kagent-dev
diff --git a/‎go/config/crd/bases/kagent.dev_toolservers.yaml‎
Lines changed: 74 additions & 0 deletions b/‎go/config/crd/bases/kagent.dev_toolservers.yaml‎
Lines changed: 74 additions & 0 deletions
diff --git a/‎go/controller/api/v1alpha1/toolserver_types.go‎
Lines changed: 31 additions & 0 deletions b/‎go/controller/api/v1alpha1/toolserver_types.go‎
Lines changed: 31 additions & 0 deletions
diff --git a/‎go/controller/api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 49 additions & 0 deletions b/‎go/controller/api/v1alpha1/zz_generated.deepcopy.go‎
Lines changed: 49 additions & 0 deletions
diff --git a/‎go/controller/internal/autogen/autogen_api_translator.go‎
Lines changed: 111 additions & 3 deletions b/‎go/controller/internal/autogen/autogen_api_translator.go‎
Lines changed: 111 additions & 3 deletions
@@ -47,6 +47,43 @@ spec:
                     properties:
                       headers:
                         x-kubernetes-preserve-unknown-fields: true
+                      headersFrom:
+                        items:
+                          description: ValueRef represents a configuration value
+                          properties:
+                            name:
+                              type: string
+                            value:
+                              type: string
+                            valueFrom:
+                              description: ValueSource defines a source for configuration
+                                values from a Secret or ConfigMap
+                              properties:
+                                key:
+                                  type: string
+                                type:
+                                  enum:
+                                  - ConfigMap
+                                  - Secret
+                                  type: string
+                                valueRef:
+                                  description: |-
+                                    The reference to the ConfigMap or Secret. Can either be a reference to a resource in the same namespace,
+                                    or a reference to a resource in a different namespace in the form "namespace/name".
+                                    If namespace is not provided, the default namespace is used.
+                                  type: string
+                              required:
+                              - key
+                              - type
+                              type: object
+                          required:
+                          - name
+                          type: object
+                          x-kubernetes-validations:
+                          - message: Exactly one of value or valueFrom must be specified
+                            rule: (has(self.value) && !has(self.valueFrom)) || (!has(self.value)
+                              && has(self.valueFrom))
+                        type: array
                       sse_read_timeout:
                         type: string
                       timeout:
@@ -68,6 +105,43 @@ spec:
                         additionalProperties:
                           type: string
                         type: object
+                      envFrom:
+                        items:
+                          description: ValueRef represents a configuration value
+                          properties:
+                            name:
+                              type: string
+                            value:
+                              type: string
+                            valueFrom:
+                              description: ValueSource defines a source for configuration
+                                values from a Secret or ConfigMap
+                              properties:
+                                key:
+                                  type: string
+                                type:
+                                  enum:
+                                  - ConfigMap
+                                  - Secret
+                                  type: string
+                                valueRef:
+                                  description: |-
+                                    The reference to the ConfigMap or Secret. Can either be a reference to a resource in the same namespace,
+                                    or a reference to a resource in a different namespace in the form "namespace/name".
+                                    If namespace is not provided, the default namespace is used.
+                                  type: string
+                              required:
+                              - key
+                              - type
+                              type: object
+                          required:
+                          - name
+                          type: object
+                          x-kubernetes-validations:
+                          - message: Exactly one of value or valueFrom must be specified
+                            rule: (has(self.value) && !has(self.valueFrom)) || (!has(self.value)
+                              && has(self.valueFrom))
+                        type: array
                     required:
                     - command
                     type: object
 
@@ -31,17 +31,48 @@ type ToolServerConfig struct {
 	Sse   *SseMcpServerConfig   `json:"sse,omitempty"`
 }
 
+type ValueSourceType string
+
+const (
+	ConfigMapValueSource ValueSourceType = "ConfigMap"
+	SecretValueSource    ValueSourceType = "Secret"
+)
+
+// ValueSource defines a source for configuration values from a Secret or ConfigMap
+type ValueSource struct {
+	// +kubebuilder:validation:Enum=ConfigMap;Secret
+	Type ValueSourceType `json:"type"`
+	// The reference to the ConfigMap or Secret. Can either be a reference to a resource in the same namespace,
+	// or a reference to a resource in a different namespace in the form "namespace/name".
+	// If namespace is not provided, the default namespace is used.
+	// +optional
+	ValueRef string `json:"valueRef"`
+	Key      string `json:"key"`
+}
+
+// ValueRef represents a configuration value
+// +kubebuilder:validation:XValidation:rule="(has(self.value) && !has(self.valueFrom)) || (!has(self.value) && has(self.valueFrom))",message="Exactly one of value or valueFrom must be specified"
+type ValueRef struct {
+	Name string `json:"name"`
+	// +optional
+	Value string `json:"value,omitempty"`
+	// +optional
+	ValueFrom *ValueSource `json:"valueFrom,omitempty"`
+}
+
 type StdioMcpServerConfig struct {
 	Command string            `json:"command"`
 	Args    []string          `json:"args,omitempty"`
 	Env     map[string]string `json:"env,omitempty"`
+	EnvFrom []ValueRef        `json:"envFrom,omitempty"`
 }
 
 type SseMcpServerConfig struct {
 	URL string `json:"url"`
 	// +kubebuilder:pruning:PreserveUnknownFields
 	// +kubebuilder:validation:Schemaless
 	Headers        map[string]AnyType `json:"headers,omitempty"`
+	HeadersFrom    []ValueRef         `json:"headersFrom,omitempty"`
 	Timeout        string             `json:"timeout,omitempty"`
 	SseReadTimeout string             `json:"sse_read_timeout,omitempty"`
 }
 
@@ -13,6 +13,7 @@ import (
 	autogen_client "github.com/kagent-dev/kagent/go/autogen/client"
 	"github.com/kagent-dev/kagent/go/controller/api/v1alpha1"
 	common "github.com/kagent-dev/kagent/go/controller/internal/utils"
+	corev1 "k8s.io/api/core/v1"
 	v1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/types"
@@ -52,7 +53,7 @@ type apiTranslator struct {
 
 func (a *apiTranslator) TranslateToolServer(ctx context.Context, toolServer *v1alpha1.ToolServer) (*autogen_client.ToolServer, error) {
 	// provder = "kagent.tool_servers.StdioMcpToolServer" || "kagent.tool_servers.SseMcpToolServer"
-	provider, toolServerConfig, err := translateToolServerConfig(toolServer.Spec.Config)
+	provider, toolServerConfig, err := a.translateToolServerConfig(ctx, toolServer.Spec.Config, toolServer.Namespace)
 	if err != nil {
 		return nil, err
 	}
@@ -70,21 +71,128 @@ func (a *apiTranslator) TranslateToolServer(ctx context.Context, toolServer *v1a
 	}, nil
 }
 
-func translateToolServerConfig(config v1alpha1.ToolServerConfig) (string, *api.ToolServerConfig, error) {
+// resolveValueSource resolves a value from a ValueSource
+func (a *apiTranslator) resolveValueSource(ctx context.Context, source *v1alpha1.ValueSource, namespace string) (string, error) {
+	if source == nil {
+		return "", fmt.Errorf("source cannot be nil")
+	}
+
+	switch source.Type {
+	case v1alpha1.ConfigMapValueSource:
+		return a.getConfigMapValue(ctx, source, namespace)
+	case v1alpha1.SecretValueSource:
+		return a.getSecretValue(ctx, source, namespace)
+	default:
+		return "", fmt.Errorf("unknown value source type: %s", source.Type)
+	}
+}
+
+// getConfigMapValue fetches a value from a ConfigMap
+func (a *apiTranslator) getConfigMapValue(ctx context.Context, source *v1alpha1.ValueSource, namespace string) (string, error) {
+	if source == nil {
+		return "", fmt.Errorf("source cannot be nil")
+	}
+
+	configMap := &corev1.ConfigMap{}
+	err := fetchObjKube(
+		ctx,
+		a.kube,
+		configMap,
+		source.ValueRef,
+		namespace,
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to find ConfigMap for %s: %v", source.ValueRef, err)
+	}
+
+	value, exists := configMap.Data[source.Key]
+	if !exists {
+		return "", fmt.Errorf("key %s not found in ConfigMap %s/%s", source.Key, configMap.Namespace, configMap.Name)
+	}
+	return value, nil
+}
+
+// getSecretValue fetches a value from a Secret
+func (a *apiTranslator) getSecretValue(ctx context.Context, source *v1alpha1.ValueSource, namespace string) (string, error) {
+	if source == nil {
+		return "", fmt.Errorf("source cannot be nil")
+	}
+
+	secret := &corev1.Secret{}
+	err := fetchObjKube(
+		ctx,
+		a.kube,
+		secret,
+		source.ValueRef,
+		namespace,
+	)
+	if err != nil {
+		return "", fmt.Errorf("failed to find Secret for %s: %v", source.ValueRef, err)
+	}
+
+	value, exists := secret.Data[source.Key]
+	if !exists {
+		return "", fmt.Errorf("key %s not found in Secret %s/%s", source.Key, secret.Namespace, secret.Name)
+	}
+	return string(value), nil
+}
+
+func (a *apiTranslator) translateToolServerConfig(ctx context.Context, config v1alpha1.ToolServerConfig, namespace string) (string, *api.ToolServerConfig, error) {
 	switch {
 	case config.Stdio != nil:
+		env := make(map[string]string)
+
+		if config.Stdio.Env != nil {
+			for k, v := range config.Stdio.Env {
+				env[k] = v
+			}
+		}
+
+		if len(config.Stdio.EnvFrom) > 0 {
+			for _, envVar := range config.Stdio.EnvFrom {
+				if envVar.ValueFrom != nil {
+					value, err := a.resolveValueSource(ctx, envVar.ValueFrom, namespace)
+
+					if err != nil {
+						return "", nil, fmt.Errorf("failed to resolve environment variable %s: %v", envVar.Name, err)
+					}
+
+					env[envVar.Name] = value
+				} else if envVar.Value != "" {
+					env[envVar.Name] = envVar.Value
+				}
+			}
+		}
+
 		return "kagent.tool_servers.StdioMcpToolServer", &api.ToolServerConfig{
 			StdioMcpServerConfig: &api.StdioMcpServerConfig{
 				Command: config.Stdio.Command,
 				Args:    config.Stdio.Args,
-				Env:     config.Stdio.Env,
+				Env:     env,
 			},
 		}, nil
 	case config.Sse != nil:
 		headers, err := convertMapFromAnytype(config.Sse.Headers)
 		if err != nil {
 			return "", nil, err
 		}
+
+		if len(config.Sse.HeadersFrom) > 0 {
+			for _, header := range config.Sse.HeadersFrom {
+				if header.ValueFrom != nil {
+					value, err := a.resolveValueSource(ctx, header.ValueFrom, namespace)
+
+					if err != nil {
+						return "", nil, fmt.Errorf("failed to resolve header %s: %v", header.Name, err)
+					}
+
+					headers[header.Name] = value
+				} else if header.Value != "" {
+					headers[header.Name] = header.Value
+				}
+			}
+		}
+
 		timeout, err := convertDurationToSeconds(config.Sse.Timeout)
 		if err != nil {
 			return "", nil, err