Extract resolveOIDCConfig helper in VirtualMCPServer converter

ChrisJBurns · claude · ChrisJBurns · commit 2111396e4e04 · 2026-04-02T18:42:42.000+01:00
Collapse the two OIDC resolution branches (MCPOIDCConfigRef and legacy
inline OIDCConfig) into a single resolveOIDCConfig method that returns
an immutable (*vmcpconfig.OIDCConfig, error). This simplifies
convertIncomingAuth by making incoming auth construction a single
assignment rather than a mutable struct with conditional field mutation.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/cmd/thv-operator/pkg/vmcpconfig/converter.go b/cmd/thv-operator/pkg/vmcpconfig/converter.go
@@ -171,13 +171,53 @@ func (c *Converter) convertIncomingAuth(
 	ctx context.Context,
 	vmcp *mcpv1alpha1.VirtualMCPServer,
 ) (*vmcpconfig.IncomingAuthConfig, error) {
-	ctxLogger := log.FromContext(ctx)
+	oidcConfig, err := c.resolveOIDCConfig(ctx, vmcp)
+	if err != nil {
+		return nil, err
+	}
 
 	incoming := &vmcpconfig.IncomingAuthConfig{
 		Type: vmcp.Spec.IncomingAuth.Type,
+		OIDC: oidcConfig,
+	}
+
+	// Convert authorization configuration
+	if vmcp.Spec.IncomingAuth.AuthzConfig != nil {
+		// Map Kubernetes API types to vmcp config types
+		// API "inline" maps to vmcp "cedar"
+		authzType := vmcp.Spec.IncomingAuth.AuthzConfig.Type
+		if authzType == authzLabelValueInline {
+			authzType = "cedar"
+		}
+
+		incoming.Authz = &vmcpconfig.AuthzConfig{
+			Type: authzType,
+		}
+
+		// Handle inline policies
+		if vmcp.Spec.IncomingAuth.AuthzConfig.Type == authzLabelValueInline && vmcp.Spec.IncomingAuth.AuthzConfig.Inline != nil {
+			incoming.Authz.Policies = vmcp.Spec.IncomingAuth.AuthzConfig.Inline.Policies
+		}
+		// TODO: Load policies from ConfigMap if Type is "configMap"
 	}
 
-	// Convert OIDC configuration if present.
+	return incoming, nil
+}
+
+// resolveOIDCConfig resolves OIDC configuration from either an MCPOIDCConfig reference
+// or legacy inline OIDCConfig. Returns nil when no OIDC config is present.
+// Fails closed: returns an error when OIDC is configured but resolution fails,
+// preventing deployment without authentication when OIDC is explicitly requested.
+func (c *Converter) resolveOIDCConfig(
+	ctx context.Context,
+	vmcp *mcpv1alpha1.VirtualMCPServer,
+) (*vmcpconfig.OIDCConfig, error) {
+	if vmcp.Spec.IncomingAuth == nil {
+		return nil, nil
+	}
+
+	ctxLogger := log.FromContext(ctx)
+
 	// New path: resolve from MCPOIDCConfig reference (preferred over legacy inline OIDCConfig)
 	if vmcp.Spec.IncomingAuth.OIDCConfigRef != nil {
 		oidcCfg, err := controllerutil.GetOIDCConfigForServer(
@@ -186,7 +226,7 @@ func (c *Converter) convertIncomingAuth(
 			return nil, fmt.Errorf("failed to get MCPOIDCConfig %s: %w",
 				vmcp.Spec.IncomingAuth.OIDCConfigRef.Name, err)
 		}
-		resolvedConfig, err := c.oidcResolver.ResolveFromConfigRef(
+		resolved, err := c.oidcResolver.ResolveFromConfigRef(
 			ctx, vmcp.Spec.IncomingAuth.OIDCConfigRef, oidcCfg,
 			vmcp.Name, vmcp.Namespace, vmcp.GetProxyPort())
 		if err != nil {
@@ -197,50 +237,24 @@ func (c *Converter) convertIncomingAuth(
 			return nil, fmt.Errorf("OIDC resolution failed from MCPOIDCConfig %q: %w",
 				vmcp.Spec.IncomingAuth.OIDCConfigRef.Name, err)
 		}
-		if resolvedConfig != nil {
-			incoming.OIDC = mapResolvedOIDCToVmcpConfigFromRef(resolvedConfig, oidcCfg)
-		}
-	} else if vmcp.Spec.IncomingAuth.OIDCConfig != nil {
-		// Legacy path: resolve from inline OIDCConfig
-		// Use the OIDC resolver to handle all OIDC types (kubernetes, configMap, inline)
-		// VirtualMCPServer implements OIDCConfigurable, so the resolver can work with it directly
-		resolvedConfig, err := c.oidcResolver.Resolve(ctx, vmcp)
+		return mapResolvedOIDCToVmcpConfigFromRef(resolved, oidcCfg), nil
+	}
+
+	// Legacy path: resolve from inline OIDCConfig
+	if vmcp.Spec.IncomingAuth.OIDCConfig != nil {
+		resolved, err := c.oidcResolver.Resolve(ctx, vmcp)
 		if err != nil {
 			ctxLogger.Error(err, "failed to resolve OIDC config",
 				"vmcp", vmcp.Name,
 				"namespace", vmcp.Namespace,
 				"oidcType", vmcp.Spec.IncomingAuth.OIDCConfig.Type)
-			// Fail closed: return error when OIDC is configured but resolution fails
-			// This prevents deploying without authentication when OIDC is explicitly requested
 			return nil, fmt.Errorf("OIDC resolution failed for type %q: %w",
 				vmcp.Spec.IncomingAuth.OIDCConfig.Type, err)
 		}
-		if resolvedConfig != nil {
-			incoming.OIDC = mapResolvedOIDCToVmcpConfig(resolvedConfig, vmcp.Spec.IncomingAuth.OIDCConfig)
-		}
+		return mapResolvedOIDCToVmcpConfig(resolved, vmcp.Spec.IncomingAuth.OIDCConfig), nil
 	}
 
-	// Convert authorization configuration
-	if vmcp.Spec.IncomingAuth.AuthzConfig != nil {
-		// Map Kubernetes API types to vmcp config types
-		// API "inline" maps to vmcp "cedar"
-		authzType := vmcp.Spec.IncomingAuth.AuthzConfig.Type
-		if authzType == authzLabelValueInline {
-			authzType = "cedar"
-		}
-
-		incoming.Authz = &vmcpconfig.AuthzConfig{
-			Type: authzType,
-		}
-
-		// Handle inline policies
-		if vmcp.Spec.IncomingAuth.AuthzConfig.Type == authzLabelValueInline && vmcp.Spec.IncomingAuth.AuthzConfig.Inline != nil {
-			incoming.Authz.Policies = vmcp.Spec.IncomingAuth.AuthzConfig.Inline.Policies
-		}
-		// TODO: Load policies from ConfigMap if Type is "configMap"
-	}
-
-	return incoming, nil
+	return nil, nil
 }
 
 // mapResolvedOIDCToVmcpConfig maps from oidc.OIDCConfig (resolved by the OIDC resolver)
