Add MCPServerEntry backend discovery to VirtualMCPServer (#4698)

* Add MCPServerEntry backend discovery to VirtualMCPServer controller

VirtualMCPServer needs to discover MCPServerEntry resources (zero-infrastructure
catalog entries) and include them as backends. This enables vMCP to route traffic
to remote MCP servers declared as MCPServerEntry without proxy pods.

- Add WorkloadTypeMCPServerEntry constant and discoverer logic that lists
  MCPServerEntries by groupRef, converts them to vmcp.Backend using the remote
  URL directly from the spec (no K8s Service needed)
- Extend ConfigMap generation to include entry-type backends with remoteURL,
  transport, auth config, and CA bundle mount paths
- Mount CA bundle ConfigMaps as read-only volumes at
  /etc/toolhive/ca-bundles/<entry-name>/ when caBundleRef is configured
- Add mcpserverentries to VirtualMCPServer RBAC rules (get/list/watch)
- Add MCPServerEntry watch with optimized mapper (via MCPGroup Status.Entries)
- Add CABundlePath field to StaticBackendConfig for TLS verification
- Fix pre-existing missing mcpremoteproxies RBAC marker on controller
- Extract metadata key constants to fix goconst lint violations

Closes #4657

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Regenerate CRD manifests and API docs for CABundlePath field

Run task operator-manifests, operator-generate, and crdref-gen to
pick up the new CABundlePath field on StaticBackendConfig and the
updated RBAC markers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Address review feedback for MCPServerEntry discovery

- Rename metadataKeyWorkloadStat to metadataKeyWorkloadStatus (F4)
- Add nil guard to caBundleMountPath for defensive safety (F5)
- Fix volume name truncation with hash suffix to avoid collisions and
  trailing hyphens in DNS labels (F2)
- Add url.Parse validation for RemoteURL as defense-in-depth (F6)
- Propagate errors from buildCABundlePathMap and
  buildCABundleVolumesForEntries instead of silently swallowing (F7)
- Add explicit phase check to skip non-Valid MCPServerEntry backends
- Use path.Join instead of fmt.Sprintf for path construction
- Add tests for volume name truncation, collision avoidance, and
  phase-based filtering

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix undefined assert.NotHasSuffix in volume name tests

testify does not provide NotHasSuffix; use
assert.False with strings.HasSuffix instead.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* Fix import-shadowing lint errors in k8s workload backends

Rename local `url` variables to `serverURL` and `proxyURL` to avoid
shadowing the `net/url` import, which revive flags as import-shadowing.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: JAORMX

cmd/thv-operator/controllers/virtualmcpserver_controller.go

@@ -109,6 +109,8 @@ type VirtualMCPServerReconciler struct {
 // +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=virtualmcpservers/status,verbs=get;update;patch
 // +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=mcpgroups,verbs=get;list;watch
 // +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=mcpservers,verbs=get;list;watch
+// +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=mcpremoteproxies,verbs=get;list;watch
+// +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=mcpserverentries,verbs=get;list;watch
 // +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=mcpexternalauthconfigs,verbs=get;list;watch
 // +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=mcptoolconfigs,verbs=get;list;watch
 // +kubebuilder:rbac:groups=toolhive.stacklok.dev,resources=virtualmcpcompositetooldefinitions,verbs=get;list;watch
@@ -1837,6 +1839,22 @@ func (r *VirtualMCPServerReconciler) listMCPRemoteProxiesAsMap(
 	return mcpRemoteProxyMap, nil
 }
 
+// listMCPServerEntriesAsMap lists all MCPServerEntries in the namespace and returns a map by name.
+func (r *VirtualMCPServerReconciler) listMCPServerEntriesAsMap(
+	ctx context.Context,
+	namespace string,
+) (map[string]*mcpv1alpha1.MCPServerEntry, error) {
+	mcpServerEntryList := &mcpv1alpha1.MCPServerEntryList{}
+	if err := r.List(ctx, mcpServerEntryList, client.InNamespace(namespace)); err != nil {
+		return nil, err
+	}
+	mcpServerEntryMap := make(map[string]*mcpv1alpha1.MCPServerEntry, len(mcpServerEntryList.Items))
+	for i := range mcpServerEntryList.Items {
+		mcpServerEntryMap[mcpServerEntryList.Items[i].Name] = &mcpServerEntryList.Items[i]
+	}
+	return mcpServerEntryMap, nil
+}
+
 // discoverExternalAuthConfigs discovers ExternalAuthConfig from workloads and adds them to the outgoing config.
 // Returns a list of non-fatal errors that should be reported via status conditions.
 // The controller should continue in degraded mode even if some auth configs fail.
@@ -1862,9 +1880,15 @@ func (r *VirtualMCPServerReconciler) discoverExternalAuthConfigs(
 		return backendsWithAuthConfig, authErrors
 	}
 
+	mcpServerEntryMap, err := r.listMCPServerEntriesAsMap(ctx, vmcp.Namespace)
+	if err != nil {
+		ctxLogger.Error(err, "Failed to list MCPServerEntries")
+		return backendsWithAuthConfig, authErrors
+	}
+
 	for _, workloadInfo := range typedWorkloads {
 		externalAuthConfigName := r.getExternalAuthConfigNameFromWorkload(
-			workloadInfo, mcpServerMap, mcpRemoteProxyMap)
+			workloadInfo, mcpServerMap, mcpRemoteProxyMap, mcpServerEntryMap)
 		if externalAuthConfigName == "" {
 			continue
 		}
@@ -1920,6 +1944,7 @@ func (*VirtualMCPServerReconciler) getExternalAuthConfigNameFromWorkload(
 	workloadInfo workloads.TypedWorkload,
 	mcpServerMap map[string]*mcpv1alpha1.MCPServer,
 	mcpRemoteProxyMap map[string]*mcpv1alpha1.MCPRemoteProxy,
+	mcpServerEntryMap map[string]*mcpv1alpha1.MCPServerEntry,
 ) string {
 	switch workloadInfo.Type {
 	case workloads.WorkloadTypeMCPServer:
@@ -1936,6 +1961,13 @@ func (*VirtualMCPServerReconciler) getExternalAuthConfigNameFromWorkload(
 		}
 		return mcpRemoteProxy.Spec.ExternalAuthConfigRef.Name
 
+	case workloads.WorkloadTypeMCPServerEntry:
+		mcpServerEntry, found := mcpServerEntryMap[workloadInfo.Name]
+		if !found || mcpServerEntry.Spec.ExternalAuthConfigRef == nil {
+			return ""
+		}
+		return mcpServerEntry.Spec.ExternalAuthConfigRef.Name
+
 	default:
 		return ""
 	}
@@ -2048,10 +2080,12 @@ func injectSubjectProviderIfNeeded(
 // convertBackendsToStaticBackends converts Backend objects to StaticBackendConfig for ConfigMap embedding.
 // Preserves metadata and uses transport types from workload Specs.
 // Logs warnings when backends are skipped due to missing URL or transport information.
+// caBundlePathMap maps backend names to their CA bundle mount paths (populated for MCPServerEntry backends).
 func convertBackendsToStaticBackends(
 	ctx context.Context,
 	backends []vmcptypes.Backend,
 	transportMap map[string]string,
+	caBundlePathMap map[string]string,
 ) []vmcpconfig.StaticBackendConfig {
 	logger := log.FromContext(ctx)
 	static := make([]vmcpconfig.StaticBackendConfig, 0, len(backends))
@@ -2069,12 +2103,18 @@ func convertBackendsToStaticBackends(
 			continue
 		}
 
-		static = append(static, vmcpconfig.StaticBackendConfig{
+		cfg := vmcpconfig.StaticBackendConfig{
 			Name:      backend.Name,
 			URL:       backend.BaseURL,
 			Transport: transport,
 			Metadata:  backend.Metadata,
-		})
+		}
+
+		if caBundlePath, ok := caBundlePathMap[backend.Name]; ok {
+			cfg.CABundlePath = caBundlePath
+		}
+
+		static = append(static, cfg)
 	}
 	return static
 }
@@ -2168,6 +2208,7 @@ func (r *VirtualMCPServerReconciler) SetupWithManager(mgr ctrl.Manager) error {
 		Watches(&mcpv1alpha1.MCPGroup{}, handler.EnqueueRequestsFromMapFunc(r.mapMCPGroupToVirtualMCPServer)).
 		Watches(&mcpv1alpha1.MCPServer{}, handler.EnqueueRequestsFromMapFunc(r.mapMCPServerToVirtualMCPServer)).
 		Watches(&mcpv1alpha1.MCPRemoteProxy{}, handler.EnqueueRequestsFromMapFunc(r.mapMCPRemoteProxyToVirtualMCPServer)).
+		Watches(&mcpv1alpha1.MCPServerEntry{}, handler.EnqueueRequestsFromMapFunc(r.mapMCPServerEntryToVirtualMCPServer)).
 		Watches(&mcpv1alpha1.MCPExternalAuthConfig{}, handler.EnqueueRequestsFromMapFunc(r.mapExternalAuthConfigToVirtualMCPServer)).
 		Watches(&mcpv1alpha1.MCPToolConfig{}, handler.EnqueueRequestsFromMapFunc(r.mapToolConfigToVirtualMCPServer)).
 		Watches(
@@ -2378,6 +2419,82 @@ func (r *VirtualMCPServerReconciler) mapMCPRemoteProxyToVirtualMCPServer(
 	return requests
 }
 
+// mapMCPServerEntryToVirtualMCPServer maps MCPServerEntry changes to VirtualMCPServer reconciliation requests.
+// This function implements the same optimization as mapMCPServerToVirtualMCPServer to only reconcile
+// VirtualMCPServers that are actually affected by the MCPServerEntry change.
+//
+// The optimization works by:
+// 1. Finding all MCPGroups that include the changed MCPServerEntry (via Status.Entries)
+// 2. Finding all VirtualMCPServers that reference those MCPGroups
+// 3. Only reconciling those specific VirtualMCPServers
+func (r *VirtualMCPServerReconciler) mapMCPServerEntryToVirtualMCPServer(
+	ctx context.Context,
+	obj client.Object,
+) []reconcile.Request {
+	mcpServerEntry, ok := obj.(*mcpv1alpha1.MCPServerEntry)
+	if !ok {
+		return nil
+	}
+
+	ctxLogger := log.FromContext(ctx)
+
+	// Step 1: Find all MCPGroups that include this MCPServerEntry
+	mcpGroupList := &mcpv1alpha1.MCPGroupList{}
+	if err := r.List(ctx, mcpGroupList, client.InNamespace(mcpServerEntry.Namespace)); err != nil {
+		ctxLogger.Error(err, "Failed to list MCPGroups for MCPServerEntry watch")
+		return nil
+	}
+
+	affectedGroups := make(map[string]bool)
+	for _, group := range mcpGroupList.Items {
+		for _, entryName := range group.Status.Entries {
+			if entryName == mcpServerEntry.Name {
+				affectedGroups[group.Name] = true
+				ctxLogger.V(1).Info("MCPServerEntry is member of MCPGroup",
+					"mcpServerEntry", mcpServerEntry.Name,
+					"mcpGroup", group.Name)
+				break
+			}
+		}
+	}
+
+	if len(affectedGroups) == 0 {
+		ctxLogger.V(1).Info("MCPServerEntry not a member of any MCPGroup, skipping VirtualMCPServer reconciliation",
+			"mcpServerEntry", mcpServerEntry.Name)
+		return nil
+	}
+
+	// Step 2: Find VirtualMCPServers that reference the affected MCPGroups
+	vmcpList := &mcpv1alpha1.VirtualMCPServerList{}
+	if err := r.List(ctx, vmcpList, client.InNamespace(mcpServerEntry.Namespace)); err != nil {
+		ctxLogger.Error(err, "Failed to list VirtualMCPServers for MCPServerEntry watch")
+		return nil
+	}
+
+	var requests []reconcile.Request
+	for _, vmcp := range vmcpList.Items {
+		if affectedGroups[vmcp.Spec.Config.Group] {
+			requests = append(requests, reconcile.Request{
+				NamespacedName: types.NamespacedName{
+					Name:      vmcp.Name,
+					Namespace: vmcp.Namespace,
+				},
+			})
+			ctxLogger.V(1).Info("Queuing VirtualMCPServer for reconciliation due to MCPServerEntry change",
+				"virtualMCPServer", vmcp.Name,
+				"mcpGroup", vmcp.Spec.Config.Group,
+				"mcpServerEntry", mcpServerEntry.Name)
+		}
+	}
+
+	ctxLogger.V(1).Info("Mapped MCPServerEntry to VirtualMCPServers",
+		"mcpServerEntry", mcpServerEntry.Name,
+		"affectedGroups", len(affectedGroups),
+		"virtualMCPServers", len(requests))
+
+	return requests
+}
+
 // mapExternalAuthConfigToVirtualMCPServer maps MCPExternalAuthConfig changes to VirtualMCPServer reconciliation requests
 func (r *VirtualMCPServerReconciler) mapExternalAuthConfigToVirtualMCPServer(
 	ctx context.Context,

cmd/thv-operator/controllers/virtualmcpserver_controller_test.go

@@ -272,6 +272,7 @@ func TestVirtualMCPServerEnsureRBACResources(t *testing.T) {
 	assert.Contains(t, toolhiveRule.Resources, "mcpgroups", "Role should allow listing mcpgroups")
 	assert.Contains(t, toolhiveRule.Resources, "mcpservers", "Role should allow listing mcpservers")
 	assert.Contains(t, toolhiveRule.Resources, "mcpremoteproxies", "Role should allow listing mcpremoteproxies")
+	assert.Contains(t, toolhiveRule.Resources, "mcpserverentries", "Role should allow listing mcpserverentries")
 	assert.Contains(t, toolhiveRule.Resources, "mcpexternalauthconfigs", "Role should allow listing mcpexternalauthconfigs")
 
 	// Verify RoleBinding was created
@@ -3317,3 +3318,150 @@ func mustBuildEnvVarsForVmcp(r *VirtualMCPServerReconciler, vmcp *mcpv1alpha1.Vi
 	}
 	return env
 }
+
+// TestGetExternalAuthConfigNameFromWorkload tests auth config ref extraction from all workload types
+func TestGetExternalAuthConfigNameFromWorkload(t *testing.T) {
+	t.Parallel()
+
+	mcpServerMap := map[string]*mcpv1alpha1.MCPServer{
+		"server-with-auth": {
+			Spec: mcpv1alpha1.MCPServerSpec{
+				ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
+					Name: "server-auth-config",
+				},
+			},
+		},
+		"server-no-auth": {
+			Spec: mcpv1alpha1.MCPServerSpec{},
+		},
+	}
+
+	mcpRemoteProxyMap := map[string]*mcpv1alpha1.MCPRemoteProxy{
+		"proxy-with-auth": {
+			Spec: mcpv1alpha1.MCPRemoteProxySpec{
+				ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
+					Name: "proxy-auth-config",
+				},
+			},
+		},
+	}
+
+	mcpServerEntryMap := map[string]*mcpv1alpha1.MCPServerEntry{
+		"entry-with-auth": {
+			Spec: mcpv1alpha1.MCPServerEntrySpec{
+				ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{
+					Name: "entry-auth-config",
+				},
+			},
+		},
+		"entry-no-auth": {
+			Spec: mcpv1alpha1.MCPServerEntrySpec{},
+		},
+	}
+
+	tests := []struct {
+		name         string
+		workload     workloads.TypedWorkload
+		expectedName string
+	}{
+		{
+			name: "MCPServer with auth config ref",
+			workload: workloads.TypedWorkload{
+				Name: "server-with-auth",
+				Type: workloads.WorkloadTypeMCPServer,
+			},
+			expectedName: "server-auth-config",
+		},
+		{
+			name: "MCPServer without auth config ref",
+			workload: workloads.TypedWorkload{
+				Name: "server-no-auth",
+				Type: workloads.WorkloadTypeMCPServer,
+			},
+			expectedName: "",
+		},
+		{
+			name: "MCPServer not found in map",
+			workload: workloads.TypedWorkload{
+				Name: "non-existent",
+				Type: workloads.WorkloadTypeMCPServer,
+			},
+			expectedName: "",
+		},
+		{
+			name: "MCPRemoteProxy with auth config ref",
+			workload: workloads.TypedWorkload{
+				Name: "proxy-with-auth",
+				Type: workloads.WorkloadTypeMCPRemoteProxy,
+			},
+			expectedName: "proxy-auth-config",
+		},
+		{
+			name: "MCPServerEntry with auth config ref",
+			workload: workloads.TypedWorkload{
+				Name: "entry-with-auth",
+				Type: workloads.WorkloadTypeMCPServerEntry,
+			},
+			expectedName: "entry-auth-config",
+		},
+		{
+			name: "MCPServerEntry without auth config ref",
+			workload: workloads.TypedWorkload{
+				Name: "entry-no-auth",
+				Type: workloads.WorkloadTypeMCPServerEntry,
+			},
+			expectedName: "",
+		},
+		{
+			name: "MCPServerEntry not found in map",
+			workload: workloads.TypedWorkload{
+				Name: "non-existent-entry",
+				Type: workloads.WorkloadTypeMCPServerEntry,
+			},
+			expectedName: "",
+		},
+		{
+			name: "unknown workload type",
+			workload: workloads.TypedWorkload{
+				Name: "unknown",
+				Type: workloads.WorkloadType("UnknownType"),
+			},
+			expectedName: "",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			r := &VirtualMCPServerReconciler{}
+			result := r.getExternalAuthConfigNameFromWorkload(
+				tt.workload,
+				mcpServerMap,
+				mcpRemoteProxyMap,
+				mcpServerEntryMap,
+			)
+			assert.Equal(t, tt.expectedName, result)
+		})
+	}
+}
+
+// TestDiscoveredRBACRulesIncludeMCPServerEntries verifies that the RBAC rules
+// for discovered mode include mcpserverentries as an allowed resource
+func TestDiscoveredRBACRulesIncludeMCPServerEntries(t *testing.T) {
+	t.Parallel()
+
+	foundMCPServerEntries := false
+	for _, rule := range vmcpDiscoveredRBACRules {
+		for _, apiGroup := range rule.APIGroups {
+			if apiGroup == "toolhive.stacklok.dev" {
+				for _, resource := range rule.Resources {
+					if resource == "mcpserverentries" {
+						foundMCPServerEntries = true
+					}
+				}
+			}
+		}
+	}
+	assert.True(t, foundMCPServerEntries, "vmcpDiscoveredRBACRules should include mcpserverentries")
+}