From d536257618691418b81e11d91944a7885d92954c Mon Sep 17 00:00:00 2001 From: Trevin Chow Date: Sat, 4 Apr 2026 03:05:28 -0700 Subject: [PATCH 1/6] fix(operator): rename BackendAuthType enum value to camelCase The enum value "external_auth_config_ref" was the only snake_case discriminator in the CRD codebase. All other values use camelCase (tokenExchange, headerInjection, bearerToken, etc.). This renames it to "externalAuthConfigRef" for consistency before the API stabilizes. Updated the constant, kubebuilder validation markers, CEL rules, converter logic, and all test fixtures. CRD manifests and API docs regenerated. Fixes #4542 --- .../api/v1alpha1/virtualmcpserver_types.go | 10 +++++----- .../api/v1alpha1/virtualmcpserver_types_test.go | 2 +- .../controllers/virtualmcpserver_controller.go | 2 +- .../virtualmcpserver_externalauth_test.go | 6 +++--- .../virtualmcpserver_vmcpconfig_test.go | 6 +++--- .../controllers/virtualmcpserver_watch_test.go | 16 ++++++++-------- cmd/thv-operator/pkg/vmcpconfig/converter.go | 4 ++-- .../toolhive.stacklok.dev_virtualmcpservers.yaml | 8 ++++---- .../toolhive.stacklok.dev_virtualmcpservers.yaml | 8 ++++---- docs/operator/crd-api.md | 4 ++-- .../virtualmcp/virtualmcp_external_auth_test.go | 8 ++++---- 11 files changed, 37 insertions(+), 37 deletions(-) diff --git a/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go b/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go index 3b784bbe67..0f115bdee5 100644 --- a/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go +++ b/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go @@ -162,12 +162,12 @@ type OutgoingAuthConfig struct { // BackendAuthConfig defines authentication configuration for a backend MCPServer type BackendAuthConfig struct { // Type defines the authentication type - // +kubebuilder:validation:Enum=discovered;external_auth_config_ref + // +kubebuilder:validation:Enum=discovered;externalAuthConfigRef // +kubebuilder:validation:Required Type string `json:"type"` // ExternalAuthConfigRef references an MCPExternalAuthConfig resource - // Only used when Type is "external_auth_config_ref" + // Only used when Type is "externalAuthConfigRef" // +optional ExternalAuthConfigRef *ExternalAuthConfigRef `json:"externalAuthConfigRef,omitempty"` } @@ -341,7 +341,7 @@ const ( BackendAuthTypeDiscovered = "discovered" // BackendAuthTypeExternalAuthConfigRef references an MCPExternalAuthConfig resource - BackendAuthTypeExternalAuthConfigRef = "external_auth_config_ref" + BackendAuthTypeExternalAuthConfigRef = "externalAuthConfigRef" ) // Workflow step types @@ -498,7 +498,7 @@ func (*VirtualMCPServer) validateBackendAuth(backendName string, auth BackendAut case BackendAuthTypeExternalAuthConfigRef: if auth.ExternalAuthConfigRef == nil { return fmt.Errorf( - "spec.outgoingAuth.backends[%s].externalAuthConfigRef is required when type is external_auth_config_ref", + "spec.outgoingAuth.backends[%s].externalAuthConfigRef is required when type is externalAuthConfigRef", backendName) } if auth.ExternalAuthConfigRef.Name == "" { @@ -510,7 +510,7 @@ func (*VirtualMCPServer) validateBackendAuth(backendName string, auth BackendAut default: return fmt.Errorf( - "spec.outgoingAuth.backends[%s].type must be one of: discovered, external_auth_config_ref", + "spec.outgoingAuth.backends[%s].type must be one of: discovered, externalAuthConfigRef", backendName) } diff --git a/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types_test.go b/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types_test.go index 73bfe451e0..b6d28bb7be 100644 --- a/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types_test.go +++ b/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types_test.go @@ -276,7 +276,7 @@ func TestBackendAuthConfigTypes(t *testing.T) { isValid: true, }, { - name: "external_auth_config_ref_valid", + name: "externalAuthConfigRef_valid", authConfig: BackendAuthConfig{ Type: BackendAuthTypeExternalAuthConfigRef, ExternalAuthConfigRef: &ExternalAuthConfigRef{ diff --git a/cmd/thv-operator/controllers/virtualmcpserver_controller.go b/cmd/thv-operator/controllers/virtualmcpserver_controller.go index f55dabfbe1..e43e22c674 100644 --- a/cmd/thv-operator/controllers/virtualmcpserver_controller.go +++ b/cmd/thv-operator/controllers/virtualmcpserver_controller.go @@ -1788,7 +1788,7 @@ func (r *VirtualMCPServerReconciler) convertBackendAuthConfigToVMCP( }, nil } - // For type="external_auth_config_ref", fetch and convert the referenced config + // For type="externalAuthConfigRef", fetch and convert the referenced config if crdConfig.ExternalAuthConfigRef != nil { // Fetch the MCPExternalAuthConfig and convert it externalAuthConfig, err := ctrlutil.GetExternalAuthConfigByName( diff --git a/cmd/thv-operator/controllers/virtualmcpserver_externalauth_test.go b/cmd/thv-operator/controllers/virtualmcpserver_externalauth_test.go index 073d9d3eea..eac97e6e23 100644 --- a/cmd/thv-operator/controllers/virtualmcpserver_externalauth_test.go +++ b/cmd/thv-operator/controllers/virtualmcpserver_externalauth_test.go @@ -638,7 +638,7 @@ func TestBuildOutgoingAuthConfig(t *testing.T) { OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{ Source: "discovered", Default: &mcpv1alpha1.BackendAuthConfig{ - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "missing-default-auth", // Auth config doesn't exist }, @@ -676,7 +676,7 @@ func TestBuildOutgoingAuthConfig(t *testing.T) { Source: "discovered", Backends: map[string]mcpv1alpha1.BackendAuthConfig{ "api-backend": { - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "missing-backend-auth", }, @@ -765,7 +765,7 @@ func TestConvertBackendAuthConfigToVMCP(t *testing.T) { validate func(*testing.T, *authtypes.BackendAuthStrategy) }{ { - name: "external_auth_config_ref type", + name: "externalAuthConfigRef type", crdConfig: &mcpv1alpha1.BackendAuthConfig{ Type: mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef, ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ diff --git a/cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go b/cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go index 69365a0afe..4ab18a7812 100644 --- a/cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go +++ b/cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go @@ -196,7 +196,7 @@ func TestConvertBackendAuthConfig(t *testing.T) { Name: "auth-config", }, }, - // For external_auth_config_ref, the type comes from the referenced MCPExternalAuthConfig + // For externalAuthConfigRef, the type comes from the referenced MCPExternalAuthConfig expectedType: "unauthenticated", }, } @@ -219,7 +219,7 @@ func TestConvertBackendAuthConfig(t *testing.T) { }, } - // For external_auth_config_ref test, create the referenced MCPExternalAuthConfig + // For externalAuthConfigRef test, create the referenced MCPExternalAuthConfig var converter *vmcpconfigconv.Converter if tt.authConfig.Type == mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef { // Create a fake MCPExternalAuthConfig @@ -259,7 +259,7 @@ func TestConvertBackendAuthConfig(t *testing.T) { // Note: HeaderInjection and TokenExchange are nil because the CRD's // BackendAuthConfig only stores type and reference information. - // For external_auth_config_ref, the actual auth config is resolved + // For externalAuthConfigRef, the actual auth config is resolved // at runtime from the referenced MCPExternalAuthConfig resource. assert.Nil(t, strategy.HeaderInjection) assert.Nil(t, strategy.TokenExchange) diff --git a/cmd/thv-operator/controllers/virtualmcpserver_watch_test.go b/cmd/thv-operator/controllers/virtualmcpserver_watch_test.go index 2305dc9489..a816da9102 100644 --- a/cmd/thv-operator/controllers/virtualmcpserver_watch_test.go +++ b/cmd/thv-operator/controllers/virtualmcpserver_watch_test.go @@ -751,7 +751,7 @@ func TestMapExternalAuthConfigToVirtualMCPServer(t *testing.T) { Spec: mcpv1alpha1.VirtualMCPServerSpec{ OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{ Default: &mcpv1alpha1.BackendAuthConfig{ - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "test-auth", }, @@ -781,7 +781,7 @@ func TestMapExternalAuthConfigToVirtualMCPServer(t *testing.T) { OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{ Backends: map[string]mcpv1alpha1.BackendAuthConfig{ "backend1": { - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "test-auth", }, @@ -831,7 +831,7 @@ func TestMapExternalAuthConfigToVirtualMCPServer(t *testing.T) { Spec: mcpv1alpha1.VirtualMCPServerSpec{ OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{ Default: &mcpv1alpha1.BackendAuthConfig{ - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "test-auth", }, @@ -1406,7 +1406,7 @@ func TestVmcpReferencesExternalAuthConfig(t *testing.T) { Spec: mcpv1alpha1.VirtualMCPServerSpec{ OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{ Default: &mcpv1alpha1.BackendAuthConfig{ - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "test-auth", }, @@ -1424,7 +1424,7 @@ func TestVmcpReferencesExternalAuthConfig(t *testing.T) { OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{ Backends: map[string]mcpv1alpha1.BackendAuthConfig{ "backend1": { - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "test-auth", }, @@ -1460,7 +1460,7 @@ func TestVmcpReferencesExternalAuthConfig(t *testing.T) { Spec: mcpv1alpha1.VirtualMCPServerSpec{ OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{ Default: &mcpv1alpha1.BackendAuthConfig{ - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "other-auth", }, @@ -1478,13 +1478,13 @@ func TestVmcpReferencesExternalAuthConfig(t *testing.T) { OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{ Backends: map[string]mcpv1alpha1.BackendAuthConfig{ "backend1": { - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "other-auth", }, }, "backend2": { - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: "test-auth", }, diff --git a/cmd/thv-operator/pkg/vmcpconfig/converter.go b/cmd/thv-operator/pkg/vmcpconfig/converter.go index 4e8d51eed8..657d99ec56 100644 --- a/cmd/thv-operator/pkg/vmcpconfig/converter.go +++ b/cmd/thv-operator/pkg/vmcpconfig/converter.go @@ -452,10 +452,10 @@ func (c *Converter) convertBackendAuthConfig( }, nil } - // If type is "external_auth_config_ref", resolve the MCPExternalAuthConfig + // If type is "externalAuthConfigRef", resolve the MCPExternalAuthConfig if crdConfig.Type == mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef { if crdConfig.ExternalAuthConfigRef == nil { - return nil, fmt.Errorf("backend %s: external_auth_config_ref type requires externalAuthConfigRef field", backendName) + return nil, fmt.Errorf("backend %s: externalAuthConfigRef type requires externalAuthConfigRef field", backendName) } // Fetch the MCPExternalAuthConfig resource diff --git a/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml b/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml index 1ae8c86f14..1efc0b2e4c 100644 --- a/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml +++ b/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml @@ -2136,7 +2136,7 @@ spec: externalAuthConfigRef: description: |- ExternalAuthConfigRef references an MCPExternalAuthConfig resource - Only used when Type is "external_auth_config_ref" + Only used when Type is "externalAuthConfigRef" properties: name: description: Name is the name of the MCPExternalAuthConfig @@ -2149,7 +2149,7 @@ spec: description: Type defines the authentication type enum: - discovered - - external_auth_config_ref + - externalAuthConfigRef type: string required: - type @@ -2165,7 +2165,7 @@ spec: externalAuthConfigRef: description: |- ExternalAuthConfigRef references an MCPExternalAuthConfig resource - Only used when Type is "external_auth_config_ref" + Only used when Type is "externalAuthConfigRef" properties: name: description: Name is the name of the MCPExternalAuthConfig @@ -2178,7 +2178,7 @@ spec: description: Type defines the authentication type enum: - discovered - - external_auth_config_ref + - externalAuthConfigRef type: string required: - type diff --git a/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_virtualmcpservers.yaml b/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_virtualmcpservers.yaml index 572d3ba010..e709eac585 100644 --- a/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_virtualmcpservers.yaml +++ b/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_virtualmcpservers.yaml @@ -2139,7 +2139,7 @@ spec: externalAuthConfigRef: description: |- ExternalAuthConfigRef references an MCPExternalAuthConfig resource - Only used when Type is "external_auth_config_ref" + Only used when Type is "externalAuthConfigRef" properties: name: description: Name is the name of the MCPExternalAuthConfig @@ -2152,7 +2152,7 @@ spec: description: Type defines the authentication type enum: - discovered - - external_auth_config_ref + - externalAuthConfigRef type: string required: - type @@ -2168,7 +2168,7 @@ spec: externalAuthConfigRef: description: |- ExternalAuthConfigRef references an MCPExternalAuthConfig resource - Only used when Type is "external_auth_config_ref" + Only used when Type is "externalAuthConfigRef" properties: name: description: Name is the name of the MCPExternalAuthConfig @@ -2181,7 +2181,7 @@ spec: description: Type defines the authentication type enum: - discovered - - external_auth_config_ref + - externalAuthConfigRef type: string required: - type diff --git a/docs/operator/crd-api.md b/docs/operator/crd-api.md index 4789885ba7..922ea73009 100644 --- a/docs/operator/crd-api.md +++ b/docs/operator/crd-api.md @@ -888,8 +888,8 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `type` _string_ | Type defines the authentication type | | Enum: [discovered external_auth_config_ref]
Required: \{\}
| -| `externalAuthConfigRef` _[api.v1alpha1.ExternalAuthConfigRef](#apiv1alpha1externalauthconfigref)_ | ExternalAuthConfigRef references an MCPExternalAuthConfig resource
Only used when Type is "external_auth_config_ref" | | Optional: \{\}
| +| `type` _string_ | Type defines the authentication type | | Enum: [discovered externalAuthConfigRef]
Required: \{\}
| +| `externalAuthConfigRef` _[api.v1alpha1.ExternalAuthConfigRef](#apiv1alpha1externalauthconfigref)_ | ExternalAuthConfigRef references an MCPExternalAuthConfig resource
Only used when Type is "externalAuthConfigRef" | | Optional: \{\}
| #### api.v1alpha1.BearerTokenConfig diff --git a/test/e2e/thv-operator/virtualmcp/virtualmcp_external_auth_test.go b/test/e2e/thv-operator/virtualmcp/virtualmcp_external_auth_test.go index fd1d73e47c..564ac7f04a 100644 --- a/test/e2e/thv-operator/virtualmcp/virtualmcp_external_auth_test.go +++ b/test/e2e/thv-operator/virtualmcp/virtualmcp_external_auth_test.go @@ -281,7 +281,7 @@ var _ = Describe("VirtualMCPServer Inline Unauthenticated Backend Auth", Ordered // Explicitly configure unauthenticated for specific backend Backends: map[string]mcpv1alpha1.BackendAuthConfig{ backendName: { - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: externalAuthConfigName, }, @@ -328,7 +328,7 @@ var _ = Describe("VirtualMCPServer Inline Unauthenticated Backend Auth", Ordered Expect(k8sClient.Get(ctx, types.NamespacedName{Name: vmcpServerName, Namespace: testNamespace}, vmcpServer)).To(Succeed()) Expect(vmcpServer.Spec.OutgoingAuth.Source).To(Equal("inline")) Expect(vmcpServer.Spec.OutgoingAuth.Backends).To(HaveKey(backendName)) - Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].Type).To(Equal("external_auth_config_ref")) + Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].Type).To(Equal("externalAuthConfigRef")) Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].ExternalAuthConfigRef.Name).To(Equal(externalAuthConfigName)) By("Creating MCP client and listing tools") @@ -680,7 +680,7 @@ var _ = Describe("VirtualMCPServer Inline HeaderInjection Backend Auth", Ordered // Explicitly configure headerInjection for specific backend Backends: map[string]mcpv1alpha1.BackendAuthConfig{ backendName: { - Type: "external_auth_config_ref", + Type: "externalAuthConfigRef", ExternalAuthConfigRef: &mcpv1alpha1.ExternalAuthConfigRef{ Name: externalAuthConfigName, }, @@ -730,7 +730,7 @@ var _ = Describe("VirtualMCPServer Inline HeaderInjection Backend Auth", Ordered Expect(k8sClient.Get(ctx, types.NamespacedName{Name: vmcpServerName, Namespace: testNamespace}, vmcpServer)).To(Succeed()) Expect(vmcpServer.Spec.OutgoingAuth.Source).To(Equal("inline")) Expect(vmcpServer.Spec.OutgoingAuth.Backends).To(HaveKey(backendName)) - Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].Type).To(Equal("external_auth_config_ref")) + Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].Type).To(Equal("externalAuthConfigRef")) Expect(vmcpServer.Spec.OutgoingAuth.Backends[backendName].ExternalAuthConfigRef.Name).To(Equal(externalAuthConfigName)) By("Creating MCP client and listing tools") From 4ec8b72e59f143e5c652ed3e93a1e72beb5424ab Mon Sep 17 00:00:00 2001 From: Trevin Chow Date: Mon, 6 Apr 2026 10:29:41 -0700 Subject: [PATCH 2/6] fix(operator): deprecate old snake_case enum value instead of breaking Keep the old "external_auth_config_ref" value as DeprecatedBackendAuthTypeExternalAuthConfigRef so existing CRDs continue to validate. The kubebuilder enum and validation switch now accept both the new camelCase and deprecated snake_case values. --- .../api/v1alpha1/virtualmcpserver_types.go | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go b/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go index 0f115bdee5..27db742973 100644 --- a/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go +++ b/cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go @@ -162,12 +162,12 @@ type OutgoingAuthConfig struct { // BackendAuthConfig defines authentication configuration for a backend MCPServer type BackendAuthConfig struct { // Type defines the authentication type - // +kubebuilder:validation:Enum=discovered;externalAuthConfigRef + // +kubebuilder:validation:Enum=discovered;externalAuthConfigRef;external_auth_config_ref // +kubebuilder:validation:Required Type string `json:"type"` // ExternalAuthConfigRef references an MCPExternalAuthConfig resource - // Only used when Type is "externalAuthConfigRef" + // Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref") // +optional ExternalAuthConfigRef *ExternalAuthConfigRef `json:"externalAuthConfigRef,omitempty"` } @@ -342,6 +342,10 @@ const ( // BackendAuthTypeExternalAuthConfigRef references an MCPExternalAuthConfig resource BackendAuthTypeExternalAuthConfigRef = "externalAuthConfigRef" + + // DeprecatedBackendAuthTypeExternalAuthConfigRef is the old snake_case value. + // Deprecated: Use BackendAuthTypeExternalAuthConfigRef ("externalAuthConfigRef") instead. + DeprecatedBackendAuthTypeExternalAuthConfigRef = "external_auth_config_ref" ) // Workflow step types @@ -495,7 +499,7 @@ func (*VirtualMCPServer) validateBackendAuth(backendName string, auth BackendAut // Validate type-specific configurations switch auth.Type { - case BackendAuthTypeExternalAuthConfigRef: + case BackendAuthTypeExternalAuthConfigRef, DeprecatedBackendAuthTypeExternalAuthConfigRef: if auth.ExternalAuthConfigRef == nil { return fmt.Errorf( "spec.outgoingAuth.backends[%s].externalAuthConfigRef is required when type is externalAuthConfigRef", From 2077ea170c24c9e545cf19f8d6daa47cceeff912 Mon Sep 17 00:00:00 2001 From: Trevin Chow Date: Mon, 6 Apr 2026 11:26:27 -0700 Subject: [PATCH 3/6] chore: regenerate CRDs and docs after enum update --- .../files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml | 6 ++++-- .../templates/toolhive.stacklok.dev_virtualmcpservers.yaml | 6 ++++-- docs/operator/crd-api.md | 4 ++-- 3 files changed, 10 insertions(+), 6 deletions(-) diff --git a/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml b/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml index 1efc0b2e4c..f919af400e 100644 --- a/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml +++ b/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_virtualmcpservers.yaml @@ -2136,7 +2136,7 @@ spec: externalAuthConfigRef: description: |- ExternalAuthConfigRef references an MCPExternalAuthConfig resource - Only used when Type is "externalAuthConfigRef" + Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref") properties: name: description: Name is the name of the MCPExternalAuthConfig @@ -2150,6 +2150,7 @@ spec: enum: - discovered - externalAuthConfigRef + - external_auth_config_ref type: string required: - type @@ -2165,7 +2166,7 @@ spec: externalAuthConfigRef: description: |- ExternalAuthConfigRef references an MCPExternalAuthConfig resource - Only used when Type is "externalAuthConfigRef" + Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref") properties: name: description: Name is the name of the MCPExternalAuthConfig @@ -2179,6 +2180,7 @@ spec: enum: - discovered - externalAuthConfigRef + - external_auth_config_ref type: string required: - type diff --git a/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_virtualmcpservers.yaml b/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_virtualmcpservers.yaml index e709eac585..8e7e666468 100644 --- a/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_virtualmcpservers.yaml +++ b/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_virtualmcpservers.yaml @@ -2139,7 +2139,7 @@ spec: externalAuthConfigRef: description: |- ExternalAuthConfigRef references an MCPExternalAuthConfig resource - Only used when Type is "externalAuthConfigRef" + Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref") properties: name: description: Name is the name of the MCPExternalAuthConfig @@ -2153,6 +2153,7 @@ spec: enum: - discovered - externalAuthConfigRef + - external_auth_config_ref type: string required: - type @@ -2168,7 +2169,7 @@ spec: externalAuthConfigRef: description: |- ExternalAuthConfigRef references an MCPExternalAuthConfig resource - Only used when Type is "externalAuthConfigRef" + Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref") properties: name: description: Name is the name of the MCPExternalAuthConfig @@ -2182,6 +2183,7 @@ spec: enum: - discovered - externalAuthConfigRef + - external_auth_config_ref type: string required: - type diff --git a/docs/operator/crd-api.md b/docs/operator/crd-api.md index 922ea73009..b707a8553b 100644 --- a/docs/operator/crd-api.md +++ b/docs/operator/crd-api.md @@ -888,8 +888,8 @@ _Appears in:_ | Field | Description | Default | Validation | | --- | --- | --- | --- | -| `type` _string_ | Type defines the authentication type | | Enum: [discovered externalAuthConfigRef]
Required: \{\}
| -| `externalAuthConfigRef` _[api.v1alpha1.ExternalAuthConfigRef](#apiv1alpha1externalauthconfigref)_ | ExternalAuthConfigRef references an MCPExternalAuthConfig resource
Only used when Type is "externalAuthConfigRef" | | Optional: \{\}
| +| `type` _string_ | Type defines the authentication type | | Enum: [discovered externalAuthConfigRef external_auth_config_ref]
Required: \{\}
| +| `externalAuthConfigRef` _[api.v1alpha1.ExternalAuthConfigRef](#apiv1alpha1externalauthconfigref)_ | ExternalAuthConfigRef references an MCPExternalAuthConfig resource
Only used when Type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref") | | Optional: \{\}
| #### api.v1alpha1.BearerTokenConfig From 5a591d242c474cf0cbf380d68ad8a54b654808ca Mon Sep 17 00:00:00 2001 From: Trevin Chow Date: Mon, 6 Apr 2026 11:31:57 -0700 Subject: [PATCH 4/6] fix: log deprecation warning when old snake_case auth type is used --- cmd/thv-operator/pkg/vmcpconfig/converter.go | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/cmd/thv-operator/pkg/vmcpconfig/converter.go b/cmd/thv-operator/pkg/vmcpconfig/converter.go index 657d99ec56..5e32b27b84 100644 --- a/cmd/thv-operator/pkg/vmcpconfig/converter.go +++ b/cmd/thv-operator/pkg/vmcpconfig/converter.go @@ -452,8 +452,15 @@ func (c *Converter) convertBackendAuthConfig( }, nil } - // If type is "externalAuthConfigRef", resolve the MCPExternalAuthConfig - if crdConfig.Type == mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef { + // Handle deprecated snake_case value + if crdConfig.Type == mcpv1alpha1.DeprecatedBackendAuthTypeExternalAuthConfigRef { + log.FromContext(ctx).Info("backend auth type value \"external_auth_config_ref\" is deprecated, use \"externalAuthConfigRef\" instead", + "backend", backendName, "vmcp", vmcp.Name) + } + + // If type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref"), resolve the MCPExternalAuthConfig + if crdConfig.Type == mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef || + crdConfig.Type == mcpv1alpha1.DeprecatedBackendAuthTypeExternalAuthConfigRef { if crdConfig.ExternalAuthConfigRef == nil { return nil, fmt.Errorf("backend %s: externalAuthConfigRef type requires externalAuthConfigRef field", backendName) } From 276a1390c06906a623a04d6fbf581d8d32450774 Mon Sep 17 00:00:00 2001 From: Trevin Chow Date: Mon, 6 Apr 2026 12:58:52 -0700 Subject: [PATCH 5/6] style: wrap deprecation log to stay within 130-char line limit --- cmd/thv-operator/pkg/vmcpconfig/converter.go | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/cmd/thv-operator/pkg/vmcpconfig/converter.go b/cmd/thv-operator/pkg/vmcpconfig/converter.go index 5e32b27b84..2b29aaefce 100644 --- a/cmd/thv-operator/pkg/vmcpconfig/converter.go +++ b/cmd/thv-operator/pkg/vmcpconfig/converter.go @@ -454,8 +454,11 @@ func (c *Converter) convertBackendAuthConfig( // Handle deprecated snake_case value if crdConfig.Type == mcpv1alpha1.DeprecatedBackendAuthTypeExternalAuthConfigRef { - log.FromContext(ctx).Info("backend auth type value \"external_auth_config_ref\" is deprecated, use \"externalAuthConfigRef\" instead", - "backend", backendName, "vmcp", vmcp.Name) + log.FromContext(ctx).Info( + "backend auth type \"external_auth_config_ref\" is deprecated,"+ + " use \"externalAuthConfigRef\" instead", + "backend", backendName, "vmcp", vmcp.Name, + ) } // If type is "externalAuthConfigRef" (or deprecated "external_auth_config_ref"), resolve the MCPExternalAuthConfig From 792009b5f166a97cb5293b1520e26be431183e40 Mon Sep 17 00:00:00 2001 From: Trevin Chow Date: Fri, 10 Apr 2026 15:30:21 -0700 Subject: [PATCH 6/6] ci: retrigger CI (flaky E2E test timeout)