Open
Conversation
Update 20 documentation files for the v0.21.0 release which removes previously deprecated CRD fields and adds new Cedar authorization features. Breaking changes documented: - Inline oidcConfig removed from MCPServer, MCPRemoteProxy, VirtualMCPServer - replaced with oidcConfigRef + MCPOIDCConfig - Inline telemetry removed - replaced with telemetryConfigRef - config.groupRef fallback removed from VirtualMCPServer - external_auth_config_ref snake_case enum removed - thv group run registry-based groups removed New features documented: - Cedar role_claim_name for separate IdP role extraction - Cedar serverName scoping for per-MCP-server policies - oidcConfigRef.resourceUrl for OAuth protected resource metadata Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
|
The latest updates on your projects. Learn more about Vercel for GitHub.
|
Contributor
There was a problem hiding this comment.
Pull request overview
Documentation update for the ToolHive v0.21.0 release, reflecting breaking CRD changes (removal of inline oidcConfig / telemetry) and updating examples to the new shared-resource reference pattern (oidcConfigRef / telemetryConfigRef), plus CLI and Cedar policy documentation updates.
Changes:
- Replace inline OIDC/telemetry examples with
MCPOIDCConfig/MCPTelemetryConfig+*Refusage across K8s, vMCP, and integrations docs. - Update CLI docs to remove
thv group runregistry-group usage and documentthv group create+thv run --group. - Expand Cedar docs with
role_claim_nameand server-scoped policy/resource patterns; bump operator CRD install URLs to v0.21.0 and update migration guidance.
Reviewed changes
Copilot reviewed 20 out of 20 changed files in this pull request and generated 7 comments.
Show a summary per file
| File | Description |
|---|---|
| docs/toolhive/tutorials/custom-registry.mdx | Updates runtime group workflow for running servers from a registry. |
| docs/toolhive/reference/authz-policy-reference.mdx | Documents role claim resolution and server-scoped resources in Cedar. |
| docs/toolhive/integrations/okta.mdx | Migrates OIDC setup examples to MCPOIDCConfig + oidcConfigRef. |
| docs/toolhive/integrations/aws-sts.mdx | Migrates OIDC examples to MCPOIDCConfig + oidcConfigRef in proxy flows. |
| docs/toolhive/guides-vmcp/configuration.mdx | Updates MCPRemoteProxy example to use oidcConfigRef. |
| docs/toolhive/guides-vmcp/backend-discovery.mdx | Updates outgoing auth enum docs and groupRef troubleshooting text. |
| docs/toolhive/guides-vmcp/authentication.mdx | Introduces MCPOIDCConfig-based incoming auth examples for vMCP. |
| docs/toolhive/guides-k8s/token-exchange-k8s.mdx | Updates token-exchange examples to the shared OIDC config model. |
| docs/toolhive/guides-k8s/telemetry-and-metrics.mdx | Documents removal of inline telemetry and points to telemetryConfigRef. |
| docs/toolhive/guides-k8s/remote-mcp-proxy.mdx | Migrates proxy auth/telemetry examples to shared config refs. |
| docs/toolhive/guides-k8s/rate-limiting.mdx | Updates rate limiting examples to use MCPOIDCConfig + oidcConfigRef. |
| docs/toolhive/guides-k8s/migrate-to-v1beta1.mdx | Adds v0.21.0 breaking changes section and migration examples. |
| docs/toolhive/guides-k8s/intro.mdx | Fixes/updates anchors and shared-CRD links. |
| docs/toolhive/guides-k8s/deploy-operator.mdx | Bumps CRD install/upgrade URLs to v0.21.0. |
| docs/toolhive/guides-k8s/connect-clients.mdx | Updates OAuth/resource URL guidance to use oidcConfigRef. |
| docs/toolhive/guides-k8s/auth-k8s.mdx | Reworks auth guidance around MCPOIDCConfig and removes inline oidcConfig references. |
| docs/toolhive/guides-cli/run-mcp-servers.mdx | Updates group-running docs to new runtime group commands. |
| docs/toolhive/guides-cli/registry.mdx | Removes registry-group run docs in favor of runtime groups. |
| docs/toolhive/concepts/cedar-policies.mdx | Adds role_claim_name and server-scoped policy patterns. |
| docs/toolhive/_partials/_basic-cedar-config.mdx | Adds group_claim_name / role_claim_name fields to the basic config example. |
- Add missing audience to oidcConfigRef in embedded auth server example - Replace obsolete oidcConfig ConfigMap tab with MCPOIDCConfig k8s-sa tab - Move audience from kubernetesServiceAccount to oidcConfigRef in vMCP docs Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Fix wrong apiVersion domain (stacklok.com → stacklok.dev) in 5 YAML examples - Fix config.groupRef before example in migration guide to use struct format - Add --secret examples for thv run --group in registry docs - Remove inline oidcConfig/telemetry removal warnings from guide pages Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The "Set up shared OIDC configuration" section duplicated the canonical "Set up shared OIDC configuration with MCPOIDCConfig" section earlier in the same page. Removes the duplicate to avoid drift and confusion. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
The raw GitHub URLs were missing /files/ in the path, causing all 24 kubectl apply commands to 404. This was a pre-existing bug from v0.20.0. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
oidcConfig, inlinetelemetry,config.groupReffallback,external_auth_config_refenum)oidcConfig/telemetryYAML examples across K8s, vMCP, and integration docs with theoidcConfigRef/telemetryConfigRef+ shared resource patternthv group runregistry-based group support from CLI docs; replace withthv group create+thv run --grouprole_claim_namedocumentation for separate IdP role extraction (e.g., Entra IDrolesclaim)resource in MCP::"server-name")Files changed
Migration & deployment (2 files)
guides-k8s/migrate-to-v1beta1.mdx- Added v0.21.0 section, moved deprecations to removedguides-k8s/deploy-operator.mdx- Version bump v0.20.0 → v0.21.0CLI docs (3 files)
guides-cli/run-mcp-servers.mdx- Replacethv group runwiththv group create+thv run --groupguides-cli/registry.mdx- Sametutorials/custom-registry.mdx- SameK8s docs (7 files)
guides-k8s/auth-k8s.mdx- Replace inline oidcConfig with MCPOIDCConfig + oidcConfigRefguides-k8s/rate-limiting.mdx- Sameguides-k8s/token-exchange-k8s.mdx- Sameguides-k8s/remote-mcp-proxy.mdx- Same + remove inline telemetry sectionguides-k8s/connect-clients.mdx- Sameguides-k8s/telemetry-and-metrics.mdx- Remove inline telemetry, update deprecation noticesguides-k8s/intro.mdx- Fix broken anchorvMCP docs (3 files)
guides-vmcp/authentication.mdx- Replace inline oidcConfig with MCPOIDCConfig + oidcConfigRefguides-vmcp/backend-discovery.mdx- Fixexternal_auth_config_ref→externalAuthConfigRef, update groupRefguides-vmcp/configuration.mdx- Replace inline oidcConfigCedar docs (3 files)
concepts/cedar-policies.mdx- Addrole_claim_name, server-scoped policiesreference/authz-policy-reference.mdx- Add role resolution, server-scoped resources_partials/_basic-cedar-config.mdx- Addrole_claim_namefieldIntegration docs (2 files)
integrations/okta.mdx- Replace inline oidcConfig with MCPOIDCConfig + oidcConfigRefintegrations/aws-sts.mdx- SameCRD dry-run validation
132 YAML blocks validated against v0.21.0 CRD schemas (
kubectl apply --dry-run=server). No real failures.The 2 failures in
k8s-connect-clientsare false positives - these are intentionally abbreviated snippets that use# ...as a YAML comment placeholder for the metadata section. The extractor seeskind:andname:(fromoidcConfigRef.name) but there is nometadata.name, so kubectl rejects them. No schema issues.Test plan
npm run buildpasses with no new broken anchors🤖 Generated with Claude Code