From 6845e1598f6fe0acc8dee6190af60faef9572134 Mon Sep 17 00:00:00 2001
From: Rashad Sirajudeen
Date: Fri, 15 May 2026 15:40:20 +0530
Subject: [PATCH 1/3] docs: move secret reference writes to the pe toolset

The control-plane MCP server now registers create_, update_, and
delete_secret_reference on the pe toolset only; list_secret_references
and get_secret_reference are dual-registered on both the namespace and
pe toolsets so developers can inspect what's available without enabling
pe.

Reflects openchoreo/openchoreo#3504.

Signed-off-by: Rashad Sirajudeen
---
 docs/reference/mcp-servers.mdx | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/docs/reference/mcp-servers.mdx b/docs/reference/mcp-servers.mdx
index 6a85c0ac..86cc816b 100644
--- a/docs/reference/mcp-servers.mdx
+++ b/docs/reference/mcp-servers.mdx
@@ -67,11 +67,10 @@ If your integration depends on the legacy `*_cluster_*` names, migrate to the ca - `list_namespaces` — List all namespaces (top-level containers for organizing projects, components, and resources) - `create_namespace` — Create a new namespace -- `list_secret_references` — List all secret references (credentials and sensitive configuration) for a namespace -- `get_secret_reference` — Get a single secret reference's full spec (template, data sources, refresh interval, target plane). For sync status, query `get_resource_events` (PE toolset; enable PE alongside Namespace) against the rendered ExternalSecret on the data plane -- `create_secret_reference` — Create a new secret reference; spec must include `template` (Kubernetes Secret type) and `data[]` (mapping of secret keys to external store references) -- `update_secret_reference` — Update an existing secret reference; annotations are merged, spec is replaced wholesale when provided -- `delete_secret_reference` — Delete a secret reference (the underlying Kubernetes Secret is removed by the controller) +- `list_secret_references` ‡ — List all secret references (credentials and sensitive configuration) for a namespace +- `get_secret_reference` ‡ — Get a single secret reference's full spec (template, data sources, refresh interval, target plane). For sync status, query `get_resource_events` (PE toolset; enable PE alongside Namespace) against the rendered ExternalSecret on the data plane + +‡ Also registered on the PE toolset. Authoring secret references (`create_`, `update_`, `delete_secret_reference`) is PE-only — see the PE toolset below. 
@@ -283,6 +282,16 @@ The PE toolset is enabled by default. These tools are intended for platform admi - `update_authz_role_binding` — Update an existing authz role binding (full replacement) - `delete_authz_role_binding` — Delete an authz role binding +**Secret References** + +- `list_secret_references` ‡ — List all secret references (credentials and sensitive configuration) for a namespace +- `get_secret_reference` ‡ — Get a single secret reference's full spec (template, data sources, refresh interval, target plane). For sync status, query `get_resource_events` against the rendered ExternalSecret on the data plane +- `create_secret_reference` — Create a new secret reference; spec must include `template` (Kubernetes Secret type) and `data[]` (mapping of secret keys to external store references) +- `update_secret_reference` — Update an existing secret reference; annotations are merged, spec is replaced wholesale when provided +- `delete_secret_reference` — Delete a secret reference (the underlying Kubernetes Secret is removed by the controller) + +‡ Also registered on the Namespace toolset so developers can list and inspect secret references without enabling PE. + **Diagnostics** - `get_resource_tree` — Get the rendered resource tree for a release binding From 373b993f777c34d504815f727a7ceab04c036f3d Mon Sep 17 00:00:00 2001 From: Rashad Sirajudeen Date: Fri, 15 May 2026 16:33:34 +0530 Subject: [PATCH 2/3] docs: simplify get_secret_reference parenthetical MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Per coderabbit review on #622: replace "(PE toolset; enable PE alongside Namespace)" with "(available in the PE toolset)" — cleaner phrasing, same meaning. Signed-off-by: Rashad Sirajudeen --- docs/reference/mcp-servers.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/mcp-servers.mdx b/docs/reference/mcp-servers.mdx index 86cc816b..71479943 100644 --- a/docs/reference/mcp-servers.mdx 
+++ b/docs/reference/mcp-servers.mdx @@ -68,7 +68,7 @@ If your integration depends on the legacy `*_cluster_*` names, migrate to the ca - `list_namespaces` — List all namespaces (top-level containers for organizing projects, components, and resources) - `create_namespace` — Create a new namespace - `list_secret_references` ‡ — List all secret references (credentials and sensitive configuration) for a namespace -- `get_secret_reference` ‡ — Get a single secret reference's full spec (template, data sources, refresh interval, target plane). For sync status, query `get_resource_events` (PE toolset; enable PE alongside Namespace) against the rendered ExternalSecret on the data plane +- `get_secret_reference` ‡ — Get a single secret reference's full spec (template, data sources, refresh interval, target plane). For sync status, query `get_resource_events` (available in the PE toolset) against the rendered ExternalSecret on the data plane ‡ Also registered on the PE toolset. Authoring secret references (`create_`, `update_`, `delete_secret_reference`) is PE-only — see the PE toolset below. From d54415bc9df4c8a1697d8d70a9f6457633c0cf4b Mon Sep 17 00:00:00 2001 From: Rashad Sirajudeen Date: Fri, 15 May 2026 16:34:21 +0530 Subject: [PATCH 3/3] docs: drop redundant toolset parenthetical on get_secret_reference Signed-off-by: Rashad Sirajudeen --- docs/reference/mcp-servers.mdx | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/reference/mcp-servers.mdx b/docs/reference/mcp-servers.mdx index 71479943..b2d85db2 100644 --- a/docs/reference/mcp-servers.mdx +++ b/docs/reference/mcp-servers.mdx 
@@ -68,7 +68,7 @@ If your integration depends on the legacy `*_cluster_*` names, migrate to the ca - `list_namespaces` — List all namespaces (top-level containers for organizing projects, components, and resources) - `create_namespace` — Create a new namespace - `list_secret_references` ‡ — List all secret references (credentials and sensitive configuration) for a namespace -- `get_secret_reference` ‡ — Get a single secret reference's full spec (template, data sources, refresh interval, target plane). For sync status, query `get_resource_events` (available in the PE toolset) against the rendered ExternalSecret on the data plane +- `get_secret_reference` ‡ — Get a single secret reference's full spec (template, data sources, refresh interval, target plane). For sync status, query `get_resource_events` against the rendered ExternalSecret on the data plane ‡ Also registered on the PE toolset. Authoring secret references (`create_`, `update_`, `delete_secret_reference`) is PE-only — see the PE toolset below.
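
Review bot: In [PATCH 1/3], hunk `@@ -67,11 +67,10 @@`, the three authoring tools leave the Namespace list with no migration notice, although the context line directly above already carries one for the legacy `*_cluster_*` names. An integration that enables only the Namespace toolset and calls `create_secret_reference`, `update_secret_reference` or `delete_secret_reference` will no longer find them there. Suggest extending the ‡ footnote with a sentence that says this is a change from earlier behaviour and that clients which author secret references must have the PE toolset enabled.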
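
Review bot: In [PATCH 1/3], hunk `@@ -283,6 +282,16 @@`, the new ‡ footnote says developers can inspect secret references "without enabling PE", while the hunk's own context line states "The PE toolset is enabled by default"; the footnote should read "with the PE toolset disabled". As far as the toolset split goes, read and write access are only separated for a client that has PE turned off, so the Secret References block should say that explicitly. Otherwise a reader can take the move to PE to mean that `create_`, `update_` and `delete_secret_reference` are already withheld from developers in a default setup.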
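
Review bot: In [PATCH 3/3], hunk `@@ -68,7 +68,7 @@`, the parenthetical removed from the Namespace-section `get_secret_reference` entry is not redundant there: the ‡ footnote covers only the secret reference tools, so after this change nothing on that entry tells a Namespace-only reader that `get_resource_events` lives in the PE toolset. Suggest keeping the 2/3 wording "(available in the PE toolset)" on this line; the PE-section copy of the entry added in 1/3 already omits it, which is the right place to leave it out. Patches 2/3 and 3/3 also rewrite the same line back to back and could be squashed into one.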