feat: Split ProxyRunner Capability into Separate Binary for ToolHive on Kubernetes (#1057)

Signed-off-by: ChrisJBurns <[email protected]>

Author: ChrisJBurns

.github/ko-ci.yml

@@ -10,6 +10,15 @@ builds:
 
   - id: thv-operator
     dir: ./cmd/thv-operator
+    ldflags:
+      - -s -w
+      - -X github.com/stacklok/toolhive/pkg/versions.Version={{.Env.VERSION}}
+      - -X github.com/stacklok/toolhive/pkg/versions.Commit={{.Env.COMMIT}}
+      - -X github.com/stacklok/toolhive/pkg/versions.BuildDate={{.Env.BUILD_DATE}}
+      - -X github.com/stacklok/toolhive/pkg/versions.BuildType=release
+
+  - id: thv-proxyrunner
+    dir: ./cmd/thv-proxyrunner
     ldflags:
       - -s -w
       - -X github.com/stacklok/toolhive/pkg/versions.Version={{.Env.VERSION}}

.github/workflows/image-build-and-publish.yml

@@ -243,3 +243,82 @@ jobs:
           if [[ "${{ github.ref }}" == refs/tags/* ]]; then
             cosign sign -y $BASE_REPO:latest
           fi
+
+  proxyrunner-image-build-and-publish:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      packages: write
+      id-token: write
+
+    env:
+      BASE_REPO: "ghcr.io/stacklok/toolhive/proxyrunner"
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4
+
+      - name: Set up Go
+        uses: actions/setup-go@d35c59abb061a4a6fb18e82ac0862c26744d6ab5 # v5
+        with:
+          go-version-file: go.mod
+
+      - name: Compute version number
+        id: version-string
+        run: |
+          if [[ "${{ github.ref }}" == "refs/heads/main" ]]; then
+            # For main branch, use semver with -dev suffix
+            echo "tag=0.0.1-dev.$GITHUB_RUN_NUMBER+$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+          elif [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            # For tags, use the tag as is (assuming it's semver)
+            TAG="${{ github.ref_name }}"
+            echo "tag=$TAG" >> "$GITHUB_OUTPUT"
+          else
+            # For other branches, use branch name and run number
+            BRANCH="${{ github.ref_name }}"
+            echo "tag=0.0.1-$BRANCH.$GITHUB_RUN_NUMBER+$(git rev-parse --short HEAD)" >> "$GITHUB_OUTPUT"
+          fi
+
+      - name: Login to GitHub Container Registry
+        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # v3.4.0
+        with:
+          registry: ghcr.io
+          username: ${{ github.actor }}
+          password: ${{ secrets.GITHUB_TOKEN }}
+
+      - name: Setup ko
+        uses: ko-build/setup-ko@d006021bd0c28d1ce33a07e7943d48b079944c8d # v0.9
+
+      - name: Install Cosign
+        uses: sigstore/cosign-installer@398d4b0eeef1380460a10c8013a76f728fb906ac # v3.9.1
+
+      - name: Build and Push Image to GHCR
+        env:
+          VERSION: ${{ steps.version-string.outputs.tag }}
+          COMMIT: ${{ github.sha }}
+          BUILD_DATE: ${{ github.event.head_commit.timestamp }}
+          KO_CONFIG_PATH: ${{ github.workspace }}/.github/ko-ci.yml
+        run: |
+          TAG=$(echo "${{ steps.version-string.outputs.tag }}" | sed 's/+/_/g')
+          TAGS="-t $TAG"
+          
+          # Add latest tag only if building from a tag
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            TAGS="$TAGS -t latest"
+          fi
+          
+          KO_DOCKER_REPO=$BASE_REPO ko build --platform=linux/amd64,linux/arm64 --bare $TAGS ./cmd/thv-proxyrunner \
+            --image-label=org.opencontainers.image.source=https://github.com/stacklok/toolhive,org.opencontainers.image.title="toolhive-proxyrunner",org.opencontainers.image.vendor=Stacklok
+
+      - name: Sign Image with Cosign
+        # This step uses the identity token to provision an ephemeral certificate
+        # against the sigstore community Fulcio instance.
+        run: |
+          TAG=$(echo "${{ steps.version-string.outputs.tag }}" | sed 's/+/_/g')
+          # Sign the ko image
+          cosign sign -y $BASE_REPO:$TAG
+          
+          # Sign the latest tag if building from a tag
+          if [[ "${{ github.ref }}" == refs/tags/* ]]; then
+            cosign sign -y $BASE_REPO:latest
+          fi

Taskfile.yml

@@ -73,6 +73,7 @@ tasks:
       - mkdir -p bin
       - go build -ldflags "-s -w -X github.com/stacklok/toolhive/pkg/versions.Version={{.VERSION}} -X github.com/stacklok/toolhive/pkg/versions.Commit={{.COMMIT}} -X github.com/stacklok/toolhive/pkg/versions.BuildDate={{.BUILD_DATE}}" -o bin/thv ./cmd/thv
 
+
   install:
     desc: Install the thv binary to GOPATH/bin
     vars:

cmd/thv-operator/Taskfile.yml

@@ -99,7 +99,7 @@ tasks:
       OPERATOR_IMAGE:
         sh: KO_DOCKER_REPO=kind.local ko build --local -B ./cmd/thv-operator | tail -n 1
       TOOLHIVE_IMAGE:
-        sh: KO_DOCKER_REPO=kind.local ko build --local -B ./cmd/thv | tail -n 1
+        sh: KO_DOCKER_REPO=kind.local ko build --local -B ./cmd/thv-proxyrunner | tail -n 1
     cmds:
       - echo "Loading toolhive operator image {{.OPERATOR_IMAGE}} into kind..."
       - kind load docker-image --name toolhive {{.OPERATOR_IMAGE}}

cmd/thv-proxyrunner/app/commands.go

@@ -0,0 +1,41 @@
+// Package app provides the entry point for the toolhive command-line application.
+package app
+
+import (
+	"github.com/spf13/cobra"
+	"github.com/spf13/viper"
+
+	"github.com/stacklok/toolhive/pkg/logger"
+)
+
+var rootCmd = &cobra.Command{
+	Use:               "thv-proxyrunner",
+	DisableAutoGenTag: true,
+	Short:             "ToolHive (thv) is a lightweight, secure, and fast manager for MCP servers",
+	Long: `ToolHive (thv) is a lightweight, secure, and fast manager for MCP (Model Context Protocol) servers.
+It is written in Go and has extensive test coverage—including input validation—to ensure reliability and security.`,
+	Run: func(cmd *cobra.Command, _ []string) {
+		// If no subcommand is provided, print help
+		if err := cmd.Help(); err != nil {
+			logger.Errorf("Error displaying help: %v", err)
+		}
+	},
+	PersistentPreRun: func(_ *cobra.Command, _ []string) {
+		logger.Initialize()
+	},
+}
+
+// NewRootCmd creates a new root command for the ToolHive CLI.
+func NewRootCmd() *cobra.Command {
+	// Add persistent flags
+	rootCmd.PersistentFlags().Bool("debug", false, "Enable debug mode")
+	err := viper.BindPFlag("debug", rootCmd.PersistentFlags().Lookup("debug"))
+	if err != nil {
+		logger.Errorf("Error binding debug flag: %v", err)
+	}
+
+	// Add subcommands
+	rootCmd.AddCommand(runCmd)
+
+	return rootCmd
+}