feature: support secret reference for Redis password in MCP Server (#3006)

Co-authored-by: 澄潭 <zty98751@alibaba-inc.com>
2026-03-16 16:30:47 +08:00 · 2025-10-27 13:33:52 +08:00
parent 7c4899ad38
commit 1bcef0c00c
7 changed files with 325 additions and 8 deletions
--- a/test/e2e/conformance/tests/configmap-mcp-redis-secret.go
+++ b/test/e2e/conformance/tests/configmap-mcp-redis-secret.go
@@ -0,0 +1,87 @@
+// Copyright (c) 2025 Alibaba Group Holding Ltd.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//	http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package tests
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/alibaba/higress/v2/pkg/ingress/kube/configmap"
+	"github.com/alibaba/higress/v2/test/e2e/conformance/utils/envoy"
+	"github.com/alibaba/higress/v2/test/e2e/conformance/utils/kubernetes"
+	"github.com/alibaba/higress/v2/test/e2e/conformance/utils/suite"
+)
+
+func init() {
+	Register(ConfigMapMcpRedisSecret)
+}
+
+var ConfigMapMcpRedisSecret = suite.ConformanceTest{
+	ShortName:   "ConfigMapMcpRedisSecret",
+	Description: "Envoy MCP session filter should resolve Redis password from Kubernetes secret and react to updates",
+	Manifests:   []string{"tests/configmap-mcp-redis-secret.yaml"},
+	Features:    []suite.SupportedFeature{suite.EnvoyConfigConformanceFeature},
+	Test: func(t *testing.T, suite *suite.ConformanceTestSuite) {
+		const (
+			configMapNamespace = "higress-system"
+			configMapName      = "higress-config"
+			configMapKey       = "higress"
+			secretNamespace    = "higress-system"
+			secretName         = "redis-credentials"
+			secretKey          = "password"
+
+			initialSecretValue = "InitialSecretFromSecret123"
+			updatedSecretValue = "UpdatedSecretFromSecret456"
+		)
+
+		higressCfg := &configmap.HigressConfig{
+			McpServer: &configmap.McpServer{
+				Enable: true,
+				SSEPathSuffix: "/sse",
+				Redis: &configmap.RedisConfig{
+					Address: "redis:6379",
+					PasswordSecret: &configmap.SecretKeyReference{
+						Name: secretName,
+						Key:  secretKey,
+					},
+				},
+			},
+		}
+
+		err := kubernetes.ApplyConfigmapDataWithYaml(t, suite.Client, configMapNamespace, configMapName, configMapKey, higressCfg)
+		require.NoErrorf(t, err, "failed to update %s/%s", configMapNamespace, configMapName)
+
+		assertRedisPassword := func(password string) {
+			envoy.AssertEnvoyConfig(t, suite.TimeoutConfig, envoy.Assertion{
+				Path: `configs.#(@type=="type.googleapis.com/envoy.admin.v3.EcdsConfigDump").` +
+					`ecds_filters.#(ecds_filter.name=="golang-filter-mcp-session").` +
+					`ecds_filter.typed_config.plugin_config.value.redis`,
+				CheckType:       envoy.CheckTypeMatch,
+				TargetNamespace: configMapNamespace,
+				ExpectEnvoyConfig: map[string]interface{}{
+					"password": password,
+				},
+			})
+		}
+
+		assertRedisPassword(initialSecretValue)
+
+		err = kubernetes.ApplySecret(t, suite.Client, secretNamespace, secretName, secretKey, updatedSecretValue)
+		require.NoErrorf(t, err, "failed to update %s/%s secret", secretNamespace, secretName)
+
+		assertRedisPassword(updatedSecretValue)
+	},
+}
--- a/test/e2e/conformance/tests/configmap-mcp-redis-secret.yaml
+++ b/test/e2e/conformance/tests/configmap-mcp-redis-secret.yaml
@@ -0,0 +1,41 @@
+# Copyright (c) 2025 Alibaba Group Holding Ltd.
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#      http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: redis-credentials
+  namespace: higress-system
+type: Opaque
+stringData:
+  password: InitialSecretFromSecret123
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: higress-conformance-infra-configmap-mcp-redis-secret-test
+  namespace: higress-conformance-infra
+spec:
+  ingressClassName: higress
+  rules:
+    - host: "mcp-redis-secret.example.com"
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/mcp"
+            backend:
+              service:
+                name: infra-backend-v3
+                port:
+                  number: 8080