Skip to content

adds a ServiceAccount attribute to the MCPServer CRD #1453

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 6 commits into from
Aug 18, 2025
Merged

adds a ServiceAccount attribute to the MCPServer CRD #1453

merged 6 commits into from
Aug 18, 2025

Conversation

ChrisJBurns
Copy link
Collaborator

@ChrisJBurns ChrisJBurns commented Aug 15, 2025
edited
Loading

As part of #654, we want to be able to create dedicated ServiceAccount's for MCP servers instead of sharing the ToolHive ProxyRunner ServiceAccount. This PR adds the serviceAccount attribute to the MCPServer CRD and bumps the CRD Helm Chart version.

The idea is that if a ServiceAccount name is given in the MCPServer CR, ToolHive Operator will create the MCP Server pods to use it. Otherwise if the field is omitted from the MCPServer CR, the ToolHive Operator will create the ServiceAccount automatically.

Changes Breakdown

  • ServiceAccount CRD attribute addition
  • Additional RBAC resource logic that creates the ServiceAccount if not specified in the CR, or to use it if it is specified
  • The podTemplateSpec generation logic has been refactored. Instead of directly producing the patch sent to the ProxyRunner via the --k8s-pod-patch flag, we now use a dedicated MCPServerPodTemplateSpecBuilder. This builder uses .With[FieldName] methods to construct the template spec dynamically, allowing for more complex configurations in the future. The change also makes testing easier, podTemplateSpec creation can now be validated directly through the mcpserver_podtemplatespec_builder_test.go unit tests, rather than indirectly via higher-level stack functions.
  • Added the serviceAccount test expectations to the Chainsaw E2E tests.

Ref: #654

@ChrisJBurns
adds serviceAccount field
ed02922 
Signed-off-by: ChrisJBurns <[email protected]>
@ChrisJBurns
updates description of service account field
f12e869 
Signed-off-by: ChrisJBurns <[email protected]>
@ChrisJBurns
typo
a8ad043 
Signed-off-by: ChrisJBurns <[email protected]>
jhrozek
jhrozek previously approved these changes Aug 15, 2025
View reviewed changes
Copy link
Contributor

@jhrozek jhrozek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

awesome, this will make e.g. the vault integration much more streamlined

@ChrisJBurns ChrisJBurns changed the title adds a ServiceAccount attribute to the MCPServer CRD adds a ServiceAccount attribute to the MCPServer CRD Aug 15, 2025
JAORMX
JAORMX previously approved these changes Aug 15, 2025
View reviewed changes
@ChrisJBurns
lint and crd docs
afc969d 
Signed-off-by: ChrisJBurns <[email protected]>
@JAORMX JAORMX merged commit b64030e into main Aug 18, 2025
30 checks passed
@JAORMX JAORMX deleted the adds-sa-crd-attribute branch August 18, 2025 12:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@JAORMX JAORMX JAORMX approved these changes

@jhrozek jhrozek jhrozek approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ChrisJBurns @JAORMX @jhrozek