Add MCPAuthzConfig ref-resolution foundation#5559

Merged
ChrisJBurns merged 3 commits into main from cburns/authzconfigref-foundation on Jun 18, 2026
Conversation

@ChrisJBurns (Collaborator)

Summary

Workloads can reference a shared MCPAuthzConfig via spec.authzConfigRef, but today that reference is a runtime no-op — the workload controllers only consume the inline spec.authzConfig. This is the foundation (stage 1 of finishing the MCPAuthzConfig wiring originally drafted in the now-stale #4778, re-derived against current v1beta1) that the per-controller wiring will build on. It is purely additive — no controller is wired yet, so there is no behavior change.

Part of finishing the MCPAuthzConfig implementation (follow-up to #4777; supersedes the stale #4778).

Medium level
  • New controllerutil ref-helpers (authz_ref.go): GetAuthzConfigForWorkload, ValidateAuthzConfigReady, AddAuthzConfigRefOptions (resolves a referenced MCPAuthzConfig into a runner authz.Config for any registered backend — cedarv1 and httpv1 — via the authorizers factory, so MCPServer/MCPRemoteProxy get all backends for free), and EnsureAuthzConfigMapFromRef / GenerateAuthzVolumeConfigFromRef mirroring the inline materialization helpers.
  • Moved + exported BuildFullAuthzConfigJSON from the MCPAuthzConfig controller into controllerutil so the config controller and the workload controllers share one backend-agnostic envelope builder without an import cycle; the controller now calls the shared helper (behavior-preserving).
  • Added the AuthzConfigHash status field to MCPServer, MCPRemoteProxy, and VirtualMCPServer, plus ConditionAuthzConfigRefValidated + reason constants, mirroring the OIDCConfigRef equivalents. Regenerated CRD manifests + crd-api.md.
Low level

| File | Change |
| --- | --- |
| cmd/thv-operator/pkg/controllerutil/authz_ref.go | New: ref-resolution + materialization helpers + moved BuildFullAuthzConfigJSON |
| cmd/thv-operator/pkg/controllerutil/authz_ref_test.go | New: unit tests (cedarv1 and httpv1 paths, not-found/not-ready errors) |
| cmd/thv-operator/controllers/mcpauthzconfig_controller.go | Call shared ctrlutil.BuildFullAuthzConfigJSON; drop private copy + unused const/import |
| cmd/thv-operator/controllers/mcpauthzconfig_controller_test.go | Drop the moved-function tests (now covered in controllerutil) |
| cmd/thv-operator/api/v1beta1/{mcpserver,mcpremoteproxy,virtualmcpserver}_types.go | Add AuthzConfigHash status field; condition constants on mcpserver_types.go |
| deploy/charts/operator-crds/**, docs/operator/crd-api.md | Regenerated for the new status field |

Type of change

  • Bug fix
  • New feature
  • Breaking change
  • Refactoring
  • Documentation
  • Other

Test plan

  • task test passes for cmd/thv-operator/pkg/controllerutil, controllers, and api/v1beta1
  • New unit tests prove BuildFullAuthzConfigJSON / AddAuthzConfigRefOptions are backend-agnostic (drive a real httpv1 config end-to-end through the factory, not just cedarv1), plus not-found / not-ready error paths
  • task build passes; generated code re-run with no drift
  • Lint clean on changed files (CI runs the pinned config)

Special notes for reviewers

Foundation only — intentionally not wired into any reconciler; the inline spec.authzConfig path is untouched. The per-controller wiring (MCPServer, MCPRemoteProxy, VirtualMCPServer) lands in follow-up PRs. The backend-agnostic envelope builder is what lets MCPServer/MCPRemoteProxy support both cedarv1 and httpv1 without runtime changes (the proxy runner's authz factory dispatches on type); VirtualMCPServer will be Cedar-only at first (its vMCP runtime authz is currently Cedar-hardcoded — a separately-tracked follow-up).

Generated with Claude Code
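As an added illustration (not code from this PR or from the ToolHive repository), the following Go sketch models the ref-resolution path the description outlines: look up the referenced config, gate on its Ready condition before materializing anything, wrap the backend body in a backend-agnostic envelope, and hash that envelope for the AuthzConfigHash status field. The AuthzConfig type, the type-keyed envelope layout, the map-backed store and the Ready condition name are assumptions standing in for the real CRD and API server.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// AuthzConfig is a hypothetical stand-in for the MCPAuthzConfig CRD, not ToolHive's real type.
type AuthzConfig struct {
	Type       string            // backend discriminator: "cedarv1" or "httpv1"
	Config     map[string]any    // backend-specific body
	Conditions map[string]string // condition type -> status, as set by the config controller
}

var ErrNotFound = errors.New("MCPAuthzConfig not found")
var ErrNotReady = errors.New("MCPAuthzConfig not ready")

// buildFullAuthzConfigJSON wraps any backend body in a type-keyed envelope (an assumed layout);
// json.Marshal sorts map keys, so the bytes, and hence the hash, are deterministic.
func buildFullAuthzConfigJSON(cfg *AuthzConfig) ([]byte, error) {
	if cfg.Type == "" || cfg.Config == nil {
		return nil, errors.New("authz config is missing its type or body")
	}
	return json.Marshal(map[string]any{"type": cfg.Type, cfg.Type: cfg.Config})
}

// resolveRef resolves spec.authzConfigRef against a store (a map stands in for the API server)
// and returns the envelope plus the AuthzConfigHash a workload would record in its status.
func resolveRef(store map[string]*AuthzConfig, ref string) ([]byte, string, error) {
	cfg, ok := store[ref]
	if !ok {
		return nil, "", fmt.Errorf("%w: %q", ErrNotFound, ref)
	}
	// Readiness gate: a config the config controller has not marked Ready=True is never
	// materialized into a workload ConfigMap, even though it has already been fetched.
	if cfg.Conditions["Ready"] != "True" {
		return nil, "", fmt.Errorf("%w: %q", ErrNotReady, ref)
	}
	data, err := buildFullAuthzConfigJSON(cfg)
	if err != nil {
		return nil, "", err
	}
	sum := sha256.Sum256(data)
	return data, hex.EncodeToString(sum[:]), nil
}
```

A workload controller can compare the returned hash against the one stored in status to decide whether the referenced config changed since the last reconcile.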

ChrisJBurns and others added 2 commits June 18, 2026 16:44
Foundation (Stage 1 of #4778's re-derivation) for making spec.authzConfigRef
enforce at runtime. Purely additive: no workload controller is wired yet and
the inline spec.authzConfig path is untouched.

- Add controllerutil ref-helpers in authz_ref.go: GetAuthzConfigForWorkload,
  ValidateAuthzConfigReady, AddAuthzConfigRefOptions (resolves a referenced
  MCPAuthzConfig into a runner authz.Config for any registered backend —
  cedarv1 and httpv1 — via the authorizers factory), and the
  EnsureAuthzConfigMapFromRef / GenerateAuthzVolumeConfigFromRef materialization
  helpers mirroring the inline ones.
- Export and move BuildFullAuthzConfigJSON from the MCPAuthzConfig controller
  into controllerutil so both the config controller and the workload controllers
  share it without an import cycle; the controller now calls the shared helper.
- Add the AuthzConfigHash status field to MCPServer, MCPRemoteProxy, and
  VirtualMCPServer, plus ConditionAuthzConfigRefValidated and reason constants,
  mirroring the OIDCConfigRef equivalents.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added the size/L Large PR: 600-999 lines changed label Jun 18, 2026
codecov Bot commented Jun 18, 2026

Codecov Report

❌ Patch coverage is 76.76768% with 23 lines in your changes missing coverage. Please review.
✅ Project coverage is 70.05%. Comparing base (4470503) to head (39f6caa).

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| cmd/thv-operator/pkg/controllerutil/authz_ref.go | 76.53% | 13 Missing and 10 partials ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #5559      +/-   ##
==========================================
- Coverage   70.05%   70.05%   -0.01%     
==========================================
  Files         650      651       +1     
  Lines       66167    66248      +81     
==========================================
+ Hits        46352    46408      +56     
- Misses      16459    16476      +17     
- Partials     3356     3364       +8     


- Guard EnsureAuthzConfigMapFromRef with ValidateAuthzConfigReady so the
  exported helper never materializes a ConfigMap from a config flagged invalid
  (defense in depth; no extra I/O — the object is already fetched). (F2)
- Clarify the authzRefConfigMapName doc comment: the ConfigMap *name* is
  distinct from the inline path, while the *volume* name and mount path are
  deliberately shared (inline and ref are mutually exclusive via CRD
  XValidation, so a workload mounts at most one authz volume). (F3)
- Restore the nil data/factory assertions on BuildFullAuthzConfigJSON's error
  branch. (F5)

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@github-actions github-actions Bot added size/L Large PR: 600-999 lines changed and removed size/L Large PR: 600-999 lines changed labels Jun 18, 2026
@ChrisJBurns ChrisJBurns merged commit 254a724 into main Jun 18, 2026
46 checks passed
@ChrisJBurns ChrisJBurns deleted the cburns/authzconfigref-foundation branch June 18, 2026 21:38