From f9045840d909f29e3e83765569cf5c840d4e2796 Mon Sep 17 00:00:00 2001 From: Sanskarzz Date: Thu, 19 Feb 2026 16:56:46 +0530 Subject: [PATCH 1/6] ref: support multi port like docker Signed-off-by: Sanskarzz --- cmd/thv/app/run_flags.go | 4 ++ pkg/container/docker/client.go | 26 +++++++----- pkg/networking/port.go | 45 +++++++++++++++++++++ pkg/networking/port_test.go | 74 ++++++++++++++++++++++++++++++++++ pkg/runner/config.go | 3 ++ pkg/runner/config_builder.go | 8 ++++ pkg/runner/runner.go | 1 + pkg/runtime/setup.go | 30 +++++++++++++- 8 files changed, 181 insertions(+), 10 deletions(-) diff --git a/cmd/thv/app/run_flags.go b/cmd/thv/app/run_flags.go index 4dc84c7939..9a7e8a9b2f 100644 --- a/cmd/thv/app/run_flags.go +++ b/cmd/thv/app/run_flags.go @@ -45,6 +45,7 @@ type RunFlags struct { ProxyPort int TargetPort int TargetHost string + Publish []string // Server configuration Name string @@ -154,6 +155,8 @@ func AddRunFlags(cmd *cobra.Command, config *RunFlags) { "target-host", transport.LocalhostIPv4, "Host to forward traffic to (only applicable to SSE or Streamable HTTP transport)") + cmd.Flags().StringArrayVarP(&config.Publish, "publish", "p", []string{}, + "Publish a container's port(s) to the host (format: hostPort:containerPort)") cmd.Flags().StringVar( &config.PermissionProfile, "permission-profile", @@ -606,6 +609,7 @@ func buildRunnerConfig( LoadGlobal: runFlags.IgnoreGlobally, PrintOverlays: runFlags.PrintOverlays, }), + runner.WithPublish(runFlags.Publish), } // Load tools override configuration diff --git a/pkg/container/docker/client.go b/pkg/container/docker/client.go index 8652e896a1..91f7c91a15 100644 --- a/pkg/container/docker/client.go +++ b/pkg/container/docker/client.go 
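Review bot: The help string on the new `--publish` flag documents only `hostPort:containerPort`, but the parser this feeds (networking.ParsePortSpec in this same patch) also accepts a bare `containerPort` and then picks a random host port, so the flag's contract is under-described to the user. It also says nothing about what publishing means here: a port binding hands host traffic straight to the container, outside whatever the ToolHive proxy on `--proxy-port` does, which is the one fact someone deciding to publish an MCP server's port needs. I would change the help to `"Publish a container's port(s) directly to the host, outside the ToolHive proxy (format: [hostPort:]containerPort; a bare containerPort gets a random host port; TCP only)"`. Whether the Kubernetes runtime honours the option at all is not visible here and should be stated in the help if it does not.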
@@ -1619,7 +1619,7 @@ func generatePortBindings(labels map[string]string, portBindings map[string][]runtime.PortBinding) (map[string][]runtime.PortBinding, int, error) { var hostPort int // check if we need to map to a random port of not - if _, ok := labels["toolhive-auxiliary"]; ok && labels["toolhive-auxiliary"] == "true" { + if _, ok := labels[ToolhiveAuxiliaryWorkloadLabel]; ok && labels[ToolhiveAuxiliaryWorkloadLabel] == LabelValueTrue { // find first port var err error for _, bindings := range portBindings { @@ -1633,17 +1633,25 @@ func generatePortBindings(labels map[string]string, } } } else { - // bind to a random host port - hostPort = networking.FindAvailable() - if hostPort == 0 { - return nil, 0, fmt.Errorf("could not find an available port") - } - // first port binding needs to map to the host port + // For consistency, we only use FindAvailable for the primary port if it's not already set for key, bindings := range portBindings { if len(bindings) > 0 { - bindings[0].HostPort = fmt.Sprintf("%d", hostPort) - portBindings[key] = bindings + hostPortStr := bindings[0].HostPort + if hostPortStr == "" || hostPortStr == "0" { + hostPort = networking.FindAvailable() + if hostPort == 0 { + return nil, 0, fmt.Errorf("could not find an available port") + } + bindings[0].HostPort = fmt.Sprintf("%d", hostPort) + portBindings[key] = bindings + } else { + var err error + hostPort, err = strconv.Atoi(hostPortStr) + if err != nil { + return nil, 0, fmt.Errorf("failed to convert host port %s to int: %w", hostPortStr, err) + } + } break } } diff --git a/pkg/networking/port.go b/pkg/networking/port.go index fc79adb2ad..19ba93fef8 100644 --- a/pkg/networking/port.go +++ b/pkg/networking/port.go @@ -12,6 +12,9 @@ import ( "math/big" "net" + "strconv" + "strings" + gopsutilnet "github.com/shirou/gopsutil/v4/net" ) 
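Review bot: In the `else` branch of generatePortBindings the `for key, bindings := range portBindings` loop breaks after the first key, so when portBindings now holds several container ports (the point of `--publish`) both the binding that receives a host port and the `hostPort` handed back to the caller depend on Go's randomised map iteration order, and every other key with an empty HostPort is passed on unset. Before this patch there was only one key, which is why the shortcut was safe. The function's return statement lies outside the hunk, so I cannot see how `hostPort` is consumed, but the int it returns can now be a published port rather than the transport port. I would fill every unset binding and let the caller look up the transport's binding by its own container-port key; and if `networking.FindAvailable` only probes and does not hold the port, successive calls may return the same value, so de-duplicate before assigning.
```go
	} else {
		// Assign a host port to every binding that left it unset ("" or "0").
		// Which binding is the transport's is for the caller to decide from its
		// container-port key, never from map iteration order.
		for key, bindings := range portBindings {
			for i := range bindings {
				if bindings[i].HostPort != "" && bindings[i].HostPort != "0" {
					continue
				}
				p := networking.FindAvailable()
				if p == 0 {
					return nil, 0, fmt.Errorf("could not find an available port")
				}
				bindings[i].HostPort = strconv.Itoa(p)
			}
			portBindings[key] = bindings
		}
		// … hostPort for the return value is then read from the transport's key (outside the hunk) …
	}
```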
@@ -201,3 +204,45 @@ func GetProcessOnPort(port int) (int, error) { } return 0, nil } + +// ParsePortSpec parses a port specification string in the format "hostPort:containerPort" or just "containerPort". +// Returns the host port string and container port integer. +// If only a container port is provided, a random available host port is selected. +func ParsePortSpec(portSpec string) (string, int, error) { + slog.Debug("Parsing port spec", "spec", portSpec) + // Check if it's in host:container format + if strings.Contains(portSpec, ":") { + parts := strings.Split(portSpec, ":") + if len(parts) != 2 { + return "", 0, fmt.Errorf("invalid port specification: %s (expected 'hostPort:containerPort')", portSpec) + } + + hostPortStr := parts[0] + containerPortStr := parts[1] + + // Verify host port is a valid integer (or empty string if we supported random host port with :, but here we expect explicit) + if _, err := strconv.Atoi(hostPortStr); err != nil { + return "", 0, fmt.Errorf("invalid host port in spec '%s': %w", portSpec, err) + } + + containerPort, err := strconv.Atoi(containerPortStr) + if err != nil { + return "", 0, fmt.Errorf("invalid container port in spec '%s': %w", portSpec, err) + } + + return hostPortStr, containerPort, nil + } + + // Try parsing as just container port + containerPort, err := strconv.Atoi(portSpec) + if err == nil { + // Find a random available host port + hostPort := FindAvailable() + if hostPort == 0 { + return "", 0, fmt.Errorf("could not find an available port for container port %d", containerPort) + } + return fmt.Sprintf("%d", hostPort), containerPort, nil + } + + return "", 0, fmt.Errorf("invalid port specification: %s (expected 'hostPort:containerPort' or 'containerPort')", portSpec) +} diff --git a/pkg/networking/port_test.go b/pkg/networking/port_test.go index 6a88f3cf4d..04aa8a96fa 100644 --- a/pkg/networking/port_test.go +++ b/pkg/networking/port_test.go 
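Review bot: ParsePortSpec validates both fields with `strconv.Atoi` only, so `70000:8001`, `-1:8001` or `8003:0` parse successfully and the failure surfaces later from the runtime instead of at the CLI; a range check is cheap: `if containerPort < 1 || containerPort > 65535 { return "", 0, fmt.Errorf("container port out of range in spec '%s'", portSpec) }`, with `0..65535` on the host side since `0` is what generatePortBindings treats as "pick one". The `len(parts) != 2` guard also rejects Docker's `ip:hostPort:containerPort` form, so there is no way to publish on loopback only, which is worth either supporting or stating in the doc comment. Finally, the bare-`containerPort` branch calls FindAvailable inside a parser, a side effect the name does not suggest and the reason the "container only" test cannot pin a value; consider returning `"0"` and letting the binding code allocate, as it already does for `""`/`"0"`.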
@@ -134,3 +134,77 @@ func TestGetProcessOnPort_PortInUse(t *testing.T) { require.NoError(t, err) assert.NotZero(t, pid, "port is in use, GetProcessOnPort should return the process PID") } + +func TestParsePortSpec(t *testing.T) { + t.Parallel() + + tests := []struct { + name string + portSpec string + expectedHostPort string + expectedContainer int + wantError bool + }{ + { + name: "host:container", + portSpec: "8003:8001", + expectedHostPort: "8003", + expectedContainer: 8001, + wantError: false, + }, + { + name: "container only", + portSpec: "8001", + expectedHostPort: "", // Random + expectedContainer: 8001, + wantError: false, + }, + { + name: "invalid format", + portSpec: "invalid", + expectedHostPort: "", + expectedContainer: 0, + wantError: true, + }, + { + name: "invalid host port", + portSpec: "abc:8001", + expectedHostPort: "", + expectedContainer: 0, + wantError: true, + }, + } + + for _, tt := range tests { + tt := tt + t.Run(tt.name, func(t *testing.T) { + t.Parallel() + + hostPort, containerPort, err := networking.ParsePortSpec(tt.portSpec) + + if tt.wantError { + if err == nil { + t.Errorf("ParsePortSpec(%s) expected error but got nil", tt.portSpec) + } + return + } + + if err != nil { + t.Errorf("ParsePortSpec(%s) unexpected error: %v", tt.portSpec, err) + return + } + + if tt.expectedHostPort != "" && hostPort != tt.expectedHostPort { + t.Errorf("ParsePortSpec(%s) hostPort = %s, want %s", tt.portSpec, hostPort, tt.expectedHostPort) + } + + if tt.expectedHostPort == "" && hostPort == "" { + t.Errorf("ParsePortSpec(%s) hostPort is empty, want random port", tt.portSpec) + } + + if containerPort != tt.expectedContainer { + t.Errorf("ParsePortSpec(%s) containerPort = %d, want %d", tt.portSpec, containerPort, tt.expectedContainer) + } + }) + } +} diff --git a/pkg/runner/config.go b/pkg/runner/config.go index f0f14a30e0..b34bb41ecd 100644 --- a/pkg/runner/config.go +++ b/pkg/runner/config.go 
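Review bot: The new table uses bare `t.Errorf` checks while the surrounding file asserts with testify (`require.NoError` and `assert.NotZero` are visible at the top of the hunk), so `require.NoError(t, err)` / `assert.Equal(t, tt.expectedHostPort, hostPort)` would keep the file consistent and shorten each case. The negative cases only cover non-numeric input; adding `70000:8001`, `-1:8001` and `127.0.0.1:8003:8001` as `wantError: true` cases would fail today for the first two, which is exactly the gap in ParsePortSpec a reader of this test would want pinned down. The `tt := tt` copy is only needed below Go 1.22; drop it if go.mod is at or above that version.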
@@ -83,6 +83,9 @@ type RunConfig struct { // TargetHost is the host to forward traffic to (only applicable to SSE transport) TargetHost string `json:"target_host,omitempty" yaml:"target_host,omitempty"` + // Publish lists ports to publish to the host in format "hostPort:containerPort" + Publish []string `json:"publish,omitempty" yaml:"publish,omitempty"` + // PermissionProfileNameOrPath is the name or path of the permission profile PermissionProfileNameOrPath string `json:"permission_profile_name_or_path,omitempty" yaml:"permission_profile_name_or_path,omitempty"` //nolint:lll diff --git a/pkg/runner/config_builder.go b/pkg/runner/config_builder.go index b1373a79bd..e0f80e060e 100644 --- a/pkg/runner/config_builder.go +++ b/pkg/runner/config_builder.go @@ -174,6 +174,14 @@ func WithTargetHost(targetHost string) RunConfigBuilderOption { } } +// WithPublish sets the published ports +func WithPublish(publish []string) RunConfigBuilderOption { + return func(b *runConfigBuilder) error { + b.config.Publish = publish + return nil + } +} + // WithDebug sets debug mode func WithDebug(debug bool) RunConfigBuilderOption { return func(b *runConfigBuilder) error { diff --git a/pkg/runner/runner.go b/pkg/runner/runner.go index f9e107f617..d20d51ea0f 100644 --- a/pkg/runner/runner.go +++ b/pkg/runner/runner.go @@ -312,6 +312,7 @@ func (r *Runner) Run(ctx context.Context) error { r.Config.Host, r.Config.TargetPort, r.Config.TargetHost, + r.Config.Publish, scalingConfig, ) if err != nil { diff --git a/pkg/runtime/setup.go b/pkg/runtime/setup.go index 1e6a57d671..f2c30a00dc 100644 --- a/pkg/runtime/setup.go +++ b/pkg/runtime/setup.go @@ -13,6 +13,7 @@ import ( "github.com/stacklok/toolhive-core/permissions" rt "github.com/stacklok/toolhive/pkg/container/runtime" "github.com/stacklok/toolhive/pkg/ignore" + "github.com/stacklok/toolhive/pkg/networking" "github.com/stacklok/toolhive/pkg/transport/types" ) 
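Review bot: The comment on the new `Publish` field says the entries are `"hostPort:containerPort"`, but the parser that consumes them (networking.ParsePortSpec in this patch) also accepts a bare `containerPort`, and nothing validates the strings when they are set through WithPublish or loaded back from the JSON/YAML run config — they are parsed only when the workload is set up. Since RunConfig is serialised (the struct tags here, and the matching `publish` schema property in the generated API docs of the next commit), I would make the comment state the contract and the late validation: `// Publish lists Docker-style port specs, "[hostPort:]containerPort", bound directly on the host (TCP only); entries are validated when the workload is set up, not when the config is built or loaded.` WithPublish also stores the caller's slice by reference; cloning it (`slices.Clone` if the file is on Go 1.21+) keeps later mutation of flag state from leaking into the config.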
@@ -50,6 +51,7 @@ func Setup( host string, targetPort int, targetHost string, + publishedPorts []string, scalingConfig *rt.ScalingConfig, ) (*SetupResult, error) { // Add transport-specific environment variables @@ -74,6 +76,26 @@ func Setup( containerOptions := rt.NewDeployWorkloadOptions() containerOptions.K8sPodTemplatePatch = k8sPodTemplatePatch containerOptions.IgnoreConfig = ignoreConfig + + // Process published ports + for _, portSpec := range publishedPorts { + hostPort, containerPort, err := networking.ParsePortSpec(portSpec) + if err != nil { + return nil, fmt.Errorf("failed to parse published port '%s': %w", portSpec, err) + } + + // Add to exposed ports + containerPortStr := fmt.Sprintf("%d/tcp", containerPort) + containerOptions.ExposedPorts[containerPortStr] = struct{}{} + + // Add to port bindings + // Check if we already have bindings for this port + bindings := containerOptions.PortBindings[containerPortStr] + bindings = append(bindings, rt.PortBinding{ + HostPort: hostPort, + }) + containerOptions.PortBindings[containerPortStr] = bindings + } containerOptions.ScalingConfig = scalingConfig if transportType == types.TransportTypeStdio { @@ -92,7 +114,13 @@ func Setup( } // Set the port bindings - containerOptions.PortBindings[containerPortStr] = portBindings + // Note: if the user explicitly publishes the target port using --publish, + // we append the default transport binding to the list of bindings for that port. + if _, ok := containerOptions.PortBindings[containerPortStr]; ok { + containerOptions.PortBindings[containerPortStr] = append(containerOptions.PortBindings[containerPortStr], portBindings...) + } else { + containerOptions.PortBindings[containerPortStr] = portBindings + } } // Create the container From 2f8800204217ace598073367847ae43219db6a91 Mon Sep 17 00:00:00 2001 From: Sanskarzz Date: Thu, 19 Feb 2026 19:03:37 +0530 Subject: [PATCH 2/6] fix: add docs 
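Review bot: Each `rt.PortBinding` built in the publish loop carries only a HostPort; if the type has a host-address field it is left at its zero value, and Docker's default for an unset host IP is to bind on all interfaces, so `--publish` exposes the container port on every address of the host with no way in the accepted `hostPort:containerPort` syntax to ask for loopback. Every spec is also forced to `/tcp`, which the flag help does not say. I would default the binding to 127.0.0.1 (or accept Docker's `ip:hostPort:containerPort` form and default to loopback when the IP is omitted), and note the TCP-only assumption next to `containerPortStr := fmt.Sprintf("%d/tcp", containerPort)`. Setup's signature and the transport-port code between the hunks lie outside what is shown, so whether Kubernetes deployments reach this loop cannot be told from here.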
Signed-off-by: Sanskarzz --- docs/cli/thv_run.md | 1 + docs/server/docs.go | 495 +++++++++++++++++++++------------------ docs/server/swagger.json | 495 +++++++++++++++++++++------------------ docs/server/swagger.yaml | 431 ++++++++++++++++++---------------- 4 files changed, 760 insertions(+), 662 deletions(-) diff --git a/docs/cli/thv_run.md b/docs/cli/thv_run.md index 68b8ca5f68..a308e589aa 100644 --- a/docs/cli/thv_run.md +++ b/docs/cli/thv_run.md @@ -155,6 +155,7 @@ thv run [flags] SERVER_OR_IMAGE_OR_PROTOCOL [-- ARGS...] --print-resolved-overlays Debug: show resolved container paths for tmpfs overlays (default false) --proxy-mode string Proxy mode for stdio (streamable-http or sse (deprecated, will be removed)) (default "streamable-http") --proxy-port int Port for the HTTP proxy to listen on (host port) + -p, --publish stringArray Publish a container's port(s) to the host (format: hostPort:containerPort) --remote-auth Enable OAuth/OIDC authentication to remote MCP server (default false) --remote-auth-authorize-url string OAuth authorization endpoint URL (alternative to --remote-auth-issuer for non-OIDC OAuth) --remote-auth-bearer-token string Bearer token for remote server authentication (alternative to OAuth) diff --git a/docs/server/docs.go b/docs/server/docs.go index a5c12c4f4c..02e24e4289 100644 --- a/docs/server/docs.go +++ b/docs/server/docs.go 
@@ -8,63 +8,6 @@ const docTemplate = `{ "schemes": {{ marshal .Schemes }}, "components": { "schemas": { - "auth.TokenValidatorConfig": { - "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", - "properties": { - "allowPrivateIP": { - "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", - "type": "boolean" - }, - "audience": { - "description": "Audience is the expected audience for the token", - "type": "string" - }, - "authTokenFile": { - "description": "AuthTokenFile is the path to file containing bearer token for authentication", - "type": "string" - }, - "cacertPath": { - "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", - "type": "string" - }, - "clientID": { - "description": "ClientID is the OIDC client ID", - "type": "string" - }, - "clientSecret": { - "description": "ClientSecret is the optional OIDC client secret for introspection", - "type": "string" - }, - "insecureAllowHTTP": { - "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", - "type": "boolean" - }, - "introspectionURL": { - "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", - "type": "string" - }, - "issuer": { - "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", - "type": "string" - }, - "jwksurl": { - "description": "JWKSURL is the URL to fetch the JWKS from", - "type": "string" - }, - "resourceURL": { - "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", - "type": "string" - }, - "scopes": { - "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, 
"github_com_stacklok_toolhive-core_registry_types.Registry": { "description": "Full registry data", "properties": { 
@@ -147,6 +90,63 @@ const docTemplate = `{ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig": { + "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", + "properties": { + "allowPrivateIP": { + "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", + "type": "boolean" + }, + "audience": { + "description": "Audience is the expected audience for the token", + "type": "string" + }, + "authTokenFile": { + "description": "AuthTokenFile is the path to file containing bearer token for authentication", + "type": "string" + }, + "cacertPath": { + "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", + "type": "string" + }, + "clientID": { + "description": "ClientID is the OIDC client ID", + "type": "string" + }, + "clientSecret": { + "description": "ClientSecret is the optional OIDC client secret for introspection", + "type": "string" + }, + "insecureAllowHTTP": { + "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", + "type": "boolean" + }, + "introspectionURL": { + "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", + "type": "string" + }, + "issuer": { + "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", + "type": "string" + }, + "jwksurl": { + "description": "JWKSURL is the URL to fetch the JWKS from", + "type": "string" + }, + "resourceURL": { + "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", + "type": "string" + }, + "scopes": { + "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, 
"github_com_stacklok_toolhive_pkg_auth_awssts.Config": { "description": "AWSStsConfig contains AWS STS token exchange configuration for accessing AWS services", "properties": { @@ -471,7 +471,7 @@ const docTemplate = `{ "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.SigningKeyRunConfig" }, "storage": { - "$ref": "#/components/schemas/storage.RunConfig" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig" }, "token_lifespans": { "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.TokenLifespanRunConfig" 
@@ -633,6 +633,107 @@ const docTemplate = `{ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig": { + "description": "ACLUserConfig contains ACL user authentication configuration.", + "properties": { + "password_env_var": { + "description": "PasswordEnvVar is the environment variable containing the Redis password.", + "type": "string" + }, + "username_env_var": { + "description": "UsernameEnvVar is the environment variable containing the Redis username.", + "type": "string" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig": { + "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", + "properties": { + "acl_user_config": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig" + }, + "auth_type": { + "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", + "type": "string" + }, + "dial_timeout": { + "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", + "type": "string" + }, + "key_prefix": { + "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", + "type": "string" + }, + "read_timeout": { + "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", + "type": "string" + }, + "sentinel_config": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig" + }, + "sentinel_tls": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" + }, + "tls": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" + }, + "write_timeout": { + "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", + "type": "string" + } + }, + "type": "object" + }, + 
"github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig": { + "description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", + "properties": { + "ca_cert_file": { + "description": "CACertFile is the path to a PEM-encoded CA certificate file.", + "type": "string" + }, + "insecure_skip_verify": { + "description": "InsecureSkipVerify skips certificate verification.", + "type": "boolean" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig": { + "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", + "properties": { + "redis_config": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig" + }, + "type": { + "description": "Type specifies the storage backend type. Defaults to \"memory\".", + "type": "string" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig": { + "description": "SentinelConfig contains Sentinel-specific configuration.", + "properties": { + "db": { + "description": "DB is the Redis database number (default: 0).", + "type": "integer" + }, + "master_name": { + "description": "MasterName is the name of the Redis Sentinel master.", + "type": "string" + }, + "sentinel_addrs": { + "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": false + } + }, + "type": "object" + }, "github_com_stacklok_toolhive_pkg_authz.Config": { "description": "DEPRECATED: Middleware configuration.\nAuthzConfig contains the authorization configuration", "properties": { 
@@ -736,6 +837,50 @@ const docTemplate = `{ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus": { + "description": "Current status of the workload", + "enum": [ + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated", + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated", + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated" + ], + "type": "string", + "x-enum-varnames": [ + "WorkloadStatusRunning", + "WorkloadStatusStopped", + "WorkloadStatusError", + "WorkloadStatusStarting", + "WorkloadStatusStopping", + "WorkloadStatusUnhealthy", + "WorkloadStatusRemoving", + "WorkloadStatusUnknown", + "WorkloadStatusUnauthenticated" + ] + }, "github_com_stacklok_toolhive_pkg_container_templates.RuntimeConfig": { "description": "RuntimeConfig allows overriding the default runtime configuration\nfor this specific workload (base images and packages)", "properties": { @@ -796,19 +941,7 @@ const docTemplate = `{ "type": "string" }, "status": { - "description": "Status is the current status of the workload.", - "enum": [ - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" }, "status_context": { "description": "StatusContext provides additional context about the workload's status.\nThe exact meaning is determined by the status and the underlying runtime.", 
@@ -823,14 +956,7 @@ const docTemplate = `{ "uniqueItems": false }, "transport_type": { - "description": "TransportType is the type of transport used for this workload.", - "enum": [ - "stdio", - "sse", - "streamable-http", - "inspector" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" }, "url": { "description": "URL is the URL of the workload exposed by the ToolHive proxy.", @@ -979,7 +1105,7 @@ const docTemplate = `{ "type": "string" }, "ignore_config": { - "$ref": "#/components/schemas/ignore.Config" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_ignore.Config" }, "image": { "description": "Image is the Docker image to run", @@ -1000,7 +1126,7 @@ const docTemplate = `{ "middleware_configs": { "description": "MiddlewareConfigs contains the list of middleware to apply to the transport\nand the configuration for each middleware.", "items": { - "$ref": "#/components/schemas/types.MiddlewareConfig" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig" }, "type": "array", "uniqueItems": false @@ -1010,7 +1136,7 @@ const docTemplate = `{ "type": "string" }, "oidc_config": { - "$ref": "#/components/schemas/auth.TokenValidatorConfig" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig" }, "permission_profile_name_or_path": { "description": "PermissionProfileNameOrPath is the name or path of the permission profile", 
@@ -1021,12 +1147,15 @@ const docTemplate = `{ "type": "integer" }, "proxy_mode": { - "description": "ProxyMode is the proxy mode for stdio transport (\"sse\" or \"streamable-http\")\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", - "enum": [ - "sse", - "streamable-http" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.ProxyMode" + }, + "publish": { + "description": "Publish lists ports to publish to the host in format \"hostPort:containerPort\"", + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": false }, "remote_auth_config": { "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth_remote.Config" @@ -1087,14 +1216,7 @@ const docTemplate = `{ "type": "object" }, "transport": { - "description": "Transport is the transport mode (stdio, sse, or streamable-http)", - "enum": [ - "stdio", - "sse", - "streamable-http", - "inspector" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" }, "trust_proxy_headers": { "description": "TrustProxyHeaders indicates whether to trust X-Forwarded-* headers from reverse proxies", 
@@ -1382,20 +1504,57 @@ const docTemplate = `{ }, "type": "object" }, - "ignore.Config": { - "description": "IgnoreConfig contains configuration for ignore processing", + "github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig": { "properties": { - "loadGlobal": { - "description": "Whether to load global ignore patterns", - "type": "boolean" + "parameters": { + "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", + "type": "object" }, - "printOverlays": { - "description": "Whether to print resolved overlay paths for debugging", - "type": "boolean" + "type": { + "description": "Type is a string representing the middleware type.", + "type": "string" } }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_transport_types.ProxyMode": { + "description": "ProxyMode is the proxy mode for stdio transport (\"sse\" or \"streamable-http\")\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", + "enum": [ + "sse", + "streamable-http", + "sse", + "streamable-http" + ], + "type": "string", + "x-enum-varnames": [ + "ProxyModeSSE", + "ProxyModeStreamableHTTP" + ] + }, + "github_com_stacklok_toolhive_pkg_transport_types.TransportType": { + "description": "Transport is the transport mode (stdio, sse, or streamable-http)", + "enum": [ + "stdio", + "sse", + "streamable-http", + "inspector", + "stdio", + "sse", + "streamable-http", + "inspector", + "stdio", + "sse", + "streamable-http", + "inspector" + ], + "type": "string", + "x-enum-varnames": [ + "TransportTypeStdio", + "TransportTypeSSE", + "TransportTypeStreamableHTTP", + "TransportTypeInspector" + ] + }, "permissions.InboundNetworkPermissions": { "description": "Inbound defines inbound network permissions", "properties": { 
@@ -2456,19 +2615,7 @@ const docTemplate = `{ "description": "Response containing workload status information", "properties": { "status": { - "description": "Current status of the workload", - "enum": [ - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" } }, "type": "object" 
@@ -2882,120 +3029,6 @@ const docTemplate = `{ } }, "type": "object" - }, - "storage.ACLUserRunConfig": { - "description": "ACLUserConfig contains ACL user authentication configuration.", - "properties": { - "password_env_var": { - "description": "PasswordEnvVar is the environment variable containing the Redis password.", - "type": "string" - }, - "username_env_var": { - "description": "UsernameEnvVar is the environment variable containing the Redis username.", - "type": "string" - } - }, - "type": "object" - }, - "storage.RedisRunConfig": { - "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", - "properties": { - "acl_user_config": { - "$ref": "#/components/schemas/storage.ACLUserRunConfig" - }, - "auth_type": { - "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", - "type": "string" - }, - "dial_timeout": { - "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", - "type": "string" - }, - "key_prefix": { - "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", - "type": "string" - }, - "read_timeout": { - "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", - "type": "string" - }, - "sentinel_config": { - "$ref": "#/components/schemas/storage.SentinelRunConfig" - }, - "sentinel_tls": { - "$ref": "#/components/schemas/storage.RedisTLSRunConfig" - }, - "tls": { - "$ref": "#/components/schemas/storage.RedisTLSRunConfig" - }, - "write_timeout": { - "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", - "type": "string" - } - }, - "type": "object" - }, - "storage.RedisTLSRunConfig": { - "description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", - "properties": { - "ca_cert_file": { - "description": "CACertFile is the path to a PEM-encoded CA certificate file.", - "type": "string" - }, - "insecure_skip_verify": { - 
"description": "InsecureSkipVerify skips certificate verification.", - "type": "boolean" - } - }, - "type": "object" - }, - "storage.RunConfig": { - "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", - "properties": { - "redis_config": { - "$ref": "#/components/schemas/storage.RedisRunConfig" - }, - "type": { - "description": "Type specifies the storage backend type. Defaults to \"memory\".", - "type": "string" - } - }, - "type": "object" - }, - "storage.SentinelRunConfig": { - "description": "SentinelConfig contains Sentinel-specific configuration.", - "properties": { - "db": { - "description": "DB is the Redis database number (default: 0).", - "type": "integer" - }, - "master_name": { - "description": "MasterName is the name of the Redis Sentinel master.", - "type": "string" - }, - "sentinel_addrs": { - "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", - "items": { - "type": "string" - }, - "type": "array", - "uniqueItems": false - } - }, - "type": "object" - }, - "types.MiddlewareConfig": { - "properties": { - "parameters": { - "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", - "type": "object" - }, - "type": { - "description": "Type is a string representing the middleware type.", - "type": "string" - } - }, - "type": "object" } } }, diff --git a/docs/server/swagger.json b/docs/server/swagger.json index f20887b4c5..cd30dfefbc 100644 --- a/docs/server/swagger.json +++ b/docs/server/swagger.json 
@@ -1,63 +1,6 @@ { "components": { "schemas": { - "auth.TokenValidatorConfig": { - "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", - "properties": { - "allowPrivateIP": { - "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", - "type": "boolean" - }, - "audience": { - "description": "Audience is the expected audience for the token", - "type": "string" - }, - "authTokenFile": { - "description": "AuthTokenFile is the path to file containing bearer token for authentication", - "type": "string" - }, - "cacertPath": { - "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", - "type": "string" - }, - "clientID": { - "description": "ClientID is the OIDC client ID", - "type": "string" - }, - "clientSecret": { - "description": "ClientSecret is the optional OIDC client secret for introspection", - "type": "string" - }, - "insecureAllowHTTP": { - "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", - "type": "boolean" - }, - "introspectionURL": { - "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", - "type": "string" - }, - "issuer": { - "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", - "type": "string" - }, - "jwksurl": { - "description": "JWKSURL is the URL to fetch the JWKS from", - "type": "string" - }, - "resourceURL": { - "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", - "type": "string" - }, - "scopes": { - "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, "github_com_stacklok_toolhive-core_registry_types.Registry": { "description": "Full registry data", 
"properties": { 
@@ -140,6 +83,63 @@ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig": { + "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", + "properties": { + "allowPrivateIP": { + "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", + "type": "boolean" + }, + "audience": { + "description": "Audience is the expected audience for the token", + "type": "string" + }, + "authTokenFile": { + "description": "AuthTokenFile is the path to file containing bearer token for authentication", + "type": "string" + }, + "cacertPath": { + "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", + "type": "string" + }, + "clientID": { + "description": "ClientID is the OIDC client ID", + "type": "string" + }, + "clientSecret": { + "description": "ClientSecret is the optional OIDC client secret for introspection", + "type": "string" + }, + "insecureAllowHTTP": { + "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", + "type": "boolean" + }, + "introspectionURL": { + "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", + "type": "string" + }, + "issuer": { + "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", + "type": "string" + }, + "jwksurl": { + "description": "JWKSURL is the URL to fetch the JWKS from", + "type": "string" + }, + "resourceURL": { + "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", + "type": "string" + }, + "scopes": { + "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, "github_com_stacklok_toolhive_pkg_auth_awssts.Config": { "description": 
"AWSStsConfig contains AWS STS token exchange configuration for accessing AWS services", "properties": { @@ -464,7 +464,7 @@ "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.SigningKeyRunConfig" }, "storage": { - "$ref": "#/components/schemas/storage.RunConfig" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig" }, "token_lifespans": { "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.TokenLifespanRunConfig" 
@@ -626,6 +626,107 @@ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig": { + "description": "ACLUserConfig contains ACL user authentication configuration.", + "properties": { + "password_env_var": { + "description": "PasswordEnvVar is the environment variable containing the Redis password.", + "type": "string" + }, + "username_env_var": { + "description": "UsernameEnvVar is the environment variable containing the Redis username.", + "type": "string" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig": { + "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", + "properties": { + "acl_user_config": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig" + }, + "auth_type": { + "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", + "type": "string" + }, + "dial_timeout": { + "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", + "type": "string" + }, + "key_prefix": { + "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", + "type": "string" + }, + "read_timeout": { + "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", + "type": "string" + }, + "sentinel_config": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig" + }, + "sentinel_tls": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" + }, + "tls": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" + }, + "write_timeout": { + "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", + "type": "string" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig": { + 
"description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", + "properties": { + "ca_cert_file": { + "description": "CACertFile is the path to a PEM-encoded CA certificate file.", + "type": "string" + }, + "insecure_skip_verify": { + "description": "InsecureSkipVerify skips certificate verification.", + "type": "boolean" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig": { + "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", + "properties": { + "redis_config": { + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig" + }, + "type": { + "description": "Type specifies the storage backend type. Defaults to \"memory\".", + "type": "string" + } + }, + "type": "object" + }, + "github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig": { + "description": "SentinelConfig contains Sentinel-specific configuration.", + "properties": { + "db": { + "description": "DB is the Redis database number (default: 0).", + "type": "integer" + }, + "master_name": { + "description": "MasterName is the name of the Redis Sentinel master.", + "type": "string" + }, + "sentinel_addrs": { + "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": false + } + }, + "type": "object" + }, "github_com_stacklok_toolhive_pkg_authz.Config": { "description": "DEPRECATED: Middleware configuration.\nAuthzConfig contains the authorization configuration", "properties": { 
@@ -729,6 +830,50 @@ }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus": { + "description": "Current status of the workload", + "enum": [ + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated", + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated", + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated" + ], + "type": "string", + "x-enum-varnames": [ + "WorkloadStatusRunning", + "WorkloadStatusStopped", + "WorkloadStatusError", + "WorkloadStatusStarting", + "WorkloadStatusStopping", + "WorkloadStatusUnhealthy", + "WorkloadStatusRemoving", + "WorkloadStatusUnknown", + "WorkloadStatusUnauthenticated" + ] + }, "github_com_stacklok_toolhive_pkg_container_templates.RuntimeConfig": { "description": "RuntimeConfig allows overriding the default runtime configuration\nfor this specific workload (base images and packages)", "properties": { @@ -789,19 +934,7 @@ "type": "string" }, "status": { - "description": "Status is the current status of the workload.", - "enum": [ - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" }, "status_context": { "description": "StatusContext provides additional context about the workload's status.\nThe exact meaning is determined by the status and the underlying runtime.", 
@@ -816,14 +949,7 @@ "uniqueItems": false }, "transport_type": { - "description": "TransportType is the type of transport used for this workload.", - "enum": [ - "stdio", - "sse", - "streamable-http", - "inspector" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" }, "url": { "description": "URL is the URL of the workload exposed by the ToolHive proxy.", @@ -972,7 +1098,7 @@ "type": "string" }, "ignore_config": { - "$ref": "#/components/schemas/ignore.Config" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_ignore.Config" }, "image": { "description": "Image is the Docker image to run", @@ -993,7 +1119,7 @@ "middleware_configs": { "description": "MiddlewareConfigs contains the list of middleware to apply to the transport\nand the configuration for each middleware.", "items": { - "$ref": "#/components/schemas/types.MiddlewareConfig" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig" }, "type": "array", "uniqueItems": false @@ -1003,7 +1129,7 @@ "type": "string" }, "oidc_config": { - "$ref": "#/components/schemas/auth.TokenValidatorConfig" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig" }, "permission_profile_name_or_path": { "description": "PermissionProfileNameOrPath is the name or path of the permission profile", 
@@ -1014,12 +1140,15 @@ "type": "integer" }, "proxy_mode": { - "description": "ProxyMode is the proxy mode for stdio transport (\"sse\" or \"streamable-http\")\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", - "enum": [ - "sse", - "streamable-http" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.ProxyMode" + }, + "publish": { + "description": "Publish lists ports to publish to the host in format \"hostPort:containerPort\"", + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": false }, "remote_auth_config": { "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth_remote.Config" @@ -1080,14 +1209,7 @@ "type": "object" }, "transport": { - "description": "Transport is the transport mode (stdio, sse, or streamable-http)", - "enum": [ - "stdio", - "sse", - "streamable-http", - "inspector" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" }, "trust_proxy_headers": { "description": "TrustProxyHeaders indicates whether to trust X-Forwarded-* headers from reverse proxies", 
@@ -1375,20 +1497,57 @@ }, "type": "object" }, - "ignore.Config": { - "description": "IgnoreConfig contains configuration for ignore processing", + "github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig": { "properties": { - "loadGlobal": { - "description": "Whether to load global ignore patterns", - "type": "boolean" + "parameters": { + "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", + "type": "object" }, - "printOverlays": { - "description": "Whether to print resolved overlay paths for debugging", - "type": "boolean" + "type": { + "description": "Type is a string representing the middleware type.", + "type": "string" } }, "type": "object" }, + "github_com_stacklok_toolhive_pkg_transport_types.ProxyMode": { + "description": "ProxyMode is the proxy mode for stdio transport (\"sse\" or \"streamable-http\")\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", + "enum": [ + "sse", + "streamable-http", + "sse", + "streamable-http" + ], + "type": "string", + "x-enum-varnames": [ + "ProxyModeSSE", + "ProxyModeStreamableHTTP" + ] + }, + "github_com_stacklok_toolhive_pkg_transport_types.TransportType": { + "description": "Transport is the transport mode (stdio, sse, or streamable-http)", + "enum": [ + "stdio", + "sse", + "streamable-http", + "inspector", + "stdio", + "sse", + "streamable-http", + "inspector", + "stdio", + "sse", + "streamable-http", + "inspector" + ], + "type": "string", + "x-enum-varnames": [ + "TransportTypeStdio", + "TransportTypeSSE", + "TransportTypeStreamableHTTP", + "TransportTypeInspector" + ] + }, "permissions.InboundNetworkPermissions": { "description": "Inbound defines inbound network permissions", "properties": { 
@@ -2449,19 +2608,7 @@ "description": "Response containing workload status information", "properties": { "status": { - "description": "Current status of the workload", - "enum": [ - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated" - ], - "type": "string" + "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" } }, "type": "object" 
@@ -2875,120 +3022,6 @@ } }, "type": "object" - }, - "storage.ACLUserRunConfig": { - "description": "ACLUserConfig contains ACL user authentication configuration.", - "properties": { - "password_env_var": { - "description": "PasswordEnvVar is the environment variable containing the Redis password.", - "type": "string" - }, - "username_env_var": { - "description": "UsernameEnvVar is the environment variable containing the Redis username.", - "type": "string" - } - }, - "type": "object" - }, - "storage.RedisRunConfig": { - "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", - "properties": { - "acl_user_config": { - "$ref": "#/components/schemas/storage.ACLUserRunConfig" - }, - "auth_type": { - "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", - "type": "string" - }, - "dial_timeout": { - "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", - "type": "string" - }, - "key_prefix": { - "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", - "type": "string" - }, - "read_timeout": { - "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", - "type": "string" - }, - "sentinel_config": { - "$ref": "#/components/schemas/storage.SentinelRunConfig" - }, - "sentinel_tls": { - "$ref": "#/components/schemas/storage.RedisTLSRunConfig" - }, - "tls": { - "$ref": "#/components/schemas/storage.RedisTLSRunConfig" - }, - "write_timeout": { - "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", - "type": "string" - } - }, - "type": "object" - }, - "storage.RedisTLSRunConfig": { - "description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", - "properties": { - "ca_cert_file": { - "description": "CACertFile is the path to a PEM-encoded CA certificate file.", - "type": "string" - }, - "insecure_skip_verify": { - "description": 
"InsecureSkipVerify skips certificate verification.", - "type": "boolean" - } - }, - "type": "object" - }, - "storage.RunConfig": { - "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", - "properties": { - "redis_config": { - "$ref": "#/components/schemas/storage.RedisRunConfig" - }, - "type": { - "description": "Type specifies the storage backend type. Defaults to \"memory\".", - "type": "string" - } - }, - "type": "object" - }, - "storage.SentinelRunConfig": { - "description": "SentinelConfig contains Sentinel-specific configuration.", - "properties": { - "db": { - "description": "DB is the Redis database number (default: 0).", - "type": "integer" - }, - "master_name": { - "description": "MasterName is the name of the Redis Sentinel master.", - "type": "string" - }, - "sentinel_addrs": { - "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", - "items": { - "type": "string" - }, - "type": "array", - "uniqueItems": false - } - }, - "type": "object" - }, - "types.MiddlewareConfig": { - "properties": { - "parameters": { - "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", - "type": "object" - }, - "type": { - "description": "Type is a string representing the middleware type.", - "type": "string" - } - }, - "type": "object" } } }, diff --git a/docs/server/swagger.yaml b/docs/server/swagger.yaml index 6e8bbfef49..4d64a99455 100644 --- a/docs/server/swagger.yaml +++ b/docs/server/swagger.yaml 
@@ -1,57 +1,5 @@ components: schemas: - auth.TokenValidatorConfig: - description: |- - DEPRECATED: Middleware configuration. - OIDCConfig contains OIDC configuration - properties: - allowPrivateIP: - description: AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses - type: boolean - audience: - description: Audience is the expected audience for the token - type: string - authTokenFile: - description: AuthTokenFile is the path to file containing bearer token for - authentication - type: string - cacertPath: - description: CACertPath is the path to the CA certificate bundle for HTTPS - requests - type: string - clientID: - description: ClientID is the OIDC client ID - type: string - clientSecret: - description: ClientSecret is the optional OIDC client secret for introspection - type: string - insecureAllowHTTP: - description: |- - InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing - WARNING: This is insecure and should NEVER be used in production - type: boolean - introspectionURL: - description: IntrospectionURL is the optional introspection endpoint for - validating tokens - type: string - issuer: - description: Issuer is the OIDC issuer URL (e.g., https://accounts.google.com) - type: string - jwksurl: - description: JWKSURL is the URL to fetch the JWKS from - type: string - resourceURL: - description: ResourceURL is the explicit resource URL for OAuth discovery - (RFC 9728) - type: string - scopes: - description: |- - Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728) - If empty, defaults to ["openid"] - items: - type: string - type: array - type: object github_com_stacklok_toolhive-core_registry_types.Registry: description: Full registry data properties: 
@@ -141,6 +89,58 @@ components: +optional type: integer type: object + github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig: + description: |- + DEPRECATED: Middleware configuration. + OIDCConfig contains OIDC configuration + properties: + allowPrivateIP: + description: AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses + type: boolean + audience: + description: Audience is the expected audience for the token + type: string + authTokenFile: + description: AuthTokenFile is the path to file containing bearer token for + authentication + type: string + cacertPath: + description: CACertPath is the path to the CA certificate bundle for HTTPS + requests + type: string + clientID: + description: ClientID is the OIDC client ID + type: string + clientSecret: + description: ClientSecret is the optional OIDC client secret for introspection + type: string + insecureAllowHTTP: + description: |- + InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing + WARNING: This is insecure and should NEVER be used in production + type: boolean + introspectionURL: + description: IntrospectionURL is the optional introspection endpoint for + validating tokens + type: string + issuer: + description: Issuer is the OIDC issuer URL (e.g., https://accounts.google.com) + type: string + jwksurl: + description: JWKSURL is the URL to fetch the JWKS from + type: string + resourceURL: + description: ResourceURL is the explicit resource URL for OAuth discovery + (RFC 9728) + type: string + scopes: + description: |- + Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728) + If empty, defaults to ["openid"] + items: + type: string + type: array + type: object github_com_stacklok_toolhive_pkg_auth_awssts.Config: description: AWSStsConfig contains AWS STS token exchange configuration for accessing AWS services 
@@ -460,7 +460,7 @@ components: signing_key_config: $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.SigningKeyRunConfig' storage: - $ref: '#/components/schemas/storage.RunConfig' + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig' token_lifespans: $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.TokenLifespanRunConfig' upstreams: 
@@ -622,6 +622,86 @@ components: If not specified, defaults to GET. type: string type: object + github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig: + description: ACLUserConfig contains ACL user authentication configuration. + properties: + password_env_var: + description: PasswordEnvVar is the environment variable containing the Redis + password. + type: string + username_env_var: + description: UsernameEnvVar is the environment variable containing the Redis + username. + type: string + type: object + github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig: + description: RedisConfig is the Redis-specific configuration when Type is "redis". + properties: + acl_user_config: + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig' + auth_type: + description: AuthType must be "aclUser" - only ACL user authentication is + supported. + type: string + dial_timeout: + description: DialTimeout is the timeout for establishing connections (e.g., + "5s"). + type: string + key_prefix: + description: KeyPrefix for multi-tenancy, typically "thv:auth:{ns}:{name}:". + type: string + read_timeout: + description: ReadTimeout is the timeout for read operations (e.g., "3s"). + type: string + sentinel_config: + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig' + sentinel_tls: + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig' + tls: + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig' + write_timeout: + description: WriteTimeout is the timeout for write operations (e.g., "3s"). + type: string + type: object + github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig: + description: |- + SentinelTLS configures TLS for Sentinel connections. + Falls back to TLS config when nil. 
+ properties: + ca_cert_file: + description: CACertFile is the path to a PEM-encoded CA certificate file. + type: string + insecure_skip_verify: + description: InsecureSkipVerify skips certificate verification. + type: boolean + type: object + github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig: + description: |- + Storage configures the storage backend for the auth server. + If nil, defaults to in-memory storage. + properties: + redis_config: + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig' + type: + description: Type specifies the storage backend type. Defaults to "memory". + type: string + type: object + github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig: + description: SentinelConfig contains Sentinel-specific configuration. + properties: + db: + description: 'DB is the Redis database number (default: 0).' + type: integer + master_name: + description: MasterName is the name of the Redis Sentinel master. + type: string + sentinel_addrs: + description: SentinelAddrs is the list of Sentinel addresses (host:port). + items: + type: string + type: array + uniqueItems: false + type: object github_com_stacklok_toolhive_pkg_authz.Config: description: |- DEPRECATED: Middleware configuration. 
@@ -712,6 +792,47 @@ components: name: $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_client.ClientApp' type: object + github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus: + description: Current status of the workload + enum: + - running + - stopped + - error + - starting + - stopping + - unhealthy + - removing + - unknown + - unauthenticated + - running + - stopped + - error + - starting + - stopping + - unhealthy + - removing + - unknown + - unauthenticated + - running + - stopped + - error + - starting + - stopping + - unhealthy + - removing + - unknown + - unauthenticated + type: string + x-enum-varnames: + - WorkloadStatusRunning + - WorkloadStatusStopped + - WorkloadStatusError + - WorkloadStatusStarting + - WorkloadStatusStopping + - WorkloadStatusUnhealthy + - WorkloadStatusRemoving + - WorkloadStatusUnknown + - WorkloadStatusUnauthenticated github_com_stacklok_toolhive_pkg_container_templates.RuntimeConfig: description: |- RuntimeConfig allows overriding the default runtime configuration @@ -778,18 +899,7 @@ components: restart) type: string status: - description: Status is the current status of the workload. - enum: - - running - - stopped - - error - - starting - - stopping - - unhealthy - - removing - - unknown - - unauthenticated - type: string + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus' status_context: description: |- StatusContext provides additional context about the workload's status. @@ -802,13 +912,7 @@ components: type: array uniqueItems: false transport_type: - description: TransportType is the type of transport used for this workload. - enum: - - stdio - - sse - - streamable-http - - inspector - type: string + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType' url: description: URL is the URL of the workload exposed by the ToolHive proxy. type: string 
@@ -932,7 +1036,7 @@ components: description: Host is the host for the HTTP proxy type: string ignore_config: - $ref: '#/components/schemas/ignore.Config' + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_ignore.Config' image: description: Image is the Docker image to run type: string @@ -955,14 +1059,14 @@ components: MiddlewareConfigs contains the list of middleware to apply to the transport and the configuration for each middleware. items: - $ref: '#/components/schemas/types.MiddlewareConfig' + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig' type: array uniqueItems: false name: description: Name is the name of the MCP server type: string oidc_config: - $ref: '#/components/schemas/auth.TokenValidatorConfig' + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig' permission_profile_name_or_path: description: PermissionProfileNameOrPath is the name or path of the permission profile @@ -971,13 +1075,13 @@ components: description: Port is the port for the HTTP proxy to listen on (host port) type: integer proxy_mode: - description: |- - ProxyMode is the proxy mode for stdio transport ("sse" or "streamable-http") - Note: "sse" is deprecated; use "streamable-http" instead. - enum: - - sse - - streamable-http - type: string + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.ProxyMode' + publish: + description: Publish lists ports to publish to the host in format "hostPort:containerPort" + items: + type: string + type: array + uniqueItems: false remote_auth_config: $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_auth_remote.Config' remote_url: 
@@ -1031,13 +1135,7 @@ components: ToolsOverride is a map from an actual tool to its overridden name and/or description type: object transport: - description: Transport is the transport mode (stdio, sse, or streamable-http) - enum: - - stdio - - sse - - streamable-http - - inspector - type: string + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType' trust_proxy_headers: description: TrustProxyHeaders indicates whether to trust X-Forwarded-* headers from reverse proxies 
@@ -1305,16 +1403,51 @@ components: +optional type: boolean type: object - ignore.Config: - description: IgnoreConfig contains configuration for ignore processing + github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig: properties: - loadGlobal: - description: Whether to load global ignore patterns - type: boolean - printOverlays: - description: Whether to print resolved overlay paths for debugging - type: boolean + parameters: + description: |- + Parameters is a JSON object containing the middleware parameters. + It is stored as a raw message to allow flexible parameter types. + type: object + type: + description: Type is a string representing the middleware type. + type: string type: object + github_com_stacklok_toolhive_pkg_transport_types.ProxyMode: + description: |- + ProxyMode is the proxy mode for stdio transport ("sse" or "streamable-http") + Note: "sse" is deprecated; use "streamable-http" instead. + enum: + - sse + - streamable-http + - sse + - streamable-http + type: string + x-enum-varnames: + - ProxyModeSSE + - ProxyModeStreamableHTTP + github_com_stacklok_toolhive_pkg_transport_types.TransportType: + description: Transport is the transport mode (stdio, sse, or streamable-http) + enum: + - stdio + - sse + - streamable-http + - inspector + - stdio + - sse + - streamable-http + - inspector + - stdio + - sse + - streamable-http + - inspector + type: string + x-enum-varnames: + - TransportTypeStdio + - TransportTypeSSE + - TransportTypeStreamableHTTP + - TransportTypeInspector permissions.InboundNetworkPermissions: description: Inbound defines inbound network permissions properties: 
@@ -2116,18 +2249,7 @@ components: description: Response containing workload status information properties: status: - description: Current status of the workload - enum: - - running - - stopped - - error - - starting - - stopping - - unhealthy - - removing - - unknown - - unauthenticated - type: string + $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus' type: object registry.EnvVar: properties: 
@@ -2517,97 +2639,6 @@ components: predicate_type: type: string type: object - storage.ACLUserRunConfig: - description: ACLUserConfig contains ACL user authentication configuration. - properties: - password_env_var: - description: PasswordEnvVar is the environment variable containing the Redis - password. - type: string - username_env_var: - description: UsernameEnvVar is the environment variable containing the Redis - username. - type: string - type: object - storage.RedisRunConfig: - description: RedisConfig is the Redis-specific configuration when Type is "redis". - properties: - acl_user_config: - $ref: '#/components/schemas/storage.ACLUserRunConfig' - auth_type: - description: AuthType must be "aclUser" - only ACL user authentication is - supported. - type: string - dial_timeout: - description: DialTimeout is the timeout for establishing connections (e.g., - "5s"). - type: string - key_prefix: - description: KeyPrefix for multi-tenancy, typically "thv:auth:{ns}:{name}:". - type: string - read_timeout: - description: ReadTimeout is the timeout for read operations (e.g., "3s"). - type: string - sentinel_config: - $ref: '#/components/schemas/storage.SentinelRunConfig' - sentinel_tls: - $ref: '#/components/schemas/storage.RedisTLSRunConfig' - tls: - $ref: '#/components/schemas/storage.RedisTLSRunConfig' - write_timeout: - description: WriteTimeout is the timeout for write operations (e.g., "3s"). - type: string - type: object - storage.RedisTLSRunConfig: - description: |- - SentinelTLS configures TLS for Sentinel connections. - Falls back to TLS config when nil. - properties: - ca_cert_file: - description: CACertFile is the path to a PEM-encoded CA certificate file. - type: string - insecure_skip_verify: - description: InsecureSkipVerify skips certificate verification. - type: boolean - type: object - storage.RunConfig: - description: |- - Storage configures the storage backend for the auth server. - If nil, defaults to in-memory storage. 
- properties: - redis_config: - $ref: '#/components/schemas/storage.RedisRunConfig' - type: - description: Type specifies the storage backend type. Defaults to "memory". - type: string - type: object - storage.SentinelRunConfig: - description: SentinelConfig contains Sentinel-specific configuration. - properties: - db: - description: 'DB is the Redis database number (default: 0).' - type: integer - master_name: - description: MasterName is the name of the Redis Sentinel master. - type: string - sentinel_addrs: - description: SentinelAddrs is the list of Sentinel addresses (host:port). - items: - type: string - type: array - uniqueItems: false - type: object - types.MiddlewareConfig: - properties: - parameters: - description: |- - Parameters is a JSON object containing the middleware parameters. - It is stored as a raw message to allow flexible parameter types. - type: object - type: - description: Type is a string representing the middleware type. - type: string - type: object externalDocs: description: "" url: "" From c9255458f1cc3623c72edfc4010dd011b04979e2 Mon Sep 17 00:00:00 2001 From: Sanskarzz Date: Sun, 8 Mar 2026 19:44:17 +0530 Subject: [PATCH 3/6] fix: used require assertions Signed-off-by: Sanskarzz --- pkg/container/docker/client_helpers_test.go | 36 +++++++++++++++++++++ pkg/networking/port_test.go | 34 +++++++------------ 2 files changed, 47 insertions(+), 23 deletions(-) diff --git a/pkg/container/docker/client_helpers_test.go b/pkg/container/docker/client_helpers_test.go index 477f8fce4c..a8f98c6b21 100644 --- a/pkg/container/docker/client_helpers_test.go +++ b/pkg/container/docker/client_helpers_test.go 
@@ -118,6 +118,42 @@ func TestGeneratePortBindings_NonAuxiliaryAssignsRandomPortAndMutatesFirstBindin
 	assert.Equal(t, 1, countMatches, "expected exactly one first binding to be updated to hostPort=%s", expected)
 }
 
+func TestGeneratePortBindings_NonAuxiliaryKeepsExplicitHostPort(t *testing.T) {
+	t.Parallel()
+
+	labels := map[string]string{} // not auxiliary
+	in := map[string][]runtime.PortBinding{
+		"8080/tcp": {
+			{HostIP: "", HostPort: "9090"},
+		},
+	}
+	out, hostPort, err := generatePortBindings(labels, in)
+	require.NoError(t, err)
+	require.Equal(t, 9090, hostPort)
+
+	require.Contains(t, out, "8080/tcp")
+	require.Len(t, out["8080/tcp"], 1)
+	assert.Equal(t, "9090", out["8080/tcp"][0].HostPort)
+}
+
+func TestGeneratePortBindings_NonAuxiliaryAssignsRandomPortForZero(t *testing.T) {
+	t.Parallel()
+
+	labels := map[string]string{} // not auxiliary
+	in := map[string][]runtime.PortBinding{
+		"8080/tcp": {
+			{HostIP: "", HostPort: "0"},
+		},
+	}
+	out, hostPort, err := generatePortBindings(labels, in)
+	require.NoError(t, err)
+	require.NotZero(t, hostPort)
+
+	require.Contains(t, out, "8080/tcp")
+	require.Len(t, out["8080/tcp"], 1)
+	assert.Equal(t, fmt.Sprintf("%d", hostPort), out["8080/tcp"][0].HostPort)
+}
+
 func TestAddEgressEnvVars_SetsAll(t *testing.T) {
 	t.Parallel()
 
diff --git a/pkg/networking/port_test.go b/pkg/networking/port_test.go
index 04aa8a96fa..69f0d8b8b1 100644
--- a/pkg/networking/port_test.go
+++ b/pkg/networking/port_test.go
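Review bot: The two tests added here exercise an explicit host port (`"9090"`) and the `"0"` sentinel, but not a malformed explicit host port, so the error branch of generatePortBindings that converts the string (it appears to go through strconv.Atoi) has no coverage. Because `--publish` values are user-supplied, the same test shape would also pin whether an out-of-range value such as `"70000"` is rejected in generatePortBindings or is expected to have been caught earlier by ParsePortSpec; today neither expectation is recorded. A minimal case for the non-numeric path follows; separately, `fmt.Sprintf("%d", hostPort)` in the second test reads more directly as `strconv.Itoa(hostPort)`. The hunk's context lines belong to neighbouring tests whose bodies lie outside it.
```go
// … unchanged: TestGeneratePortBindings_NonAuxiliaryKeepsExplicitHostPort, …AssignsRandomPortForZero …

func TestGeneratePortBindings_NonAuxiliaryRejectsNonNumericHostPort(t *testing.T) {
	t.Parallel()

	labels := map[string]string{} // not auxiliary
	in := map[string][]runtime.PortBinding{
		"8080/tcp": {
			{HostIP: "", HostPort: "notaport"},
		},
	}
	_, _, err := generatePortBindings(labels, in)
	require.Error(t, err)
}
```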
@@ -71,15 +71,12 @@ func TestValidateCallbackPort(t *testing.T) {
 			err := networking.ValidateCallbackPort(tt.port, tt.clientID)
 
 			if tt.wantError {
-				if err == nil {
-					t.Errorf("ValidateCallbackPort() expected error but got nil")
-				} else if tt.errorMsg != "" && err.Error() != tt.errorMsg {
-					t.Errorf("ValidateCallbackPort() error = %v, want %v", err.Error(), tt.errorMsg)
+				require.Error(t, err)
+				if tt.errorMsg != "" {
+					require.EqualError(t, err, tt.errorMsg)
 				}
 			} else {
-				if err != nil {
-					t.Errorf("ValidateCallbackPort() unexpected error = %v", err)
-				}
+				require.NoError(t, err)
 			}
 		})
 	}
@@ -183,28 +180,19 @@ func TestParsePortSpec(t *testing.T) {
 			hostPort, containerPort, err := networking.ParsePortSpec(tt.portSpec)
 
 			if tt.wantError {
-				if err == nil {
-					t.Errorf("ParsePortSpec(%s) expected error but got nil", tt.portSpec)
-				}
-				return
-			}
-
-			if err != nil {
-				t.Errorf("ParsePortSpec(%s) unexpected error: %v", tt.portSpec, err)
+				require.Error(t, err, "ParsePortSpec(%s) expected error", tt.portSpec)
 				return
 			}
 
-			if tt.expectedHostPort != "" && hostPort != tt.expectedHostPort {
-				t.Errorf("ParsePortSpec(%s) hostPort = %s, want %s", tt.portSpec, hostPort, tt.expectedHostPort)
-			}
+			require.NoError(t, err, "ParsePortSpec(%s) unexpected error", tt.portSpec)
 
-			if tt.expectedHostPort == "" && hostPort == "" {
-				t.Errorf("ParsePortSpec(%s) hostPort is empty, want random port", tt.portSpec)
+			if tt.expectedHostPort != "" {
+				require.Equal(t, tt.expectedHostPort, hostPort, "ParsePortSpec(%s) unexpected host port", tt.portSpec)
+			} else {
+				require.NotEmpty(t, hostPort, "ParsePortSpec(%s) hostPort is empty, want random port", tt.portSpec)
 			}
 
-			if containerPort != tt.expectedContainer {
-				t.Errorf("ParsePortSpec(%s) containerPort = %d, want %d", tt.portSpec, containerPort, tt.expectedContainer)
-			}
+			require.Equal(t, tt.expectedContainer, containerPort, "ParsePortSpec(%s) unexpected container port", tt.portSpec)
 		})
 	}
 }
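Review bot: In the second hunk, `require.NotEmpty(t, hostPort, ...)` in the random-port branch accepts any non-empty string, so a ParsePortSpec that handed back a placeholder or a non-numeric value would still pass even though the message says a random port is wanted. Parsing the value pins the intent: `p, err := strconv.Atoi(hostPort)`, `require.NoError(t, err, "ParsePortSpec(%s) host port is not numeric", tt.portSpec)`, `require.Greater(t, p, 0, "ParsePortSpec(%s) host port should be positive", tt.portSpec)` (this needs a `strconv` import in the test file). The first hunk's move to `require.Error`/`require.EqualError` raises nothing. Both hunks sit inside t.Run subtests whose enclosing test functions begin outside the hunk.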
From d5903d64e2220fd3f7abedcbd33a40a576c0ef85 Mon Sep 17 00:00:00 2001
From: Sanskarzz
Date: Fri, 13 Mar 2026 11:25:44 +0530
Subject: [PATCH 4/6] fix: assert non-zero

Signed-off-by: Sanskarzz
---
 pkg/container/docker/client_helpers_test.go | 1 +
 1 file changed, 1 insertion(+)

diff --git a/pkg/container/docker/client_helpers_test.go b/pkg/container/docker/client_helpers_test.go
index a8f98c6b21..7a5de202a1 100644
--- a/pkg/container/docker/client_helpers_test.go
+++ b/pkg/container/docker/client_helpers_test.go
@@ -151,6 +151,7 @@ func TestGeneratePortBindings_NonAuxiliaryAssignsRandomPortForZero(t *testing.T)
 
 	require.Contains(t, out, "8080/tcp")
 	require.Len(t, out["8080/tcp"], 1)
+	assert.NotEqual(t, "0", out["8080/tcp"][0].HostPort)
 	assert.Equal(t, fmt.Sprintf("%d", hostPort), out["8080/tcp"][0].HostPort)
 }
 

From 4974b6096c6a3c3469f701fc372f940b0b6c540a Mon Sep 17 00:00:00 2001
From: Sanskarzz
Date: Wed, 18 Mar 2026 17:26:38 +0530
Subject: [PATCH 5/6] fix: lint

Signed-off-by: Sanskarzz
---
 pkg/networking/port.go | 1 -
 1 file changed, 1 deletion(-)

diff --git a/pkg/networking/port.go b/pkg/networking/port.go
index 19ba93fef8..b6bf5f3e03 100644
--- a/pkg/networking/port.go
+++ b/pkg/networking/port.go
@@ -11,7 +11,6 @@ import (
 	"log/slog"
 	"math/big"
 	"net"
-	"strconv"
 	"strings"

From 15e7c0483f656a94deb3762fc781402b375f7333 Mon Sep 17 00:00:00 2001
From: Sanskarzz
Date: Thu, 19 Mar 2026 03:01:32 +0530
Subject: [PATCH 6/6] fix: swag docs

Signed-off-by: Sanskarzz
---
 docs/server/docs.go      | 487 +++++++++++++++++++--------------------
 docs/server/swagger.json | 487 +++++++++++++++++++--------------------
 docs/server/swagger.yaml | 425 ++++++++++++++++------------------
 3 files changed, 662 insertions(+), 737 deletions(-)

diff --git a/docs/server/docs.go b/docs/server/docs.go
index 02e24e4289..cb0eaa7f4f 100644
--- a/docs/server/docs.go
+++ b/docs/server/docs.go
@@ -8,6 +8,63 @@ const docTemplate = `{ "schemes": {{ marshal .Schemes }}, "components": { "schemas": { + "auth.TokenValidatorConfig": { + "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", + "properties": { + "allowPrivateIP": { + "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", + "type": "boolean" + }, + "audience": { + "description": "Audience is the expected audience for the token", + "type": "string" + }, + "authTokenFile": { + "description": "AuthTokenFile is the path to file containing bearer token for authentication", + "type": "string" + }, + "cacertPath": { + "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", + "type": "string" + }, + "clientID": { + "description": "ClientID is the OIDC client ID", + "type": "string" + }, + "clientSecret": { + "description": "ClientSecret is the optional OIDC client secret for introspection", + "type": "string" + }, + "insecureAllowHTTP": { + "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", + "type": "boolean" + }, + "introspectionURL": { + "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", + "type": "string" + }, + "issuer": { + "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", + "type": "string" + }, + "jwksurl": { + "description": "JWKSURL is the URL to fetch the JWKS from", + "type": "string" + }, + "resourceURL": { + "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", + "type": "string" + }, + "scopes": { + "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, 
"github_com_stacklok_toolhive-core_registry_types.Registry": { "description": "Full registry data", "properties": { 
@@ -90,63 +147,6 @@ const docTemplate = `{ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig": { - "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", - "properties": { - "allowPrivateIP": { - "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", - "type": "boolean" - }, - "audience": { - "description": "Audience is the expected audience for the token", - "type": "string" - }, - "authTokenFile": { - "description": "AuthTokenFile is the path to file containing bearer token for authentication", - "type": "string" - }, - "cacertPath": { - "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", - "type": "string" - }, - "clientID": { - "description": "ClientID is the OIDC client ID", - "type": "string" - }, - "clientSecret": { - "description": "ClientSecret is the optional OIDC client secret for introspection", - "type": "string" - }, - "insecureAllowHTTP": { - "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", - "type": "boolean" - }, - "introspectionURL": { - "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", - "type": "string" - }, - "issuer": { - "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", - "type": "string" - }, - "jwksurl": { - "description": "JWKSURL is the URL to fetch the JWKS from", - "type": "string" - }, - "resourceURL": { - "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", - "type": "string" - }, - "scopes": { - "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, 
"github_com_stacklok_toolhive_pkg_auth_awssts.Config": { "description": "AWSStsConfig contains AWS STS token exchange configuration for accessing AWS services", "properties": { @@ -471,7 +471,7 @@ const docTemplate = `{ "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.SigningKeyRunConfig" }, "storage": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig" + "$ref": "#/components/schemas/storage.RunConfig" }, "token_lifespans": { "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.TokenLifespanRunConfig" 
@@ -633,107 +633,6 @@ const docTemplate = `{ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig": { - "description": "ACLUserConfig contains ACL user authentication configuration.", - "properties": { - "password_env_var": { - "description": "PasswordEnvVar is the environment variable containing the Redis password.", - "type": "string" - }, - "username_env_var": { - "description": "UsernameEnvVar is the environment variable containing the Redis username.", - "type": "string" - } - }, - "type": "object" - }, - "github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig": { - "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", - "properties": { - "acl_user_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig" - }, - "auth_type": { - "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", - "type": "string" - }, - "dial_timeout": { - "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", - "type": "string" - }, - "key_prefix": { - "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", - "type": "string" - }, - "read_timeout": { - "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", - "type": "string" - }, - "sentinel_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig" - }, - "sentinel_tls": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" - }, - "tls": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" - }, - "write_timeout": { - "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", - "type": "string" - } - }, - "type": "object" - }, - 
"github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig": { - "description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", - "properties": { - "ca_cert_file": { - "description": "CACertFile is the path to a PEM-encoded CA certificate file.", - "type": "string" - }, - "insecure_skip_verify": { - "description": "InsecureSkipVerify skips certificate verification.", - "type": "boolean" - } - }, - "type": "object" - }, - "github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig": { - "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", - "properties": { - "redis_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig" - }, - "type": { - "description": "Type specifies the storage backend type. Defaults to \"memory\".", - "type": "string" - } - }, - "type": "object" - }, - "github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig": { - "description": "SentinelConfig contains Sentinel-specific configuration.", - "properties": { - "db": { - "description": "DB is the Redis database number (default: 0).", - "type": "integer" - }, - "master_name": { - "description": "MasterName is the name of the Redis Sentinel master.", - "type": "string" - }, - "sentinel_addrs": { - "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", - "items": { - "type": "string" - }, - "type": "array", - "uniqueItems": false - } - }, - "type": "object" - }, "github_com_stacklok_toolhive_pkg_authz.Config": { "description": "DEPRECATED: Middleware configuration.\nAuthzConfig contains the authorization configuration", "properties": { 
@@ -837,50 +736,6 @@ const docTemplate = `{ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus": { - "description": "Current status of the workload", - "enum": [ - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated", - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated", - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated" - ], - "type": "string", - "x-enum-varnames": [ - "WorkloadStatusRunning", - "WorkloadStatusStopped", - "WorkloadStatusError", - "WorkloadStatusStarting", - "WorkloadStatusStopping", - "WorkloadStatusUnhealthy", - "WorkloadStatusRemoving", - "WorkloadStatusUnknown", - "WorkloadStatusUnauthenticated" - ] - }, "github_com_stacklok_toolhive_pkg_container_templates.RuntimeConfig": { "description": "RuntimeConfig allows overriding the default runtime configuration\nfor this specific workload (base images and packages)", "properties": { @@ -941,7 +796,19 @@ const docTemplate = `{ "type": "string" }, "status": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" + "description": "Status is the current status of the workload.", + "enum": [ + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated" + ], + "type": "string" }, "status_context": { "description": "StatusContext provides additional context about the workload's status.\nThe exact meaning is determined by the status and the underlying runtime.", 
@@ -956,7 +823,14 @@ const docTemplate = `{ "uniqueItems": false }, "transport_type": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" + "description": "TransportType is the type of transport used for this workload.", + "enum": [ + "stdio", + "sse", + "streamable-http", + "inspector" + ], + "type": "string" }, "url": { "description": "URL is the URL of the workload exposed by the ToolHive proxy.", @@ -1105,7 +979,7 @@ const docTemplate = `{ "type": "string" }, "ignore_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_ignore.Config" + "$ref": "#/components/schemas/ignore.Config" }, "image": { "description": "Image is the Docker image to run", @@ -1126,7 +1000,7 @@ const docTemplate = `{ "middleware_configs": { "description": "MiddlewareConfigs contains the list of middleware to apply to the transport\nand the configuration for each middleware.", "items": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig" + "$ref": "#/components/schemas/types.MiddlewareConfig" }, "type": "array", "uniqueItems": false @@ -1136,7 +1010,7 @@ const docTemplate = `{ "type": "string" }, "oidc_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig" + "$ref": "#/components/schemas/auth.TokenValidatorConfig" }, "permission_profile_name_or_path": { "description": "PermissionProfileNameOrPath is the name or path of the permission profile", 
@@ -1147,7 +1021,12 @@ const docTemplate = `{ "type": "integer" }, "proxy_mode": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.ProxyMode" + "description": "ProxyMode is the proxy mode for stdio transport (\"sse\" or \"streamable-http\")\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", + "enum": [ + "sse", + "streamable-http" + ], + "type": "string" }, "publish": { "description": "Publish lists ports to publish to the host in format \"hostPort:containerPort\"", @@ -1216,7 +1095,14 @@ const docTemplate = `{ "type": "object" }, "transport": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" + "description": "Transport is the transport mode (stdio, sse, or streamable-http)", + "enum": [ + "stdio", + "sse", + "streamable-http", + "inspector" + ], + "type": "string" }, "trust_proxy_headers": { "description": "TrustProxyHeaders indicates whether to trust X-Forwarded-* headers from reverse proxies", 
@@ -1504,57 +1390,20 @@ const docTemplate = `{ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig": { + "ignore.Config": { + "description": "IgnoreConfig contains configuration for ignore processing", "properties": { - "parameters": { - "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", - "type": "object" + "loadGlobal": { + "description": "Whether to load global ignore patterns", + "type": "boolean" }, - "type": { - "description": "Type is a string representing the middleware type.", - "type": "string" + "printOverlays": { + "description": "Whether to print resolved overlay paths for debugging", + "type": "boolean" } }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_transport_types.ProxyMode": { - "description": "ProxyMode is the proxy mode for stdio transport (\"sse\" or \"streamable-http\")\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", - "enum": [ - "sse", - "streamable-http", - "sse", - "streamable-http" - ], - "type": "string", - "x-enum-varnames": [ - "ProxyModeSSE", - "ProxyModeStreamableHTTP" - ] - }, - "github_com_stacklok_toolhive_pkg_transport_types.TransportType": { - "description": "Transport is the transport mode (stdio, sse, or streamable-http)", - "enum": [ - "stdio", - "sse", - "streamable-http", - "inspector", - "stdio", - "sse", - "streamable-http", - "inspector", - "stdio", - "sse", - "streamable-http", - "inspector" - ], - "type": "string", - "x-enum-varnames": [ - "TransportTypeStdio", - "TransportTypeSSE", - "TransportTypeStreamableHTTP", - "TransportTypeInspector" - ] - }, "permissions.InboundNetworkPermissions": { "description": "Inbound defines inbound network permissions", "properties": { 
@@ -2615,7 +2464,19 @@ const docTemplate = `{ "description": "Response containing workload status information", "properties": { "status": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" + "description": "Current status of the workload", + "enum": [ + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated" + ], + "type": "string" } }, "type": "object" 
@@ -3029,6 +2890,120 @@ const docTemplate = `{ } }, "type": "object" + }, + "storage.ACLUserRunConfig": { + "description": "ACLUserConfig contains ACL user authentication configuration.", + "properties": { + "password_env_var": { + "description": "PasswordEnvVar is the environment variable containing the Redis password.", + "type": "string" + }, + "username_env_var": { + "description": "UsernameEnvVar is the environment variable containing the Redis username.", + "type": "string" + } + }, + "type": "object" + }, + "storage.RedisRunConfig": { + "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", + "properties": { + "acl_user_config": { + "$ref": "#/components/schemas/storage.ACLUserRunConfig" + }, + "auth_type": { + "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", + "type": "string" + }, + "dial_timeout": { + "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", + "type": "string" + }, + "key_prefix": { + "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", + "type": "string" + }, + "read_timeout": { + "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", + "type": "string" + }, + "sentinel_config": { + "$ref": "#/components/schemas/storage.SentinelRunConfig" + }, + "sentinel_tls": { + "$ref": "#/components/schemas/storage.RedisTLSRunConfig" + }, + "tls": { + "$ref": "#/components/schemas/storage.RedisTLSRunConfig" + }, + "write_timeout": { + "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", + "type": "string" + } + }, + "type": "object" + }, + "storage.RedisTLSRunConfig": { + "description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", + "properties": { + "ca_cert_file": { + "description": "CACertFile is the path to a PEM-encoded CA certificate file.", + "type": "string" + }, + "insecure_skip_verify": { + 
"description": "InsecureSkipVerify skips certificate verification.", + "type": "boolean" + } + }, + "type": "object" + }, + "storage.RunConfig": { + "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", + "properties": { + "redis_config": { + "$ref": "#/components/schemas/storage.RedisRunConfig" + }, + "type": { + "description": "Type specifies the storage backend type. Defaults to \"memory\".", + "type": "string" + } + }, + "type": "object" + }, + "storage.SentinelRunConfig": { + "description": "SentinelConfig contains Sentinel-specific configuration.", + "properties": { + "db": { + "description": "DB is the Redis database number (default: 0).", + "type": "integer" + }, + "master_name": { + "description": "MasterName is the name of the Redis Sentinel master.", + "type": "string" + }, + "sentinel_addrs": { + "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": false + } + }, + "type": "object" + }, + "types.MiddlewareConfig": { + "properties": { + "parameters": { + "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", + "type": "object" + }, + "type": { + "description": "Type is a string representing the middleware type.", + "type": "string" + } + }, + "type": "object" } } }, diff --git a/docs/server/swagger.json b/docs/server/swagger.json index cd30dfefbc..0adf577973 100644 --- a/docs/server/swagger.json +++ b/docs/server/swagger.json 
@@ -1,6 +1,63 @@ { "components": { "schemas": { + "auth.TokenValidatorConfig": { + "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", + "properties": { + "allowPrivateIP": { + "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", + "type": "boolean" + }, + "audience": { + "description": "Audience is the expected audience for the token", + "type": "string" + }, + "authTokenFile": { + "description": "AuthTokenFile is the path to file containing bearer token for authentication", + "type": "string" + }, + "cacertPath": { + "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", + "type": "string" + }, + "clientID": { + "description": "ClientID is the OIDC client ID", + "type": "string" + }, + "clientSecret": { + "description": "ClientSecret is the optional OIDC client secret for introspection", + "type": "string" + }, + "insecureAllowHTTP": { + "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", + "type": "boolean" + }, + "introspectionURL": { + "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", + "type": "string" + }, + "issuer": { + "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", + "type": "string" + }, + "jwksurl": { + "description": "JWKSURL is the URL to fetch the JWKS from", + "type": "string" + }, + "resourceURL": { + "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", + "type": "string" + }, + "scopes": { + "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", + "items": { + "type": "string" + }, + "type": "array" + } + }, + "type": "object" + }, "github_com_stacklok_toolhive-core_registry_types.Registry": { "description": "Full registry data", 
"properties": { 
@@ -83,63 +140,6 @@ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig": { - "description": "DEPRECATED: Middleware configuration.\nOIDCConfig contains OIDC configuration", - "properties": { - "allowPrivateIP": { - "description": "AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses", - "type": "boolean" - }, - "audience": { - "description": "Audience is the expected audience for the token", - "type": "string" - }, - "authTokenFile": { - "description": "AuthTokenFile is the path to file containing bearer token for authentication", - "type": "string" - }, - "cacertPath": { - "description": "CACertPath is the path to the CA certificate bundle for HTTPS requests", - "type": "string" - }, - "clientID": { - "description": "ClientID is the OIDC client ID", - "type": "string" - }, - "clientSecret": { - "description": "ClientSecret is the optional OIDC client secret for introspection", - "type": "string" - }, - "insecureAllowHTTP": { - "description": "InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing\nWARNING: This is insecure and should NEVER be used in production", - "type": "boolean" - }, - "introspectionURL": { - "description": "IntrospectionURL is the optional introspection endpoint for validating tokens", - "type": "string" - }, - "issuer": { - "description": "Issuer is the OIDC issuer URL (e.g., https://accounts.google.com)", - "type": "string" - }, - "jwksurl": { - "description": "JWKSURL is the URL to fetch the JWKS from", - "type": "string" - }, - "resourceURL": { - "description": "ResourceURL is the explicit resource URL for OAuth discovery (RFC 9728)", - "type": "string" - }, - "scopes": { - "description": "Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728)\nIf empty, defaults to [\"openid\"]", - "items": { - "type": "string" - }, - "type": "array" - } - }, - "type": "object" - }, "github_com_stacklok_toolhive_pkg_auth_awssts.Config": { "description": 
"AWSStsConfig contains AWS STS token exchange configuration for accessing AWS services", "properties": { @@ -464,7 +464,7 @@ "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.SigningKeyRunConfig" }, "storage": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig" + "$ref": "#/components/schemas/storage.RunConfig" }, "token_lifespans": { "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.TokenLifespanRunConfig" 
@@ -626,107 +626,6 @@ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig": { - "description": "ACLUserConfig contains ACL user authentication configuration.", - "properties": { - "password_env_var": { - "description": "PasswordEnvVar is the environment variable containing the Redis password.", - "type": "string" - }, - "username_env_var": { - "description": "UsernameEnvVar is the environment variable containing the Redis username.", - "type": "string" - } - }, - "type": "object" - }, - "github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig": { - "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", - "properties": { - "acl_user_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig" - }, - "auth_type": { - "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", - "type": "string" - }, - "dial_timeout": { - "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", - "type": "string" - }, - "key_prefix": { - "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", - "type": "string" - }, - "read_timeout": { - "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", - "type": "string" - }, - "sentinel_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig" - }, - "sentinel_tls": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" - }, - "tls": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig" - }, - "write_timeout": { - "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", - "type": "string" - } - }, - "type": "object" - }, - "github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig": { - 
"description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", - "properties": { - "ca_cert_file": { - "description": "CACertFile is the path to a PEM-encoded CA certificate file.", - "type": "string" - }, - "insecure_skip_verify": { - "description": "InsecureSkipVerify skips certificate verification.", - "type": "boolean" - } - }, - "type": "object" - }, - "github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig": { - "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", - "properties": { - "redis_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig" - }, - "type": { - "description": "Type specifies the storage backend type. Defaults to \"memory\".", - "type": "string" - } - }, - "type": "object" - }, - "github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig": { - "description": "SentinelConfig contains Sentinel-specific configuration.", - "properties": { - "db": { - "description": "DB is the Redis database number (default: 0).", - "type": "integer" - }, - "master_name": { - "description": "MasterName is the name of the Redis Sentinel master.", - "type": "string" - }, - "sentinel_addrs": { - "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", - "items": { - "type": "string" - }, - "type": "array", - "uniqueItems": false - } - }, - "type": "object" - }, "github_com_stacklok_toolhive_pkg_authz.Config": { "description": "DEPRECATED: Middleware configuration.\nAuthzConfig contains the authorization configuration", "properties": { 
@@ -830,50 +729,6 @@ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus": { - "description": "Current status of the workload", - "enum": [ - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated", - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated", - "running", - "stopped", - "error", - "starting", - "stopping", - "unhealthy", - "removing", - "unknown", - "unauthenticated" - ], - "type": "string", - "x-enum-varnames": [ - "WorkloadStatusRunning", - "WorkloadStatusStopped", - "WorkloadStatusError", - "WorkloadStatusStarting", - "WorkloadStatusStopping", - "WorkloadStatusUnhealthy", - "WorkloadStatusRemoving", - "WorkloadStatusUnknown", - "WorkloadStatusUnauthenticated" - ] - }, "github_com_stacklok_toolhive_pkg_container_templates.RuntimeConfig": { "description": "RuntimeConfig allows overriding the default runtime configuration\nfor this specific workload (base images and packages)", "properties": { @@ -934,7 +789,19 @@ "type": "string" }, "status": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" + "description": "Status is the current status of the workload.", + "enum": [ + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated" + ], + "type": "string" }, "status_context": { "description": "StatusContext provides additional context about the workload's status.\nThe exact meaning is determined by the status and the underlying runtime.", 
@@ -949,7 +816,14 @@ "uniqueItems": false }, "transport_type": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" + "description": "TransportType is the type of transport used for this workload.", + "enum": [ + "stdio", + "sse", + "streamable-http", + "inspector" + ], + "type": "string" }, "url": { "description": "URL is the URL of the workload exposed by the ToolHive proxy.", @@ -1098,7 +972,7 @@ "type": "string" }, "ignore_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_ignore.Config" + "$ref": "#/components/schemas/ignore.Config" }, "image": { "description": "Image is the Docker image to run", @@ -1119,7 +993,7 @@ "middleware_configs": { "description": "MiddlewareConfigs contains the list of middleware to apply to the transport\nand the configuration for each middleware.", "items": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig" + "$ref": "#/components/schemas/types.MiddlewareConfig" }, "type": "array", "uniqueItems": false @@ -1129,7 +1003,7 @@ "type": "string" }, "oidc_config": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig" + "$ref": "#/components/schemas/auth.TokenValidatorConfig" }, "permission_profile_name_or_path": { "description": "PermissionProfileNameOrPath is the name or path of the permission profile", @@ -1140,7 +1014,12 @@ "type": "integer" }, "proxy_mode": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.ProxyMode" + "description": "ProxyMode is the proxy mode for stdio transport (\"sse\" or \"streamable-http\")\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", + "enum": [ + "sse", + "streamable-http" + ], + "type": "string" }, "publish": { "description": "Publish lists ports to publish to the host in format \"hostPort:containerPort\"", 
@@ -1209,7 +1088,14 @@ "type": "object" }, "transport": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType" + "description": "Transport is the transport mode (stdio, sse, or streamable-http)", + "enum": [ + "stdio", + "sse", + "streamable-http", + "inspector" + ], + "type": "string" }, "trust_proxy_headers": { "description": "TrustProxyHeaders indicates whether to trust X-Forwarded-* headers from reverse proxies", 
@@ -1497,57 +1383,20 @@ }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig": { + "ignore.Config": { + "description": "IgnoreConfig contains configuration for ignore processing", "properties": { - "parameters": { - "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", - "type": "object" + "loadGlobal": { + "description": "Whether to load global ignore patterns", + "type": "boolean" }, - "type": { - "description": "Type is a string representing the middleware type.", - "type": "string" + "printOverlays": { + "description": "Whether to print resolved overlay paths for debugging", + "type": "boolean" } }, "type": "object" }, - "github_com_stacklok_toolhive_pkg_transport_types.ProxyMode": { - "description": "ProxyMode is the proxy mode for stdio transport (\"sse\" or \"streamable-http\")\nNote: \"sse\" is deprecated; use \"streamable-http\" instead.", - "enum": [ - "sse", - "streamable-http", - "sse", - "streamable-http" - ], - "type": "string", - "x-enum-varnames": [ - "ProxyModeSSE", - "ProxyModeStreamableHTTP" - ] - }, - "github_com_stacklok_toolhive_pkg_transport_types.TransportType": { - "description": "Transport is the transport mode (stdio, sse, or streamable-http)", - "enum": [ - "stdio", - "sse", - "streamable-http", - "inspector", - "stdio", - "sse", - "streamable-http", - "inspector", - "stdio", - "sse", - "streamable-http", - "inspector" - ], - "type": "string", - "x-enum-varnames": [ - "TransportTypeStdio", - "TransportTypeSSE", - "TransportTypeStreamableHTTP", - "TransportTypeInspector" - ] - }, "permissions.InboundNetworkPermissions": { "description": "Inbound defines inbound network permissions", "properties": { 
@@ -2608,7 +2457,19 @@ "description": "Response containing workload status information", "properties": { "status": { - "$ref": "#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus" + "description": "Current status of the workload", + "enum": [ + "running", + "stopped", + "error", + "starting", + "stopping", + "unhealthy", + "removing", + "unknown", + "unauthenticated" + ], + "type": "string" } }, "type": "object" 
@@ -3022,6 +2883,120 @@ } }, "type": "object" + }, + "storage.ACLUserRunConfig": { + "description": "ACLUserConfig contains ACL user authentication configuration.", + "properties": { + "password_env_var": { + "description": "PasswordEnvVar is the environment variable containing the Redis password.", + "type": "string" + }, + "username_env_var": { + "description": "UsernameEnvVar is the environment variable containing the Redis username.", + "type": "string" + } + }, + "type": "object" + }, + "storage.RedisRunConfig": { + "description": "RedisConfig is the Redis-specific configuration when Type is \"redis\".", + "properties": { + "acl_user_config": { + "$ref": "#/components/schemas/storage.ACLUserRunConfig" + }, + "auth_type": { + "description": "AuthType must be \"aclUser\" - only ACL user authentication is supported.", + "type": "string" + }, + "dial_timeout": { + "description": "DialTimeout is the timeout for establishing connections (e.g., \"5s\").", + "type": "string" + }, + "key_prefix": { + "description": "KeyPrefix for multi-tenancy, typically \"thv:auth:{ns}:{name}:\".", + "type": "string" + }, + "read_timeout": { + "description": "ReadTimeout is the timeout for read operations (e.g., \"3s\").", + "type": "string" + }, + "sentinel_config": { + "$ref": "#/components/schemas/storage.SentinelRunConfig" + }, + "sentinel_tls": { + "$ref": "#/components/schemas/storage.RedisTLSRunConfig" + }, + "tls": { + "$ref": "#/components/schemas/storage.RedisTLSRunConfig" + }, + "write_timeout": { + "description": "WriteTimeout is the timeout for write operations (e.g., \"3s\").", + "type": "string" + } + }, + "type": "object" + }, + "storage.RedisTLSRunConfig": { + "description": "SentinelTLS configures TLS for Sentinel connections.\nFalls back to TLS config when nil.", + "properties": { + "ca_cert_file": { + "description": "CACertFile is the path to a PEM-encoded CA certificate file.", + "type": "string" + }, + "insecure_skip_verify": { + "description": 
"InsecureSkipVerify skips certificate verification.", + "type": "boolean" + } + }, + "type": "object" + }, + "storage.RunConfig": { + "description": "Storage configures the storage backend for the auth server.\nIf nil, defaults to in-memory storage.", + "properties": { + "redis_config": { + "$ref": "#/components/schemas/storage.RedisRunConfig" + }, + "type": { + "description": "Type specifies the storage backend type. Defaults to \"memory\".", + "type": "string" + } + }, + "type": "object" + }, + "storage.SentinelRunConfig": { + "description": "SentinelConfig contains Sentinel-specific configuration.", + "properties": { + "db": { + "description": "DB is the Redis database number (default: 0).", + "type": "integer" + }, + "master_name": { + "description": "MasterName is the name of the Redis Sentinel master.", + "type": "string" + }, + "sentinel_addrs": { + "description": "SentinelAddrs is the list of Sentinel addresses (host:port).", + "items": { + "type": "string" + }, + "type": "array", + "uniqueItems": false + } + }, + "type": "object" + }, + "types.MiddlewareConfig": { + "properties": { + "parameters": { + "description": "Parameters is a JSON object containing the middleware parameters.\nIt is stored as a raw message to allow flexible parameter types.", + "type": "object" + }, + "type": { + "description": "Type is a string representing the middleware type.", + "type": "string" + } + }, + "type": "object" } } }, diff --git a/docs/server/swagger.yaml b/docs/server/swagger.yaml index 4d64a99455..cf634e687c 100644 --- a/docs/server/swagger.yaml +++ b/docs/server/swagger.yaml 
@@ -1,5 +1,57 @@ components: schemas: + auth.TokenValidatorConfig: + description: |- + DEPRECATED: Middleware configuration. + OIDCConfig contains OIDC configuration + properties: + allowPrivateIP: + description: AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses + type: boolean + audience: + description: Audience is the expected audience for the token + type: string + authTokenFile: + description: AuthTokenFile is the path to file containing bearer token for + authentication + type: string + cacertPath: + description: CACertPath is the path to the CA certificate bundle for HTTPS + requests + type: string + clientID: + description: ClientID is the OIDC client ID + type: string + clientSecret: + description: ClientSecret is the optional OIDC client secret for introspection + type: string + insecureAllowHTTP: + description: |- + InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing + WARNING: This is insecure and should NEVER be used in production + type: boolean + introspectionURL: + description: IntrospectionURL is the optional introspection endpoint for + validating tokens + type: string + issuer: + description: Issuer is the OIDC issuer URL (e.g., https://accounts.google.com) + type: string + jwksurl: + description: JWKSURL is the URL to fetch the JWKS from + type: string + resourceURL: + description: ResourceURL is the explicit resource URL for OAuth discovery + (RFC 9728) + type: string + scopes: + description: |- + Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728) + If empty, defaults to ["openid"] + items: + type: string + type: array + type: object github_com_stacklok_toolhive-core_registry_types.Registry: description: Full registry data properties: 
@@ -89,58 +141,6 @@ components: +optional type: integer type: object - github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig: - description: |- - DEPRECATED: Middleware configuration. - OIDCConfig contains OIDC configuration - properties: - allowPrivateIP: - description: AllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses - type: boolean - audience: - description: Audience is the expected audience for the token - type: string - authTokenFile: - description: AuthTokenFile is the path to file containing bearer token for - authentication - type: string - cacertPath: - description: CACertPath is the path to the CA certificate bundle for HTTPS - requests - type: string - clientID: - description: ClientID is the OIDC client ID - type: string - clientSecret: - description: ClientSecret is the optional OIDC client secret for introspection - type: string - insecureAllowHTTP: - description: |- - InsecureAllowHTTP allows HTTP (non-HTTPS) OIDC issuers for development/testing - WARNING: This is insecure and should NEVER be used in production - type: boolean - introspectionURL: - description: IntrospectionURL is the optional introspection endpoint for - validating tokens - type: string - issuer: - description: Issuer is the OIDC issuer URL (e.g., https://accounts.google.com) - type: string - jwksurl: - description: JWKSURL is the URL to fetch the JWKS from - type: string - resourceURL: - description: ResourceURL is the explicit resource URL for OAuth discovery - (RFC 9728) - type: string - scopes: - description: |- - Scopes is the list of OAuth scopes to advertise in the well-known endpoint (RFC 9728) - If empty, defaults to ["openid"] - items: - type: string - type: array - type: object github_com_stacklok_toolhive_pkg_auth_awssts.Config: description: AWSStsConfig contains AWS STS token exchange configuration for accessing AWS services 
@@ -460,7 +460,7 @@ components: signing_key_config: $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.SigningKeyRunConfig' storage: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig' + $ref: '#/components/schemas/storage.RunConfig' token_lifespans: $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver.TokenLifespanRunConfig' upstreams: 
@@ -622,86 +622,6 @@ components: If not specified, defaults to GET. type: string type: object - github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig: - description: ACLUserConfig contains ACL user authentication configuration. - properties: - password_env_var: - description: PasswordEnvVar is the environment variable containing the Redis - password. - type: string - username_env_var: - description: UsernameEnvVar is the environment variable containing the Redis - username. - type: string - type: object - github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig: - description: RedisConfig is the Redis-specific configuration when Type is "redis". - properties: - acl_user_config: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.ACLUserRunConfig' - auth_type: - description: AuthType must be "aclUser" - only ACL user authentication is - supported. - type: string - dial_timeout: - description: DialTimeout is the timeout for establishing connections (e.g., - "5s"). - type: string - key_prefix: - description: KeyPrefix for multi-tenancy, typically "thv:auth:{ns}:{name}:". - type: string - read_timeout: - description: ReadTimeout is the timeout for read operations (e.g., "3s"). - type: string - sentinel_config: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig' - sentinel_tls: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig' - tls: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig' - write_timeout: - description: WriteTimeout is the timeout for write operations (e.g., "3s"). - type: string - type: object - github_com_stacklok_toolhive_pkg_authserver_storage.RedisTLSRunConfig: - description: |- - SentinelTLS configures TLS for Sentinel connections. - Falls back to TLS config when nil. 
- properties: - ca_cert_file: - description: CACertFile is the path to a PEM-encoded CA certificate file. - type: string - insecure_skip_verify: - description: InsecureSkipVerify skips certificate verification. - type: boolean - type: object - github_com_stacklok_toolhive_pkg_authserver_storage.RunConfig: - description: |- - Storage configures the storage backend for the auth server. - If nil, defaults to in-memory storage. - properties: - redis_config: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_authserver_storage.RedisRunConfig' - type: - description: Type specifies the storage backend type. Defaults to "memory". - type: string - type: object - github_com_stacklok_toolhive_pkg_authserver_storage.SentinelRunConfig: - description: SentinelConfig contains Sentinel-specific configuration. - properties: - db: - description: 'DB is the Redis database number (default: 0).' - type: integer - master_name: - description: MasterName is the name of the Redis Sentinel master. - type: string - sentinel_addrs: - description: SentinelAddrs is the list of Sentinel addresses (host:port). - items: - type: string - type: array - uniqueItems: false - type: object github_com_stacklok_toolhive_pkg_authz.Config: description: |- DEPRECATED: Middleware configuration. 
@@ -792,47 +712,6 @@ components: name: $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_client.ClientApp' type: object - github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus: - description: Current status of the workload - enum: - - running - - stopped - - error - - starting - - stopping - - unhealthy - - removing - - unknown - - unauthenticated - - running - - stopped - - error - - starting - - stopping - - unhealthy - - removing - - unknown - - unauthenticated - - running - - stopped - - error - - starting - - stopping - - unhealthy - - removing - - unknown - - unauthenticated - type: string - x-enum-varnames: - - WorkloadStatusRunning - - WorkloadStatusStopped - - WorkloadStatusError - - WorkloadStatusStarting - - WorkloadStatusStopping - - WorkloadStatusUnhealthy - - WorkloadStatusRemoving - - WorkloadStatusUnknown - - WorkloadStatusUnauthenticated github_com_stacklok_toolhive_pkg_container_templates.RuntimeConfig: description: |- RuntimeConfig allows overriding the default runtime configuration @@ -899,7 +778,18 @@ components: restart) type: string status: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus' + description: Status is the current status of the workload. + enum: + - running + - stopped + - error + - starting + - stopping + - unhealthy + - removing + - unknown + - unauthenticated + type: string status_context: description: |- StatusContext provides additional context about the workload's status. @@ -912,7 +802,13 @@ components: type: array uniqueItems: false transport_type: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType' + description: TransportType is the type of transport used for this workload. + enum: + - stdio + - sse + - streamable-http + - inspector + type: string url: description: URL is the URL of the workload exposed by the ToolHive proxy. type: string 
@@ -1036,7 +932,7 @@ components: description: Host is the host for the HTTP proxy type: string ignore_config: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_ignore.Config' + $ref: '#/components/schemas/ignore.Config' image: description: Image is the Docker image to run type: string @@ -1059,14 +955,14 @@ components: MiddlewareConfigs contains the list of middleware to apply to the transport and the configuration for each middleware. items: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig' + $ref: '#/components/schemas/types.MiddlewareConfig' type: array uniqueItems: false name: description: Name is the name of the MCP server type: string oidc_config: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_auth.TokenValidatorConfig' + $ref: '#/components/schemas/auth.TokenValidatorConfig' permission_profile_name_or_path: description: PermissionProfileNameOrPath is the name or path of the permission profile @@ -1075,7 +971,13 @@ components: description: Port is the port for the HTTP proxy to listen on (host port) type: integer proxy_mode: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.ProxyMode' + description: |- + ProxyMode is the proxy mode for stdio transport ("sse" or "streamable-http") + Note: "sse" is deprecated; use "streamable-http" instead. + enum: + - sse + - streamable-http + type: string publish: description: Publish lists ports to publish to the host in format "hostPort:containerPort" items: 
@@ -1135,7 +1037,13 @@ components: ToolsOverride is a map from an actual tool to its overridden name and/or description type: object transport: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_transport_types.TransportType' + description: Transport is the transport mode (stdio, sse, or streamable-http) + enum: + - stdio + - sse + - streamable-http + - inspector + type: string trust_proxy_headers: description: TrustProxyHeaders indicates whether to trust X-Forwarded-* headers from reverse proxies 
@@ -1403,51 +1311,16 @@ components: +optional type: boolean type: object - github_com_stacklok_toolhive_pkg_transport_types.MiddlewareConfig: + ignore.Config: + description: IgnoreConfig contains configuration for ignore processing properties: - parameters: - description: |- - Parameters is a JSON object containing the middleware parameters. - It is stored as a raw message to allow flexible parameter types. - type: object - type: - description: Type is a string representing the middleware type. - type: string + loadGlobal: + description: Whether to load global ignore patterns + type: boolean + printOverlays: + description: Whether to print resolved overlay paths for debugging + type: boolean type: object - github_com_stacklok_toolhive_pkg_transport_types.ProxyMode: - description: |- - ProxyMode is the proxy mode for stdio transport ("sse" or "streamable-http") - Note: "sse" is deprecated; use "streamable-http" instead. - enum: - - sse - - streamable-http - - sse - - streamable-http - type: string - x-enum-varnames: - - ProxyModeSSE - - ProxyModeStreamableHTTP - github_com_stacklok_toolhive_pkg_transport_types.TransportType: - description: Transport is the transport mode (stdio, sse, or streamable-http) - enum: - - stdio - - sse - - streamable-http - - inspector - - stdio - - sse - - streamable-http - - inspector - - stdio - - sse - - streamable-http - - inspector - type: string - x-enum-varnames: - - TransportTypeStdio - - TransportTypeSSE - - TransportTypeStreamableHTTP - - TransportTypeInspector permissions.InboundNetworkPermissions: description: Inbound defines inbound network permissions properties: 
@@ -2249,7 +2122,18 @@ components: description: Response containing workload status information properties: status: - $ref: '#/components/schemas/github_com_stacklok_toolhive_pkg_container_runtime.WorkloadStatus' + description: Current status of the workload + enum: + - running + - stopped + - error + - starting + - stopping + - unhealthy + - removing + - unknown + - unauthenticated + type: string type: object registry.EnvVar: properties: 
@@ -2639,6 +2523,97 @@ components: predicate_type: type: string type: object + storage.ACLUserRunConfig: + description: ACLUserConfig contains ACL user authentication configuration. + properties: + password_env_var: + description: PasswordEnvVar is the environment variable containing the Redis + password. + type: string + username_env_var: + description: UsernameEnvVar is the environment variable containing the Redis + username. + type: string + type: object + storage.RedisRunConfig: + description: RedisConfig is the Redis-specific configuration when Type is "redis". + properties: + acl_user_config: + $ref: '#/components/schemas/storage.ACLUserRunConfig' + auth_type: + description: AuthType must be "aclUser" - only ACL user authentication is + supported. + type: string + dial_timeout: + description: DialTimeout is the timeout for establishing connections (e.g., + "5s"). + type: string + key_prefix: + description: KeyPrefix for multi-tenancy, typically "thv:auth:{ns}:{name}:". + type: string + read_timeout: + description: ReadTimeout is the timeout for read operations (e.g., "3s"). + type: string + sentinel_config: + $ref: '#/components/schemas/storage.SentinelRunConfig' + sentinel_tls: + $ref: '#/components/schemas/storage.RedisTLSRunConfig' + tls: + $ref: '#/components/schemas/storage.RedisTLSRunConfig' + write_timeout: + description: WriteTimeout is the timeout for write operations (e.g., "3s"). + type: string + type: object + storage.RedisTLSRunConfig: + description: |- + SentinelTLS configures TLS for Sentinel connections. + Falls back to TLS config when nil. + properties: + ca_cert_file: + description: CACertFile is the path to a PEM-encoded CA certificate file. + type: string + insecure_skip_verify: + description: InsecureSkipVerify skips certificate verification. + type: boolean + type: object + storage.RunConfig: + description: |- + Storage configures the storage backend for the auth server. + If nil, defaults to in-memory storage. 
+ properties: + redis_config: + $ref: '#/components/schemas/storage.RedisRunConfig' + type: + description: Type specifies the storage backend type. Defaults to "memory". + type: string + type: object + storage.SentinelRunConfig: + description: SentinelConfig contains Sentinel-specific configuration. + properties: + db: + description: 'DB is the Redis database number (default: 0).' + type: integer + master_name: + description: MasterName is the name of the Redis Sentinel master. + type: string + sentinel_addrs: + description: SentinelAddrs is the list of Sentinel addresses (host:port). + items: + type: string + type: array + uniqueItems: false + type: object + types.MiddlewareConfig: + properties: + parameters: + description: |- + Parameters is a JSON object containing the middleware parameters. + It is stored as a raw message to allow flexible parameter types. + type: object + type: + description: Type is a string representing the middleware type. + type: string + type: object externalDocs: description: "" url: ""