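---
# Example configuration for syncing from the ToolHive Git repository with OAuth authentication
#
# This configuration pulls registry data from the official ToolHive repository
# and syncs it to the local storage every 30 minutes.
# All API endpoints except the default public paths (health, docs, swagger,
# well-known) require OAuth/OIDC authentication.
#
# Usage:
#   thv-registry-api serve --config examples/config-oauth.yaml

# Sources configuration (can have multiple sources)
sources:
  - name: toolhive
    # Git repository configuration
    git:
      # Repository URL (HTTP/HTTPS/SSH)
      repository: https://github.com/stacklok/toolhive-catalog.git
      # Branch to use (mutually exclusive with tag and commit)
      branch: main
      # Alternative: Use a specific tag
      # tag: v1.0.0
      # Alternative: Use a specific commit SHA (placeholder value shown)
      # commit: abc123def456
      # Path to registry file within the repository
      path: pkg/catalog/toolhive/data/registry-upstream.json
    # Per-registry automatic synchronization policy
    syncPolicy:
      # Sync interval (valid duration: 1m, 5m, 30m, 1h, 24h, etc.)
      # Quoted so the value stays a string for the duration parser.
      interval: "30m"

registries:
  - name: default
    sources: ["toolhive"]

# OAuth/OIDC authentication configuration
auth:
  mode: oauth
  # Additional paths that bypass authentication (optional)
  # These extend the default public paths (health, docs, swagger, well-known)
  # Every path listed here is reachable without a token; keep the list minimal.
  # publicPaths:
  #   - /custom/public
  #   - /metrics
  # OAuth/OIDC specific configuration
  oauth:
    # URL identifying this protected resource (RFC 9728)
    # Used in /.well-known/oauth-protected-resource endpoint
    resourceUrl: https://registry.example.com
    # Protection space identifier for WWW-Authenticate header (optional)
    # Defaults to "mcp-registry"
    realm: mcp-registry
    # OAuth scopes supported by this resource (optional)
    # Defaults to ["mcp-registry:read", "mcp-registry:write"]
    scopesSupported:
      - mcp-registry:read
      - mcp-registry:write
    # OAuth/OIDC providers (at least one required)
    # Multiple providers can be configured (e.g., external IDP + Kubernetes)
    # A token is accepted if it validates against any configured provider,
    # so each provider's audience must be specific to this service.
    providers:
      # Example: External OIDC provider (e.g., Keycloak, Auth0, Okta)
      - name: my-idp
        # OIDC issuer URL (must be HTTPS in production)
        issuerUrl: https://idp.example.com
        # Expected audience claim in the token (REQUIRED)
        audience: api://registry
        # OAuth client ID for token introspection (optional)
        # clientId: registry-client
        # Path to file containing client secret (optional)
        # Reference the secret by file path; never inline it in this file.
        # clientSecretFile: /run/secrets/oauth_client_secret
      # Example: Kubernetes in-cluster authentication
      - name: kubernetes
        issuerUrl: https://kubernetes.default.svc
        audience: https://kubernetes.default.svc
        # Path to CA certificate for verifying Kubernetes API server TLS
        caCertPath: /var/run/secrets/kubernetes.io/serviceaccount/ca.crt

# PostgreSQL database configuration (required)
# Passwords are managed via PostgreSQL's pgpass file (~/.pgpass or $PGPASSFILE)
# See: https://www.postgresql.org/docs/current/libpq-pgpass.html
database:
  host: localhost
  port: 5432
  user: thv_user
  database: toolhive_registry
  # TLS mode. Assuming libpq sslmode semantics, "require" encrypts the
  # connection but does not check the server certificate's hostname; prefer
  # "verify-full" (with a trusted CA file) when the database is reached over
  # a network rather than localhost.
  sslMode: require

# Optional: Filter configuration to include/exclude specific servers
# filter:
#   # Name-based filtering
#   names:
#     # Only include servers matching these patterns (glob syntax)
#     include:
#       - "stacklok/*"
#       - "official/*"
#     # Exclude servers matching these patterns
#     exclude:
#       - "*/deprecated"
#
#   # Tag-based filtering
#   tags:
#     # Only include servers with these tags
#     include:
#       - "production"
#       - "stable"
#     # Exclude servers with these tags
#     exclude:
#       - "experimental"
#       - "beta"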