diff --git a/static/api-specs/toolhive-crd-api.md b/static/api-specs/toolhive-crd-api.md
index 4f2b71a4..08303a48 100644
--- a/static/api-specs/toolhive-crd-api.md
+++ b/static/api-specs/toolhive-crd-api.md
@@ -124,7 +124,7 @@ _Appears in:_
-AggregationConfig configures capability aggregation.
+AggregationConfig defines tool aggregation and conflict resolution strategies.
@@ -133,10 +133,10 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `conflictResolution` _[pkg.vmcp.ConflictResolutionStrategy](#pkgvmcpconflictresolutionstrategy)_ | ConflictResolution is the strategy: "prefix", "priority", "manual" | | |
-| `conflictResolutionConfig` _[vmcp.config.ConflictResolutionConfig](#vmcpconfigconflictresolutionconfig)_ | ConflictResolutionConfig contains strategy-specific configuration. | | |
-| `tools` _[vmcp.config.WorkloadToolConfig](#vmcpconfigworkloadtoolconfig) array_ | Tools contains per-workload tool configuration. | | |
-| `excludeAllTools` _boolean_ | | | |
+| `conflictResolution` _[pkg.vmcp.ConflictResolutionStrategy](#pkgvmcpconflictresolutionstrategy)_ | ConflictResolution defines the strategy for resolving tool name conflicts.
- prefix: Automatically prefix tool names with workload identifier
- priority: First workload in priority order wins
- manual: Explicitly define overrides for all conflicts | prefix | Enum: [prefix priority manual]
|
+| `conflictResolutionConfig` _[vmcp.config.ConflictResolutionConfig](#vmcpconfigconflictresolutionconfig)_ | ConflictResolutionConfig provides configuration for the chosen strategy. | | |
+| `tools` _[vmcp.config.WorkloadToolConfig](#vmcpconfigworkloadtoolconfig) array_ | Tools defines per-workload tool filtering and overrides. | | |
+| `excludeAllTools` _boolean_ | ExcludeAllTools excludes all tools from aggregation when true. | | |
#### vmcp.config.AuthzConfig
@@ -160,7 +160,7 @@ _Appears in:_
-CircuitBreakerConfig configures circuit breaker.
+CircuitBreakerConfig configures circuit breaker behavior.
@@ -169,9 +169,9 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `enabled` _boolean_ | Enabled indicates if circuit breaker is enabled. | | |
-| `failureThreshold` _integer_ | FailureThreshold is how many failures trigger open circuit. | | |
-| `timeout` _[vmcp.config.Duration](#vmcpconfigduration)_ | Timeout is how long to keep circuit open. | | |
+| `enabled` _boolean_ | Enabled controls whether circuit breaker is enabled. | false | |
+| `failureThreshold` _integer_ | FailureThreshold is the number of failures before opening the circuit. | 5 | |
+| `timeout` _[vmcp.config.Duration](#vmcpconfigduration)_ | Timeout is the duration to wait before attempting to close the circuit. | 60s | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Type: string
|
#### vmcp.config.CompositeToolConfig
@@ -185,17 +185,35 @@ This matches the YAML structure from the proposal (lines 173-255).
_Appears in:_
- [vmcp.config.Config](#vmcpconfigconfig)
+- [api.v1alpha1.VirtualMCPCompositeToolDefinitionSpec](#apiv1alpha1virtualmcpcompositetooldefinitionspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `name` _string_ | Name is the workflow name (unique identifier). | | |
| `description` _string_ | Description describes what the workflow does. | | |
| `parameters` _[pkg.json.Map](#pkgjsonmap)_ | Parameters defines input parameter schema in JSON Schema format.
Should be a JSON Schema object with "type": "object" and "properties".
Example:
\{
"type": "object",
"properties": \{
"param1": \{"type": "string", "default": "value"\},
"param2": \{"type": "integer"\}
\},
"required": ["param2"]
\}
We use json.Map rather than a typed struct because JSON Schema is highly
flexible with many optional fields (default, enum, minimum, maximum, pattern,
items, additionalProperties, oneOf, anyOf, allOf, etc.). Using json.Map
allows full JSON Schema compatibility without needing to define every possible
field, and matches how the MCP SDK handles inputSchema. | | |
-| `timeout` _[vmcp.config.Duration](#vmcpconfigduration)_ | Timeout is the maximum workflow execution time. | | |
+| `timeout` _[vmcp.config.Duration](#vmcpconfigduration)_ | Timeout is the maximum workflow execution time. | | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Type: string
|
| `steps` _[vmcp.config.WorkflowStepConfig](#vmcpconfigworkflowstepconfig) array_ | Steps are the workflow steps to execute. | | |
| `output` _[vmcp.config.OutputConfig](#vmcpconfigoutputconfig)_ | Output defines the structured output schema for this workflow.
If not specified, the workflow returns the last step's output (backward compatible). | | |
+#### vmcp.config.CompositeToolRef
+
+
+
+CompositeToolRef defines a reference to a VirtualMCPCompositeToolDefinition resource.
+The referenced resource must be in the same namespace as the VirtualMCPServer.
+
+
+
+_Appears in:_
+- [vmcp.config.Config](#vmcpconfigconfig)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `name` _string_ | Name is the name of the VirtualMCPCompositeToolDefinition resource in the same namespace. | | Required: \{\}
|
+
+
#### vmcp.config.Config
@@ -216,10 +234,11 @@ _Appears in:_
| --- | --- | --- | --- |
| `name` _string_ | Name is the virtual MCP server name. | | |
| `groupRef` _string_ | Group references an existing MCPGroup that defines backend workloads.
In Kubernetes, the referenced MCPGroup must exist in the same namespace. | | Required: \{\}
|
-| `incomingAuth` _[vmcp.config.IncomingAuthConfig](#vmcpconfigincomingauthconfig)_ | IncomingAuth configures how clients authenticate to the virtual MCP server. | | |
-| `outgoingAuth` _[vmcp.config.OutgoingAuthConfig](#vmcpconfigoutgoingauthconfig)_ | OutgoingAuth configures how the virtual MCP server authenticates to backends. | | |
-| `aggregation` _[vmcp.config.AggregationConfig](#vmcpconfigaggregationconfig)_ | Aggregation configures capability aggregation and conflict resolution. | | |
+| `incomingAuth` _[vmcp.config.IncomingAuthConfig](#vmcpconfigincomingauthconfig)_ | IncomingAuth configures how clients authenticate to the virtual MCP server.
When using the Kubernetes operator, this is populated by the converter from
VirtualMCPServerSpec.IncomingAuth and any values set here will be superseded. | | |
+| `outgoingAuth` _[vmcp.config.OutgoingAuthConfig](#vmcpconfigoutgoingauthconfig)_ | OutgoingAuth configures how the virtual MCP server authenticates to backends.
When using the Kubernetes operator, this is populated by the converter from
VirtualMCPServerSpec.OutgoingAuth and any values set here will be superseded. | | |
+| `aggregation` _[vmcp.config.AggregationConfig](#vmcpconfigaggregationconfig)_ | Aggregation defines tool aggregation and conflict resolution strategies.
Supports ToolConfigRef for Kubernetes-native MCPToolConfig resource references. | | |
| `compositeTools` _[vmcp.config.CompositeToolConfig](#vmcpconfigcompositetoolconfig) array_ | CompositeTools defines inline composite tool workflows.
Full workflow definitions are embedded in the configuration.
For Kubernetes, complex workflows can also reference VirtualMCPCompositeToolDefinition CRDs. | | |
+| `compositeToolRefs` _[vmcp.config.CompositeToolRef](#vmcpconfigcompositetoolref) array_ | CompositeToolRefs references VirtualMCPCompositeToolDefinition resources
for complex, reusable workflows. Only applicable when running in Kubernetes.
Referenced resources must be in the same namespace as the VirtualMCPServer. | | |
| `operational` _[vmcp.config.OperationalConfig](#vmcpconfigoperationalconfig)_ | Operational configures operational settings. | | |
| `metadata` _object (keys:string, values:string)_ | Refer to Kubernetes API documentation for fields of `metadata`. | | |
| `telemetry` _[pkg.telemetry.Config](#pkgtelemetryconfig)_ | Telemetry configures OpenTelemetry-based observability for the Virtual MCP server
including distributed tracing, OTLP metrics export, and Prometheus metrics endpoint. | | |
@@ -230,7 +249,7 @@ _Appears in:_
-ConflictResolutionConfig contains conflict resolution settings.
+ConflictResolutionConfig provides configuration for conflict resolution strategies.
@@ -239,8 +258,8 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `prefixFormat` _string_ | PrefixFormat is the prefix format (for prefix strategy).
Options: "\{workload\}", "\{workload\}_", "\{workload\}.", custom string | | |
-| `priorityOrder` _string array_ | PriorityOrder is the explicit priority ordering (for priority strategy). | | |
+| `prefixFormat` _string_ | PrefixFormat defines the prefix format for the "prefix" strategy.
Supports placeholders: \{workload\}, \{workload\}_, \{workload\}. | \{workload\}_ | |
+| `priorityOrder` _string array_ | PriorityOrder defines the workload priority order for the "priority" strategy. | | |
@@ -251,7 +270,7 @@ _Appears in:_
-ElicitationResponseConfig defines how to handle elicitation responses.
+ElicitationResponseConfig defines how to handle user responses to elicitation requests.
@@ -260,14 +279,14 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `action` _string_ | Action: "skip_remaining", "abort", "continue" | | |
+| `action` _string_ | Action defines the action to take when the user declines or cancels
- skip_remaining: Skip remaining steps in the workflow
- abort: Abort the entire workflow execution
- continue: Continue to the next step | abort | Enum: [skip_remaining abort continue]
|
#### vmcp.config.FailureHandlingConfig
-FailureHandlingConfig configures failure handling.
+FailureHandlingConfig configures failure handling behavior.
@@ -276,10 +295,10 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `healthCheckInterval` _[vmcp.config.Duration](#vmcpconfigduration)_ | HealthCheckInterval is how often to check backend health. | | |
-| `unhealthyThreshold` _integer_ | UnhealthyThreshold is how many failures before marking unhealthy. | | |
-| `partialFailureMode` _string_ | PartialFailureMode defines behavior when some backends fail.
Options: "fail" (fail entire request), "best_effort" (return partial results) | | |
-| `circuitBreaker` _[vmcp.config.CircuitBreakerConfig](#vmcpconfigcircuitbreakerconfig)_ | CircuitBreaker configures circuit breaker settings. | | |
+| `healthCheckInterval` _[vmcp.config.Duration](#vmcpconfigduration)_ | HealthCheckInterval is the interval between health checks. | 30s | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Type: string
|
+| `unhealthyThreshold` _integer_ | UnhealthyThreshold is the number of consecutive failures before marking unhealthy. | 3 | |
+| `partialFailureMode` _string_ | PartialFailureMode defines behavior when some backends are unavailable.
- fail: Fail entire request if any backend is unavailable
- best_effort: Continue with available backends | fail | Enum: [fail best_effort]
|
+| `circuitBreaker` _[vmcp.config.CircuitBreakerConfig](#vmcpconfigcircuitbreakerconfig)_ | CircuitBreaker configures circuit breaker behavior. | | |
#### vmcp.config.IncomingAuthConfig
@@ -288,6 +307,13 @@ _Appears in:_
IncomingAuthConfig configures client authentication to the virtual MCP server.
+Note: When using the Kubernetes operator (VirtualMCPServer CRD), the
+VirtualMCPServerSpec.IncomingAuth field is the authoritative source for
+authentication configuration. The operator's converter will resolve the CRD's
+IncomingAuth (which supports Kubernetes-native references like SecretKeyRef,
+ConfigMapRef, etc.) and populate this IncomingAuthConfig with the resolved values.
+Any values set here directly will be superseded by the CRD configuration.
+
_Appears in:_
@@ -330,6 +356,7 @@ _Appears in:_
OperationalConfig contains operational settings.
+OperationalConfig defines operational settings like timeouts and health checks.
@@ -338,8 +365,9 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `timeouts` _[vmcp.config.TimeoutConfig](#vmcpconfigtimeoutconfig)_ | Timeouts configures request timeouts. | | |
-| `failureHandling` _[vmcp.config.FailureHandlingConfig](#vmcpconfigfailurehandlingconfig)_ | FailureHandling configures failure handling. | | |
+| `logLevel` _string_ | LogLevel sets the logging level for the Virtual MCP server.
The only valid value is "debug" to enable debug logging.
When omitted or empty, the server uses info level logging. | | Enum: [debug]
|
+| `timeouts` _[vmcp.config.TimeoutConfig](#vmcpconfigtimeoutconfig)_ | Timeouts configures timeout settings. | | |
+| `failureHandling` _[vmcp.config.FailureHandlingConfig](#vmcpconfigfailurehandlingconfig)_ | FailureHandling configures failure handling behavior. | | |
#### vmcp.config.OutgoingAuthConfig
@@ -348,6 +376,14 @@ _Appears in:_
OutgoingAuthConfig configures backend authentication.
+Note: When using the Kubernetes operator (VirtualMCPServer CRD), the
+VirtualMCPServerSpec.OutgoingAuth field is the authoritative source for
+backend authentication configuration. The operator's converter will resolve
+the CRD's OutgoingAuth (which supports Kubernetes-native references like
+SecretKeyRef, ConfigMapRef, etc.) and populate this OutgoingAuthConfig with
+the resolved values. Any values set here directly will be superseded by the
+CRD configuration.
+
_Appears in:_
@@ -372,6 +408,7 @@ MCP output schema (type, description) and runtime value construction (value, def
_Appears in:_
- [vmcp.config.CompositeToolConfig](#vmcpconfigcompositetoolconfig)
+- [api.v1alpha1.VirtualMCPCompositeToolDefinitionSpec](#apiv1alpha1virtualmcpcompositetooldefinitionspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
@@ -395,18 +432,18 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `type` _string_ | Type is the JSON Schema type: "string", "integer", "number", "boolean", "object", "array". | | |
-| `description` _string_ | Description is a human-readable description exposed to clients and models. | | |
+| `type` _string_ | Type is the JSON Schema type: "string", "integer", "number", "boolean", "object", "array" | | Enum: [string integer number boolean object array]
Required: \{\}
|
+| `description` _string_ | Description is a human-readable description exposed to clients and models | | |
| `value` _string_ | Value is a template string for constructing the runtime value.
For object types, this can be a JSON string that will be deserialized.
Supports template syntax: \{\{.steps.step_id.output.field\}\}, \{\{.params.param_name\}\} | | |
| `properties` _object (keys:string, values:[vmcp.config.OutputProperty](#vmcpconfigoutputproperty))_ | Properties defines nested properties for object types.
Each nested property has full metadata (type, description, value/properties). | | Schemaless: \{\}
Type: object
|
-| `default` _[pkg.json.Any](#pkgjsonany)_ | Default is the fallback value if template expansion fails.
Type coercion is applied to match the declared Type. | | |
+| `default` _[pkg.json.Any](#pkgjsonany)_ | Default is the fallback value if template expansion fails.
Type coercion is applied to match the declared Type. | | Schemaless: \{\}
|
#### vmcp.config.StepErrorHandling
-StepErrorHandling defines error handling for a workflow step.
+StepErrorHandling defines error handling behavior for workflow steps.
@@ -415,16 +452,16 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `action` _string_ | Action: "abort", "continue", "retry" | | |
-| `retryCount` _integer_ | RetryCount is the number of retry attempts (for retry action). | | |
-| `retryDelay` _[vmcp.config.Duration](#vmcpconfigduration)_ | RetryDelay is the initial delay between retries. | | |
+| `action` _string_ | Action defines the action to take on error | abort | Enum: [abort continue retry]
|
+| `retryCount` _integer_ | RetryCount is the maximum number of retries
Only used when Action is "retry" | | |
+| `retryDelay` _[vmcp.config.Duration](#vmcpconfigduration)_ | RetryDelay is the delay between retry attempts
Only used when Action is "retry" | | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Type: string
|
#### vmcp.config.TimeoutConfig
-TimeoutConfig configures timeouts.
+TimeoutConfig configures timeout settings.
@@ -433,15 +470,32 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `default` _[vmcp.config.Duration](#vmcpconfigduration)_ | Default is the default timeout for backend requests. | | |
-| `perWorkload` _object (keys:string, values:[vmcp.config.Duration](#vmcpconfigduration))_ | PerWorkload contains per-workload timeout overrides. | | |
+| `default` _[vmcp.config.Duration](#vmcpconfigduration)_ | Default is the default timeout for backend requests. | 30s | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Type: string
|
+| `perWorkload` _object (keys:string, values:[vmcp.config.Duration](#vmcpconfigduration))_ | PerWorkload defines per-workload timeout overrides. | | |
+
+
+#### vmcp.config.ToolConfigRef
+
+
+
+ToolConfigRef references an MCPToolConfig resource for tool filtering and renaming.
+Only used when running in Kubernetes with the operator.
+
+
+
+_Appears in:_
+- [vmcp.config.WorkloadToolConfig](#vmcpconfigworkloadtoolconfig)
+
+| Field | Description | Default | Validation |
+| --- | --- | --- | --- |
+| `name` _string_ | Name is the name of the MCPToolConfig resource in the same namespace. | | Required: \{\}
|
#### vmcp.config.ToolOverride
-ToolOverride defines tool name/description overrides.
+ToolOverride defines tool name and description overrides.
@@ -451,7 +505,7 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `name` _string_ | Name is the new tool name (for renaming). | | |
-| `description` _string_ | Description is the new tool description (for updating). | | |
+| `description` _string_ | Description is the new tool description. | | |
@@ -467,29 +521,30 @@ This matches the proposal's step configuration (lines 180-255).
_Appears in:_
- [vmcp.config.CompositeToolConfig](#vmcpconfigcompositetoolconfig)
+- [api.v1alpha1.VirtualMCPCompositeToolDefinitionSpec](#apiv1alpha1virtualmcpcompositetooldefinitionspec)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `id` _string_ | ID uniquely identifies this step. | | |
-| `type` _string_ | Type is the step type: "tool", "elicitation" | | |
-| `tool` _string_ | Tool is the tool name to call (for tool steps). | | |
-| `arguments` _[pkg.json.Map](#pkgjsonmap)_ | Arguments are the tool arguments (supports template expansion). | | |
-| `condition` _string_ | Condition is an optional execution condition (template syntax). | | |
-| `dependsOn` _string array_ | DependsOn lists step IDs that must complete first (for DAG execution). | | |
-| `onError` _[vmcp.config.StepErrorHandling](#vmcpconfigsteperrorhandling)_ | OnError defines error handling for this step. | | |
-| `message` _string_ | Elicitation config (for elicitation steps). | | |
-| `schema` _[pkg.json.Map](#pkgjsonmap)_ | | | |
-| `timeout` _[vmcp.config.Duration](#vmcpconfigduration)_ | | | |
-| `onDecline` _[vmcp.config.ElicitationResponseConfig](#vmcpconfigelicitationresponseconfig)_ | Elicitation response handlers. | | |
-| `onCancel` _[vmcp.config.ElicitationResponseConfig](#vmcpconfigelicitationresponseconfig)_ | | | |
-| `defaultResults` _[pkg.json.Map](#pkgjsonmap)_ | DefaultResults provides fallback output values when this step is skipped
(due to condition evaluating to false) or fails (when onError.action is "continue").
Each key corresponds to an output field name referenced by downstream steps. | | |
+| `id` _string_ | ID is the unique identifier for this step. | | Required: \{\}
|
+| `type` _string_ | Type is the step type (tool, elicitation, etc.) | tool | Enum: [tool elicitation]
|
+| `tool` _string_ | Tool is the tool to call (format: "workload.tool_name")
Only used when Type is "tool" | | |
+| `arguments` _[pkg.json.Map](#pkgjsonmap)_ | Arguments is a map of argument values with template expansion support.
Supports Go template syntax with .params and .steps for string values.
Non-string values (integers, booleans, arrays, objects) are passed as-is.
Note: the templating is only supported on the first level of the key-value pairs. | | Type: object
|
+| `condition` _string_ | Condition is a template expression that determines if the step should execute | | |
+| `dependsOn` _string array_ | DependsOn lists step IDs that must complete before this step | | |
+| `onError` _[vmcp.config.StepErrorHandling](#vmcpconfigsteperrorhandling)_ | OnError defines error handling behavior | | |
+| `message` _string_ | Message is the elicitation message
Only used when Type is "elicitation" | | |
+| `schema` _[pkg.json.Map](#pkgjsonmap)_ | Schema defines the expected response schema for elicitation | | Type: object
|
+| `timeout` _[vmcp.config.Duration](#vmcpconfigduration)_ | Timeout is the maximum execution time for this step | | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Type: string
|
+| `onDecline` _[vmcp.config.ElicitationResponseConfig](#vmcpconfigelicitationresponseconfig)_ | OnDecline defines the action to take when the user explicitly declines the elicitation
Only used when Type is "elicitation" | | |
+| `onCancel` _[vmcp.config.ElicitationResponseConfig](#vmcpconfigelicitationresponseconfig)_ | OnCancel defines the action to take when the user cancels/dismisses the elicitation
Only used when Type is "elicitation" | | |
+| `defaultResults` _[pkg.json.Map](#pkgjsonmap)_ | DefaultResults provides fallback output values when this step is skipped
(due to condition evaluating to false) or fails (when onError.action is "continue").
Each key corresponds to an output field name referenced by downstream steps.
Required if the step may be skipped AND downstream steps reference this step's output. | | Schemaless: \{\}
|
#### vmcp.config.WorkloadToolConfig
-WorkloadToolConfig configures tool filtering/overrides for a workload.
+WorkloadToolConfig defines tool filtering and overrides for a specific workload.
@@ -498,10 +553,11 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `workload` _string_ | Workload is the workload name/ID. | | |
-| `filter` _string array_ | Filter is the list of tools to include (nil = include all). | | |
-| `overrides` _object (keys:string, values:[vmcp.config.ToolOverride](#vmcpconfigtooloverride))_ | Overrides maps tool names to override configurations. | | |
-| `excludeAll` _boolean_ | | | |
+| `workload` _string_ | Workload is the name of the backend MCPServer workload. | | Required: \{\}
|
+| `toolConfigRef` _[vmcp.config.ToolConfigRef](#vmcpconfigtoolconfigref)_ | ToolConfigRef references an MCPToolConfig resource for tool filtering and renaming.
If specified, Filter and Overrides are ignored.
Only used when running in Kubernetes with the operator. | | |
+| `filter` _string array_ | Filter is an inline list of tool names to allow (allow list).
Only used if ToolConfigRef is not specified. | | |
+| `overrides` _object (keys:string, values:[vmcp.config.ToolOverride](#vmcpconfigtooloverride))_ | Overrides is an inline map of tool overrides.
Only used if ToolConfigRef is not specified. | | |
+| `excludeAll` _boolean_ | ExcludeAll excludes all tools from this workload when true. | | |
@@ -524,16 +580,16 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
| `endpoint` _string_ | Endpoint is the OTLP endpoint URL | | |
-| `serviceName` _string_ | ServiceName is the service name for telemetry | | |
-| `serviceVersion` _string_ | ServiceVersion is the service version for telemetry | | |
-| `tracingEnabled` _boolean_ | TracingEnabled controls whether distributed tracing is enabled
When false, no tracer provider is created even if an endpoint is configured | | |
-| `metricsEnabled` _boolean_ | MetricsEnabled controls whether OTLP metrics are enabled
When false, OTLP metrics are not sent even if an endpoint is configured
This is independent of EnablePrometheusMetricsPath | | |
-| `samplingRate` _string_ | SamplingRate is the trace sampling rate (0.0-1.0) as a string.
Only used when TracingEnabled is true.
Example: "0.05" for 5% sampling. | | |
-| `headers` _object (keys:string, values:string)_ | Headers contains authentication headers for the OTLP endpoint | | |
-| `insecure` _boolean_ | Insecure indicates whether to use HTTP instead of HTTPS for the OTLP endpoint | | |
-| `enablePrometheusMetricsPath` _boolean_ | EnablePrometheusMetricsPath controls whether to expose Prometheus-style /metrics endpoint
The metrics are served on the main transport port at /metrics
This is separate from OTLP metrics which are sent to the Endpoint | | |
-| `environmentVariables` _string array_ | EnvironmentVariables is a list of environment variable names that should be
included in telemetry spans as attributes. Only variables in this list will
be read from the host machine and included in spans for observability.
Example: []string\{"NODE_ENV", "DEPLOYMENT_ENV", "SERVICE_VERSION"\} | | |
-| `customAttributes` _object (keys:string, values:string)_ | CustomAttributes contains custom resource attributes to be added to all telemetry signals.
These are parsed from CLI flags (--otel-custom-attributes) or environment variables
(OTEL_RESOURCE_ATTRIBUTES) as key=value pairs.
We use map[string]string for proper JSON serialization instead of []attribute.KeyValue
which doesn't marshal/unmarshal correctly. | | |
+| `serviceName` _string_ | ServiceName is the service name for telemetry.
When omitted, defaults to the server name (e.g., VirtualMCPServer name). | | |
+| `serviceVersion` _string_ | ServiceVersion is the service version for telemetry.
When omitted, defaults to the ToolHive version. | | |
+| `tracingEnabled` _boolean_ | TracingEnabled controls whether distributed tracing is enabled.
When false, no tracer provider is created even if an endpoint is configured. | false | |
+| `metricsEnabled` _boolean_ | MetricsEnabled controls whether OTLP metrics are enabled.
When false, OTLP metrics are not sent even if an endpoint is configured.
This is independent of EnablePrometheusMetricsPath. | false | |
+| `samplingRate` _string_ | SamplingRate is the trace sampling rate (0.0-1.0) as a string.
Only used when TracingEnabled is true.
Example: "0.05" for 5% sampling. | 0.05 | |
+| `headers` _object (keys:string, values:string)_ | Headers contains authentication headers for the OTLP endpoint. | | |
+| `insecure` _boolean_ | Insecure indicates whether to use HTTP instead of HTTPS for the OTLP endpoint. | false | |
+| `enablePrometheusMetricsPath` _boolean_ | EnablePrometheusMetricsPath controls whether to expose Prometheus-style /metrics endpoint.
The metrics are served on the main transport port at /metrics.
This is separate from OTLP metrics which are sent to the Endpoint. | false | |
+| `environmentVariables` _string array_ | EnvironmentVariables is a list of environment variable names that should be
included in telemetry spans as attributes. Only variables in this list will
be read from the host machine and included in spans for observability.
Example: ["NODE_ENV", "DEPLOYMENT_ENV", "SERVICE_VERSION"] | | |
+| `customAttributes` _object (keys:string, values:string)_ | CustomAttributes contains custom resource attributes to be added to all telemetry signals.
These are parsed from CLI flags (--otel-custom-attributes) or environment variables
(OTEL_RESOURCE_ATTRIBUTES) as key=value pairs. | | |
@@ -624,26 +680,6 @@ _Appears in:_
| `readySince` _[Time](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#time-v1-meta)_ | ReadySince is the timestamp when the API became ready | | |
-
-
-#### api.v1alpha1.AggregationConfig
-
-
-
-AggregationConfig defines tool aggregation and conflict resolution strategies
-
-
-
-_Appears in:_
-- [api.v1alpha1.VirtualMCPServerSpec](#apiv1alpha1virtualmcpserverspec)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `conflictResolution` _string_ | ConflictResolution defines the strategy for resolving tool name conflicts
- prefix: Automatically prefix tool names with workload identifier
- priority: First workload in priority order wins
- manual: Explicitly define overrides for all conflicts | prefix | Enum: [prefix priority manual]
|
-| `conflictResolutionConfig` _[api.v1alpha1.ConflictResolutionConfig](#apiv1alpha1conflictresolutionconfig)_ | ConflictResolutionConfig provides configuration for the chosen strategy | | |
-| `tools` _[api.v1alpha1.WorkloadToolConfig](#apiv1alpha1workloadtoolconfig) array_ | Tools defines per-workload tool filtering and overrides
References existing MCPToolConfig resources | | |
-
-
#### api.v1alpha1.AuditConfig
@@ -698,62 +734,6 @@ _Appears in:_
| `externalAuthConfigRef` _[api.v1alpha1.ExternalAuthConfigRef](#apiv1alpha1externalauthconfigref)_ | ExternalAuthConfigRef references an MCPExternalAuthConfig resource
Only used when Type is "external_auth_config_ref" | | |
-#### api.v1alpha1.CircuitBreakerConfig
-
-
-
-CircuitBreakerConfig configures circuit breaker behavior
-
-
-
-_Appears in:_
-- [api.v1alpha1.FailureHandlingConfig](#apiv1alpha1failurehandlingconfig)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `enabled` _boolean_ | Enabled controls whether circuit breaker is enabled | false | |
-| `failureThreshold` _integer_ | FailureThreshold is the number of failures before opening the circuit | 5 | |
-| `timeout` _string_ | Timeout is the duration to wait before attempting to close the circuit | 60s | |
-
-
-#### api.v1alpha1.CompositeToolDefinitionRef
-
-
-
-CompositeToolDefinitionRef references a VirtualMCPCompositeToolDefinition resource
-
-
-
-_Appears in:_
-- [api.v1alpha1.VirtualMCPServerSpec](#apiv1alpha1virtualmcpserverspec)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `name` _string_ | Name is the name of the VirtualMCPCompositeToolDefinition resource in the same namespace | | Required: \{\}
|
-
-
-#### api.v1alpha1.CompositeToolSpec
-
-
-
-CompositeToolSpec defines an inline composite tool
-For complex workflows, reference VirtualMCPCompositeToolDefinition resources instead
-
-
-
-_Appears in:_
-- [api.v1alpha1.VirtualMCPServerSpec](#apiv1alpha1virtualmcpserverspec)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `name` _string_ | Name is the name of the composite tool | | Required: \{\}
|
-| `description` _string_ | Description describes the composite tool | | Required: \{\}
|
-| `parameters` _[RawExtension](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#rawextension-runtime-pkg)_ | Parameters defines the input parameter schema in JSON Schema format.
Should be a JSON Schema object with "type": "object" and "properties".
Per MCP specification, this should follow standard JSON Schema for tool inputSchema.
Example:
\{
"type": "object",
"properties": \{
"param1": \{"type": "string", "default": "value"\},
"param2": \{"type": "integer"\}
\},
"required": ["param2"]
\} | | Type: object
|
-| `steps` _[api.v1alpha1.WorkflowStep](#apiv1alpha1workflowstep) array_ | Steps defines the workflow steps | | MinItems: 1
Required: \{\}
|
-| `timeout` _string_ | Timeout is the maximum execution time for the composite tool | 30m | |
-| `output` _[api.v1alpha1.OutputSpec](#apiv1alpha1outputspec)_ | Output defines the structured output schema for the composite tool.
Specifies how to construct the final output from workflow step results.
If not specified, the workflow returns the last step's output (backward compatible). | | |
-
-
#### api.v1alpha1.ConfigMapAuthzRef
@@ -788,23 +768,6 @@ _Appears in:_
| `key` _string_ | Key is the key in the ConfigMap that contains the OIDC configuration | oidc.json | |
-#### api.v1alpha1.ConflictResolutionConfig
-
-
-
-ConflictResolutionConfig provides configuration for conflict resolution strategies
-
-
-
-_Appears in:_
-- [api.v1alpha1.AggregationConfig](#apiv1alpha1aggregationconfig)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `prefixFormat` _string_ | PrefixFormat defines the prefix format for the "prefix" strategy
Supports placeholders: \{workload\}, \{workload\}_, \{workload\}. | \{workload\}_ | |
-| `priorityOrder` _string array_ | PriorityOrder defines the workload priority order for the "priority" strategy | | |
-
-
#### api.v1alpha1.DiscoveredBackend
@@ -826,24 +789,6 @@ _Appears in:_
| `url` _string_ | URL is the URL of the backend MCPServer | | |
-#### api.v1alpha1.ElicitationResponseHandler
-
-
-
-ElicitationResponseHandler defines how to handle user responses to elicitation requests
-
-
-
-_Appears in:_
-- [api.v1alpha1.WorkflowStep](#apiv1alpha1workflowstep)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `action` _string_ | Action defines the action to take when the user declines or cancels
- skip_remaining: Skip remaining steps in the workflow
- abort: Abort the entire workflow execution
- continue: Continue to the next step | abort | Enum: [skip_remaining abort continue]
|
-
-
-
-
#### api.v1alpha1.EnvVar
@@ -862,24 +807,6 @@ _Appears in:_
| `value` _string_ | Value of the environment variable | | Required: \{\}
|
-#### api.v1alpha1.ErrorHandling
-
-
-
-ErrorHandling defines error handling behavior for workflow steps
-
-
-
-_Appears in:_
-- [api.v1alpha1.WorkflowStep](#apiv1alpha1workflowstep)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `action` _string_ | Action defines the action to take on error | abort | Enum: [abort continue retry]
|
-| `maxRetries` _integer_ | MaxRetries is the maximum number of retries
Only used when Action is "retry" | | |
-| `retryDelay` _string_ | RetryDelay is the delay between retry attempts
Only used when Action is "retry" | | Pattern: `^([0-9]+(\.[0-9]+)?(ms\|s\|m))+$`
|
-
-
#### api.v1alpha1.ExternalAuthConfigRef
@@ -917,25 +844,6 @@ _Appears in:_
| `unauthenticated` | ExternalAuthTypeUnauthenticated is the type for no authentication
This should only be used for backends on trusted networks (e.g., localhost, VPC)
or when authentication is handled by network-level security
|
-#### api.v1alpha1.FailureHandlingConfig
-
-
-
-FailureHandlingConfig configures failure handling behavior
-
-
-
-_Appears in:_
-- [api.v1alpha1.OperationalConfig](#apiv1alpha1operationalconfig)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `healthCheckInterval` _string_ | HealthCheckInterval is the interval between health checks | 30s | |
-| `unhealthyThreshold` _integer_ | UnhealthyThreshold is the number of consecutive failures before marking unhealthy | 3 | |
-| `partialFailureMode` _string_ | PartialFailureMode defines behavior when some backends are unavailable
- fail: Fail entire request if any backend is unavailable
- best_effort: Continue with available backends | fail | Enum: [fail best_effort]
|
-| `circuitBreaker` _[api.v1alpha1.CircuitBreakerConfig](#apiv1alpha1circuitbreakerconfig)_ | CircuitBreaker configures circuit breaker behavior | | |
-
-
#### api.v1alpha1.GitSource
@@ -1910,24 +1818,6 @@ _Appears in:_
| `samplingRate` _string_ | SamplingRate is the trace sampling rate (0.0-1.0) | 0.05 | |
-#### api.v1alpha1.OperationalConfig
-
-
-
-OperationalConfig defines operational settings
-
-
-
-_Appears in:_
-- [api.v1alpha1.VirtualMCPServerSpec](#apiv1alpha1virtualmcpserverspec)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `logLevel` _string_ | LogLevel sets the logging level for the Virtual MCP server.
Set to "debug" to enable debug logging. When not set, defaults to info level. | | Enum: [debug]
|
-| `timeouts` _[api.v1alpha1.TimeoutConfig](#apiv1alpha1timeoutconfig)_ | Timeouts configures timeout settings | | |
-| `failureHandling` _[api.v1alpha1.FailureHandlingConfig](#apiv1alpha1failurehandlingconfig)_ | FailureHandling configures failure handling behavior | | |
-
-
#### api.v1alpha1.OutboundNetworkPermissions
@@ -1964,45 +1854,6 @@ _Appears in:_
| `backends` _object (keys:string, values:[api.v1alpha1.BackendAuthConfig](#apiv1alpha1backendauthconfig))_ | Backends defines per-backend authentication overrides
Works in all modes (discovered, inline) | | |
-#### api.v1alpha1.OutputPropertySpec
-
-
-
-OutputPropertySpec defines a single output property
-
-
-
-_Appears in:_
-- [api.v1alpha1.OutputPropertySpec](#apiv1alpha1outputpropertyspec)
-- [api.v1alpha1.OutputSpec](#apiv1alpha1outputspec)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `type` _string_ | Type is the JSON Schema type: "string", "integer", "number", "boolean", "object", "array" | | Enum: [string integer number boolean object array]
Required: \{\}
|
-| `description` _string_ | Description is a human-readable description exposed to clients and models | | |
-| `value` _string_ | Value is a template string for constructing the runtime value
Supports template syntax: \{\{.steps.step_id.output.field\}\}, \{\{.params.param_name\}\}
For object types, this can be a JSON string that will be deserialized | | |
-| `properties` _object (keys:string, values:[api.v1alpha1.OutputPropertySpec](#apiv1alpha1outputpropertyspec))_ | Properties defines nested properties for object types | | Schemaless: \{\}
|
-| `default` _[RawExtension](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#rawextension-runtime-pkg)_ | Default is the fallback value if template expansion fails | | Schemaless: \{\}
|
-
-
-#### api.v1alpha1.OutputSpec
-
-
-
-OutputSpec defines the structured output schema for a composite tool workflow
-
-
-
-_Appears in:_
-- [api.v1alpha1.CompositeToolSpec](#apiv1alpha1compositetoolspec)
-- [api.v1alpha1.VirtualMCPCompositeToolDefinitionSpec](#apiv1alpha1virtualmcpcompositetooldefinitionspec)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `properties` _object (keys:string, values:[api.v1alpha1.OutputPropertySpec](#apiv1alpha1outputpropertyspec))_ | Properties defines the output properties
Map key is the property name, value is the property definition | | |
-| `required` _string array_ | Required lists property names that must be present in the output | | |
-
-
#### api.v1alpha1.PVCSource
@@ -2163,26 +2014,6 @@ _Appears in:_
| `requests` _[api.v1alpha1.ResourceList](#apiv1alpha1resourcelist)_ | Requests describes the minimum amount of compute resources required | | |
-#### api.v1alpha1.RetryPolicy
-
-
-
-RetryPolicy defines retry behavior for workflow steps
-
-
-
-_Appears in:_
-- [api.v1alpha1.AdvancedWorkflowStep](#apiv1alpha1advancedworkflowstep)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `maxRetries` _integer_ | MaxRetries is the maximum number of retry attempts | 3 | Maximum: 10
Minimum: 1
|
-| `backoffStrategy` _string_ | BackoffStrategy defines the backoff strategy
- fixed: Fixed delay between retries
- exponential: Exponential backoff | exponential | Enum: [fixed exponential]
|
-| `initialDelay` _string_ | InitialDelay is the initial delay before first retry | 1s | Pattern: `^([0-9]+(\.[0-9]+)?(ms\|s\|m))+$`
|
-| `maxDelay` _string_ | MaxDelay is the maximum delay between retries | 30s | Pattern: `^([0-9]+(\.[0-9]+)?(ms\|s\|m))+$`
|
-| `retryableErrors` _string array_ | RetryableErrors defines which errors should trigger retry
If empty, all errors are retryable
Supports regex patterns | | |
-
-
#### api.v1alpha1.SecretKeyRef
@@ -2332,23 +2163,6 @@ _Appears in:_
| `prometheus` _[api.v1alpha1.PrometheusConfig](#apiv1alpha1prometheusconfig)_ | Prometheus defines Prometheus-specific configuration | | |
-#### api.v1alpha1.TimeoutConfig
-
-
-
-TimeoutConfig configures timeout settings
-
-
-
-_Appears in:_
-- [api.v1alpha1.OperationalConfig](#apiv1alpha1operationalconfig)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `default` _string_ | Default is the default timeout for backend requests | 30s | |
-| `perWorkload` _object (keys:string, values:string)_ | PerWorkload defines per-workload timeout overrides | | |
-
-
#### api.v1alpha1.TokenExchangeConfig
@@ -2386,7 +2200,6 @@ The referenced MCPToolConfig must be in the same namespace as the MCPServer.
_Appears in:_
- [api.v1alpha1.MCPRemoteProxySpec](#apiv1alpha1mcpremoteproxyspec)
- [api.v1alpha1.MCPServerSpec](#apiv1alpha1mcpserverspec)
-- [api.v1alpha1.WorkloadToolConfig](#apiv1alpha1workloadtoolconfig)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
@@ -2405,7 +2218,6 @@ they can't be both empty.
_Appears in:_
- [api.v1alpha1.MCPToolConfigSpec](#apiv1alpha1mcptoolconfigspec)
-- [api.v1alpha1.WorkloadToolConfig](#apiv1alpha1workloadtoolconfig)
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
@@ -2480,7 +2292,9 @@ VirtualMCPCompositeToolDefinitionList contains a list of VirtualMCPCompositeTool
-VirtualMCPCompositeToolDefinitionSpec defines the desired state of VirtualMCPCompositeToolDefinition
+VirtualMCPCompositeToolDefinitionSpec defines the desired state of VirtualMCPCompositeToolDefinition.
+This embeds the CompositeToolConfig from pkg/vmcp/config to share the configuration model
+between CLI and operator usage.
@@ -2489,13 +2303,12 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `name` _string_ | Name is the workflow name exposed as a composite tool | | MaxLength: 64
MinLength: 1
Pattern: `^[a-z0-9]([a-z0-9_-]*[a-z0-9])?$`
Required: \{\}
|
-| `description` _string_ | Description is a human-readable description of the workflow | | MinLength: 1
Required: \{\}
|
-| `parameters` _[RawExtension](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#rawextension-runtime-pkg)_ | Parameters defines the input parameter schema for the workflow in JSON Schema format.
Should be a JSON Schema object with "type": "object" and "properties".
Per MCP specification, this should follow standard JSON Schema for tool inputSchema.
Example:
\{
"type": "object",
"properties": \{
"param1": \{"type": "string", "default": "value"\},
"param2": \{"type": "integer"\}
\},
"required": ["param2"]
\} | | Type: object
|
-| `steps` _[api.v1alpha1.WorkflowStep](#apiv1alpha1workflowstep) array_ | Steps defines the workflow step definitions
Steps are executed sequentially in Phase 1
Phase 2 will support DAG execution via dependsOn | | MinItems: 1
Required: \{\}
|
-| `timeout` _string_ | Timeout is the overall workflow timeout
Defaults to 30m if not specified | 30m | Pattern: `^([0-9]+(\.[0-9]+)?(ms\|s\|m\|h))+$`
|
-| `failureMode` _string_ | FailureMode defines the failure handling strategy
- abort: Stop execution on first failure (default)
- continue: Continue executing remaining steps | abort | Enum: [abort continue]
|
-| `output` _[api.v1alpha1.OutputSpec](#apiv1alpha1outputspec)_ | Output defines the structured output schema for the composite tool.
Specifies how to construct the final output from workflow step results.
If not specified, the workflow returns the last step's output (backward compatible). | | |
+| `name` _string_ | Name is the workflow name (unique identifier). | | |
+| `description` _string_ | Description describes what the workflow does. | | |
+| `parameters` _[pkg.json.Map](#pkgjsonmap)_ | Parameters defines input parameter schema in JSON Schema format.
Should be a JSON Schema object with "type": "object" and "properties".
Example:
\{
"type": "object",
"properties": \{
"param1": \{"type": "string", "default": "value"\},
"param2": \{"type": "integer"\}
\},
"required": ["param2"]
\}
We use json.Map rather than a typed struct because JSON Schema is highly
flexible with many optional fields (default, enum, minimum, maximum, pattern,
items, additionalProperties, oneOf, anyOf, allOf, etc.). Using json.Map
allows full JSON Schema compatibility without needing to define every possible
field, and matches how the MCP SDK handles inputSchema. | | |
+| `timeout` _[vmcp.config.Duration](#vmcpconfigduration)_ | Timeout is the maximum workflow execution time. | | Pattern: `^([0-9]+(\.[0-9]+)?(ns\|us\|µs\|ms\|s\|m\|h))+$`
Type: string
|
+| `steps` _[vmcp.config.WorkflowStepConfig](#vmcpconfigworkflowstepconfig) array_ | Steps are the workflow steps to execute. | | |
+| `output` _[vmcp.config.OutputConfig](#vmcpconfigoutputconfig)_ | Output defines the structured output schema for this workflow.
If not specified, the workflow returns the last step's output (backward compatible). | | |
#### api.v1alpha1.VirtualMCPCompositeToolDefinitionStatus
@@ -2594,12 +2407,8 @@ _Appears in:_
| Field | Description | Default | Validation |
| --- | --- | --- | --- |
-| `incomingAuth` _[api.v1alpha1.IncomingAuthConfig](#apiv1alpha1incomingauthconfig)_ | IncomingAuth configures authentication for clients connecting to the Virtual MCP server
Must be explicitly set - use "anonymous" type when no authentication is required | | Required: \{\}
|
-| `outgoingAuth` _[api.v1alpha1.OutgoingAuthConfig](#apiv1alpha1outgoingauthconfig)_ | OutgoingAuth configures authentication from Virtual MCP to backend MCPServers | | |
-| `aggregation` _[api.v1alpha1.AggregationConfig](#apiv1alpha1aggregationconfig)_ | Aggregation defines tool aggregation and conflict resolution strategies | | |
-| `compositeTools` _[api.v1alpha1.CompositeToolSpec](#apiv1alpha1compositetoolspec) array_ | CompositeTools defines inline composite tool definitions
For complex workflows, reference VirtualMCPCompositeToolDefinition resources instead | | |
-| `compositeToolRefs` _[api.v1alpha1.CompositeToolDefinitionRef](#apiv1alpha1compositetooldefinitionref) array_ | CompositeToolRefs references VirtualMCPCompositeToolDefinition resources
for complex, reusable workflows | | |
-| `operational` _[api.v1alpha1.OperationalConfig](#apiv1alpha1operationalconfig)_ | Operational defines operational settings like timeouts and health checks | | |
+| `incomingAuth` _[api.v1alpha1.IncomingAuthConfig](#apiv1alpha1incomingauthconfig)_ | IncomingAuth configures authentication for clients connecting to the Virtual MCP server.
Must be explicitly set - use "anonymous" type when no authentication is required.
This field takes precedence over config.IncomingAuth and should be preferred because it
supports Kubernetes-native secret references (SecretKeyRef, ConfigMapRef) for secure
dynamic discovery of credentials, rather than requiring secrets to be embedded in config. | | Required: \{\}
|
+| `outgoingAuth` _[api.v1alpha1.OutgoingAuthConfig](#apiv1alpha1outgoingauthconfig)_ | OutgoingAuth configures authentication from Virtual MCP to backend MCPServers.
This field takes precedence over config.OutgoingAuth and should be preferred because it
supports Kubernetes-native secret references (SecretKeyRef, ConfigMapRef) for secure
dynamic discovery of credentials, rather than requiring secrets to be embedded in config. | | |
| `serviceType` _string_ | ServiceType specifies the Kubernetes service type for the Virtual MCP server | ClusterIP | Enum: [ClusterIP NodePort LoadBalancer]
|
| `podTemplateSpec` _[RawExtension](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#rawextension-runtime-pkg)_ | PodTemplateSpec defines the pod template to use for the Virtual MCP server
This allows for customizing the pod configuration beyond what is provided by the other fields.
Note that to modify the specific container the Virtual MCP server runs in, you must specify
the 'vmcp' container name in the PodTemplateSpec.
This field accepts a PodTemplateSpec object as JSON/YAML. | | Type: object
|
| `config` _[vmcp.config.Config](#vmcpconfigconfig)_ | Config is the Virtual MCP server configuration
The only field currently required within config is `config.groupRef`.
GroupRef references an existing MCPGroup that defines backend workloads.
The referenced MCPGroup must exist in the same namespace.
The telemetry and audit config from here are also supported, but not required.
NOTE: THIS IS NOT ENTIRELY USED AND IS PARTIALLY DUPLICATED BY THE SPEC FIELDS ABOVE. | | Type: object
|
@@ -2646,51 +2455,3 @@ _Appears in:_
| `readOnly` _boolean_ | ReadOnly specifies whether the volume should be mounted read-only | false | |
-#### api.v1alpha1.WorkflowStep
-
-
-
-WorkflowStep defines a step in a composite tool workflow
-
-
-
-_Appears in:_
-- [api.v1alpha1.CompositeToolSpec](#apiv1alpha1compositetoolspec)
-- [api.v1alpha1.VirtualMCPCompositeToolDefinitionSpec](#apiv1alpha1virtualmcpcompositetooldefinitionspec)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `id` _string_ | ID is the unique identifier for this step | | Required: \{\}
|
-| `type` _string_ | Type is the step type (tool, elicitation, etc.) | tool | Enum: [tool elicitation]
|
-| `tool` _string_ | Tool is the tool to call (format: "workload.tool_name")
Only used when Type is "tool" | | |
-| `arguments` _[RawExtension](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#rawextension-runtime-pkg)_ | Arguments is a map of argument values with template expansion support.
Supports Go template syntax with .params and .steps for string values.
Non-string values (integers, booleans, arrays, objects) are passed as-is.
Note: the templating is only supported on the first level of the key-value pairs. | | Type: object
|
-| `message` _string_ | Message is the elicitation message
Only used when Type is "elicitation" | | |
-| `schema` _[RawExtension](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#rawextension-runtime-pkg)_ | Schema defines the expected response schema for elicitation | | Type: object
|
-| `onDecline` _[api.v1alpha1.ElicitationResponseHandler](#apiv1alpha1elicitationresponsehandler)_ | OnDecline defines the action to take when the user explicitly declines the elicitation
Only used when Type is "elicitation" | | |
-| `onCancel` _[api.v1alpha1.ElicitationResponseHandler](#apiv1alpha1elicitationresponsehandler)_ | OnCancel defines the action to take when the user cancels/dismisses the elicitation
Only used when Type is "elicitation" | | |
-| `dependsOn` _string array_ | DependsOn lists step IDs that must complete before this step | | |
-| `condition` _string_ | Condition is a template expression that determines if the step should execute | | |
-| `onError` _[api.v1alpha1.ErrorHandling](#apiv1alpha1errorhandling)_ | OnError defines error handling behavior | | |
-| `timeout` _string_ | Timeout is the maximum execution time for this step | | |
-| `defaultResults` _object (keys:string, values:[RawExtension](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#rawextension-runtime-pkg))_ | DefaultResults provides fallback output values when this step is skipped
(due to condition evaluating to false) or fails (when onError.action is "continue").
Each key corresponds to an output field name referenced by downstream steps.
Required if the step may be skipped AND downstream steps reference this step's output. | | Schemaless: \{\}
|
-
-
-#### api.v1alpha1.WorkloadToolConfig
-
-
-
-WorkloadToolConfig defines tool filtering and overrides for a specific workload
-
-
-
-_Appears in:_
-- [api.v1alpha1.AggregationConfig](#apiv1alpha1aggregationconfig)
-
-| Field | Description | Default | Validation |
-| --- | --- | --- | --- |
-| `workload` _string_ | Workload is the name of the backend MCPServer workload | | Required: \{\}
|
-| `toolConfigRef` _[api.v1alpha1.ToolConfigRef](#apiv1alpha1toolconfigref)_ | ToolConfigRef references a MCPToolConfig resource for tool filtering and renaming
If specified, Filter and Overrides are ignored | | |
-| `filter` _string array_ | Filter is an inline list of tool names to allow (allow list)
Only used if ToolConfigRef is not specified | | |
-| `overrides` _object (keys:string, values:[api.v1alpha1.ToolOverride](#apiv1alpha1tooloverride))_ | Overrides is an inline map of tool overrides
Only used if ToolConfigRef is not specified | | |
-
-