From f513b8cffce57c78a2bb22268032eb0d39361c16 Mon Sep 17 00:00:00 2001
From: kimwwk
Date: Mon, 12 Jan 2026 21:46:03 -0500
Subject: [PATCH] Fix: Pass secret values directly in Docker -e arguments
When using Docker over a socket (e.g., standalone deployments without Docker Desktop), the -e VARNAME syntax looks up the variable in the Docker daemon's environment, not the caller's environment. This causes secrets to not be passed to spawned MCP server containers. Changed to use -e VARNAME=value when the secret is available, which directly passes the value to the container regardless of the Docker daemon's environment.
Co-Authored-By: Claude Opus 4.5
---
 pkg/gateway/clientpool.go | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/pkg/gateway/clientpool.go b/pkg/gateway/clientpool.go
index 872225b41..502128d44 100644
--- a/pkg/gateway/clientpool.go
+++ b/pkg/gateway/clientpool.go
@@ -329,13 +329,16 @@ func (cp *clientPool) argsAndEnv(serverConfig *catalog.ServerConfig, readOnly *b
 }
 // Secrets
+ // Fix: When using Docker over a socket, -e VARNAME looks up the variable
+ // in the Docker daemon's environment, not the caller's. We must pass the
+ // value directly as -e VARNAME=value for standalone deployments.
 for _, s := range serverConfig.Spec.Secrets {
- args = append(args, "-e", s.Env)
-
 secretValue, ok := serverConfig.Secrets[s.Name]
 if ok {
+ args = append(args, "-e", fmt.Sprintf("%s=%s", s.Env, secretValue))
 env = append(env, fmt.Sprintf("%s=%s", s.Env, secretValue))
 } else {
+ args = append(args, "-e", s.Env)
 log.Logf("Warning: Secret '%s' not found for server '%s', setting %s=", s.Name, serverConfig.Name, s.Env)
 env = append(env, fmt.Sprintf("%s=%s", s.Env, ""))
 }
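Review bot: The new `ok` branch in the secrets loop puts the secret value itself into the docker argument list (`"-e", fmt.Sprintf("%s=%s", s.Env, secretValue)`), so it becomes readable from the process command line (`ps`, `/proc/<pid>/cmdline`) and from anywhere these args are logged, whereas the previous bare `-e NAME` form kept the value in the child environment only. If inlining is really needed for the socket case, consider writing the pairs to a temporary file with 0600 permissions and passing it with `--env-file`, or gating the inline form behind an explicit option, and make sure any logging of `args` redacts these entries. The docker CLI normally resolves a bare `-e NAME` from the client process environment rather than the daemon's, so it is worth confirming that `env` actually reaches the spawned CLI in the failing deployment before changing the default for every user. The value is still appended to `env` as well, so it now travels twice; argsAndEnv starts and ends outside this hunk, so how `args` and `env` are consumed is not visible here.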