updates

Author: masterkain

charts/metamcp/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: metamcp
 description: MetaMCP aggregator Helm chart for Kubernetes
 type: application
-version: 0.1.16
+version: 0.1.19
 appVersion: "latest"
 icon: https://icoretech.github.io/helm/charts/metamcp/logo.png
 keywords:

charts/metamcp/README.md

@@ -205,11 +205,10 @@ provision:
       # Plain env (non-secret)
       env:
         LOG_LEVEL: debug
-      # Secret-backed env: the provision Job reads Secret/<name> key=<key> and sets VAR=value when creating the server
-      stdioSecretEnv:
-        FIGMA_API_KEY:
-          name: figma-mcp-env
-          key: FIGMA_API_KEY
-        FIGMA_PERSONAL_ACCESS_TOKEN:
-          name: figma-mcp-env
-          key: FIGMA_PERSONAL_ACCESS_TOKEN
+      # Secret-backed env for STDIO: use envFrom
+      # The provision Job reads Secret/figma-mcp-env and injects all key/values
+      # into the MetaMCP server config (not into a Pod), so the STDIO process
+      # sees them when MetaMCP launches it.
+      envFrom:
+        - secretRef:
+            name: figma-mcp-env

charts/metamcp/README.md.gotmpl

@@ -147,11 +147,7 @@ provision:
       # Plain env (non-secret)
       env:
         LOG_LEVEL: debug
-      # Secret-backed env: the provision Job reads Secret/<name> key=<key> and sets VAR=value when creating the server
-      stdioSecretEnv:
-        FIGMA_API_KEY:
-          name: figma-mcp-env
-          key: FIGMA_API_KEY
-        FIGMA_PERSONAL_ACCESS_TOKEN:
-          name: figma-mcp-env
-          key: FIGMA_PERSONAL_ACCESS_TOKEN
+      # Secret-backed env for STDIO: use envFrom to pull all keys from a Secret/ConfigMap
+      envFrom:
+        - secretRef:
+            name: figma-mcp-env

charts/metamcp/scripts/provision.py

@@ -59,15 +59,31 @@ def signin(retries=8, delay=1.5):
         r = sess.post(f"{BACKEND}/api/auth/sign-in/email", headers={'Content-Type':'application/json','Host': SVC}, json={'email': ADMIN_EMAIL,'password': ADMIN_PASSWORD}, timeout=6)
         if r.status_code == 200:
             try:
-                # Accept cookie from response plus token header fallback
+                # Accept token from JSON (multiple possible shapes) or fall back to session cookie
                 host = SVC.split(':')[0]
-                token = r.json().get('token')
+                token = None
+                try:
+                    j = r.json()
+                    token = (
+                        j.get('token')
+                        or j.get('sessionToken')
+                        or (j.get('data') or {}).get('token')
+                        or (j.get('data') or {}).get('sessionToken')
+                    )
+                except Exception:
+                    token = None
+                if not token:
+                    # try to read cookie set by server and mirror it under our in-cluster host
+                    for c in sess.cookies:
+                        if c.name == 'better-auth.session_token' and c.value:
+                            token = c.value
+                            break
                 if token:
                     try:
                         sess.cookies.set('better-auth.session_token', token, domain=host, path='/')
                     except Exception:
                         sess.cookies.set('better-auth.session_token', token)
-                sess.headers['Authorization'] = f"Bearer {token}"
+                    sess.headers['Authorization'] = f"Bearer {token}"
                 # Persist cookies to mozilla jar and reload next time
                 try:
                     mozjar.clear()
@@ -208,14 +224,7 @@ def k8s_get_configmap_data(name: str):
         env_map = {}
         if s.get('env') and isinstance(s['env'], dict):
             env_map.update({k:str(v) for k,v in s['env'].items()})
-        # Resolve stdioSecretEnv: { VAR: { name: <secret>, key: <key> (defaults to VAR) } }
-        sec = s.get('stdioSecretEnv')
-        if sec and isinstance(sec, dict):
-            for var, ref in sec.items():
-                if isinstance(ref, dict) and ref.get('name'):
-                    val = k8s_get_secret_val(ref['name'], ref.get('key') or var)
-                    if val is not None:
-                        env_map[var] = val
+        # STDIO envFrom: resolve Secrets/ConfigMaps into env for MetaMCP-registered servers
         # Resolve envFrom (Secrets/ConfigMaps): pull all key=val pairs into env
         for src in (s.get('envFrom') or []):
             if not isinstance(src, dict):
@@ -359,18 +368,4 @@ def list_servers():
             trpc_post('/trpc/frontend/frontend.mcpServers.update', payload)
 except Exception:
     pass
-def k8s_get_secret_val(name: str, key: str):
-    try:
-        token = open('/var/run/secrets/kubernetes.io/serviceaccount/token','r').read().strip()
-        cacert = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
-        ns = NS
-        url = f"https://kubernetes.default.svc/api/v1/namespaces/{ns}/secrets/{name}"
-        r = requests.get(url, headers={'Authorization': f'Bearer {token}'}, verify=cacert, timeout=5)
-        if r.status_code == 200:
-            data = r.json().get('data',{})
-            b = data.get(key)
-            if b:
-                return base64.b64decode(b).decode()
-    except Exception:
-        pass
-    return None
+ 

charts/metamcp/templates/hpa.yaml

@@ -27,10 +27,4 @@ spec:
           type: Utilization
           averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
     {{- end }}
-    - type: Resource
-      resource:
-        name: memory
-        target:
-          type: Utilization
-          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage | default 80 }}
 {{- end }}

charts/metamcp/templates/provision-config.yaml

@@ -18,8 +18,9 @@ data:
       {{- $hasDeploy := or (hasKey $s "node") (or (hasKey $s "python") (hasKey $s "image")) -}}
       {{- $port := (default 3001 $s.port) -}}
       {{- $svcBase := (printf "%s-%s.%s.svc.cluster.local:%d" $fullname $name $ns ($port | int)) -}}
-      {{- /* Build minimal server dict for the job */ -}}
+      {{- /* Build server dict for the job, including STDIO env sources */ -}}
       {{- $item := dict "name" $name "enabled" (default true $s.enabled) "type" $s.type "url" $s.url "bearerToken" $s.bearerToken "headers" ($s.headers | default (dict)) "command" ($s.command | default "") "args" ($s.args | default (list)) "env" ($s.env | default (dict)) -}}
+      {{- if (hasKey $s "envFrom") }}{{- $_ := set $item "envFrom" ($s.envFrom | default (list)) -}}{{- end -}}
       {{- if $hasDeploy }}{{- $_ := set $item "serviceBase" $svcBase -}}{{- end -}}
       {{- $outServers = append $outServers $item -}}
     {{- end -}}

charts/metamcp/values.schema.json

@@ -48,17 +48,6 @@
               "extraEnv": { "type": "array", "items": { "type": "object" } },
               "envFrom": { "type": "array", "items": { "type": "object" } },
               "secretEnv": { "type": "object", "additionalProperties": { "type": "string" } }
-              ,"stdioSecretEnv": {
-                "type": "object",
-                "additionalProperties": {
-                  "type": "object",
-                  "properties": {
-                    "name": { "type": "string" },
-                    "key": { "type": "string" }
-                  },
-                  "required": ["name"]
-                }
-              }
               ,"port": { "type": ["integer","null"], "minimum": 1 }
               ,"resources": { "type": "object" }
               ,"securityContext": { "type": "object" }