add option to skip Virtual MCP CRDs and controllers installation

Author: amirejaz

.github/workflows/image-build-and-publish.yml

@@ -103,7 +103,7 @@ jobs:
 
       - name: Extract metadata
         id: meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ env.BASE_REPO }}
           tags: |
@@ -182,7 +182,7 @@ jobs:
 
       - name: Extract UBI metadata
         id: ubi-meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ env.BASE_REPO }}
           tags: |
@@ -283,7 +283,7 @@ jobs:
 
       - name: Extract UBI metadata
         id: ubi-meta
-        uses: docker/metadata-action@318604b99e75e41977312d83839a89be02ca4893 # v5.9.0
+        uses: docker/metadata-action@c299e40c65443455700f0fdfc63efafe5b349051 # v5.10.0
         with:
           images: ${{ env.BASE_REPO }}
           tags: |

.github/workflows/operator-ci.yml

@@ -95,7 +95,7 @@ jobs:
       - name: Check for changes
         id: git-check
         run: |
-          git diff --exit-code deploy/charts/operator-crds/crds || echo "crd-changes=true" >> $GITHUB_OUTPUT
+          git diff --exit-code deploy/charts/operator-crds/crd-files || echo "crd-changes=true" >> $GITHUB_OUTPUT
           git diff --exit-code deploy/charts/operator/templates || echo "operator-changes=true" >> $GITHUB_OUTPUT
 
       - name: Fail if CRDs are not up to date

.github/workflows/test-helm-charts.yml

@@ -34,5 +34,13 @@ jobs:
       - name: Create KIND Cluster
         uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
 
+      - name: Cleanup stale cluster-scoped RBAC before CT install
+        run: |
+          echo "Deleting stale cluster-scoped RBAC to avoid Helm ownership conflicts..."
+          kubectl delete clusterrole toolhive-operator-manager-role --ignore-not-found=true
+          kubectl delete clusterrole toolhive-registry-api-role --ignore-not-found=true
+          kubectl delete clusterrolebinding toolhive-operator-manager-rolebinding --ignore-not-found=true
+          kubectl delete clusterrolebinding toolhive-registry-api-rolebinding --ignore-not-found=true
+
       - name: Run chart-testing (install)
         run: ct install --config ct-install.yaml

.github/workflows/validate-proposal-naming.yml

@@ -37,12 +37,13 @@ jobs:
 
       - name: Validate proposal naming
         run: |
-          # Get the list of changed files in docs/proposals
-          CHANGED_FILES=$(git diff --name-only --diff-filter A origin/${{ github.base_ref }}...HEAD | grep '^docs/proposals/')
+          # Get the list of NEW files added in docs/proposals (not modifications to existing files)
+          CHANGED_FILES=$(git diff --name-only --diff-filter=A origin/${{ github.base_ref }}...HEAD | grep '^docs/proposals/' || true)
 
-          # This is here to avoid errors when running this workflow manually without a PR
+          # Skip validation if no new proposal files are being added
+          # (modifications to existing proposals don't need naming validation)
           if [ -z "$CHANGED_FILES" ]; then
-            echo "ℹ️ No proposal files changed in this PR"
+            echo "ℹ️ No new proposal files added in this PR (only modifications to existing proposals or manual trigger)"
             exit 0
           fi
 

README.md

@@ -1,6 +1,6 @@
 <p float="left">
   <picture>
-    <img src="docs/images/toolhive-icon-1024.png" alt="ToolHive Studio logo" height="100" align="middle" />
+    <img src="docs/images/toolhive-icon-1024.png" alt="ToolHive logo" height="100" align="middle" />
   </picture>
   <picture>
     <source media="(prefers-color-scheme: dark)" srcset="docs/images/toolhive-wordmark-white.png">
@@ -108,7 +108,7 @@ Deploy, run, and manage MCP servers locally or in a Kubernetes cluster with secu
 
 Simplify MCP adoption for developers and knowledge workers across your enterprise
 
-- Cross-platform [desktop app](https://github.com/stacklok/toolhive-studio) and browser-based cloud UI
+- Cross-platform [desktop app](https://github.com/stacklok/toolhive-studio) and browser-based [cloud UI](https://github.com/stacklok/toolhive-cloud-ui)
 - Make it easy for admins to curate MCP servers and tools
 - Automate server discovery
 - Install MCP servers with a single click
@@ -153,7 +153,7 @@ Teams and organizations manage MCP servers and registries centrally using famili
 - Enterprise-grade security and observability: OIDC/OAuth SSO, secure token exchange, audit logging, OpenTelemetry, and Prometheus metrics
 - Hybrid registry server: curate from upstream registries, dynamically register local MCP servers, or proxy trusted remote services
 
-**Get started:** [Quickstart](https://docs.stacklok.com/toolhive/tutorials/quickstart-k8s), [How-to guides](https://docs.stacklok.com/toolhive/guides-k8s), [CRD reference](https://docs.stacklok.com/toolhive/reference/crd-spec), \[Example manifests\](./examples/operator/)
+**Get started:** [Quickstart](https://docs.stacklok.com/toolhive/tutorials/quickstart-k8s), [How-to guides](https://docs.stacklok.com/toolhive/guides-k8s), [CRD reference](https://docs.stacklok.com/toolhive/reference/crd-spec), [Example manifests](./examples/operator/)
 
 ### Hybrid
 
@@ -163,16 +163,21 @@ End users access approved MCP servers through a secure, browser-based cloud UI.
 
 Enterprise teams can also leverage ToolHive to integrate MCP servers into custom internal tools, agentic workflows, or chat-based interfaces, using the same runtime and access controls.
 
+<picture>
+  <source media="(prefers-color-scheme: dark)" srcset="docs/images/toolhive-platform-dark.svg">
+  <img src="docs/images/toolhive-platform-light.svg" alt="ToolHive platform diagram" width="800" style="padding: 20px 0" />
+</picture>
+
 ---
 
 ## Contributing
 
-We welcome contributions and feedback from the community\!
+We welcome contributions and feedback from the community!
 
 - 🐛 [Report issues](https://github.com/stacklok/toolhive/issues)
 - 💬 [Join our Discord](https://discord.gg/stacklok)
 
-If you have ideas, suggestions, or want to get involved, check out our contributing guide or open an issue. Join us in making ToolHive even better\!
+If you have ideas, suggestions, or want to get involved, check out our contributing guide or open an issue. Join us in making ToolHive even better!
 
 Contribute to the CLI, API, and Kubernetes Operator (this repo):
 
@@ -183,6 +188,7 @@ Contribute to the CLI, API, and Kubernetes Operator (this repo):
 Contribute to the UI, registry, and docs:
 
 - 💻 [Desktop UI repository](https://github.com/stacklok/toolhive-studio)
+- ☁️ [Cloud UI repository](https://github.com/stacklok/toolhive-cloud-ui)
 - 📦 [ToolHive registry server repository](https://github.com/stacklok/toolhive-registry-server)
 - 🛠️ [ToolHive's built-in registry](https://github.com/stacklok/toolhive-registry)
 - 📚 [Documentation repository](https://github.com/stacklok/docs-website)

cmd/thv-operator/Taskfile.yml

@@ -184,7 +184,7 @@ tasks:
         platforms: [windows]
         ignore_error: true   # Windows has no mkdir -p, so just ignore error if it exists
       - go install sigs.k8s.io/controller-tools/cmd/controller-gen@v0.17.3
-      - $(go env GOPATH)/bin/controller-gen crd webhook paths="./cmd/thv-operator/..." output:crd:artifacts:config=deploy/charts/operator-crds/crds
+      - $(go env GOPATH)/bin/controller-gen crd webhook paths="./cmd/thv-operator/..." output:crd:artifacts:config=deploy/charts/operator-crds/crd-files
       - $(go env GOPATH)/bin/controller-gen rbac:roleName=toolhive-operator-manager-role paths="./cmd/thv-operator/..." output:rbac:artifacts:config=deploy/charts/operator/templates/clusterrole
 
   operator-test:

cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go

@@ -7,22 +7,33 @@ import (
 // External auth configuration types
 const (
 	// ExternalAuthTypeTokenExchange is the type for RFC-8693 token exchange
-	ExternalAuthTypeTokenExchange = "tokenExchange"
+	ExternalAuthTypeTokenExchange ExternalAuthType = "tokenExchange"
+
+	// ExternalAuthTypeHeaderInjection is the type for custom header injection
+	ExternalAuthTypeHeaderInjection ExternalAuthType = "headerInjection"
 )
 
+// ExternalAuthType represents the type of external authentication
+type ExternalAuthType string
+
 // MCPExternalAuthConfigSpec defines the desired state of MCPExternalAuthConfig.
 // MCPExternalAuthConfig resources are namespace-scoped and can only be referenced by
 // MCPServer resources in the same namespace.
 type MCPExternalAuthConfigSpec struct {
 	// Type is the type of external authentication to configure
-	// +kubebuilder:validation:Enum=tokenExchange
+	// +kubebuilder:validation:Enum=tokenExchange;headerInjection
 	// +kubebuilder:validation:Required
-	Type string `json:"type"`
+	Type ExternalAuthType `json:"type"`
 
 	// TokenExchange configures RFC-8693 OAuth 2.0 Token Exchange
 	// Only used when Type is "tokenExchange"
 	// +optional
 	TokenExchange *TokenExchangeConfig `json:"tokenExchange,omitempty"`
+
+	// HeaderInjection configures custom HTTP header injection
+	// Only used when Type is "headerInjection"
+	// +optional
+	HeaderInjection *HeaderInjectionConfig `json:"headerInjection,omitempty"`
 }
 
 // TokenExchangeConfig holds configuration for RFC-8693 OAuth 2.0 Token Exchange.
@@ -69,6 +80,20 @@ type TokenExchangeConfig struct {
 	ExternalTokenHeaderName string `json:"externalTokenHeaderName,omitempty"`
 }
 
+// HeaderInjectionConfig holds configuration for custom HTTP header injection authentication.
+// This allows injecting a secret-based header value into requests to backend MCP servers.
+// For security reasons, only secret references are supported (no plaintext values).
+type HeaderInjectionConfig struct {
+	// HeaderName is the name of the HTTP header to inject
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	HeaderName string `json:"headerName"`
+
+	// ValueSecretRef references a Kubernetes Secret containing the header value
+	// +kubebuilder:validation:Required
+	ValueSecretRef *SecretKeyRef `json:"valueSecretRef"`
+}
+
 // SecretKeyRef is a reference to a key within a Secret
 type SecretKeyRef struct {
 	// Name is the name of the secret

cmd/thv-operator/api/v1alpha1/mcpregistry_types.go

@@ -392,27 +392,6 @@ func (r *MCPRegistry) GetAPIResourceName() string {
 	return fmt.Sprintf("%s-api", r.Name)
 }
 
-// IsConfigMapRegistrySource returns true if any registry source is a configmap
-func (r *MCPRegistry) IsConfigMapRegistrySource() bool {
-	for _, registry := range r.Spec.Registries {
-		if registry.ConfigMapRef != nil {
-			return true
-		}
-	}
-	return false
-}
-
-// GetConfigMapSourceName returns the name of the first configmap source
-// if present, otherwise returns an empty string
-func (r *MCPRegistry) GetConfigMapSourceName() string {
-	for _, registry := range r.Spec.Registries {
-		if registry.ConfigMapRef != nil {
-			return registry.ConfigMapRef.Name
-		}
-	}
-	return ""
-}
-
 // DeriveOverallPhase determines the overall MCPRegistry phase based on sync and API status
 func (r *MCPRegistry) DeriveOverallPhase() MCPRegistryPhase {
 	syncStatus := r.Status.SyncStatus

cmd/thv-operator/api/v1alpha1/virtualmcpcompositetooldefinition_types.go

@@ -19,10 +19,22 @@ type VirtualMCPCompositeToolDefinitionSpec struct {
 	// +kubebuilder:validation:MinLength=1
 	Description string `json:"description"`
 
-	// Parameters defines the input parameter schema for the workflow
-	// Each key is a parameter name, each value is the parameter specification
+	// Parameters defines the input parameter schema for the workflow in JSON Schema format.
+	// Should be a JSON Schema object with "type": "object" and "properties".
+	// Per MCP specification, this should follow standard JSON Schema for tool inputSchema.
+	// Example:
+	//   {
+	//     "type": "object",
+	//     "properties": {
+	//       "param1": {"type": "string", "default": "value"},
+	//       "param2": {"type": "integer"}
+	//     },
+	//     "required": ["param2"]
+	//   }
 	// +optional
-	Parameters map[string]ParameterSpec `json:"parameters,omitempty"`
+	// +kubebuilder:pruning:PreserveUnknownFields
+	// +kubebuilder:validation:Type=object
+	Parameters *runtime.RawExtension `json:"parameters,omitempty"`
 
 	// Steps defines the workflow step definitions
 	// Steps are executed sequentially in Phase 1
@@ -41,8 +53,7 @@ type VirtualMCPCompositeToolDefinitionSpec struct {
 	// FailureMode defines the failure handling strategy
 	// - abort: Stop execution on first failure (default)
 	// - continue: Continue executing remaining steps
-	// - best_effort: Try all steps, report partial success
-	// +kubebuilder:validation:Enum=abort;continue;best_effort
+	// +kubebuilder:validation:Enum=abort;continue
 	// +kubebuilder:default=abort
 	// +optional
 	FailureMode string `json:"failureMode,omitempty"`

cmd/thv-operator/api/v1alpha1/virtualmcpcompositetooldefinition_webhook.go

@@ -84,12 +84,11 @@ func (r *VirtualMCPCompositeToolDefinition) Validate() error {
 	// Validate failure mode
 	if r.Spec.FailureMode != "" {
 		validModes := map[string]bool{
-			"abort":       true,
-			"continue":    true,
-			"best_effort": true,
+			"abort":    true,
+			"continue": true,
 		}
 		if !validModes[r.Spec.FailureMode] {
-			errors = append(errors, "spec.failureMode must be one of: abort, continue, best_effort")
+			errors = append(errors, "spec.failureMode must be one of: abort, continue")
 		}
 	}
 
@@ -102,59 +101,36 @@ func (r *VirtualMCPCompositeToolDefinition) Validate() error {
 
 // validateParameters validates the parameter schema using JSON Schema validation
 func (r *VirtualMCPCompositeToolDefinition) validateParameters() error {
-	if len(r.Spec.Parameters) == 0 {
+	if r.Spec.Parameters == nil || len(r.Spec.Parameters.Raw) == 0 {
 		return nil // No parameters to validate
 	}
 
-	// Build a JSON Schema object from the parameters
-	// Parameters map to a JSON Schema "properties" object
-	properties := make(map[string]interface{})
-	var required []string
-
-	for paramName, param := range r.Spec.Parameters {
-		if param.Type == "" {
-			return fmt.Errorf("spec.parameters[%s].type is required", paramName)
-		}
-
-		// Build a JSON Schema property definition
-		property := map[string]interface{}{
-			"type": param.Type,
-		}
-
-		if param.Description != "" {
-			property["description"] = param.Description
-		}
-
-		if param.Default != "" {
-			// Parse default value based on type
-			property["default"] = param.Default
-		}
-
-		if param.Required {
-			required = append(required, paramName)
-		}
-
-		properties[paramName] = property
+	// Parameters should be a JSON Schema object in RawExtension format
+	// Unmarshal to validate structure
+	var params map[string]interface{}
+	if err := json.Unmarshal(r.Spec.Parameters.Raw, &params); err != nil {
+		return fmt.Errorf("spec.parameters: invalid JSON: %v", err)
 	}
 
-	// Construct a full JSON Schema document
-	schemaDoc := map[string]interface{}{
-		"type":       "object",
-		"properties": properties,
+	// Validate that it has "type" field
+	typeVal, hasType := params["type"]
+	if !hasType {
+		return fmt.Errorf("spec.parameters: must have 'type' field (should be 'object' for JSON Schema)")
 	}
 
-	if len(required) > 0 {
-		schemaDoc["required"] = required
+	// Type must be a string
+	typeStr, ok := typeVal.(string)
+	if !ok {
+		return fmt.Errorf("spec.parameters: 'type' field must be a string")
 	}
 
-	// Marshal to JSON
-	schemaJSON, err := json.Marshal(schemaDoc)
-	if err != nil {
-		return fmt.Errorf("spec.parameters: failed to marshal schema: %v", err)
+	// Type should be "object" for parameter schemas
+	if typeStr != "object" {
+		return fmt.Errorf("spec.parameters: 'type' must be 'object' (got '%s')", typeStr)
 	}
 
 	// Validate using JSON Schema validator
-	if err := validateJSONSchema(schemaJSON); err != nil {
+	if err := validateJSONSchema(r.Spec.Parameters.Raw); err != nil {
 		return fmt.Errorf("spec.parameters: invalid JSON Schema: %v", err)
 	}