Wire GenerateAuthServerConfig into VirtualMCPServer deployment controller #4284

@jhrozek

Description

Problem

The VirtualMCPServer deployment controller does not mount embedded auth server secrets (signing keys, HMAC secrets, upstream client secrets) onto the vMCP pod. Without these, the embedded auth server cannot start even though:

  1. The CRD field authServerConfigRef is accepted and validated (Phase 1: Foundation — add AuthServerConfig model, CRD field, and structural validation #4140)
  2. The reconciler validates the reference and sets conditions (Phase 4: Operator reconciler, HTTP handler unit tests, and E2E test coverage for embedded AS #4143)
  3. The converter produces a RuntimeConfig.AuthServer from the referenced MCPExternalAuthConfig (Phase 4: Operator reconciler, HTTP handler unit tests, and E2E test coverage for embedded AS #4143)
  4. The vMCP binary has RegisterHandlers to mount AS routes on the mux (Phase 2: Server wiring — mount embedded auth server routes on vMCP mux #4141)

The deployment controller has an explicit placeholder at virtualmcpserver_deployment.go:533:

case mcpv1alpha1.ExternalAuthTypeEmbeddedAuthServer:
    // Embedded auth server secrets are handled separately (via volume mounts, not env vars)
    // Controller integration will be in a future task
    return nil, nil

The MCPServer controller already does this correctly at mcpserver_controller.go:1101 by calling ctrlutil.GenerateAuthServerConfig().

What needs to happen

Call ctrlutil.GenerateAuthServerConfig() in the VirtualMCPServer deployment reconciler when authServerConfigRef is set, and add the resulting volumes, volume mounts, and env vars to the vMCP Deployment spec.
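The wiring step above has one property worth getting right in a reconciler: it runs on every reconcile, so volumes, mounts and env vars must be merged by name rather than appended, or the Deployment spec grows duplicates and the pod fails to schedule. The following is an added illustration, not code from this issue or from the toolhive operator; the struct shapes, the GenerateFunc signature and fakeGenerate are hypothetical stand-ins for the real corev1 types and for ctrlutil.GenerateAuthServerConfig, whose actual signature is not shown on this page.

```go
package main

import (
	"errors"
	"fmt"
)

// Minimal stand-ins for the corev1 types a real controller would use
// (hypothetical; the operator itself uses k8s.io/api/core/v1).
type Volume struct {
	Name       string
	SecretName string // Secret backing the volume (signing key, HMAC secret, ...)
}

type VolumeMount struct {
	Name      string
	MountPath string
	ReadOnly  bool
}

type EnvVar struct {
	Name, Value string
}

// PodSpec models the parts of the vMCP Deployment's pod template we touch.
type PodSpec struct {
	Volumes      []Volume
	VolumeMounts []VolumeMount // mounts of the single vMCP container
	Env          []EnvVar
}

// AuthServerConfig is the hypothetical result shape of a
// GenerateAuthServerConfig-style helper: everything the embedded AS needs.
type AuthServerConfig struct {
	Volumes      []Volume
	VolumeMounts []VolumeMount
	Env          []EnvVar
}

// GenerateFunc is the hypothetical signature of the generator being wired in.
type GenerateFunc func(ref string) (*AuthServerConfig, error)

var ErrEmptyRef = errors.New("authServerConfigRef is empty")

// fakeGenerate is a constructed test double standing in for
// ctrlutil.GenerateAuthServerConfig; the values are illustrative only.
func fakeGenerate(ref string) (*AuthServerConfig, error) {
	if ref == "" {
		return nil, ErrEmptyRef
	}
	return &AuthServerConfig{
		Volumes:      []Volume{{Name: "auth-signing-key", SecretName: ref + "-signing-key"}},
		VolumeMounts: []VolumeMount{{Name: "auth-signing-key", MountPath: "/etc/authserver/keys", ReadOnly: true}},
		Env:          []EnvVar{{Name: "AUTHSERVER_ISSUER", Value: "https://vmcp.example.invalid"}},
	}, nil
}

// upsertByName replaces an existing entry with the same name or appends a new one,
// which is what keeps repeated reconciles from duplicating spec entries.
func upsertByName[T any](items []T, item T, name func(T) string) []T {
	for i := range items {
		if name(items[i]) == name(item) {
			items[i] = item
			return items
		}
	}
	return append(items, item)
}

// wireEmbeddedAuthServer applies the generated config to the pod spec when
// authServerConfigRef is set, and leaves the spec untouched when it is not.
func wireEmbeddedAuthServer(spec *PodSpec, ref string, gen GenerateFunc) error {
	if ref == "" {
		return nil // no embedded AS requested; nothing to mount
	}
	cfg, err := gen(ref)
	if err != nil {
		return fmt.Errorf("generating auth server config for %q: %w", ref, err)
	}
	for _, v := range cfg.Volumes {
		spec.Volumes = upsertByName(spec.Volumes, v, func(x Volume) string { return x.Name })
	}
	for _, m := range cfg.VolumeMounts {
		spec.VolumeMounts = upsertByName(spec.VolumeMounts, m, func(x VolumeMount) string { return x.Name })
	}
	for _, e := range cfg.Env {
		spec.Env = upsertByName(spec.Env, e, func(x EnvVar) string { return x.Name })
	}
	return nil
}

// hasMount reports whether the container mounts a volume of the given name,
// the check the first acceptance criterion asks for.
func hasMount(spec *PodSpec, name string) bool {
	for _, m := range spec.VolumeMounts {
		if m.Name == name {
			return true
		}
	}
	return false
}

func main() {
	spec := &PodSpec{}
	for i := 0; i < 2; i++ { // two reconciles must converge on the same spec
		if err := wireEmbeddedAuthServer(spec, "my-as", fakeGenerate); err != nil {
			panic(err)
		}
	}
	fmt.Printf("volumes=%d mounts=%d env=%d\n", len(spec.Volumes), len(spec.VolumeMounts), len(spec.Env))
}
```

Running two reconciles against the same spec is the case to keep in a unit test for the real controller: the counts must not change between the first and second pass, and the signing-key mount must be read-only since the AS only needs to read the key material.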

Acceptance Criteria

  • vMCP Deployment includes signing key volume mounts when authServerConfigRef is set
  • vMCP Deployment includes auth server env vars (issuer, upstream config, etc.)
  • OIDC discovery (/.well-known/openid-configuration) returns 200 on a vMCP with embedded AS
  • JWKS endpoint returns 200
  • Unauthenticated MCP request returns 401 (not 406)

Key files

  • cmd/thv-operator/controllers/virtualmcpserver_deployment.go — needs the wiring
  • cmd/thv-operator/pkg/controllerutil/authserver.go — GenerateAuthServerConfig() already exists
  • cmd/thv-operator/controllers/mcpserver_controller.go:1099-1112 — reference implementation

Parent issues

Part of #4143 (Phase 4: Operator reconciler for embedded AS)
Part of #4120 (vMCP: add embedded authorization server)
