github agentic-community/mcp-gateway-registry v1.0.17
v1.0.17 - Okta Identity Provider, Security Hardening, and OTLP Metrics Export

3 months ago

Upgrading from v1.0.16

This section covers everything you need to know to upgrade from v1.0.16 to v1.0.17.

Breaking Changes

1. Local Admin Credentials Removed

The ADMIN_USER and ADMIN_PASSWORD environment variables have been removed. All authentication now requires an identity provider (Keycloak, Entra ID, Okta, or AgentCore).

  • Action Required: Remove these variables from your .env file
  • Migration: Use identity provider accounts for admin access

2. Registry Container Port Changes (Helm/Kubernetes Only)

The registry container now listens on non-privileged ports:

  • HTTP: 8080 (previously 80)
  • HTTPS: 8443 (previously 443)
  • Action Required for Kubernetes/Helm: Update any external port references, Service definitions, or ingress configurations that still target 80/443 on the container
  • No Action Required: Docker Compose and Terraform/ECS deployments automatically map these ports

3. MongoDB Init Container Removed (Helm/Kubernetes Only)

The wait-for-mongodb init container has been removed from auth-server and registry deployments. MongoDB readiness is now handled through application-level retries and health checks.

  • Action Required: None - MongoDB connection retry logic is built into the applications
  • Benefit: Faster pod startup and a smaller attack surface (one fewer container image per pod to build, scan, and patch)

New Environment Variables

Variable | Default | Description
OKTA_DOMAIN | - | Okta organization domain (e.g., dev-123456.okta.com)
OKTA_CLIENT_ID | - | Okta OAuth2 application client ID
OKTA_CLIENT_SECRET | - | Okta OAuth2 application client secret
OKTA_M2M_CLIENT_ID | (uses OKTA_CLIENT_ID) | Optional: separate M2M client ID
OKTA_M2M_CLIENT_SECRET | (uses OKTA_CLIENT_SECRET) | Optional: separate M2M client secret
OKTA_API_TOKEN | - | Optional: Okta Admin API token for IAM operations
OKTA_AUTH_SERVER_ID | (uses default) | Optional: custom authorization server ID
OTEL_OTLP_ENDPOINT | - | OTLP endpoint URL for direct metrics push (e.g., https://otlp.datadoghq.com)
OTEL_EXPORTER_OTLP_HEADERS | - | OTLP headers (e.g., dd-api-key=YOUR_KEY)
OTEL_OTLP_EXPORT_INTERVAL_MS | 30000 | Metrics export interval in milliseconds
OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE | cumulative | Metric temporality: cumulative or delta
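A pre-upgrade check for a Docker Compose .env, added here as an example (it is not part of the project): it parses the file, flags the removed ADMIN_USER and ADMIN_PASSWORD variables, confirms that AUTH_PROVIDER=okta has OKTA_DOMAIN, OKTA_CLIENT_ID and OKTA_CLIENT_SECRET set, and validates the OTLP settings from the table above (comma-separated key=value header list, positive export interval, cumulative or delta temporality). The requirement that OTEL_OTLP_ENDPOINT use https is this example's own caveat, because the platform API key travels in OTEL_EXPORTER_OTLP_HEADERS; the sample .env is constructed.

```python
"""Pre-upgrade check of a .env file against the v1.0.17 changes.

Added example for this page, not part of mcp-gateway-registry. The https
requirement on OTEL_OTLP_ENDPOINT is this example's own caveat.
"""
import urllib.parse

REMOVED_VARS = frozenset({"ADMIN_USER", "ADMIN_PASSWORD"})
OKTA_REQUIRED = ("OKTA_DOMAIN", "OKTA_CLIENT_ID", "OKTA_CLIENT_SECRET")
VALID_TEMPORALITY = frozenset({"cumulative", "delta"})

# Constructed sample .env: leftover admin login, Okta client secret missing.
SAMPLE_ENV = """\
# constructed sample, not a real deployment
AUTH_PROVIDER=okta
ADMIN_USER=admin
ADMIN_PASSWORD="changeme"
OKTA_DOMAIN=dev-123456.okta.com
OKTA_CLIENT_ID=0oaexampleclientid
OTEL_OTLP_ENDPOINT=https://otlp.datadoghq.com
OTEL_EXPORTER_OTLP_HEADERS=dd-api-key=YOUR_KEY
OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE=delta
"""


def parse_dotenv(text):
    """Minimal KEY=VALUE parser: skips blanks/comments, strips 'export ' and quotes."""
    env = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("export "):
            line = line[len("export "):]
        key, sep, value = line.partition("=")
        if not sep:
            continue
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        env[key.strip()] = value
    return env


def parse_otlp_headers(spec):
    """OTEL_EXPORTER_OTLP_HEADERS is a comma-separated key=value list
    (OpenTelemetry SDK spec); values may be percent-encoded."""
    headers = {}
    for item in (part.strip() for part in spec.split(",")):
        if not item:
            continue
        key, sep, value = item.partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed OTEL_EXPORTER_OTLP_HEADERS entry: {item!r}")
        headers[key.strip()] = urllib.parse.unquote(value.strip())
    return headers


def preflight(env):
    """Return a list of problems; an empty list means the .env is ready for v1.0.17."""
    problems = []
    for var in sorted(REMOVED_VARS.intersection(env)):
        problems.append(f"{var} was removed in v1.0.17; delete it from .env")
    if env.get("AUTH_PROVIDER") == "okta":
        for var in OKTA_REQUIRED:
            if not env.get(var):
                problems.append(f"AUTH_PROVIDER=okta requires {var}")
    endpoint = env.get("OTEL_OTLP_ENDPOINT")
    if endpoint:
        if not endpoint.startswith("https://"):
            # Example's own caveat: the headers carry the platform API key.
            problems.append("OTEL_OTLP_ENDPOINT should be https://; the headers carry the API key")
        try:
            parse_otlp_headers(env.get("OTEL_EXPORTER_OTLP_HEADERS", ""))
        except ValueError as exc:
            problems.append(str(exc))
        interval = env.get("OTEL_OTLP_EXPORT_INTERVAL_MS", "30000")
        if not interval.isdigit() or int(interval) <= 0:
            problems.append(f"OTEL_OTLP_EXPORT_INTERVAL_MS must be a positive integer, got {interval!r}")
        temporality = env.get("OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE", "cumulative")
        if temporality not in VALID_TEMPORALITY:
            problems.append(f"temporality must be cumulative or delta, got {temporality!r}")
    return problems


if __name__ == "__main__":
    for problem in preflight(parse_dotenv(SAMPLE_ENV)):
        print("FAIL:", problem)
```

Run it against your real .env before ./build_and_run.sh; an empty result means the file carries no removed variables and every feature it enables has its required settings.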

Upgrade Instructions

Docker Compose

cd mcp-gateway-registry
git pull origin main
git checkout v1.0.17

# Review new env vars in .env.example and update your .env if needed
# Remove ADMIN_USER and ADMIN_PASSWORD if present

# Rebuild and restart:
./build_and_run.sh

Kubernetes / Helm (EKS)

cd mcp-gateway-registry
git pull origin main
git checkout v1.0.17

# Update values.yaml if needed, then upgrade:
cd charts/mcp-gateway-registry-stack
helm upgrade mcp-gateway . -f your-values.yaml

Terraform / ECS

cd mcp-gateway-registry
git pull origin main
git checkout v1.0.17

# Update your .tfvars with any new variables
cd terraform/aws-ecs
terraform plan
terraform apply

DockerHub Images

Pre-built images are available:

docker pull mcpgateway/registry:v1.0.17
docker pull mcpgateway/auth-server:v1.0.17
docker pull mcpgateway/currenttime-server:v1.0.17
docker pull mcpgateway/realserverfaketools-server:v1.0.17
docker pull mcpgateway/mcpgw-server:v1.0.17
docker pull mcpgateway/fininfo-server:v1.0.17
docker pull mcpgateway/metrics-service:v1.0.17

Major Features

Okta Identity Provider Support

Complete integration of Okta as a supported identity provider alongside Keycloak, Entra ID, and Amazon Bedrock AgentCore.

Key Capabilities:

  • Full OAuth 2.0/OIDC authentication flow with Okta
  • Machine-to-machine (M2M) token generation for automated workflows
  • User and group synchronization via Okta API
  • IAM group mapping and authorization
  • Support for custom authorization servers
  • Optional separate M2M client credentials
  • Helm chart configuration support

Configuration:

  • Set AUTH_PROVIDER=okta in your environment
  • Configure required variables: OKTA_DOMAIN, OKTA_CLIENT_ID, OKTA_CLIENT_SECRET
  • Optional IAM features require OKTA_API_TOKEN

PR #644
PR #657
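How the optional M2M client and custom authorization server settings combine into an Okta client-credentials token request, as an added illustration that is not the auth-server's own code. The fallbacks (OKTA_M2M_CLIENT_ID to OKTA_CLIENT_ID, OKTA_M2M_CLIENT_SECRET to OKTA_CLIENT_SECRET, OKTA_AUTH_SERVER_ID to default) follow the table above; the /oauth2/{server_id}/v1/token path and HTTP Basic client authentication are Okta's documented custom-authorization-server token endpoint and RFC 6749 behaviour; the scope name and client values are placeholders, not the project's.

```python
"""Build an Okta client-credentials (M2M) token request from OKTA_* settings.

Added example for this page, not the registry's or auth-server's code. Scope
names and client values below are placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request


def okta_token_endpoint(domain, auth_server_id=None):
    """Token endpoint of an Okta custom authorization server; 'default' is the built-in one."""
    return f"https://{domain}/oauth2/{auth_server_id or 'default'}/v1/token"


def resolve_m2m_credentials(env):
    """Use the separate M2M client when configured, else the interactive OIDC client."""
    client_id = env.get("OKTA_M2M_CLIENT_ID") or env["OKTA_CLIENT_ID"]
    client_secret = env.get("OKTA_M2M_CLIENT_SECRET") or env["OKTA_CLIENT_SECRET"]
    return client_id, client_secret


def build_client_credentials_request(env, scopes):
    """Return (url, headers, body) for grant_type=client_credentials.

    Client authentication is HTTP Basic over form-urlencoded id and secret
    (RFC 6749 section 2.3.1), so the secret never appears in the body or URL.
    """
    client_id, client_secret = resolve_m2m_credentials(env)
    url = okta_token_endpoint(env["OKTA_DOMAIN"], env.get("OKTA_AUTH_SERVER_ID"))
    raw = f"{urllib.parse.quote(client_id, safe='')}:{urllib.parse.quote(client_secret, safe='')}"
    headers = {
        "Authorization": "Basic " + base64.b64encode(raw.encode()).decode(),
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": " ".join(scopes)})
    return url, headers, body


def fetch_m2m_token(env, scopes, timeout=10):
    """Perform the request (network call, not exercised offline); returns the JSON token response."""
    url, headers, body = build_client_credentials_request(env, scopes)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


# Constructed settings: a separate M2M client, default authorization server.
SAMPLE_ENV = {
    "OKTA_DOMAIN": "dev-123456.okta.com",
    "OKTA_CLIENT_ID": "0oa-web-client",
    "OKTA_CLIENT_SECRET": "web-secret",
    "OKTA_M2M_CLIENT_ID": "0oa-m2m-client",
    "OKTA_M2M_CLIENT_SECRET": "m2m-secret",
}

if __name__ == "__main__":
    url, headers, body = build_client_credentials_request(SAMPLE_ENV, ["registry.read"])
    print(url)
    print(body)  # the Authorization header is deliberately not printed
```

Giving automated workflows their own M2M client (the optional OKTA_M2M_* pair) lets you rotate or revoke that secret without touching the browser login client, and keeps the two clients' scopes separately auditable in Okta.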

Infrastructure Security Hardening

Comprehensive security improvements across deployment methods (Docker Compose, Helm/Kubernetes, Terraform/ECS).

Security Enhancements:

  • Container Security: Non-root user execution, dropped capabilities, read-only root filesystems
  • Secrets Management: Removed hardcoded credentials, AWS Secrets Manager integration for ECS
  • Network Security: Localhost binding for development, private IP binding for production
  • Health Checks: Liveness and readiness probes for all services
  • Resource Limits: CPU and memory constraints for all containers
  • Logging: Structured logging with AWS CloudWatch integration

Deployment-Specific Improvements:

  • Helm/Kubernetes: SecurityContext enforcement, pod security standards compliance
  • Terraform/ECS: IAM role refinement, VPC security group tightening, ALB access logging
  • Docker Compose: TLS certificate management, nginx security headers

PR #642

Direct OTLP Metrics Export

Push OpenTelemetry metrics directly to external observability platforms (Datadog, New Relic, Grafana Cloud, Honeycomb) via OTLP/HTTP.

Key Features:

  • Parallel export to both Prometheus and OTLP endpoints
  • Configurable export intervals
  • Support for cumulative and delta metric temporality
  • Pre-configured examples for major platforms
  • No additional collector required

Supported Platforms:

  • Datadog (US1/EU1 regions)
  • New Relic
  • Grafana Cloud
  • Honeycomb
  • Any OTLP-compatible platform

Configuration:

  • Set OTEL_OTLP_ENDPOINT to your platform's OTLP endpoint
  • Add platform-specific headers in OTEL_EXPORTER_OTLP_HEADERS
  • Adjust temporality for Datadog: OTEL_EXPORTER_OTLP_METRICS_TEMPORALITY_PREFERENCE=delta

PR #560
PR #543


What's New

Security Fixes

  • Shell Injection Prevention: Replaced execSync with execFileSync so arguments are passed to the program as an array instead of being interpreted by a shell (#655)
  • Semgrep Findings: Addressed static analysis findings including SQL injection patterns, hardcoded credentials, and insecure randomness (#651)
  • CSRF Protection: Added Cross-Site Request Forgery protection with flexible token validation (#635)
  • Hardcoded Secrets Removal: Eliminated hardcoded database passwords and API tokens (#633)
  • Network Binding Security: Servers now bind to localhost in development, private IPs in production (#604)
  • Subprocess Security: Subprocess calls now use fixed, hardcoded command patterns with validated arguments rather than caller-supplied command strings (#577)
  • SQL Injection Prevention: Parameterized queries and allowlist validation for dynamic identifiers (#579)
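The "SQL Injection Prevention" fix pairs two techniques because a column or table name cannot be bound as a query parameter: bind values with placeholders, and allowlist any identifier that has to be spliced into the SQL text. The following example, written for this page and not taken from the metrics service, shows the vulnerable string-formatting pattern next to the hardened one against a constructed SQLite table.

```python
"""Parameterized values plus allowlisted identifiers, vulnerable vs. hardened.

Added example for this page; the table, rows and column names are constructed
and are not the metrics service's schema.
"""
import sqlite3

# Constructed sample rows: (server_name, path, request_count).
SAMPLE_ROWS = [
    ("currenttime", "/currenttime", 12),
    ("fininfo", "/fininfo", 7),
    ("mcpgw", "/mcpgw", 42),
]

# Only these names may be used for dynamic ORDER BY; anything else is rejected.
ALLOWED_SORT_COLUMNS = frozenset({"server_name", "path", "request_count"})


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE server_metrics (server_name TEXT, path TEXT, request_count INTEGER)"
    )
    conn.executemany("INSERT INTO server_metrics VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def query_vulnerable(conn, server_name, sort_by):
    """The 'before' pattern: both the value and the identifier are formatted into SQL text."""
    sql = (
        "SELECT server_name, path, request_count FROM server_metrics "
        f"WHERE server_name = '{server_name}' ORDER BY {sort_by}"
    )
    return conn.execute(sql).fetchall()


def safe_identifier(name, allowed):
    """Allowlist check for identifiers that cannot be bound as parameters."""
    if name not in allowed:
        raise ValueError(f"disallowed identifier: {name!r}")
    return f'"{name}"'  # double-quote so SQLite reads it strictly as an identifier


def query_hardened(conn, server_name, sort_by):
    """Value bound with a ? placeholder; identifier passed only through the allowlist."""
    column = safe_identifier(sort_by, ALLOWED_SORT_COLUMNS)
    sql = (
        "SELECT server_name, path, request_count FROM server_metrics "
        f"WHERE server_name = ? ORDER BY {column}"
    )
    return conn.execute(sql, (server_name,)).fetchall()


if __name__ == "__main__":
    db = make_db()
    payload = "x' OR '1'='1"  # classic tautology; should match no server name
    print("vulnerable rows:", len(query_vulnerable(db, payload, "server_name")))
    print("hardened rows:  ", len(query_hardened(db, payload, "server_name")))
    try:
        query_hardened(db, "mcpgw", "request_count; DROP TABLE server_metrics")
    except ValueError as exc:
        print("identifier rejected:", exc)
```

The vulnerable form returns every row for the tautology payload, while the hardened form treats the same string as a literal server name and returns nothing; the injected ORDER BY clause never reaches SQLite because the allowlist rejects it first.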

Authentication & Identity

  • Complete Okta identity provider integration with M2M support (#644, #657)
  • Removed local username/password authentication (#591)
  • Fixed Keycloak SSO logout with id_token_hint parameter (#592)
  • Removed old admin username/password references (#627)

Agent Management

  • Fixed agent enable/disable 500 error after container restart (#621, #622)
  • Resolved health status race condition for enabled services (#639)
  • Agent enabled state now persists to repository on toggle (#622)

Search & Discovery

  • Fixed FAISS search initialization and entity type handling (#646)
  • Improved semantic search accuracy and performance

Deployment & Configuration

  • Helm charts now support Okta configuration (#657)
  • OpenTelemetry ConfigMap for registry metrics configuration (#638)
  • MongoDB credentials passed to configure job (#630)
  • Conditional environment variable handling (#640)
  • Docker security hardening and ECS Fargate production fixes (#624)

Infrastructure

  • Created writable /app/certs directory for DocumentDB CA bundle (#632)
  • Fixed nginx X-Forwarded-Port mapping and proxy buffer permissions (#631)
  • Federation server reconciliation and DELETE endpoint fixes (#576)

Frontend Improvements

  • ESC key now closes modals in the UI (#596)
  • Uptime display with system stats tooltip (#567)
  • IAM tool selector improvements and path normalization (#570)

Documentation

  • Added Direct OTLP Push Export documentation (#637)
  • Updated roadmap with March 2026 milestones (#653)
  • Added modern type hints (PEP 604/585) guidance (#582)
  • Comprehensive subprocess and SQL security guidelines (#580)
  • Enterprise Security Posture documentation
  • AWS Show & Tell video added to demo videos

Bug Fixes

  • Fixed FAISS search broken initialization and wrong entity types (#646)
  • Fixed agent enable/disable 500 error after container restart (#621)
  • Fixed agent enabled state persistence on toggle (#622)
  • Eliminated health status race condition for enabled services (#639)
  • Fixed writable /app/certs directory for DocumentDB CA bundle (#632)
  • Fixed nginx X-Forwarded-Port mapping and proxy buffer permissions (#631)
  • Fixed Keycloak SSO logout with id_token_hint (issue #490) (#592)
  • Fixed mcpgw API compatibility and Service Connect (#588)
  • Fixed federation server reconciliation and DELETE endpoint (issue #539) (#576)
  • Resolved Bandit B105 findings (issue #525) (#571)
  • Fixed IAM tool selector, path normalization, and UI permission sync (#570)
  • Resolved Bandit B404/B307/B310 findings (issue #526) (#568)
  • Preserved encrypted federation tokens during peer updates (#564)
  • Fixed Bandit B101 configuration for test files (#565)

Pull Requests Included

PR Title
#657 add okta envvars to charts
#655 fix: replace execSync with execFileSync to prevent shell injection
#653 docs: update roadmap with March 2026 milestones
#651 fix: implement Semgrep security findings fixes (issue #650)
#648 chore(deps): bump langgraph from 1.0.9 to 1.0.10rc1
#647 chore(deps): bump flatted from 3.3.3 to 3.4.1 in /frontend
#646 fix: FAISS search broken - missing initialization and wrong entity types
#645 chore(deps): bump orjson from 3.11.5 to 3.11.6
#644 feat: Add Okta as an Identity Provider
#643 chore(deps): bump black from 25.12.0 to 26.3.1 in /metrics-service
#642 feat: complete infrastructure security hardening implementation (issue #603)
#640 only set envvars if available
#639 fix: eliminate health status race condition for enabled services (#612)
#638 create otel configmap for registry and add variables in values
#637 docs: add Direct OTLP Push Export documentation for metrics
#635 fix: add CSRF protection, flexible validation, and security scan directories
#633 fix: remove hardcoded secret and improve credentials security
#632 fix: create writable /app/certs directory for DocumentDB CA bundle
#631 fix: nginx X-Forwarded-Port mapping and proxy buffer permissions
#630 pass mongodb credentials to configure job
#629 update helm charts for hardening PR
#627 remove old references to admin username/password
#624 Docker security hardening and ECS Fargate production fixes
#622 fix: persist agent enabled state to repository on toggle
#621 fix: agent enable/disable 500 after container restart
#606 remove mcpgw install script
#604 fix(security): address test code and network binding security findings (issue #599)
#596 esc now closes modals in the UI
#592 Fix Keycloak SSO logout with id_token_hint (issue #490)
#591 Remove local username password
#590 update mcpgw deployment and dockerfile
#589 chore(deps): bump fast-xml-parser and @aws-sdk/xml-builder in /cli
#588 fix: mcpgw API compatibility, security hardening, and Service Connect
#586 add mcpgw build and charts
#585 feat: add macOS setup and teardown Claude skill
#584 Rewrite mcpgw MCP server to use registry HTTP APIs (issue #583)
#582 docs: add modern type hints (PEP 604/585) and pre-commit hook guidance
#580 docs: add comprehensive subprocess and SQL security guidelines to CLAUDE.md
#579 522 address sql injection in metrics
#578 more ruff fixes
#577 523 address bandit finding subprocess
#576 feat: add federation server reconciliation and fix DELETE endpoint (issue #539)
#575 feat: searchable audit log filters and statistics dashboard (#572)
#571 fix: resolve Bandit B105 findings (issue #525)
#570 fix(iam): tool selector, path normalization, and UI permission sync in IAM Groups
#568 fix: resolve Bandit B404/B307/B310 findings (issue #526)
#567 feat: add uptime display with system stats tooltip (#566)
#565 fix(security): configure Bandit B101 skip for test files
#564 fix: preserve encrypted federation tokens during peer updates (#561)
#563 chore(deps): bump awscli from 1.44.4 to 1.44.38

Security Dependency Updates

Package | Previous | Updated | Scope
langgraph | 1.0.9 | 1.0.10rc1 | Python
flatted | 3.3.3 | 3.4.1 | frontend (npm)
black | 25.12.0 | 26.3.1 | metrics-service
orjson | 3.11.5 | 3.11.6 | Python
fast-xml-parser | - | (updated) | cli (npm)
@aws-sdk/xml-builder | - | (updated) | cli (npm)
awscli | 1.44.4 | 1.44.38 | Infrastructure

Full Changelog: v1.0.16...v1.0.17

What's Changed

  • esc now closes modals in the UI by @omrishiv in #596
  • Remove local username password by @omrishiv in #591
  • fix(security): address test code and network binding security findings (issue #599) by @aarora79 in #604
  • remove old references to admin username/password by @omrishiv in #627
  • Docker security hardening and ECS Fargate production fixes by @aarora79 in #624
  • fix: nginx X-Forwarded-Port mapping and proxy buffer permissions by @aarora79 in #631
  • pass mongodb credentials to configure job by @omrishiv in #630
  • fix: add CSRF protection, flexible validation, and security scan directories by @aarora79 in #635
  • fix: persist agent enabled state to repository on toggle by @WPrintz in #622
  • fix: agent enable/disable 500 after container restart by @WPrintz in #621
  • feat: Enable OTLP push export through Docker Compose and Terraform/ECS (#543) by @abkrsinh in #560
  • docs: add Direct OTLP Push Export documentation for metrics by @aarora79 in #637
  • create otel configmap for registry and add variables in values by @omrishiv in #638
  • only set envvars if available by @omrishiv in #640
  • fix: eliminate health status race condition for enabled services (#612) by @shekharprateek in #639
  • feat: complete infrastructure security hardening implementation (issue #603) by @aarora79 in #642
  • fix: FAISS search broken - missing initialization and wrong entity types by @harshitkgupta in #646
  • chore(deps): bump orjson from 3.11.5 to 3.11.6 by @dependabot[bot] in #645
  • chore(deps): bump black from 25.12.0 to 26.3.1 in /metrics-service by @dependabot[bot] in #643
  • chore(deps): bump flatted from 3.3.3 to 3.4.1 in /frontend by @dependabot[bot] in #647
  • chore(deps): bump langgraph from 1.0.9 to 1.0.10rc1 by @dependabot[bot] in #648
  • fix: implement Semgrep security findings fixes (issue #650) by @aarora79 in #651
  • docs: update roadmap with March 2026 milestones by @aarora79 in #653
  • fix: replace execSync with execFileSync to prevent shell injection by @spidershield-contrib in #655
  • feat: Add Okta as an Identity Provider by @abkrsinh in #644
  • add okta envvars to charts by @omrishiv in #657
