chore(deps): update dependency stacklok/toolhive to v0.23.1

[renovate]

This PR contains the following updates:

Package	Update	Change
stacklok/toolhive	minor	v0.22.0 → v0.23.1

---

Release Notes

stacklok/toolhive (stacklok/toolhive)

v0.23.1

Compare Source

What's Changed

• Propagate auth errors through stale cache fallback by @​reyortiz3 in #​4981
• Unify docs-website release pipeline: new assets + retire dispatch chain by @​rdimitrov in #​4982
• Add advisory CRD schema compatibility CI check by @​ChrisJBurns in #​4980
• Release v0.23.1 by @​stacklokbot in #​4985

Full Changelog: stacklok/toolhive@v0.23.0...v0.23.1

v0.23.0

Compare Source

🚀 Toolhive v0.23.0 is live!

A milestone release: ToolHive's CRD API graduates from v1alpha1 to v1beta1, signaling API stability — with a zero-downtime upgrade path that keeps existing v1alpha1 resources working untouched. Two targeted operator bug fixes round out the release.

🔄 Deprecations

• toolhive.stacklok.dev/v1alpha1 deprecated in favour of toolhive.stacklok.dev/v1beta1 — will be removed in a future release (#​4849). Both versions are served simultaneously; existing resources continue to work untouched. kubectl now prints a deprecation warning on every access to a v1alpha1 resource — migrate manifests to apiVersion: toolhive.stacklok.dev/v1beta1 at your own pace.

Migration guide: CRD graduation to v1beta1

All 12 ToolHive CRD kinds (MCPServer, MCPGroup, MCPRegistry, MCPRemoteProxy, MCPToolConfig, MCPExternalAuthConfig, VirtualMCPServer, VirtualMCPGroup, VirtualMCPCompositeToolDefinition, and their peers) are now served at both v1alpha1 and v1beta1. The schemas are identical — only the version string differs — so there is no data-format migration to perform.

Who is affected: anyone with manifests pinned to apiVersion: toolhive.stacklok.dev/v1alpha1.

Before

apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPServer
metadata:
  name: my-server
spec:
  # ...

After

apiVersion: toolhive.stacklok.dev/v1beta1
kind: MCPServer
metadata:
  name: my-server
spec:
  # ...

Migration steps

1. Upgrade the operator and CRDs charts to v0.23.0 — no resource deletion or recreation is required. All existing v1alpha1 resources survive the upgrade with unchanged Deployment UIDs.
2. Update your manifests to use apiVersion: toolhive.stacklok.dev/v1beta1 and re-apply them. Kubernetes stores the new version in etcd; the object's status.storedVersions will advance to include v1beta1.
3. Once all stored objects have been re-applied at v1beta1, a future release will drop the v1alpha1 entry from the CRDs. Migrate at your convenience before then.

PR: #​4849 — Closes #​2556

🆕 New Features

• CRDs now serve toolhive.stacklok.dev/v1beta1 as the storage version, with v1alpha1 kept served-and-deprecated for zero-downtime upgrades (#​4849).
• Server-scoped Cedar policies like resource in MCP::"<server-name>" now work — resource entities (Tool, Prompt, Resource) carry the MCP server as a parent UID so Cedar's in operator can traverse the hierarchy (#​4965).

🐛 Bug Fixes

• MCPExternalAuthConfig upstream providers with redirectUri omitted now get the documented {resourceUrl}/oauth/callback default applied by the operator, instead of failing at runtime with redirect_uri is required. Applies to both MCPServer and VirtualMCPServer flows (#​4905).

Full commit log

What's Changed

• Set MCP parent on resource entities for server-scoped policies by @​jhrozhttps://github.com/stacklok/toolhive/pull/4965l/4965
• Default redirectUri on upstream providers as documented in CRD by @​tgrunnaghttps://github.com/stacklok/toolhive/pull/4905l/4905
• Graduate CRDs from v1alpha1 to v1beta1 by @​ChrisJBurhttps://github.com/stacklok/toolhive/pull/4849l/4849
• Release v0.23.0 by @​stacklokbhttps://github.com/stacklok/toolhive/pull/4973l/4973

🔗 Full changelog: stacklok/toolhive@v0.22.0...v0.23.0

---

Configuration

📅 Schedule: (in timezone Europe/London)

• Branch creation
  • ""
• Automerge
  • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.