Commit 4b64792

ChrisJBurns and claude committed
Reframe AuthzConfigRef as part 1 of 2 in godocs
The new AuthzConfigRef field on MCPServer, MCPRemoteProxy, and VirtualMCPServer.IncomingAuth is wired into the MCPAuthzConfig controller's reference tracking (status.referenceCount, deletion protection) but no workload controller actually resolves the ref into a runtime authz config in this PR. That wiring lands in a follow-up.

The previous godocs marked the inline AuthzConfig field "Deprecated: Use AuthzConfigRef" — which pointed users at a non-functional field and risked workloads running with no authorization enforced. Drop the premature Deprecated annotation and add an explicit NOTE on AuthzConfigRef so adopters know to stick with the inline form until the consumer-side wiring lands.

The CEL mutex rule and the controller's reference tracking are unchanged; only the descriptive godocs move.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
1 parent a16d018 commit 4b64792

3 files changed

Lines changed: 18 additions & 3 deletions

cmd/thv-operator/api/v1beta1/mcpremoteproxy_types.go

Lines changed: 6 additions & 1 deletion
@@ -82,14 +82,19 @@ type MCPRemoteProxySpec struct {
8282
HeaderForward *HeaderForwardConfig `json:"headerForward,omitempty"`
8383

8484
// AuthzConfig defines authorization policy configuration for the proxy.
85-
// Deprecated: Use AuthzConfigRef to reference a shared MCPAuthzConfig resource instead.
8685
// AuthzConfig and AuthzConfigRef are mutually exclusive.
8786
// +optional
8887
AuthzConfig *AuthzConfigRef `json:"authzConfig,omitempty"`
8988

9089
// AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
9190
// The referenced MCPAuthzConfig must exist in the same namespace as this MCPRemoteProxy.
9291
// Mutually exclusive with authzConfig.
92+
//
93+
// NOTE: this field is consumed by workload controllers in a follow-up PR.
94+
// Until that lands, AuthzConfigRef is reference-tracked by the
95+
// MCPAuthzConfig controller (deletion protection, status.referenceCount)
96+
// but does NOT apply authorization to this MCPRemoteProxy. Use the
97+
// inline AuthzConfig field in the meantime.
9398
// +optional
9499
AuthzConfigRef *MCPAuthzConfigReference `json:"authzConfigRef,omitempty"`
95100
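Review bot: The NOTE on new lines 93-97 is the only signal that authzConfigRef enforces nothing, and since line 91 keeps the two fields mutually exclusive, an MCPRemoteProxy that sets only authzConfigRef has no inline policy to fall back on and runs without authorization. Godoc is easy to miss at apply time. Until the consumer wiring lands, consider surfacing this at runtime too, for example a status condition or warning event on the workload when authzConfigRef is set, or rejecting the field at admission. The same point applies to the other two types touched in this commit.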

cmd/thv-operator/api/v1beta1/mcpserver_types.go

Lines changed: 6 additions & 1 deletion
@@ -295,14 +295,19 @@ type MCPServerSpec struct {
295295
OIDCConfigRef *MCPOIDCConfigReference `json:"oidcConfigRef,omitempty"`
296296

297297
// AuthzConfig defines authorization policy configuration for the MCP server.
298-
// Deprecated: Use AuthzConfigRef to reference a shared MCPAuthzConfig resource instead.
299298
// AuthzConfig and AuthzConfigRef are mutually exclusive.
300299
// +optional
301300
AuthzConfig *AuthzConfigRef `json:"authzConfig,omitempty"`
302301

303302
// AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
304303
// The referenced MCPAuthzConfig must exist in the same namespace as this MCPServer.
305304
// Mutually exclusive with authzConfig.
305+
//
306+
// NOTE: this field is consumed by workload controllers in a follow-up PR.
307+
// Until that lands, AuthzConfigRef is reference-tracked by the
308+
// MCPAuthzConfig controller (deletion protection, status.referenceCount)
309+
// but does NOT apply authorization to this MCPServer. Use the inline
310+
// AuthzConfig field in the meantime.
306311
// +optional
307312
AuthzConfigRef *MCPAuthzConfigReference `json:"authzConfigRef,omitempty"`
308313
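Review bot: "in a follow-up PR" on new line 306 gives a reader of the API docs nothing to track and will go stale silently once that work merges. Suggest naming the tracking issue in the NOTE, or adding a TODO that carries it next to the field, so the follow-up can find and remove all three copies of this text. Also, only the three *_types.go files change here; if CRD manifests or API reference docs are generated from these comments, they should be regenerated in the same commit so the dropped Deprecated line and the new NOTE actually reach users.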

cmd/thv-operator/api/v1beta1/virtualmcpserver_types.go

Lines changed: 6 additions & 1 deletion
@@ -179,14 +179,19 @@ type IncomingAuthConfig struct {
179179

180180
// AuthzConfig defines authorization policy configuration.
181181
// Reuses MCPServer authz patterns.
182-
// Deprecated: Use AuthzConfigRef to reference a shared MCPAuthzConfig resource instead.
183182
// AuthzConfig and AuthzConfigRef are mutually exclusive.
184183
// +optional
185184
AuthzConfig *AuthzConfigRef `json:"authzConfig,omitempty"`
186185

187186
// AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
188187
// The referenced MCPAuthzConfig must exist in the same namespace as this VirtualMCPServer.
189188
// Mutually exclusive with authzConfig.
189+
//
190+
// NOTE: this field is consumed by workload controllers in a follow-up PR.
191+
// Until that lands, AuthzConfigRef is reference-tracked by the
192+
// MCPAuthzConfig controller (deletion protection, status.referenceCount)
193+
// but does NOT apply authorization to this VirtualMCPServer. Use the
194+
// inline AuthzConfig field in the meantime.
190195
// +optional
191196
AuthzConfigRef *MCPAuthzConfigReference `json:"authzConfigRef,omitempty"`
192197
}
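Review bot: The NOTE on new lines 193-194 says "Use the inline AuthzConfig field", but line 185 declares that field as "AuthzConfig *AuthzConfigRef", so the Go type of the inline field carries the same name as the field the NOTE warns against. A reader skimming the godoc can easily pick the wrong one. Suggest referring to both fields by their JSON names (authzConfig, authzConfigRef) in the NOTE, as line 189 already does with "Mutually exclusive with authzConfig", and applying the same wording to the MCPServer and MCPRemoteProxy copies.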
