fix: remove allow_transport from network permissions (#1048)

Co-authored-by: taskbot <[email protected]>

Author: yrobla

cmd/thv-operator/api/v1alpha1/mcpserver_types.go

@@ -252,10 +252,6 @@ type OutboundNetworkPermissions struct {
 	// +optional
 	InsecureAllowAll bool `json:"insecureAllowAll,omitempty"`
 
-	// AllowTransport is a list of transport protocols to allow (e.g., "tcp", "udp")
-	// +optional
-	AllowTransport []string `json:"allowTransport,omitempty"`
-
 	// AllowHost is a list of hosts to allow connections to
 	// +optional
 	AllowHost []string `json:"allowHost,omitempty"`

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -243,10 +243,6 @@ func printTextServerInfo(name string, server *registry.ImageMetadata) {
 				fmt.Println("    Insecure Allow All: true")
 			}
 
-			if len(outbound.AllowTransport) > 0 {
-				fmt.Printf("    Allow Transport: %s\n", strings.Join(outbound.AllowTransport, ", "))
-			}
-
 			if len(outbound.AllowHost) > 0 {
 				fmt.Printf("    Allow Host: %s\n", strings.Join(outbound.AllowHost, ", "))
 			}

cmd/thv/app/registry.go

@@ -254,16 +254,6 @@
           "uniqueItems": true,
           "default": []
         },
-        "allow_transport": {
-          "type": "array",
-          "description": "Allowed transport protocols for outbound connections",
-          "items": {
-            "type": "string",
-            "enum": ["tcp", "udp"]
-          },
-          "uniqueItems": true,
-          "default": []
-        },
         "insecure_allow_all": {
           "type": "boolean",
           "description": "Whether to allow all outbound connections (insecure, use with caution)",

docs/operator/crd-api.md

@@ -223,16 +223,6 @@ func writeOutboundACLs(sb *strings.Builder, outbound *permissions.OutboundNetwor
 		}
 		sb.WriteString("\n")
 	}
-
-	if len(outbound.AllowTransport) > 0 {
-		sb.WriteString("# Define allowed methods\nacl allowed_methods method")
-		for _, method := range outbound.AllowTransport {
-			if strings.ToUpper(method) == "TCP" {
-				sb.WriteString(" CONNECT GET POST HEAD")
-			}
-			sb.WriteString(" " + strings.ToUpper(method))
-		}
-	}
 }
 
 func writeHttpAccessRules(sb *strings.Builder, outbound *permissions.OutboundNetworkPermissions) {
@@ -243,9 +233,6 @@ func writeHttpAccessRules(sb *strings.Builder, outbound *permissions.OutboundNet
 	if len(outbound.AllowHost) > 0 {
 		conditions = append(conditions, "allowed_dsts")
 	}
-	if len(outbound.AllowTransport) > 0 {
-		conditions = append(conditions, "allowed_methods")
-	}
 	if len(conditions) > 0 {
 		sb.WriteString("\n# Define http_access rules\n")
 		sb.WriteString("http_access allow " + strings.Join(conditions, " ") + "\n")

docs/registry/schema.json

@@ -50,9 +50,6 @@ type OutboundNetworkPermissions struct {
 	// InsecureAllowAll allows all outbound network connections
 	InsecureAllowAll bool `json:"insecure_allow_all,omitempty"`
 
-	// AllowTransport is a list of allowed transport protocols (tcp, udp)
-	AllowTransport []string `json:"allow_transport,omitempty"`
-
 	// AllowHost is a list of allowed hosts
 	AllowHost []string `json:"allow_host,omitempty"`
 
@@ -69,7 +66,6 @@ func NewProfile() *Profile {
 		Network: &NetworkPermissions{
 			Outbound: &OutboundNetworkPermissions{
 				InsecureAllowAll: false,
-				AllowTransport:   []string{},
 				AllowHost:        []string{},
 				AllowPort:        []int{},
 			},
@@ -104,7 +100,6 @@ func BuiltinNoneProfile() *Profile {
 		Network: &NetworkPermissions{
 			Outbound: &OutboundNetworkPermissions{
 				InsecureAllowAll: false,
-				AllowTransport:   []string{},
 				AllowHost:        []string{},
 				AllowPort:        []int{},
 			},
@@ -121,7 +116,6 @@ func BuiltinNetworkProfile() *Profile {
 		Network: &NetworkPermissions{
 			Outbound: &OutboundNetworkPermissions{
 				InsecureAllowAll: true,
-				AllowTransport:   []string{},
 				AllowHost:        []string{},
 				AllowPort:        []int{},
 			},