
- feat: Add Okta as an Identity Provider by @abkrsinh in #644
- add okta envvars to charts by @omrishiv in #657
New Contributors
- @shekharprateek made their first contribution in #639
- @spidershield-contrib made their first contribution in #655
Full Changelog: v1.0.16...v1.0.17
Contributors
omrishiv, harshitkgupta, and 6 other contributors