MCPWebhookConfig
toolhive.stacklok.dev / v1alpha1
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPWebhookConfig
metadata:
name: example
apiVersion
string
APIVersion defines the versioned schema of this representation of an object.
Servers should convert recognized schemas to the latest internal value, and
may reject unrecognized values.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources
kind
string
Kind is a string value representing the REST resource this object represents.
Servers may infer this from the endpoint the client submits requests to.
Cannot be updated.
In CamelCase.
More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds
metadata
object
spec object
MCPWebhookConfigSpec defines the desired state of MCPWebhookConfig
mutating []object
Mutating webhooks are called to transform MCP requests before processing.
failurePolicy
string
FailurePolicy defines how to handle errors when communicating with the webhook.
Supported values: "fail", "ignore". Defaults to "fail".
enum:
fail, ignorehmacSecretRef object
HMACSecretRef references a Kubernetes Secret containing the HMAC signing key
used to sign the webhook payload. If set, the X-Toolhive-Signature header will be injected.
key
string required
Key is the key within the secret
name
string required
Name is the name of the secret
name
string required
Name is a unique identifier for this webhook
minLength:
1maxLength:
63
timeout
string
Timeout configures the maximum time to wait for the webhook to respond.
Defaults to 10s if not specified. Maximum is 30s.
format:
durationtlsConfig object
TLSConfig contains optional TLS configuration for the webhook connection.
caSecretRef object
CASecretRef references a Secret containing the CA certificate bundle used to verify the webhook server's certificate.
Contains a bundle of PEM-encoded X.509 certificates.
key
string required
Key is the key within the secret
name
string required
Name is the name of the secret
clientCertSecretRef object
ClientCertSecretRef references a Secret containing the client certificate for mTLS authentication.
The referenced key must contain a PEM-encoded client certificate.
Use ClientKeySecretRef to provide the corresponding private key.
key
string required
Key is the key within the secret
name
string required
Name is the name of the secret
clientKeySecretRef object
ClientKeySecretRef references a Secret containing the private key for the client certificate.
Required when ClientCertSecretRef is set to enable mTLS.
key
string required
Key is the key within the secret
name
string required
Name is the name of the secret
insecureSkipVerify
boolean
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for development/testing and not in production environments.
url
string required
URL is the endpoint to call for this webhook. Must be an HTTP/HTTPS URL.
format:
urivalidating []object
Validating webhooks are called to approve or deny MCP requests.
failurePolicy
string
FailurePolicy defines how to handle errors when communicating with the webhook.
Supported values: "fail", "ignore". Defaults to "fail".
enum:
fail, ignorehmacSecretRef object
HMACSecretRef references a Kubernetes Secret containing the HMAC signing key
used to sign the webhook payload. If set, the X-Toolhive-Signature header will be injected.
key
string required
Key is the key within the secret
name
string required
Name is the name of the secret
name
string required
Name is a unique identifier for this webhook
minLength:
1maxLength:
63
timeout
string
Timeout configures the maximum time to wait for the webhook to respond.
Defaults to 10s if not specified. Maximum is 30s.
format:
durationtlsConfig object
TLSConfig contains optional TLS configuration for the webhook connection.
caSecretRef object
CASecretRef references a Secret containing the CA certificate bundle used to verify the webhook server's certificate.
Contains a bundle of PEM-encoded X.509 certificates.
key
string required
Key is the key within the secret
name
string required
Name is the name of the secret
clientCertSecretRef object
ClientCertSecretRef references a Secret containing the client certificate for mTLS authentication.
The referenced key must contain a PEM-encoded client certificate.
Use ClientKeySecretRef to provide the corresponding private key.
key
string required
Key is the key within the secret
name
string required
Name is the name of the secret
clientKeySecretRef object
ClientKeySecretRef references a Secret containing the private key for the client certificate.
Required when ClientCertSecretRef is set to enable mTLS.
key
string required
Key is the key within the secret
name
string required
Name is the name of the secret
insecureSkipVerify
boolean
InsecureSkipVerify disables server certificate verification.
WARNING: This should only be used for development/testing and not in production environments.
url
string required
URL is the endpoint to call for this webhook. Must be an HTTP/HTTPS URL.
format:
uristatus object
MCPWebhookConfigStatus defines the observed state of MCPWebhookConfig
conditions []object
Conditions represent the latest available observations
lastTransitionTime
string required
lastTransitionTime is the last time the condition transitioned from one status to another.
This should be when the underlying condition changed. If that is not known, then using the time when the API field changed is acceptable.
format:
date-time
message
string required
message is a human readable message indicating details about the transition.
This may be an empty string.
maxLength:
32768
observedGeneration
integer
observedGeneration represents the .metadata.generation that the condition was set based upon.
For instance, if .metadata.generation is currently 12, but the .status.conditions[x].observedGeneration is 9, the condition is out of date
with respect to the current state of the instance.
format:
int64minimum:
0
reason
string required
reason contains a programmatic identifier indicating the reason for the condition's last transition.
Producers of specific condition types may define expected values and meanings for this field,
and whether the values are considered a guaranteed API.
The value should be a CamelCase string.
This field may not be empty.
pattern:
^[A-Za-z]([A-Za-z0-9_,:]*[A-Za-z0-9_])?$minLength:
1maxLength:
1024
status
string required
status of the condition, one of True, False, Unknown.
enum:
True, False, Unknown
type
string required
type of condition in CamelCase or in foo.example.com/CamelCase.
pattern:
^([a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*/)?(([A-Za-z0-9][-A-Za-z0-9_.]*)?[A-Za-z0-9])$maxLength:
316
configHash
string
ConfigHash is a hash of the spec, used for detecting changes
observedGeneration
integer
ObservedGeneration is the last observed generation corresponding to the current status
format:
int64referencingWorkloads []object
ReferencingWorkloads is a list of workload resources that reference this MCPWebhookConfig.
Each entry identifies the workload by kind and name.
kind
string required
Kind is the type of workload resource
enum:
MCPServer, VirtualMCPServer, MCPRemoteProxy
name
string required
Name is the name of the workload resource
minLength:
1No matches. Try .spec.mutating for an exact path