feat(metamcp/STDIO): support per-server env and stdioSecretEnv (resolved from K8s Secrets at provision time); docs + schema; bump 0.1.14

Author: masterkain

charts/metamcp/Chart.yaml

@@ -2,7 +2,7 @@ apiVersion: v2
 name: metamcp
 description: MetaMCP aggregator Helm chart for Kubernetes
 type: application
-version: 0.1.13
+version: 0.1.14
 appVersion: "latest"
 icon: https://icoretech.github.io/helm/charts/metamcp/logo.png
 keywords:

charts/metamcp/README.md

@@ -193,3 +193,23 @@ Provisioning authentication
 - Minimal e2e (in-cluster URLs, no Ingress): `examples/e2e.yaml`
 - Cache PVC per server (requires default StorageClass): `examples/provision-pvc.yaml`
 - Advanced options (resources, HPA, probes, volumes, init containers): `examples/provision-advanced.yaml`
+# STDIO server with env and Secret-backed env
+
+provision:
+  enabled: true
+  servers:
+    - name: figma
+      type: STDIO
+      command: "npx"
+      args: ["-y", "figma-developer-mcp", "--stdio"]
+      # Plain env (non-secret)
+      env:
+        LOG_LEVEL: debug
+      # Secret-backed env: the provision Job reads Secret/<name> key=<key> and sets VAR=value when creating the server
+      stdioSecretEnv:
+        FIGMA_API_KEY:
+          name: figma-mcp-env
+          key: FIGMA_API_KEY
+        FIGMA_PERSONAL_ACCESS_TOKEN:
+          name: figma-mcp-env
+          key: FIGMA_PERSONAL_ACCESS_TOKEN

charts/metamcp/README.md.gotmpl

@@ -135,3 +135,23 @@ Provisioning authentication
 - Minimal e2e (in-cluster URLs, no Ingress): `examples/e2e.yaml`
 - Cache PVC per server (requires default StorageClass): `examples/provision-pvc.yaml`
 - Advanced options (resources, HPA, probes, volumes, init containers): `examples/provision-advanced.yaml`
+# STDIO server with env and Secret-backed env
+
+provision:
+  enabled: true
+  servers:
+    - name: figma
+      type: STDIO
+      command: "npx"
+      args: ["-y", "figma-developer-mcp", "--stdio"]
+      # Plain env (non-secret)
+      env:
+        LOG_LEVEL: debug
+      # Secret-backed env: the provision Job reads Secret/<name> key=<key> and sets VAR=value when creating the server
+      stdioSecretEnv:
+        FIGMA_API_KEY:
+          name: figma-mcp-env
+          key: FIGMA_API_KEY
+        FIGMA_PERSONAL_ACCESS_TOKEN:
+          name: figma-mcp-env
+          key: FIGMA_PERSONAL_ACCESS_TOKEN

charts/metamcp/scripts/provision.py

@@ -3,6 +3,7 @@
 import http.cookiejar as cookiejar
 import socket
 from urllib.parse import urlparse
+import base64
 
 def log(msg):
     print(f"[provision] {msg}", flush=True)
@@ -160,7 +161,19 @@ def trpc_post_batch(path, body):
             body['command'] = cmd
             if isinstance(args, list) and args:
                 body['args'] = args
-        if s.get('env'): body['env'] = s['env']
+        env_map = {}
+        if s.get('env') and isinstance(s['env'], dict):
+            env_map.update({k:str(v) for k,v in s['env'].items()})
+        # Resolve stdioSecretEnv: { VAR: { name: <secret>, key: <key> (defaults to VAR) } }
+        sec = s.get('stdioSecretEnv')
+        if sec and isinstance(sec, dict):
+            for var, ref in sec.items():
+                if isinstance(ref, dict) and ref.get('name'):
+                    val = k8s_get_secret_val(ref['name'], ref.get('key') or var)
+                    if val is not None:
+                        env_map[var] = val
+        if env_map:
+            body['env'] = env_map
     r = trpc_post('/trpc/frontend/frontend.mcpServers.create', body)
     if r.ok:
         try:
@@ -294,3 +307,18 @@ def list_servers():
             trpc_post('/trpc/frontend/frontend.mcpServers.update', payload)
 except Exception:
     pass
+def k8s_get_secret_val(name: str, key: str):
+    try:
+        token = open('/var/run/secrets/kubernetes.io/serviceaccount/token','r').read().strip()
+        cacert = '/var/run/secrets/kubernetes.io/serviceaccount/ca.crt'
+        ns = NS
+        url = f"https://kubernetes.default.svc/api/v1/namespaces/{ns}/secrets/{name}"
+        r = requests.get(url, headers={'Authorization': f'Bearer {token}'}, verify=cacert, timeout=5)
+        if r.status_code == 200:
+            data = r.json().get('data',{})
+            b = data.get(key)
+            if b:
+                return base64.b64decode(b).decode()
+    except Exception:
+        pass
+    return None

charts/metamcp/values.schema.json

@@ -48,6 +48,17 @@
               "extraEnv": { "type": "array", "items": { "type": "object" } },
               "envFrom": { "type": "array", "items": { "type": "object" } },
               "secretEnv": { "type": "object", "additionalProperties": { "type": "string" } }
+              ,"stdioSecretEnv": {
+                "type": "object",
+                "additionalProperties": {
+                  "type": "object",
+                  "properties": {
+                    "name": { "type": "string" },
+                    "key": { "type": "string" }
+                  },
+                  "required": ["name"]
+                }
+              }
               ,"port": { "type": ["integer","null"], "minimum": 1 }
               ,"resources": { "type": "object" }
               ,"securityContext": { "type": "object" }
@@ -158,8 +169,7 @@
             },
             "allOf": [
               { "if": { "properties": { "type": { "const": "STDIO" } } }, "then": { "required": ["command"] } },
-              { "if": { "properties": { "type": { "const": "STDIO" } } }, "then": { "not": { "required": ["cache"] } } },
-              { "if": { "properties": { "type": { "const": "STDIO" } } }, "then": { "not": { "anyOf": [ { "required": ["envFrom"] }, { "required": ["secretEnv"] } ] } } }
+              { "if": { "properties": { "type": { "const": "STDIO" } } }, "then": { "not": { "required": ["cache"] } } }
             ]
           }
         },