Make oidcConfig optional on MCPRemoteProxy for anonymous access

MCPRemoteProxy previously required oidcConfig, making it impossible
to proxy public MCP servers without configuring authentication.

Make the oidcConfig field optional — when omitted, the proxy allows
anonymous access and forwards requests to the upstream without any
authentication on either side. This enables "case 1" where both the
upstream MCP and the proxy are fully public.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: aron-muon

cmd/thv-operator/api/v1alpha1/mcpremoteproxy_types.go

@@ -58,10 +58,11 @@ type MCPRemoteProxySpec struct {
 	// +kubebuilder:default=streamable-http
 	Transport string `json:"transport,omitempty"`
 
-	// OIDCConfig defines OIDC authentication configuration for the proxy
-	// This validates incoming tokens from clients. Required for proxy mode.
-	// +kubebuilder:validation:Required
-	OIDCConfig OIDCConfigRef `json:"oidcConfig"`
+	// OIDCConfig defines OIDC authentication configuration for the proxy.
+	// When set, incoming requests are validated against the configured OIDC provider.
+	// When omitted, the proxy allows anonymous access (no authentication required).
+	// +optional
+	OIDCConfig *OIDCConfigRef `json:"oidcConfig,omitempty"`
 
 	// ExternalAuthConfigRef references a MCPExternalAuthConfig resource for token exchange.
 	// When specified, the proxy will exchange validated incoming tokens for remote service tokens.
@@ -327,7 +328,7 @@ func (m *MCPRemoteProxy) GetNamespace() string {
 
 // GetOIDCConfig returns the OIDC configuration reference
 func (m *MCPRemoteProxy) GetOIDCConfig() *OIDCConfigRef {
-	return &m.Spec.OIDCConfig
+	return m.Spec.OIDCConfig
 }
 
 // GetProxyPort returns the proxy port of the MCPRemoteProxy

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -423,6 +423,9 @@ func setConfigurationInvalidCondition(proxy *mcpv1alpha1.MCPRemoteProxy, reason,
 // validateOIDCIssuerURL validates the OIDC issuer URL scheme.
 func (*MCPRemoteProxyReconciler) validateOIDCIssuerURL(proxy *mcpv1alpha1.MCPRemoteProxy) error {
 	oidcConfig := proxy.Spec.OIDCConfig
+	if oidcConfig == nil {
+		return nil
+	}
 
 	switch oidcConfig.Type {
 	case mcpv1alpha1.OIDCConfigTypeInline:

cmd/thv-operator/controllers/mcpremoteproxy_controller.go

@@ -57,7 +57,7 @@ func TestMCPRemoteProxyValidateSpec(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.salesforce.com",
 					ProxyPort: 8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://login.salesforce.com",
@@ -77,7 +77,7 @@ func TestMCPRemoteProxyValidateSpec(t *testing.T) {
 				},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					ProxyPort: 8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -89,8 +89,20 @@ func TestMCPRemoteProxyValidateSpec(t *testing.T) {
 			expectError: true,
 			errContains: "remote URL must not be empty",
 		},
-		// Note: "missing OIDC config" test removed - OIDCConfig is now a required value type
-		// with kubebuilder:validation:Required, so the API server prevents resources without it
+		{
+			name: "valid spec without OIDC config (anonymous access)",
+			proxy: &mcpv1alpha1.MCPRemoteProxy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "anon-proxy",
+					Namespace: "default",
+				},
+				Spec: mcpv1alpha1.MCPRemoteProxySpec{
+					RemoteURL: "https://docs.example.com/mcp",
+					ProxyPort: 8080,
+				},
+			},
+			expectError: false,
+		},
 		{
 			name: "with valid external auth config",
 			proxy: &mcpv1alpha1.MCPRemoteProxy{
@@ -101,7 +113,7 @@ func TestMCPRemoteProxyValidateSpec(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
 					ProxyPort: 8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.company.com",
@@ -159,7 +171,7 @@ func TestMCPRemoteProxyReconcile_CreateResources(t *testing.T) {
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.salesforce.com",
 			ProxyPort: 8080,
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://login.salesforce.com",

cmd/thv-operator/controllers/mcpremoteproxy_controller_test.go

@@ -154,42 +154,11 @@ func (r *MCPRemoteProxyReconciler) buildEnvVarsForProxy(
 		env = append(env, otelEnvVars...)
 	}
 
-	// Add token exchange environment variables
-	// Note: Embedded auth server env vars are added separately in deploymentForMCPRemoteProxy
-	// to avoid duplicate API calls.
-	if proxy.Spec.ExternalAuthConfigRef != nil {
-		tokenExchangeEnvVars, err := ctrlutil.GenerateTokenExchangeEnvVars(
-			ctx,
-			r.Client,
-			proxy.Namespace,
-			proxy.Spec.ExternalAuthConfigRef,
-			ctrlutil.GetExternalAuthConfigByName,
-		)
-		if err != nil {
-			ctxLogger := log.FromContext(ctx)
-			ctxLogger.Error(err, "Failed to generate token exchange environment variables")
-		} else {
-			env = append(env, tokenExchangeEnvVars...)
-		}
-
-		// Add bearer token environment variables
-		bearerTokenEnvVars, err := ctrlutil.GenerateBearerTokenEnvVar(
-			ctx,
-			r.Client,
-			proxy.Namespace,
-			proxy.Spec.ExternalAuthConfigRef,
-			ctrlutil.GetExternalAuthConfigByName,
-		)
-		if err != nil {
-			ctxLogger := log.FromContext(ctx)
-			ctxLogger.Error(err, "Failed to generate bearer token environment variables")
-		} else {
-			env = append(env, bearerTokenEnvVars...)
-		}
-	}
+	// Add token exchange and bearer token environment variables
+	env = append(env, r.buildExternalAuthEnvVars(ctx, proxy)...)
 
 	// Add OIDC client secret environment variable if using inline config with secretRef
-	if proxy.Spec.OIDCConfig.Type == "inline" && proxy.Spec.OIDCConfig.Inline != nil {
+	if proxy.Spec.OIDCConfig != nil && proxy.Spec.OIDCConfig.Type == "inline" && proxy.Spec.OIDCConfig.Inline != nil {
 		oidcClientSecretEnvVar, err := ctrlutil.GenerateOIDCClientSecretEnvVar(
 			ctx, r.Client, proxy.Namespace, proxy.Spec.OIDCConfig.Inline.ClientSecretRef,
 		)
@@ -228,6 +197,40 @@ func (r *MCPRemoteProxyReconciler) buildEnvVarsForProxy(
 	return ctrlutil.EnsureRequiredEnvVars(ctx, env)
 }
 
+// buildExternalAuthEnvVars builds environment variables for external auth (token exchange and bearer token).
+// Note: Embedded auth server env vars are added separately in deploymentForMCPRemoteProxy
+// to avoid duplicate API calls.
+func (r *MCPRemoteProxyReconciler) buildExternalAuthEnvVars(
+	ctx context.Context, proxy *mcpv1alpha1.MCPRemoteProxy,
+) []corev1.EnvVar {
+	if proxy.Spec.ExternalAuthConfigRef == nil {
+		return nil
+	}
+
+	ctxLogger := log.FromContext(ctx)
+	var env []corev1.EnvVar
+
+	tokenExchangeEnvVars, err := ctrlutil.GenerateTokenExchangeEnvVars(
+		ctx, r.Client, proxy.Namespace, proxy.Spec.ExternalAuthConfigRef, ctrlutil.GetExternalAuthConfigByName,
+	)
+	if err != nil {
+		ctxLogger.Error(err, "Failed to generate token exchange environment variables")
+	} else {
+		env = append(env, tokenExchangeEnvVars...)
+	}
+
+	bearerTokenEnvVars, err := ctrlutil.GenerateBearerTokenEnvVar(
+		ctx, r.Client, proxy.Namespace, proxy.Spec.ExternalAuthConfigRef, ctrlutil.GetExternalAuthConfigByName,
+	)
+	if err != nil {
+		ctxLogger.Error(err, "Failed to generate bearer token environment variables")
+	} else {
+		env = append(env, bearerTokenEnvVars...)
+	}
+
+	return env
+}
+
 // buildHeaderForwardSecretEnvVars builds environment variables for header forward secrets.
 // Each secret is mounted as an env var using Kubernetes SecretKeyRef, with a name following
 // the TOOLHIVE_SECRET_<identifier> pattern expected by the secrets.EnvironmentProvider.

cmd/thv-operator/controllers/mcpremoteproxy_deployment.go

@@ -911,7 +911,7 @@ func TestBuildEnvVarsForProxy(t *testing.T) {
 				},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",

cmd/thv-operator/controllers/mcpremoteproxy_deployment_test.go

@@ -50,6 +50,50 @@ func TestMCPRemoteProxyFullReconciliation(t *testing.T) {
 		secret         *corev1.Secret
 		validateResult func(*testing.T, *mcpv1alpha1.MCPRemoteProxy, client.Client)
 	}{
+		{
+			name: "anonymous proxy without OIDC config",
+			proxy: &mcpv1alpha1.MCPRemoteProxy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "anon-proxy",
+					Namespace: "default",
+				},
+				Spec: mcpv1alpha1.MCPRemoteProxySpec{
+					RemoteURL: "https://docs.example.com/mcp",
+					Port:      8080,
+					Transport: "streamable-http",
+				},
+			},
+			validateResult: func(t *testing.T, proxy *mcpv1alpha1.MCPRemoteProxy, c client.Client) {
+				t.Helper()
+
+				// Verify RunConfig ConfigMap created with no OIDC config
+				cm := &corev1.ConfigMap{}
+				err := c.Get(context.TODO(), types.NamespacedName{
+					Name:      fmt.Sprintf("%s-runconfig", proxy.Name),
+					Namespace: proxy.Namespace,
+				}, cm)
+				assert.NoError(t, err, "RunConfig ConfigMap should be created")
+				assert.Contains(t, cm.Data, "runconfig.json")
+				// OIDC config should not be present in the RunConfig
+				assert.NotContains(t, cm.Data["runconfig.json"], "oidc_issuer")
+
+				// Verify Deployment created
+				dep := &appsv1.Deployment{}
+				err = c.Get(context.TODO(), types.NamespacedName{
+					Name:      proxy.Name,
+					Namespace: proxy.Namespace,
+				}, dep)
+				assert.NoError(t, err, "Deployment should be created")
+
+				// Verify Service created
+				svc := &corev1.Service{}
+				err = c.Get(context.TODO(), types.NamespacedName{
+					Name:      createProxyServiceName(proxy.Name),
+					Namespace: proxy.Namespace,
+				}, svc)
+				assert.NoError(t, err, "Service should be created")
+			},
+		},
 		{
 			name: "basic proxy with inline OIDC",
 			proxy: &mcpv1alpha1.MCPRemoteProxy{
@@ -61,7 +105,7 @@ func TestMCPRemoteProxyFullReconciliation(t *testing.T) {
 					RemoteURL: "https://mcp.salesforce.com",
 					Port:      8080,
 					Transport: "streamable-http",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://login.salesforce.com",
@@ -134,7 +178,7 @@ func TestMCPRemoteProxyFullReconciliation(t *testing.T) {
 					RemoteURL: "https://mcp.example.com",
 					Port:      9090,
 					Transport: "sse",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.company.com",
@@ -248,7 +292,7 @@ func TestMCPRemoteProxyFullReconciliation(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
 					Port:      8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -363,7 +407,7 @@ func TestMCPRemoteProxyConfigChangePropagation(t *testing.T) {
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.example.com",
 			Port:      8080,
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://auth.example.com",
@@ -444,7 +488,7 @@ func TestMCPRemoteProxyStatusProgression(t *testing.T) {
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.example.com",
 			Port:      8080,
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://auth.example.com",
@@ -617,7 +661,7 @@ func TestEnsureAuthzConfigMapShared(t *testing.T) {
 		},
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.example.com",
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://auth.example.com",
@@ -681,7 +725,7 @@ func TestRBACClientIntegration(t *testing.T) {
 		},
 		Spec: mcpv1alpha1.MCPRemoteProxySpec{
 			RemoteURL: "https://mcp.example.com",
-			OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+			OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 				Type: mcpv1alpha1.OIDCConfigTypeInline,
 				Inline: &mcpv1alpha1.InlineOIDCConfig{
 					Issuer:   "https://auth.example.com",
@@ -813,7 +857,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "http-oidc-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "http://insecure-idp.example.com",
@@ -833,7 +877,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "http-insecure-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:            "http://dev-idp.example.com",
@@ -853,7 +897,7 @@ func TestValidateSpecConfigurationConditions(t *testing.T) {
 				ObjectMeta: metav1.ObjectMeta{Name: "https-oidc-proxy", Namespace: "default"},
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -1064,7 +1108,7 @@ func TestValidateAndHandleConfigs(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
 					Port:      8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",
@@ -1100,7 +1144,7 @@ func TestValidateAndHandleConfigs(t *testing.T) {
 				Spec: mcpv1alpha1.MCPRemoteProxySpec{
 					RemoteURL: "https://mcp.example.com",
 					Port:      8080,
-					OIDCConfig: mcpv1alpha1.OIDCConfigRef{
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
 						Type: mcpv1alpha1.OIDCConfigTypeInline,
 						Inline: &mcpv1alpha1.InlineOIDCConfig{
 							Issuer:   "https://auth.example.com",