feat(metamcp): support secret-backed remote urls

masterkain · masterkain · commit 9a55ba686659 · 2026-04-04T11:47:33.000+02:00
diff --git a/charts/metamcp/Chart.yaml b/charts/metamcp/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: metamcp
 description: MetaMCP aggregator Helm chart for Kubernetes
 type: application
-version: 0.3.4
+version: 0.3.5
 appVersion: "2.4.22"
 icon: https://icoretech.github.io/helm/charts/metamcp/logo.png
 keywords:
diff --git a/charts/metamcp/README.md b/charts/metamcp/README.md
@@ -38,7 +38,7 @@ Declare everything under `provision.*`:
 - Servers:
   - `type: STDIO` → MetaMCP spawns the process inside its container using `command` + `args` (+ optional `env`). Ensure the MetaMCP image contains the required runtime (e.g., Node/PNPM/NPM or Python/uv).
   - `type: STREAMABLE_HTTP` or `SSE`:
-    - remote: provide `url` (no Pod is created here) + optional `bearerToken`/`headers`.
+    - remote: provide `url` or `urlFrom` (no Pod is created here) + optional `bearerToken`/`headers`.
     - deploy: provide one of `node`/`python`/`image` and optionally `port` (defaults to `3001`);
       the chart creates a Deployment/Service and auto‑derives the URL for registration.
 - Namespaces: group servers by name.
@@ -228,6 +228,19 @@ provision:
             name: metamcp-icoretech-airbroke-headers
 ```
 
+Secret-backed remote URL (Windmill):
+
+```yaml
+provision:
+  enabled: true
+  servers:
+    - name: windmill-icoretech
+      type: SSE
+      urlFrom:
+        - secretRef:
+            name: metamcp-windmill-icoretech-url
+```
+
 ## Configuration reference
 
 <!-- markdownlint-disable MD013 -->
diff --git a/charts/metamcp/README.md.gotmpl b/charts/metamcp/README.md.gotmpl
@@ -38,7 +38,7 @@ Declare everything under `provision.*`:
 - Servers:
   - `type: STDIO` → MetaMCP spawns the process inside its container using `command` + `args` (+ optional `env`). Ensure the MetaMCP image contains the required runtime (e.g., Node/PNPM/NPM or Python/uv).
   - `type: STREAMABLE_HTTP` or `SSE`:
-    - remote: provide `url` (no Pod is created here) + optional `bearerToken`/`headers`.
+    - remote: provide `url` or `urlFrom` (no Pod is created here) + optional `bearerToken`/`headers`.
     - deploy: provide one of `node`/`python`/`image` and optionally `port` (defaults to `3001`);
       the chart creates a Deployment/Service and auto‑derives the URL for registration.
 - Namespaces: group servers by name.
@@ -228,6 +228,19 @@ provision:
             name: metamcp-icoretech-airbroke-headers
 ```
 
+Secret-backed remote URL (Windmill):
+
+```yaml
+provision:
+  enabled: true
+  servers:
+    - name: windmill-icoretech
+      type: SSE
+      urlFrom:
+        - secretRef:
+            name: metamcp-windmill-icoretech-url
+```
+
 ## Configuration reference
 
 <!-- markdownlint-disable MD013 -->
diff --git a/charts/metamcp/ci/urlfrom-values.yaml b/charts/metamcp/ci/urlfrom-values.yaml
@@ -0,0 +1,13 @@
+users:
+  - email: admin@example.com
+    name: Admin
+    password: change-me
+
+provision:
+  enabled: true
+  servers:
+    - name: windmill-icoretech
+      type: SSE
+      urlFrom:
+        - secretRef:
+            name: metamcp-windmill-icoretech-url
diff --git a/charts/metamcp/scripts/provision.py b/charts/metamcp/scripts/provision.py
@@ -73,6 +73,22 @@ def merge_refs(refs):
             merged.update({k: str(v) for k, v in k8s_get_configmap_data(src['configMapRef']['name']).items()})
     return merged
 
+def resolve_remote_url(server):
+    desired_url = server.get('url')
+    if server.get('urlFrom'):
+        desired_url = merge_refs(server.get('urlFrom') or []).get('url') or desired_url
+    if desired_url:
+        return desired_url
+    base = server.get('serviceBase')
+    if base:
+        suffix = '/mcp' if server['type'] == 'STREAMABLE_HTTP' else '/sse'
+        if base.startswith('http://') or base.startswith('https://'):
+            return base + suffix
+        return 'http://' + base + suffix
+    raise RuntimeError(
+        f"server {server.get('name')}: remote server requires url, urlFrom[url], or a deployable serviceBase"
+    )
+
 def load_managed_state():
     data = k8s_get_configmap_data(STATE_CONFIGMAP)
     state = {key: set() for key in STATE_KEYS}
@@ -374,42 +390,33 @@ def delete_server(name, servers_by_name):
     desired_url = None
     desired_headers = None
     if st in ('SSE','STREAMABLE_HTTP'):
-        desired_url = s.get('url')
+        desired_url = resolve_remote_url(s)
         header_map = {}
         if s.get('headers') and isinstance(s['headers'], dict):
             header_map.update({k:str(v) for k,v in s['headers'].items()})
         if s.get('headersFrom'):
             header_map.update(merge_refs(s.get('headersFrom') or []))
         if header_map or s.get('headersFrom'):
             desired_headers = header_map
-        if not desired_url:
-            base = s.get('serviceBase')
-            if base:
-                suffix = '/mcp' if st=='STREAMABLE_HTTP' else '/sse'
-                # ensure scheme
-                if base.startswith('http://') or base.startswith('https://'):
-                    desired_url = base + suffix
-                else:
-                    desired_url = 'http://' + base + suffix
-            # proactive readiness for deployed servers
-            if base:
-                try:
-                    hostport = base.split('://')[-1]
-                    host, port = hostport.split(':')[0], int(hostport.split(':')[1])
-                except Exception:
-                    host, port = None, None
-                if host and port:
-                    log(f"[ready] waiting tcp {host}:{port} …")
-                    max_tries = 8
-                    ok = False
-                    for _ in range(max_tries):
-                        try:
-                            with socket.create_connection((host, port), timeout=1.5):
-                                ok = True
-                                break
-                        except Exception:
-                            time.sleep(1)
-                    log(f"[ready] tcp {host}:{port} -> {'ok' if ok else 'timeout'}")
+        base = s.get('serviceBase')
+        if base:
+            try:
+                hostport = base.split('://')[-1]
+                host, port = hostport.split(':')[0], int(hostport.split(':')[1])
+            except Exception:
+                host, port = None, None
+            if host and port:
+                log(f"[ready] waiting tcp {host}:{port} …")
+                max_tries = 8
+                ok = False
+                for _ in range(max_tries):
+                    try:
+                        with socket.create_connection((host, port), timeout=1.5):
+                            ok = True
+                            break
+                    except Exception:
+                        time.sleep(1)
+                log(f"[ready] tcp {host}:{port} -> {'ok' if ok else 'timeout'}")
         if desired_url:
             body['url'] = desired_url
         if s.get('bearerToken'):
diff --git a/charts/metamcp/scripts/test-render.sh b/charts/metamcp/scripts/test-render.sh
@@ -20,3 +20,11 @@ if ! rg -q '"headersFrom":\[\{"secretRef":\{"name":"metamcp-icoretech-airbroke-h
   sed -n '1,220p' "$OUT" >&2
   exit 1
 fi
+
+helm template t "$CHART" -f "$ROOT/ci/urlfrom-values.yaml" >"$OUT"
+
+if ! rg -q '"urlFrom":\[\{"secretRef":\{"name":"metamcp-windmill-icoretech-url"\}\}\]' "$OUT"; then
+  echo "expected provision.json to preserve urlFrom secret refs for remote servers" >&2
+  sed -n '1,220p' "$OUT" >&2
+  exit 1
+fi
diff --git a/charts/metamcp/templates/provision-config.yaml b/charts/metamcp/templates/provision-config.yaml
@@ -21,6 +21,7 @@ data:
       {{- /* Build server dict for the job, including STDIO env sources */ -}}
       {{- $item := dict "name" $name "enabled" (default true $s.enabled) "type" $s.type "url" $s.url "bearerToken" $s.bearerToken "headers" ($s.headers | default (dict)) "command" ($s.command | default "") "args" ($s.args | default (list)) "env" ($s.env | default (dict)) -}}
       {{- if (hasKey $s "envFrom") }}{{- $_ := set $item "envFrom" ($s.envFrom | default (list)) -}}{{- end -}}
+      {{- if (hasKey $s "urlFrom") }}{{- $_ := set $item "urlFrom" ($s.urlFrom | default (list)) -}}{{- end -}}
       {{- if (hasKey $s "headersFrom") }}{{- $_ := set $item "headersFrom" ($s.headersFrom | default (list)) -}}{{- end -}}
       {{- if $hasDeploy }}{{- $_ := set $item "serviceBase" $svcBase -}}{{- end -}}
       {{- $outServers = append $outServers $item -}}
diff --git a/charts/metamcp/values.schema.json b/charts/metamcp/values.schema.json
@@ -80,6 +80,7 @@
               "enabled": { "type": "boolean", "default": true },
               "type": { "type": "string", "enum": ["SSE", "STREAMABLE_HTTP", "STDIO"] },
               "url": { "type": ["string","null"] },
+              "urlFrom": { "type": "array", "items": { "type": "object" } },
               "bearerToken": { "type": "string" },
               "headers": { "type": "object", "additionalProperties": { "type": "string" } },
               "headersFrom": { "type": "array", "items": { "type": "object" } },
diff --git a/charts/metamcp/values.yaml b/charts/metamcp/values.yaml
@@ -154,6 +154,12 @@ provision:
   #   headersFrom:
   #     - secretRef:
   #         name: errbit-mcp-headers
+  # - name: windmill
+  #   enabled: true
+  #   type: SSE
+  #   urlFrom:
+  #     - secretRef:
+  #         name: windmill-mcp-url
 
   # namespaces: list of { name, servers: [<server-names>] }
   namespaces: []
