fix: ensure that tool headers are resolved within the tools namespace

Currently we default to using the agent namespace - but this no longer holds true so we need to explicitly look at the tools namespace instead.

Signed-off-by: Brian Fox <878612+onematchfox@users.noreply.github.com>

Author: onematchfox

go/api/v1alpha2/remotemcpserver_types.go

@@ -71,21 +71,6 @@ func (t *RemoteMCPServerSpec) Scan(src any) error {
 	return nil
 }
 
-func (s *RemoteMCPServerSpec) ResolveHeaders(ctx context.Context, client client.Client, namespace string) (map[string]string, error) {
-	result := map[string]string{}
-
-	for _, h := range s.HeadersFrom {
-		k, v, err := h.Resolve(ctx, client, namespace)
-		if err != nil {
-			return nil, fmt.Errorf("failed to resolve header: %v", err)
-		}
-
-		result[k] = v
-	}
-
-	return result, nil
-}
-
 var _ driver.Valuer = (*RemoteMCPServerSpec)(nil)
 
 func (t RemoteMCPServerSpec) Value() (driver.Value, error) {
@@ -123,6 +108,22 @@ type RemoteMCPServer struct {
 	Status RemoteMCPServerStatus `json:"status,omitempty"`
 }
 
+// ResolveHeaders resolves all HeadersFrom entries using the object's namespace.
+func (r *RemoteMCPServer) ResolveHeaders(ctx context.Context, client client.Client) (map[string]string, error) {
+	result := map[string]string{}
+
+	for _, h := range r.Spec.HeadersFrom {
+		k, v, err := h.Resolve(ctx, client, r.Namespace)
+		if err != nil {
+			return nil, fmt.Errorf("failed to resolve header: %v", err)
+		}
+
+		result[k] = v
+	}
+
+	return result, nil
+}
+
 // +kubebuilder:object:root=true
 // RemoteMCPServerList contains a list of RemoteMCPServer.
 type RemoteMCPServerList struct {

go/internal/controller/reconciler/reconciler.go

@@ -199,7 +199,7 @@ func (a *kagentReconciler) ReconcileKagentMCPService(ctx context.Context, req ct
 	if remoteService, err := agent_translator.ConvertServiceToRemoteMCPServer(service); err != nil {
 		reconcileLog.Error(err, "failed to convert service to remote mcp service", "service", utils.GetObjectRef(service))
 	} else {
-		if _, err := a.upsertToolServerForRemoteMCPServer(ctx, dbService, remoteService, service.Namespace); err != nil {
+		if _, err := a.upsertToolServerForRemoteMCPServer(ctx, dbService, remoteService); err != nil {
 			return fmt.Errorf("failed to upsert tool server for mcp service %s: %v", utils.GetObjectRef(service), err)
 		}
 	}
@@ -365,7 +365,7 @@ func (a *kagentReconciler) ReconcileKagentMCPServer(ctx context.Context, req ctr
 	if remoteSpec, err := agent_translator.ConvertMCPServerToRemoteMCPServer(mcpServer); err != nil {
 		reconcileLog.Error(err, "failed to convert mcp server to remote mcp server", "mcpServer", utils.GetObjectRef(mcpServer))
 	} else {
-		if _, err := a.upsertToolServerForRemoteMCPServer(ctx, dbServer, remoteSpec, mcpServer.Namespace); err != nil {
+		if _, err := a.upsertToolServerForRemoteMCPServer(ctx, dbServer, remoteSpec); err != nil {
 			return fmt.Errorf("failed to upsert tool server for remote mcp server %s: %v", utils.GetObjectRef(mcpServer), err)
 		}
 	}
@@ -408,7 +408,7 @@ func (a *kagentReconciler) ReconcileKagentRemoteMCPServer(ctx context.Context, r
 		GroupKind:   server.GroupVersionKind().GroupKind().String(),
 	}
 
-	tools, err := a.upsertToolServerForRemoteMCPServer(ctx, dbServer, &server.Spec, server.Namespace)
+	tools, err := a.upsertToolServerForRemoteMCPServer(ctx, dbServer, server)
 	if err != nil {
 		l.Error(err, "failed to upsert tool server for remote mcp server")
 
@@ -638,7 +638,7 @@ func (a *kagentReconciler) upsertAgent(ctx context.Context, agent *v1alpha2.Agen
 	return nil
 }
 
-func (a *kagentReconciler) upsertToolServerForRemoteMCPServer(ctx context.Context, toolServer *database.ToolServer, remoteMcpServer *v1alpha2.RemoteMCPServerSpec, namespace string) ([]*v1alpha2.MCPTool, error) {
+func (a *kagentReconciler) upsertToolServerForRemoteMCPServer(ctx context.Context, toolServer *database.ToolServer, remoteMcpServer *v1alpha2.RemoteMCPServer) ([]*v1alpha2.MCPTool, error) {
 	// lock to prevent races
 	a.upsertLock.Lock()
 	defer a.upsertLock.Unlock()
@@ -647,7 +647,7 @@ func (a *kagentReconciler) upsertToolServerForRemoteMCPServer(ctx context.Contex
 		return nil, fmt.Errorf("failed to store toolServer %s: %v", toolServer.Name, err)
 	}
 
-	tsp, err := a.createMcpTransport(ctx, remoteMcpServer, namespace)
+	tsp, err := a.createMcpTransport(ctx, remoteMcpServer)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create client for toolServer %s: %v", toolServer.Name, err)
 	}
@@ -664,17 +664,17 @@ func (a *kagentReconciler) upsertToolServerForRemoteMCPServer(ctx context.Contex
 	return tools, nil
 }
 
-func (a *kagentReconciler) createMcpTransport(ctx context.Context, s *v1alpha2.RemoteMCPServerSpec, namespace string) (transport.Interface, error) {
-	headers, err := s.ResolveHeaders(ctx, a.kube, namespace)
+func (a *kagentReconciler) createMcpTransport(ctx context.Context, s *v1alpha2.RemoteMCPServer) (transport.Interface, error) {
+	headers, err := s.ResolveHeaders(ctx, a.kube)
 	if err != nil {
 		return nil, err
 	}
 
-	switch s.Protocol {
+	switch s.Spec.Protocol {
 	case v1alpha2.RemoteMCPServerProtocolSse:
-		return transport.NewSSE(s.URL, transport.WithHeaders(headers))
+		return transport.NewSSE(s.Spec.URL, transport.WithHeaders(headers))
 	default:
-		return transport.NewStreamableHTTP(s.URL, transport.WithHTTPHeaders(headers))
+		return transport.NewStreamableHTTP(s.Spec.URL, transport.WithHTTPHeaders(headers))
 	}
 }
 

go/internal/controller/translator/agent/adk_api_translator.go

@@ -512,10 +512,15 @@ func (a *adkApiTranslator) translateInlineAgent(ctx context.Context, agent *v1al
 	}
 
 	for _, tool := range agent.Spec.Declarative.Tools {
+		headers, err := tool.ResolveHeaders(ctx, a.kube, agent.Namespace)
+		if err != nil {
+			return nil, nil, nil, err
+		}
+
 		// Skip tools that are not applicable to the model provider
 		switch {
 		case tool.McpServer != nil:
-			err := a.translateMCPServerTarget(ctx, cfg, agent.Namespace, tool.McpServer, tool.HeadersFrom)
+			err := a.translateMCPServerTarget(ctx, cfg, agent.Namespace, tool.McpServer, headers)
 			if err != nil {
 				return nil, nil, nil, err
 			}
@@ -545,10 +550,6 @@ func (a *adkApiTranslator) translateInlineAgent(ctx context.Context, agent *v1al
 			switch toolAgent.Spec.Type {
 			case v1alpha2.AgentType_BYO, v1alpha2.AgentType_Declarative:
 				url := fmt.Sprintf("http://%s.%s:8080", toolAgent.Name, toolAgent.Namespace)
-				headers, err := tool.ResolveHeaders(ctx, a.kube, agent.Namespace)
-				if err != nil {
-					return nil, nil, nil, err
-				}
 
 				cfg.RemoteAgents = append(cfg.RemoteAgents, adk.RemoteAgentConfig{
 					Name:        utils.ConvertToPythonIdentifier(utils.GetObjectRef(toolAgent)),
@@ -910,48 +911,52 @@ func (a *adkApiTranslator) translateModel(ctx context.Context, namespace, modelC
 	return nil, nil, nil, fmt.Errorf("unknown model provider: %s", model.Spec.Provider)
 }
 
-func (a *adkApiTranslator) translateStreamableHttpTool(ctx context.Context, tool *v1alpha2.RemoteMCPServerSpec, namespace string) (*adk.StreamableHTTPConnectionParams, error) {
-	headers, err := tool.ResolveHeaders(ctx, a.kube, namespace)
+func (a *adkApiTranslator) translateStreamableHttpTool(ctx context.Context, server *v1alpha2.RemoteMCPServer, agentHeaders map[string]string) (*adk.StreamableHTTPConnectionParams, error) {
+	headers, err := server.ResolveHeaders(ctx, a.kube)
 	if err != nil {
 		return nil, err
 	}
+	// Agent headers override tool headers
+	maps.Copy(headers, agentHeaders)
 
 	params := &adk.StreamableHTTPConnectionParams{
-		Url:     tool.URL,
+		Url:     server.Spec.URL,
 		Headers: headers,
 	}
-	if tool.Timeout != nil {
-		params.Timeout = ptr.To(tool.Timeout.Seconds())
+	if server.Spec.Timeout != nil {
+		params.Timeout = ptr.To(server.Spec.Timeout.Seconds())
 	}
-	if tool.SseReadTimeout != nil {
-		params.SseReadTimeout = ptr.To(tool.SseReadTimeout.Seconds())
+	if server.Spec.SseReadTimeout != nil {
+		params.SseReadTimeout = ptr.To(server.Spec.SseReadTimeout.Seconds())
 	}
-	if tool.TerminateOnClose != nil {
-		params.TerminateOnClose = tool.TerminateOnClose
+	if server.Spec.TerminateOnClose != nil {
+		params.TerminateOnClose = server.Spec.TerminateOnClose
 	}
 	return params, nil
 }
 
-func (a *adkApiTranslator) translateSseHttpTool(ctx context.Context, tool *v1alpha2.RemoteMCPServerSpec, namespace string) (*adk.SseConnectionParams, error) {
-	headers, err := tool.ResolveHeaders(ctx, a.kube, namespace)
+func (a *adkApiTranslator) translateSseHttpTool(ctx context.Context, server *v1alpha2.RemoteMCPServer, agentHeaders map[string]string) (*adk.SseConnectionParams, error) {
+	headers, err := server.ResolveHeaders(ctx, a.kube)
 	if err != nil {
 		return nil, err
 	}
+	// Agent headers override tool headers
+	maps.Copy(headers, agentHeaders)
 
 	params := &adk.SseConnectionParams{
-		Url:     tool.URL,
+		Url:     server.Spec.URL,
 		Headers: headers,
 	}
-	if tool.Timeout != nil {
-		params.Timeout = ptr.To(tool.Timeout.Seconds())
+	if server.Spec.Timeout != nil {
+		params.Timeout = ptr.To(server.Spec.Timeout.Seconds())
 	}
-	if tool.SseReadTimeout != nil {
-		params.SseReadTimeout = ptr.To(tool.SseReadTimeout.Seconds())
+	if server.Spec.SseReadTimeout != nil {
+		params.SseReadTimeout = ptr.To(server.Spec.SseReadTimeout.Seconds())
 	}
 	return params, nil
 }
 
-func (a *adkApiTranslator) translateMCPServerTarget(ctx context.Context, agent *adk.AgentConfig, agentNamespace string, toolServer *v1alpha2.McpServerTool, toolHeaders []v1alpha2.ValueRef) error {
+func (a *adkApiTranslator) translateMCPServerTarget(ctx context.Context, agent *adk.AgentConfig, agentNamespace string, toolServer *v1alpha2.McpServerTool, agentHeaders map[string]string) error {
 	gvk := toolServer.GroupKind()
 
 	switch gvk {
@@ -983,14 +988,12 @@ func (a *adkApiTranslator) translateMCPServerTarget(ctx context.Context, agent *
 			return fmt.Errorf("cross-namespace reference to MCPServer %s is not allowed from namespace %s: MCPServer does not support cross-namespace references", mcpServerRef, agentNamespace)
 		}
 
-		spec, err := ConvertMCPServerToRemoteMCPServer(mcpServer)
+		remoteMcpServer, err := ConvertMCPServerToRemoteMCPServer(mcpServer)
 		if err != nil {
 			return err
 		}
 
-		spec.HeadersFrom = append(spec.HeadersFrom, toolHeaders...)
-
-		return a.translateRemoteMCPServerTarget(ctx, agent, agentNamespace, spec, toolServer.ToolNames)
+		return a.translateRemoteMCPServerTarget(ctx, agent, remoteMcpServer, toolServer.ToolNames, agentHeaders)
 	case schema.GroupKind{
 		Group: "",
 		Kind:  "RemoteMCPServer",
@@ -1017,9 +1020,7 @@ func (a *adkApiTranslator) translateMCPServerTarget(ctx context.Context, agent *
 			return fmt.Errorf("cross-namespace reference to RemoteMCPServer %s is not allowed from namespace %s", remoteMcpServerRef, agentNamespace)
 		}
 
-		remoteMcpServer.Spec.HeadersFrom = append(remoteMcpServer.Spec.HeadersFrom, toolHeaders...)
-
-		return a.translateRemoteMCPServerTarget(ctx, agent, agentNamespace, &remoteMcpServer.Spec, toolServer.ToolNames)
+		return a.translateRemoteMCPServerTarget(ctx, agent, remoteMcpServer, toolServer.ToolNames, agentHeaders)
 	case schema.GroupKind{
 		Group: "",
 		Kind:  "Service",
@@ -1043,21 +1044,19 @@ func (a *adkApiTranslator) translateMCPServerTarget(ctx context.Context, agent *
 			return fmt.Errorf("cross-namespace reference to Service %s is not allowed from namespace %s: Service does not support cross-namespace references", svcRef, agentNamespace)
 		}
 
-		spec, err := ConvertServiceToRemoteMCPServer(svc)
+		remoteMcpServer, err := ConvertServiceToRemoteMCPServer(svc)
 		if err != nil {
 			return err
 		}
 
-		spec.HeadersFrom = append(spec.HeadersFrom, toolHeaders...)
-
-		return a.translateRemoteMCPServerTarget(ctx, agent, agentNamespace, spec, toolServer.ToolNames)
+		return a.translateRemoteMCPServerTarget(ctx, agent, remoteMcpServer, toolServer.ToolNames, agentHeaders)
 
 	default:
 		return fmt.Errorf("unknown tool server type: %s", gvk)
 	}
 }
 
-func ConvertServiceToRemoteMCPServer(svc *corev1.Service) (*v1alpha2.RemoteMCPServerSpec, error) {
+func ConvertServiceToRemoteMCPServer(svc *corev1.Service) (*v1alpha2.RemoteMCPServer, error) {
 	// Check wellknown annotations
 	port := int64(0)
 	protocol := string(MCPServiceProtocolDefault)
@@ -1098,27 +1097,39 @@ func ConvertServiceToRemoteMCPServer(svc *corev1.Service) (*v1alpha2.RemoteMCPSe
 	if port == 0 {
 		return nil, fmt.Errorf("no port found for service %s with protocol %s", svc.Name, protocol)
 	}
-	return &v1alpha2.RemoteMCPServerSpec{
-		URL:      fmt.Sprintf("http://%s.%s:%d%s", svc.Name, svc.Namespace, port, path),
-		Protocol: v1alpha2.RemoteMCPServerProtocol(protocol),
+	return &v1alpha2.RemoteMCPServer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      svc.Name,
+			Namespace: svc.Namespace,
+		},
+		Spec: v1alpha2.RemoteMCPServerSpec{
+			URL:      fmt.Sprintf("http://%s.%s:%d%s", svc.Name, svc.Namespace, port, path),
+			Protocol: v1alpha2.RemoteMCPServerProtocol(protocol),
+		},
 	}, nil
 }
 
-func ConvertMCPServerToRemoteMCPServer(mcpServer *v1alpha1.MCPServer) (*v1alpha2.RemoteMCPServerSpec, error) {
+func ConvertMCPServerToRemoteMCPServer(mcpServer *v1alpha1.MCPServer) (*v1alpha2.RemoteMCPServer, error) {
 	if mcpServer.Spec.Deployment.Port == 0 {
 		return nil, fmt.Errorf("cannot determine port for MCP server %s", mcpServer.Name)
 	}
 
-	return &v1alpha2.RemoteMCPServerSpec{
-		URL:      fmt.Sprintf("http://%s.%s:%d/mcp", mcpServer.Name, mcpServer.Namespace, mcpServer.Spec.Deployment.Port),
-		Protocol: v1alpha2.RemoteMCPServerProtocolStreamableHttp,
+	return &v1alpha2.RemoteMCPServer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      mcpServer.Name,
+			Namespace: mcpServer.Namespace,
+		},
+		Spec: v1alpha2.RemoteMCPServerSpec{
+			URL:      fmt.Sprintf("http://%s.%s:%d/mcp", mcpServer.Name, mcpServer.Namespace, mcpServer.Spec.Deployment.Port),
+			Protocol: v1alpha2.RemoteMCPServerProtocolStreamableHttp,
+		},
 	}, nil
 }
 
-func (a *adkApiTranslator) translateRemoteMCPServerTarget(ctx context.Context, agent *adk.AgentConfig, agentNamespace string, remoteMcpServer *v1alpha2.RemoteMCPServerSpec, toolNames []string) error {
-	switch remoteMcpServer.Protocol {
+func (a *adkApiTranslator) translateRemoteMCPServerTarget(ctx context.Context, agent *adk.AgentConfig, remoteMcpServer *v1alpha2.RemoteMCPServer, toolNames []string, agentHeaders map[string]string) error {
+	switch remoteMcpServer.Spec.Protocol {
 	case v1alpha2.RemoteMCPServerProtocolSse:
-		tool, err := a.translateSseHttpTool(ctx, remoteMcpServer, agentNamespace)
+		tool, err := a.translateSseHttpTool(ctx, remoteMcpServer, agentHeaders)
 		if err != nil {
 			return err
 		}
@@ -1127,7 +1138,7 @@ func (a *adkApiTranslator) translateRemoteMCPServerTarget(ctx context.Context, a
 			Tools:  toolNames,
 		})
 	default:
-		tool, err := a.translateStreamableHttpTool(ctx, remoteMcpServer, agentNamespace)
+		tool, err := a.translateStreamableHttpTool(ctx, remoteMcpServer, agentHeaders)
 		if err != nil {
 			return err
 		}