Deploy ToolHive Operator into OpenShift (#1063)

    * Update helm chart resources and seccompProfile type values for OKD environment.
    * Update MCPServer Deployment with check for XDG_CONFIG_HOME and HOME env vars being set.
    * Add PlatformDetector interface with detection implementation for Kubernetes and OpenShift.
    * Update behaviour of tests now requiring in cluster to skip locally.

Signed-off-by: Roddie Kieley <[email protected]>
Co-authored-by: Cursor o3 <[email protected]>
Co-authored-by: Cursor claude-4 <[email protected]>

Author: RoddieKieley

cmd/thv-operator/controllers/mcpserver_controller.go

@@ -556,6 +556,8 @@ func (r *MCPServerReconciler) deploymentForMCPServer(m *mcpv1alpha1.MCPServer) *
 		}
 	}
 
+	env = ensureRequiredEnvVars(env)
+
 	dep := &appsv1.Deployment{
 		ObjectMeta: metav1.ObjectMeta{
 			Name:        m.Name,
@@ -625,6 +627,36 @@ func (r *MCPServerReconciler) deploymentForMCPServer(m *mcpv1alpha1.MCPServer) *
 	return dep
 }
 
+func ensureRequiredEnvVars(env []corev1.EnvVar) []corev1.EnvVar {
+	// Check for the existence of the XDG_CONFIG_HOME and HOME environment variables
+	// and set them to /tmp if they don't exist
+	xdgConfigHomeFound := false
+	homeFound := false
+	for _, envVar := range env {
+		if envVar.Name == "XDG_CONFIG_HOME" {
+			xdgConfigHomeFound = true
+		}
+		if envVar.Name == "HOME" {
+			homeFound = true
+		}
+	}
+	if !xdgConfigHomeFound {
+		logger.Debugf("XDG_CONFIG_HOME not found, setting to /tmp")
+		env = append(env, corev1.EnvVar{
+			Name:  "XDG_CONFIG_HOME",
+			Value: "/tmp",
+		})
+	}
+	if !homeFound {
+		logger.Debugf("HOME not found, setting to /tmp")
+		env = append(env, corev1.EnvVar{
+			Name:  "HOME",
+			Value: "/tmp",
+		})
+	}
+	return env
+}
+
 func createServiceName(mcpServerName string) string {
 	return fmt.Sprintf("mcp-%s-proxy", mcpServerName)
 }
@@ -822,20 +854,9 @@ func deploymentNeedsUpdate(deployment *appsv1.Deployment, mcpServer *mcpv1alpha1
 			return true
 		}
 
-		// Check if the tools filter has changed
-		if mcpServer.Spec.ToolsFilter == nil {
-			for _, arg := range container.Args {
-				if strings.HasPrefix(arg, "--tools=") {
-					return true
-				}
-			}
-		} else {
-			slices.Sort(mcpServer.Spec.ToolsFilter)
-			toolsFilterArg := fmt.Sprintf("--tools=%s", strings.Join(mcpServer.Spec.ToolsFilter, ","))
-			found = slices.Contains(container.Args, toolsFilterArg)
-			if !found {
-				return true
-			}
+		// Check if the tools filter has changed (order-independent)
+		if !equalToolsFilter(mcpServer.Spec.ToolsFilter, container.Args) {
+			return true
 		}
 
 		// Check if the pod template spec has changed
@@ -890,6 +911,8 @@ func deploymentNeedsUpdate(deployment *appsv1.Deployment, mcpServer *mcpv1alpha1
 				})
 			}
 		}
+		// Add default environment variables that are always injected
+		expectedProxyEnv = ensureRequiredEnvVars(expectedProxyEnv)
 		if !reflect.DeepEqual(container.Env, expectedProxyEnv) {
 			return true
 		}
@@ -952,8 +975,10 @@ func deploymentNeedsUpdate(deployment *appsv1.Deployment, mcpServer *mcpv1alpha1
 	}
 
 	// Check if the service account name has changed
+	// ServiceAccountName: treat empty (not yet set) as equal to the expected default
 	expectedServiceAccountName := proxyRunnerServiceAccountName(mcpServer.Name)
-	if deployment.Spec.Template.Spec.ServiceAccountName != expectedServiceAccountName {
+	currentServiceAccountName := deployment.Spec.Template.Spec.ServiceAccountName
+	if currentServiceAccountName != "" && currentServiceAccountName != expectedServiceAccountName {
 		return true
 	}
 
@@ -1568,3 +1593,38 @@ func (r *MCPServerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Owns(&corev1.Service{}).
 		Complete(r)
 }
+
+// equalToolsFilter returns true when the desired toolsFilter slice and the
+// currently-applied `--tools=` argument in the container args represent the
+// same unordered set of tools.
+func equalToolsFilter(spec []string, args []string) bool {
+	// Build canonical form for spec
+	specCanon := canonicalToolsList(spec)
+
+	// Extract current tools argument (if any) from args
+	var currentArg string
+	for _, a := range args {
+		if strings.HasPrefix(a, "--tools=") {
+			currentArg = strings.TrimPrefix(a, "--tools=")
+			break
+		}
+	}
+
+	if specCanon == "" && currentArg == "" {
+		return true // both unset/empty
+	}
+
+	// Canonicalise current list
+	currentCanon := canonicalToolsList(strings.Split(strings.TrimSpace(currentArg), ","))
+	return specCanon == currentCanon
+}
+
+// canonicalToolsList sorts a slice and joins it with commas; empty slice yields "".
+func canonicalToolsList(list []string) string {
+	if len(list) == 0 || (len(list) == 1 && list[0] == "") {
+		return ""
+	}
+	cp := slices.Clone(list)
+	slices.Sort(cp)
+	return strings.Join(cp, ",")
+}

cmd/thv-operator/controllers/mcpserver_resource_overrides_test.go

@@ -288,14 +288,18 @@ func TestResourceOverrides(t *testing.T) {
 				var expectedEnvVars map[string]string
 				if tt.name == "with proxy environment variables" {
 					expectedEnvVars = map[string]string{
-						"HTTP_PROXY": "http://proxy.example.com:8080",
-						"NO_PROXY":   "localhost,127.0.0.1",
-						"CUSTOM_ENV": "custom-value",
+						"HTTP_PROXY":      "http://proxy.example.com:8080",
+						"NO_PROXY":        "localhost,127.0.0.1",
+						"CUSTOM_ENV":      "custom-value",
+						"XDG_CONFIG_HOME": "/tmp",
+						"HOME":            "/tmp",
 					}
 				} else {
 					expectedEnvVars = map[string]string{
 						"LOG_LEVEL":       "debug",
 						"METRICS_ENABLED": "true",
+						"XDG_CONFIG_HOME": "/tmp",
+						"HOME":            "/tmp",
 					}
 				}
 
@@ -374,8 +378,9 @@ func TestDeploymentNeedsUpdateServiceAccount(t *testing.T) {
 			Namespace: "default",
 		},
 		Spec: mcpv1alpha1.MCPServerSpec{
-			Image: "test-image",
-			Port:  8080,
+			Image:     "test-image",
+			Port:      8080,
+			Transport: "stdio",
 		},
 	}
 
@@ -634,6 +639,7 @@ func TestDeploymentNeedsUpdateToolsFilter(t *testing.T) {
 				Spec: mcpv1alpha1.MCPServerSpec{
 					Image:       "test-image",
 					Port:        8080,
+					Transport:   "stdio",
 					ToolsFilter: tt.initialToolsFilter,
 				},
 			}

deploy/charts/operator/values.yaml

@@ -42,13 +42,14 @@ operator:
   # -- Pod security context settings
   podSecurityContext:
     runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
 
   # -- Container security context settings for the operator
   containerSecurityContext:
     allowPrivilegeEscalation: false
     readOnlyRootFilesystem: true
     runAsNonRoot: true
-    runAsUser: 1000
     capabilities:
       drop:
       - ALL
@@ -85,10 +86,10 @@ operator:
   resources:
     limits:
       cpu: 500m
-      memory: 128Mi
+      memory: 384Mi
     requests:
       cpu: 10m
-      memory: 64Mi
+      memory: 192Mi
 
   # -- RBAC configuration for the operator
   rbac:

pkg/container/kubernetes/client.go

@@ -246,17 +246,31 @@ func (c *Client) DeployWorkload(ctx context.Context,
 	}
 
 	// Ensure the pod template has required configuration (labels, etc.)
-	podTemplateSpec = ensurePodTemplateConfig(podTemplateSpec, containerLabels)
+	// Get a config to talk to the apiserver
+	cfg, err := rest.InClusterConfig()
+	if err != nil {
+		return 0, fmt.Errorf("error getting in-cluster config for APIServer: %w", err)
+	}
+
+	// Detect platform type
+	platformDetector := NewDefaultPlatformDetector()
+	platform, err := platformDetector.DetectPlatform(cfg)
+	if err != nil {
+		return 0, fmt.Errorf("can't determine api server type: %w", err)
+	}
+
+	podTemplateSpec = ensurePodTemplateConfig(podTemplateSpec, containerLabels, platform)
 
 	// Configure the MCP container
-	err := configureMCPContainer(
+	err = configureMCPContainer(
 		podTemplateSpec,
 		image,
 		command,
 		attachStdio,
 		envVarList,
 		transportType,
 		options,
+		platform,
 	)
 	if err != nil {
 		return 0, err
@@ -891,6 +905,7 @@ func createPodTemplateFromPatch(patchJSON string) (*corev1apply.PodTemplateSpecA
 func ensurePodTemplateConfig(
 	podTemplateSpec *corev1apply.PodTemplateSpecApplyConfiguration,
 	containerLabels map[string]string,
+	platform Platform,
 ) *corev1apply.PodTemplateSpecApplyConfiguration {
 	podTemplateSpec = ensureObjectMetaApplyConfigurationExists(podTemplateSpec)
 	// Ensure the pod template has labels
@@ -940,6 +955,31 @@ func ensurePodTemplateConfig(
 			podTemplateSpec.Spec.SecurityContext = podTemplateSpec.Spec.SecurityContext.WithRunAsGroup(int64(1000))
 		}
 	}
+
+	if platform == PlatformOpenShift {
+		if podTemplateSpec.Spec.SecurityContext.RunAsUser != nil {
+			podTemplateSpec.Spec.SecurityContext.RunAsUser = nil
+		}
+
+		if podTemplateSpec.Spec.SecurityContext.RunAsGroup != nil {
+			podTemplateSpec.Spec.SecurityContext.RunAsGroup = nil
+		}
+
+		if podTemplateSpec.Spec.SecurityContext.FSGroup != nil {
+			podTemplateSpec.Spec.SecurityContext.FSGroup = nil
+		}
+
+		if podTemplateSpec.Spec.SecurityContext.SeccompProfile == nil {
+			podTemplateSpec.Spec.SecurityContext.SeccompProfile =
+				corev1apply.SeccompProfile().WithType(
+					corev1.SeccompProfileTypeRuntimeDefault)
+		} else {
+			podTemplateSpec.Spec.SecurityContext.SeccompProfile =
+				podTemplateSpec.Spec.SecurityContext.SeccompProfile.WithType(
+					corev1.SeccompProfileTypeRuntimeDefault)
+		}
+	}
+
 	return podTemplateSpec
 }
 
@@ -985,7 +1025,18 @@ func configureContainer(
 	command []string,
 	attachStdio bool,
 	envVars []*corev1apply.EnvVarApplyConfiguration,
+	platform Platform,
 ) {
+	logger.Infof("Configuring container %s with image %s", *container.Name, image)
+	logger.Infof("Command: ")
+	for _, arg := range command {
+		logger.Infof("Arg: %s", arg)
+	}
+	logger.Infof("AttachStdio: %v", attachStdio)
+	for _, envVar := range envVars {
+		logger.Infof("EnvVar: %s=%s", *envVar.Name, *envVar.Value)
+	}
+
 	container.WithImage(image).
 		WithArgs(command...).
 		WithStdin(attachStdio).
@@ -1029,6 +1080,34 @@ func configureContainer(
 			container.SecurityContext = container.SecurityContext.WithAllowPrivilegeEscalation(false)
 		}
 	}
+
+	if platform == PlatformOpenShift {
+		logger.Infof("Setting OpenShift security context requirements to container %s", *container.Name)
+
+		if container.SecurityContext.RunAsUser != nil {
+			container.SecurityContext.RunAsUser = nil
+		}
+
+		if container.SecurityContext.RunAsGroup != nil {
+			container.SecurityContext.RunAsGroup = nil
+		}
+
+		if container.SecurityContext.SeccompProfile == nil {
+			container.SecurityContext.SeccompProfile =
+				corev1apply.SeccompProfile().WithType(
+					corev1.SeccompProfileTypeRuntimeDefault)
+		} else {
+			container.SecurityContext.SeccompProfile =
+				container.SecurityContext.SeccompProfile.WithType(
+					corev1.SeccompProfileTypeRuntimeDefault)
+		}
+
+		if container.SecurityContext.Capabilities == nil {
+			container.SecurityContext.Capabilities = &corev1apply.CapabilitiesApplyConfiguration{
+				Drop: []corev1.Capability{"ALL"},
+			}
+		}
+	}
 }
 
 // configureMCPContainer configures the MCP container in the pod template
@@ -1040,6 +1119,7 @@ func configureMCPContainer(
 	envVarList []*corev1apply.EnvVarApplyConfiguration,
 	transportType string,
 	options *runtime.DeployWorkloadOptions,
+	platform Platform,
 ) error {
 	// Get the "mcp" container if it exists
 	mcpContainer := getMCPContainer(podTemplateSpec)
@@ -1049,7 +1129,7 @@ func configureMCPContainer(
 		mcpContainer = corev1apply.Container().WithName("mcp")
 
 		// Configure the container
-		configureContainer(mcpContainer, image, command, attachStdio, envVarList)
+		configureContainer(mcpContainer, image, command, attachStdio, envVarList, platform)
 
 		// Configure ports if needed
 		if options != nil && transportType == string(transtypes.TransportTypeSSE) {
@@ -1064,7 +1144,7 @@ func configureMCPContainer(
 		podTemplateSpec.Spec.WithContainers(mcpContainer)
 	} else {
 		// Configure the existing container
-		configureContainer(mcpContainer, image, command, attachStdio, envVarList)
+		configureContainer(mcpContainer, image, command, attachStdio, envVarList, platform)
 
 		// Configure ports if needed
 		if options != nil && transportType == string(transtypes.TransportTypeSSE) {