Proxy-runner is ignoring imagePullSecrets

[jez4]

Bug description

The mcpserver definition are containing the imagePullSecrets. Also the custom helm values of the toolhive-operator chart are including the imagePullSecrets. The proxyrunner could not be pulled from custom registry with authorization. The imagePullSecrets are not added to proxyrunner deployment nor the proxy-runner service account.

Steps to reproduce

Deploy the mcpserver kind with imagePullSecrets in spec.

apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPServer
metadata:
  name: sequentialthinking
  namespace: toolhive-operator
spec:
  image: custom-registry/mcp-servers/sequentialthinking:0.0.1
  transport: streamable-http
  proxyPort: 8080
  mcpPort: 8080
  podTemplateSpec:
    spec:
      imagePullSecrets:
        - name: regsec
      containers:
        - name: mcp # This name must be "mcp"

Expected behavior

The proxyrunner should be downloaded from custom registry using the imagePullSecrets.
The proxyrunner deployment should be specifying the imagePullSecrets or proxy-runner service account should do so.

Actual behavior

The proxyrunner is failing to pull the image.

Environment (if relevant)

• OS/version: Kubernetes v1.33.5
• ToolHive-operator version: v0.7.2
• Chart version: v0.5.25

Additional context

The toolhive-operator is deployed by the helm chart with custom values where the imagePullSecrets are specified.

[jez4]

The helm chart custom values :

namespace: toolhive-operator
fullnameOverride: "toolhive-operator"

operator:
  features:
    experimental: false
  replicaCount: 1

  # -- List of image pull secrets to use
  imagePullSecrets:
    - name: regsec

[Sanskarzz]

/assign

[JAORMX]

@Sanskarzz sure! Thanks for volunteering

[jerm-dro]

Also, assigning myself here, so I can track and remember to review.

[jerm-dro]

@jez4 There's an approved fix (thanks @Sanskarzz!). This will be included in an upcoming release. Please note the solution requires using the newly introduced ImagePullSecrets field found here: mcpServer.Spec.ResourceOverrides.ProxyDeployment.ImagePullSecrets. The podTemplateSpec in your example controls the pod spec used for the backend, not the proxy that sits in front of it. You may need to configure the ImagePullSecrets in both the podTemplateSpec and ProxyDeployment if both the proxy and backend require imagePullSecrets.

[jez4]

Thank you @Sanskarzz and toolhive team !