Add authServerRef CRD types, controller logic, and unit tests (#4644)

The embedded auth server currently competes with outgoing auth types (like AWS STS) for the single `externalAuthConfigRef` slot on MCPServer and MCPRemoteProxy CRDs. Because `MCPExternalAuthConfig` enforces mutually exclusive types, users cannot configure both an embedded auth server for incoming client authentication and an outgoing token exchange on the same resource. This PR adds a dedicated `authServerRef` field to both CRDs, separating the embedded auth server from `externalAuthConfigRef` so both can coexist.

Author: tgrunnagle

cmd/thv-operator/api/v1alpha1/mcpremoteproxy_types.go

@@ -76,6 +76,12 @@ type MCPRemoteProxySpec struct {
 	// +optional
 	ExternalAuthConfigRef *ExternalAuthConfigRef `json:"externalAuthConfigRef,omitempty"`
 
+	// AuthServerRef optionally references a resource that configures an embedded
+	// OAuth 2.0/OIDC authorization server to authenticate MCP clients.
+	// Currently the only supported kind is MCPExternalAuthConfig (type: embeddedAuthServer).
+	// +optional
+	AuthServerRef *AuthServerRef `json:"authServerRef,omitempty"`
+
 	// HeaderForward configures headers to inject into requests to the remote MCP server.
 	// Use this to add custom headers like X-Tenant-ID or correlation IDs.
 	// +optional
@@ -172,6 +178,11 @@ type MCPRemoteProxyStatus struct {
 	// +optional
 	ExternalAuthConfigHash string `json:"externalAuthConfigHash,omitempty"`
 
+	// AuthServerConfigHash is the hash of the referenced authServerRef spec,
+	// used to detect configuration changes and trigger reconciliation.
+	// +optional
+	AuthServerConfigHash string `json:"authServerConfigHash,omitempty"`
+
 	// OIDCConfigHash is the hash of the referenced MCPOIDCConfig spec for change detection
 	// +optional
 	OIDCConfigHash string `json:"oidcConfigHash,omitempty"`
@@ -219,6 +230,9 @@ const (
 	// ConditionTypeMCPRemoteProxyExternalAuthConfigValidated indicates whether the ExternalAuthConfigRef is valid
 	ConditionTypeMCPRemoteProxyExternalAuthConfigValidated = "ExternalAuthConfigValidated"
 
+	// ConditionTypeMCPRemoteProxyAuthServerRefValidated indicates whether the AuthServerRef is valid
+	ConditionTypeMCPRemoteProxyAuthServerRefValidated = "AuthServerRefValidated"
+
 	// ConditionTypeConfigurationValid indicates whether the proxy spec has passed all pre-deployment validation checks
 	ConditionTypeConfigurationValid = "ConfigurationValid"
 )
@@ -277,6 +291,24 @@ const (
 	// for MCPRemoteProxy (use VirtualMCPServer for multi-upstream).
 	ConditionReasonMCPRemoteProxyExternalAuthConfigMultiUpstream = "MultiUpstreamNotSupported"
 
+	// ConditionReasonMCPRemoteProxyAuthServerRefValid indicates the AuthServerRef is valid
+	ConditionReasonMCPRemoteProxyAuthServerRefValid = "AuthServerRefValid"
+
+	// ConditionReasonMCPRemoteProxyAuthServerRefNotFound indicates the referenced auth server config was not found
+	ConditionReasonMCPRemoteProxyAuthServerRefNotFound = "AuthServerRefNotFound"
+
+	// ConditionReasonMCPRemoteProxyAuthServerRefFetchError indicates an error occurred fetching the auth server config
+	ConditionReasonMCPRemoteProxyAuthServerRefFetchError = "AuthServerRefFetchError"
+
+	// ConditionReasonMCPRemoteProxyAuthServerRefInvalidKind indicates the authServerRef kind is not supported
+	ConditionReasonMCPRemoteProxyAuthServerRefInvalidKind = "AuthServerRefInvalidKind"
+
+	// ConditionReasonMCPRemoteProxyAuthServerRefInvalidType indicates the referenced config is not an embeddedAuthServer
+	ConditionReasonMCPRemoteProxyAuthServerRefInvalidType = "AuthServerRefInvalidType"
+
+	// ConditionReasonMCPRemoteProxyAuthServerRefMultiUpstream indicates multi-upstream is not supported
+	ConditionReasonMCPRemoteProxyAuthServerRefMultiUpstream = "MultiUpstreamNotSupported"
+
 	// ConditionReasonConfigurationValid indicates all configuration validations passed
 	ConditionReasonConfigurationValid = "ConfigurationValid"
 

cmd/thv-operator/api/v1alpha1/mcpserver_types.go

@@ -108,6 +108,31 @@ const (
 	ConditionReasonExternalAuthConfigMultiUpstream = "MultiUpstreamNotSupported"
 )
 
+const (
+	// ConditionTypeAuthServerRefValidated indicates whether the AuthServerRef is valid
+	ConditionTypeAuthServerRefValidated = "AuthServerRefValidated"
+)
+
+const (
+	// ConditionReasonAuthServerRefValid indicates the referenced auth server config is valid
+	ConditionReasonAuthServerRefValid = "AuthServerRefValid"
+
+	// ConditionReasonAuthServerRefNotFound indicates the referenced auth server config was not found
+	ConditionReasonAuthServerRefNotFound = "AuthServerRefNotFound"
+
+	// ConditionReasonAuthServerRefFetchError indicates an error occurred fetching the auth server config
+	ConditionReasonAuthServerRefFetchError = "AuthServerRefFetchError"
+
+	// ConditionReasonAuthServerRefInvalidKind indicates the authServerRef kind is not supported
+	ConditionReasonAuthServerRefInvalidKind = "AuthServerRefInvalidKind"
+
+	// ConditionReasonAuthServerRefInvalidType indicates the referenced config is not an embeddedAuthServer
+	ConditionReasonAuthServerRefInvalidType = "AuthServerRefInvalidType"
+
+	// ConditionReasonAuthServerRefMultiUpstream indicates multi-upstream is not supported
+	ConditionReasonAuthServerRefMultiUpstream = "MultiUpstreamNotSupported"
+)
+
 // ConditionTelemetryConfigRefValidated indicates whether the TelemetryConfigRef is valid
 const ConditionTelemetryConfigRefValidated = "TelemetryConfigRefValidated"
 
@@ -270,6 +295,12 @@ type MCPServerSpec struct {
 	// +optional
 	ExternalAuthConfigRef *ExternalAuthConfigRef `json:"externalAuthConfigRef,omitempty"`
 
+	// AuthServerRef optionally references a resource that configures an embedded
+	// OAuth 2.0/OIDC authorization server to authenticate MCP clients.
+	// Currently the only supported kind is MCPExternalAuthConfig (type: embeddedAuthServer).
+	// +optional
+	AuthServerRef *AuthServerRef `json:"authServerRef,omitempty"`
+
 	// TelemetryConfigRef references an MCPTelemetryConfig resource for shared telemetry configuration.
 	// The referenced MCPTelemetryConfig must exist in the same namespace as this MCPServer.
 	// Cross-namespace references are not supported for security and isolation reasons.
@@ -836,6 +867,21 @@ type ExternalAuthConfigRef struct {
 	Name string `json:"name"`
 }
 
+// AuthServerRef defines a reference to a resource that configures an embedded
+// OAuth 2.0/OIDC authorization server. Currently only MCPExternalAuthConfig is supported;
+// the enum will be extended when a dedicated auth server CRD is introduced.
+type AuthServerRef struct {
+	// Kind identifies the type of the referenced resource.
+	// +kubebuilder:validation:Enum=MCPExternalAuthConfig
+	// +kubebuilder:default=MCPExternalAuthConfig
+	Kind string `json:"kind"`
+
+	// Name is the name of the referenced resource in the same namespace.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinLength=1
+	Name string `json:"name"`
+}
+
 // ToolConfigRef defines a reference to a MCPToolConfig resource.
 // The referenced MCPToolConfig must be in the same namespace as the MCPServer.
 type ToolConfigRef struct {
@@ -971,6 +1017,11 @@ type MCPServerStatus struct {
 	// +optional
 	ExternalAuthConfigHash string `json:"externalAuthConfigHash,omitempty"`
 
+	// AuthServerConfigHash is the hash of the referenced authServerRef spec,
+	// used to detect configuration changes and trigger reconciliation.
+	// +optional
+	AuthServerConfigHash string `json:"authServerConfigHash,omitempty"`
+
 	// OIDCConfigHash is the hash of the referenced MCPOIDCConfig spec for change detection
 	// +optional
 	OIDCConfigHash string `json:"oidcConfigHash,omitempty"`