Update module github.com/stacklok/toolhive to v0.21.0 #125

Merged
jhrozek merged 1 commit into main from renovate/github.com-stacklok-toolhive-0.x
Apr 17, 2026
Conversation

Contributor

@renovate renovate bot commented Apr 16, 2026

This PR contains the following updates:

Package Change Age Confidence
github.com/stacklok/toolhive v0.20.0 -> v0.21.0 age confidence

Release Notes

stacklok/toolhive (github.com/stacklok/toolhive)

v0.21.0

🚀 ToolHive v0.21.0 is live!

This release removes deprecated CRD fields ahead of v1beta1 API promotion, adds Cedar role-based authorization support, introduces new registry API endpoints, and fixes several bugs including OTLP endpoint path encoding and operator reconcile loops.

⚠️ Breaking Changes

  • Inline telemetry field removed from MCPServer and MCPRemoteProxy — manifests using spec.telemetry must migrate to telemetryConfigRef with an MCPTelemetryConfig resource (migration guide)
  • Inline oidcConfig field removed from MCPServer and MCPRemoteProxy — manifests using spec.oidcConfig must migrate to oidcConfigRef with an MCPOIDCConfig resource (migration guide)
  • Inline incomingAuth.oidcConfig removed from VirtualMCPServer — manifests using spec.incomingAuth.oidcConfig must migrate to oidcConfigRef (migration guide)
  • config.groupRef fallback and external_auth_config_ref enum removed — VirtualMCPServer now requires spec.groupRef and the snake_case enum value is gone (migration guide)
  • thv group run no longer supports registry-based groups — use thv group create and thv run --group instead (migration guide)

Migration guide: Inline telemetry field removal

Affects any MCPServer, MCPRemoteProxy, or VirtualMCPServer manifest using the inline spec.telemetry block. The TelemetryConfig and OpenTelemetryConfig CRD types are also removed.

Before

apiVersion: toolhive.stacklok.com/v1alpha1
kind: MCPServer
metadata:
  name: my-server
spec:
  telemetry:
    openTelemetry:
      enabled: true
      endpoint: "http://otel-collector:4318"
      serviceName: "my-server"

After

apiVersion: toolhive.stacklok.com/v1alpha1
kind: MCPTelemetryConfig
metadata:
  name: my-telemetry
spec:
  openTelemetry:
    enabled: true
    endpoint: "http://otel-collector:4318"
---
apiVersion: toolhive.stacklok.com/v1alpha1
kind: MCPServer
metadata:
  name: my-server
spec:
  telemetryConfigRef:
    name: my-telemetry
    serviceName: "my-server"

Migration steps
  1. Create an MCPTelemetryConfig resource with your existing telemetry settings
  2. Replace spec.telemetry with spec.telemetryConfigRef.name pointing to the new resource
  3. Apply both resources — the MCPTelemetryConfig can be shared across multiple servers

PR: #​4819 — Part of #​4827

Migration guide: Inline oidcConfig removal (MCPServer / MCPRemoteProxy)

Affects any MCPServer or MCPRemoteProxy manifest using the inline spec.oidcConfig field.

Before

apiVersion: toolhive.stacklok.com/v1alpha1
kind: MCPServer
metadata:
  name: my-server
spec:
  oidcConfig:
    type: kubernetes
    kubernetes:
      issuer: "https://idp.example.com"
      audience: "my-audience"

After

apiVersion: toolhive.stacklok.com/v1alpha1
kind: MCPOIDCConfig
metadata:
  name: my-oidc
spec:
  type: kubernetesServiceAccount
  kubernetesServiceAccount:
    issuer: "https://idp.example.com"
---
apiVersion: toolhive.stacklok.com/v1alpha1
kind: MCPServer
metadata:
  name: my-server
spec:
  oidcConfigRef:
    name: my-oidc
    audience: "my-audience"

Migration steps
  1. Create an MCPOIDCConfig resource with your existing OIDC settings
  2. Replace spec.oidcConfig with spec.oidcConfigRef.name pointing to the new resource
  3. Apply both resources — the MCPOIDCConfig can be shared across multiple servers

PR: #​4820 — Closes #​4829

Migration guide: Inline oidcConfig removal (VirtualMCPServer)

Affects any VirtualMCPServer manifest using spec.incomingAuth.oidcConfig.

Before

apiVersion: toolhive.stacklok.com/v1alpha1
kind: VirtualMCPServer
metadata:
  name: my-vmcp
spec:
  incomingAuth:
    type: oidc
    oidcConfig:
      type: kubernetes
      kubernetes:
        issuer: "https://idp.example.com"
        audience: "my-audience"

After

apiVersion: toolhive.stacklok.com/v1alpha1
kind: MCPOIDCConfig
metadata:
  name: my-oidc
spec:
  type: kubernetesServiceAccount
  kubernetesServiceAccount:
    issuer: "https://idp.example.com"
---
apiVersion: toolhive.stacklok.com/v1alpha1
kind: VirtualMCPServer
metadata:
  name: my-vmcp
spec:
  incomingAuth:
    type: oidc
    oidcConfigRef:
      name: my-oidc
      audience: "my-audience"

Migration steps
  1. Create an MCPOIDCConfig resource with your existing OIDC settings
  2. Replace spec.incomingAuth.oidcConfig with spec.incomingAuth.oidcConfigRef.name
  3. Apply both resources

PR: #​4822 — Closes #​4830

Migration guide: config.groupRef fallback and enum removal

Affects VirtualMCPServer manifests that relied on spec.config.group as a fallback (instead of spec.groupRef) or used the snake_case external_auth_config_ref enum value.

Before

apiVersion: toolhive.stacklok.com/v1alpha1
kind: VirtualMCPServer
metadata:
  name: my-vmcp
spec:
  config:
    group: "my-group"
  outgoingAuth:
    backends:
      - type: external_auth_config_ref
        name: my-auth

After

apiVersion: toolhive.stacklok.com/v1alpha1
kind: VirtualMCPServer
metadata:
  name: my-vmcp
spec:
  groupRef:
    name: my-group
  outgoingAuth:
    backends:
      - type: externalAuthConfigRef
        name: my-auth

Migration steps
  1. Move spec.config.group to spec.groupRef.name (now required)
  2. Replace external_auth_config_ref with externalAuthConfigRef in outgoingAuth.backends[*].type
  3. Apply the updated manifest

PR: #​4834 — Closes #​4831

Migration guide: Registry-based group deployment removed

Affects users running thv group run to deploy server groups defined in registry JSON files.

Before

thv group run my-registry-group

After

thv group create my-group
thv run --group my-group server1
thv run --group my-group server2

Migration steps
  1. Create a runtime group with thv group create <name>
  2. Run each server individually with thv run --group <name> <server>
  3. Runtime groups (thv group create/list/rm) and the groups API are unaffected

PR: #​4873 — Fixes #​4867

🆕 New Features

  • Cedar authorizer now supports a RoleClaimName field for extracting IdP roles (e.g. Entra ID roles claim) separately from group claims (#​4847)
  • New oidcConfigRef.resourceUrl field lets users specify the public URL for OAuth protected resource metadata when servers are exposed via Ingress (#​4855)
  • New GET /api/v1beta/skills/content endpoint retrieves SKILL.md content from OCI, git, and registry sources without installing the skill (#​4810)
  • New v0.1 server browse endpoints (GET /registry/{name}/v0.1/servers and GET /registry/{name}/v0.1/servers/{serverName}/versions/latest) matching upstream MCP registry spec (#​4871)
  • Cedar authorizer now stores serverName to scope policies per-MCP-server, enabling rules like resource in MCP::"<server>" (#​4861)
  • Introduce Starlark script engine package (pkg/script/) as the foundation for vMCP code mode — internal only, not yet wired to the server (#​4748)

🐛 Bug Fixes

  • OTLP endpoint URLs with custom paths (Langfuse, LangSmith) no longer get URL-encoded slashes, fixing trace export to these backends (#​4815)
  • Fix VirtualMCPServer reconcile loop (~10 updates/sec) caused by non-deterministic env var ordering with 4+ MCPExternalAuthConfigs (#​4783)
  • OIDC discovery failure no longer blocks the local key provider in embedded auth server scenarios (#​4774)
  • thv registry login no longer re-prompts the browser OAuth flow after the user has already authenticated (#​4893)
  • Skills API ?limit=N where N > 200 now correctly clamps to 200 instead of silently falling back to 50 (#​4802)
  • ValidatingCache.Get on an expired entry now returns the freshly loaded value instead of (zero, false), eliminating unnecessary retries (#​4798)
  • Restored vMCP session metadata is now persisted to Redis, preventing stale per-backend session IDs in cross-pod scenarios (#​4842)
  • Fix BackendReconciler field index registration order — SetupIndexes is now called before SetupWithManager to prevent watch predicates from failing silently (#​4724)

🧹 Misc

  • Remove orphaned OIDCConfigRef type, OIDCConfigurable interface, and related resolver code (dead code after inline oidcConfig removal) (#​4846)
  • Remove Upsert from DataStorage interface — had zero production callers after prior migration to explicit Create/Update (#​4797)
  • Remove stale OpenShift values overlay from Helm chart (#​4817)
  • Add horizontal scaling integration and e2e tests for Redis-backed vMCP session sharing (#​4724)
  • Add integration test for default audience without resource parameter (#​4818)
  • Fix flaky port reuse test by allocating a free port at runtime instead of hardcoding 9090 (#​4812)
  • Fix lint issues with mcpgroup (#​4838)
  • Change UpdateConfig callback signature to return error for future validation support (#​4845, #​4858)
  • Enforce go.mod patch version check in Taskfile and CI (#​4864)
  • Add color annotations to Claude Code agent definitions (#​4853)
  • Add /release-notes skill for automated release note generation (#​4852)

📦 Dependencies

Module Version
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp 1.43.0
github.com/stacklok/toolhive-catalog v0.20260416.0
Full Changelog: stacklok/toolhive@v0.20.0...v0.21.0


Configuration

📅 Schedule: (UTC)

  • Branch creation
    • At any time (no schedule defined)
  • Automerge
    • At any time (no schedule defined)

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

This PR was generated by Mend Renovate. View the repository job log.
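
A pre-upgrade check for the fields and enum value that the migration guides above list as removed, as an added example that is not part of this PR or of ToolHive. `find_removed_fields` is a hypothetical helper, the sample manifest is constructed, and the scan assumes block-style YAML (no flow-style `{}` mappings).

```python
# Removed field path -> replacement, from the v0.21.0 migration guides.
REMOVED = {
    "spec.telemetry": "spec.telemetryConfigRef",
    "spec.oidcConfig": "spec.oidcConfigRef",
    "spec.incomingAuth.oidcConfig": "spec.incomingAuth.oidcConfigRef",
    "spec.config.group": "spec.groupRef.name",
}
OLD_ENUM, NEW_ENUM = "external_auth_config_ref", "externalAuthConfigRef"

def find_removed_fields(manifests):
    """Hypothetical helper: follow block-style YAML key paths by indentation."""
    findings = []
    for doc in manifests.split("\n---"):
        stack, kind, hits = [], "?", []  # stack holds (indent, key) pairs
        for line in doc.splitlines():
            body = line.lstrip(" ")
            indent = len(line) - len(body)
            while body.startswith("- "):  # list item: its key sits deeper
                body, indent = body[2:].lstrip(" "), indent + 2
            if ":" not in body or body.startswith("#"):
                continue
            key, _, val = body.partition(":")
            while stack and stack[-1][0] >= indent:
                stack.pop()  # leave mappings that ended at this indentation
            stack.append((indent, key.strip()))
            path = ".".join(k for _, k in stack)
            val = val.strip().strip("\"'")
            kind = val if path == "kind" else kind
            if path in REMOVED:
                hits.append(f"{path} -> {REMOVED[path]}")
            if path == "spec.outgoingAuth.backends.type" and val == OLD_ENUM:
                hits.append(f"{path}: {OLD_ENUM} -> {NEW_ENUM}")
        findings += [f"{kind}: {h}" for h in hits]
    return findings

# Constructed sample: a pre-v0.21.0 VirtualMCPServer manifest.
SAMPLE = """\
kind: VirtualMCPServer
spec:
  config:
    group: "my-group"
  outgoingAuth:
    backends:
      - type: external_auth_config_ref
"""

if __name__ == "__main__":
    print("\n".join(find_removed_fields(SAMPLE)))
```

An empty result means none of the removed paths were found; multi-document files separated by `---` are checked one document at a time.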

Contributor Author

renovate bot commented Apr 16, 2026

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

  • 8 additional dependencies were updated

Details:

Package Change
github.com/coreos/go-oidc/v3 v3.17.0 -> v3.18.0
github.com/mark3labs/mcp-go v0.47.1 -> v0.48.0
github.com/modelcontextprotocol/registry v1.5.0 -> v1.6.0
github.com/prometheus/procfs v0.19.2 -> v0.20.1
go.opentelemetry.io/otel/exporters/otlp/otlptrace v1.41.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/otlp/otlptrace/otlptracehttp v1.41.0 -> v1.43.0
go.opentelemetry.io/otel/exporters/prometheus v0.63.0 -> v0.65.0
go.yaml.in/yaml/v2 v2.4.3 -> v2.4.4

@renovate renovate bot force-pushed the renovate/github.com-stacklok-toolhive-0.x branch from 6d4e46e to 5b49e74 Compare April 17, 2026 07:02
@jhrozek jhrozek merged commit 8058433 into main Apr 17, 2026
8 checks passed
@jhrozek jhrozek deleted the renovate/github.com-stacklok-toolhive-0.x branch April 17, 2026 10:01