Introduce certificate-authority for self-signed certificates of authorization url

ardaguclu · ardaguclu · commit ee8b5551cc11 · 2025-07-22T12:11:04.000+03:00
diff --git a/pkg/config/config.go b/pkg/config/config.go
@@ -19,13 +19,14 @@ type StaticConfig struct {
 	// When true, expose only tools annotated with readOnlyHint=true
 	ReadOnly bool `toml:"read_only,omitempty"`
 	// When true, disable tools annotated with destructiveHint=true
-	DisableDestructive bool     `toml:"disable_destructive,omitempty"`
-	EnabledTools       []string `toml:"enabled_tools,omitempty"`
-	DisabledTools      []string `toml:"disabled_tools,omitempty"`
-	RequireOAuth       bool     `toml:"require_oauth,omitempty"`
-	AuthorizationURL   string   `toml:"authorization_url,omitempty"`
-	JwksURL            string   `toml:"jwks_url,omitempty"`
-	ServerURL          string   `toml:"server_url,omitempty"`
+	DisableDestructive   bool     `toml:"disable_destructive,omitempty"`
+	EnabledTools         []string `toml:"enabled_tools,omitempty"`
+	DisabledTools        []string `toml:"disabled_tools,omitempty"`
+	RequireOAuth         bool     `toml:"require_oauth,omitempty"`
+	AuthorizationURL     string   `toml:"authorization_url,omitempty"`
+	JwksURL              string   `toml:"jwks_url,omitempty"`
+	CertificateAuthority string   `toml:"certificate_authority,omitempty"`
+	ServerURL            string   `toml:"server_url,omitempty"`
 }
 
 type GroupVersionKind struct {
diff --git a/pkg/http/authorization.go b/pkg/http/authorization.go
@@ -69,7 +69,7 @@ func AuthorizationMiddleware(requireOAuth bool, serverURL string, oidcProvider *
 				http.Error(w, "Unauthorized: Invalid token", http.StatusUnauthorized)
 				return
 			}
-			
+
 			if oidcProvider != nil {
 				// If OIDC Provider is configured, this token must be validated against it.
 				if err := validateTokenWithOIDC(r.Context(), oidcProvider, token, audience); err != nil {
diff --git a/pkg/kubernetes-mcp-server/cmd/root.go b/pkg/kubernetes-mcp-server/cmd/root.go
@@ -2,10 +2,14 @@ package cmd
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"flag"
 	"fmt"
+	"net/http"
 	"net/url"
+	"os"
 	"strconv"
 	"strings"
 
@@ -46,21 +50,22 @@ kubernetes-mcp-server --port 8443 --sse-base-url https://example.com:8443
 )
 
 type MCPServerOptions struct {
-	Version            bool
-	LogLevel           int
-	Port               string
-	SSEPort            int
-	HttpPort           int
-	SSEBaseUrl         string
-	Kubeconfig         string
-	Profile            string
-	ListOutput         string
-	ReadOnly           bool
-	DisableDestructive bool
-	RequireOAuth       bool
-	AuthorizationURL   string
-	JwksURL            string
-	ServerURL          string
+	Version              bool
+	LogLevel             int
+	Port                 string
+	SSEPort              int
+	HttpPort             int
+	SSEBaseUrl           string
+	Kubeconfig           string
+	Profile              string
+	ListOutput           string
+	ReadOnly             bool
+	DisableDestructive   bool
+	RequireOAuth         bool
+	AuthorizationURL     string
+	JwksURL              string
+	CertificateAuthority string
+	ServerURL            string
 
 	ConfigPath   string
 	StaticConfig *config.StaticConfig
@@ -121,6 +126,9 @@ func NewMCPServer(streams genericiooptions.IOStreams) *cobra.Command {
 	cmd.Flags().MarkHidden("jwks-url")
 	cmd.Flags().StringVar(&o.ServerURL, "server-url", o.ServerURL, "Server URL of this application. Optional. If set, this url will be served in protected resource metadata endpoint and tokens will be validated with this audience. If not set, expected audience is kubernetes-mcp-server. Only valid if require-oauth is enabled.")
 	cmd.Flags().MarkHidden("server-url")
+	cmd.Flags().StringVar(&o.CertificateAuthority, "certificate-authority", o.CertificateAuthority, "Certificate authority path to verify certificates. Optional. Only valid if require-oauth is enabled.")
+	cmd.Flags().MarkHidden("certificate-authority")
+
 	return cmd
 }
 
@@ -183,6 +191,9 @@ func (m *MCPServerOptions) loadFlags(cmd *cobra.Command) {
 	if cmd.Flag("server-url").Changed {
 		m.StaticConfig.ServerURL = m.ServerURL
 	}
+	if cmd.Flag("certificate-authority").Changed {
+		m.StaticConfig.CertificateAuthority = m.CertificateAuthority
+	}
 }
 
 func (m *MCPServerOptions) initializeLogging() {
@@ -201,8 +212,8 @@ func (m *MCPServerOptions) Validate() error {
 	if m.Port != "" && (m.SSEPort > 0 || m.HttpPort > 0) {
 		return fmt.Errorf("--port is mutually exclusive with deprecated --http-port and --sse-port flags")
 	}
-	if !m.StaticConfig.RequireOAuth && (m.StaticConfig.AuthorizationURL != "" || m.StaticConfig.ServerURL != "" || m.StaticConfig.JwksURL != "") {
-		return fmt.Errorf("authorization-url, server-url and jwks-url are only valid if require-oauth is enabled. Missing --port may implicitly set require-oauth to false")
+	if !m.StaticConfig.RequireOAuth && (m.StaticConfig.AuthorizationURL != "" || m.StaticConfig.ServerURL != "" || m.StaticConfig.JwksURL != "" || m.StaticConfig.CertificateAuthority != "") {
+		return fmt.Errorf("authorization-url, server-url, certificate-authority and jwks-url are only valid if require-oauth is enabled. Missing --port may implicitly set require-oauth to false")
 	}
 	if m.StaticConfig.AuthorizationURL != "" {
 		u, err := url.Parse(m.StaticConfig.AuthorizationURL)
@@ -266,7 +277,31 @@ func (m *MCPServerOptions) Run() error {
 
 	var oidcProvider *oidc.Provider
 	if m.StaticConfig.AuthorizationURL != "" {
-		provider, err := oidc.NewProvider(context.TODO(), m.StaticConfig.AuthorizationURL)
+		ctx := context.Background()
+		if m.StaticConfig.CertificateAuthority != "" {
+			httpClient := &http.Client{}
+			caCert, err := os.ReadFile(m.StaticConfig.CertificateAuthority)
+			if err != nil {
+				return fmt.Errorf("failed to read CA certificate from %s: %w", m.StaticConfig.CertificateAuthority, err)
+			}
+			caCertPool := x509.NewCertPool()
+			if !caCertPool.AppendCertsFromPEM(caCert) {
+				return fmt.Errorf("failed to append CA certificate from %s to pool", m.StaticConfig.CertificateAuthority)
+			}
+
+			if caCertPool.Equal(x509.NewCertPool()) {
+				caCertPool = nil
+			}
+
+			transport := &http.Transport{
+				TLSClientConfig: &tls.Config{
+					RootCAs: caCertPool,
+				},
+			}
+			httpClient.Transport = transport
+			ctx = oidc.ClientContext(ctx, httpClient)
+		}
+		provider, err := oidc.NewProvider(ctx, m.StaticConfig.AuthorizationURL)
 		if err != nil {
 			return fmt.Errorf("unable to setup OIDC provider: %w", err)
 		}

Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ func AuthorizationMiddleware(requireOAuth bool, serverURL string, oidcProvider *`
`69`	`69`	`http.Error(w, "Unauthorized: Invalid token", http.StatusUnauthorized)`
`70`	`70`	`return`
`71`	`71`	`}`
`72`		`-`
	`72`	`+`
`73`	`73`	`if oidcProvider != nil {`
`74`	`74`	`// If OIDC Provider is configured, this token must be validated against it.`
`75`	`75`	`if err := validateTokenWithOIDC(r.Context(), oidcProvider, token, audience); err != nil {`