fix ci

Author: taskbot

.github/workflows/test-e2e-lifecycle.yml

@@ -116,6 +116,50 @@ jobs:
         export KUBECONFIG=kconfig.yaml
         task thv-operator-e2e-test-run
 
+    - name: Capture pod logs before cleanup
+      if: always()
+      run: |
+        export KUBECONFIG=kconfig.yaml
+        echo "========================================="
+        echo "Capturing logs from all pods in default namespace"
+        echo "========================================="
+
+        # Get all pods in default namespace
+        kubectl get pods -n default --kubeconfig kconfig.yaml -o wide || true
+
+        echo ""
+        echo "========================================="
+        echo "Pod logs:"
+        echo "========================================="
+
+        # Get logs from all pods in default namespace
+        for pod in $(kubectl get pods -n default --kubeconfig kconfig.yaml -o jsonpath='{.items[*].metadata.name}' 2>/dev/null || true); do
+          echo ""
+          echo "========== Pod: $pod =========="
+
+          # Get pod status
+          kubectl get pod $pod -n default --kubeconfig kconfig.yaml -o yaml 2>/dev/null | grep -A 20 "^status:" || true
+
+          echo ""
+          echo "--- Container logs for $pod ---"
+
+          # Get logs from all containers in the pod
+          containers=$(kubectl get pod $pod -n default --kubeconfig kconfig.yaml -o jsonpath='{.spec.containers[*].name}' 2>/dev/null || true)
+          for container in $containers; do
+            echo ""
+            echo "Container: $container"
+            kubectl logs $pod -n default -c $container --tail=200 --kubeconfig kconfig.yaml 2>&1 || echo "Failed to get logs for $container"
+          done
+
+          echo ""
+        done
+
+        echo ""
+        echo "========================================="
+        echo "Pod events:"
+        echo "========================================="
+        kubectl get events -n default --kubeconfig kconfig.yaml --sort-by='.lastTimestamp' || true
+
     - name: Cleanup cluster
       if: always()
       run: |

pkg/vmcp/types.go

@@ -58,13 +58,6 @@ type BackendTarget struct {
 	//
 	// When a backend MCPServer has OIDCConfig configured, it means clients (including vMCP)
 	// must present OIDC tokens to access that backend.
-	//
-	// Discovery Mode: When vMCP's outgoing auth mode is "discovered", vMCP will use the
-	// authentication configuration defined in the backend MCPServer. This field stores the
-	// discovered OIDC config from the backend's OIDCConfig spec, which vMCP uses to
-	// authenticate when accessing OIDC-protected backends.
-	//
-	// See pkg/vmcp/workloads/k8s.go:discoverIncomingOIDCConfig for discovery implementation.
 	IncomingOIDCConfig map[string]interface{}
 
 	// SessionAffinity indicates if requests from the same session
@@ -151,13 +144,6 @@ type Backend struct {
 	//
 	// When a backend MCPServer has OIDCConfig configured, it means clients (including vMCP)
 	// must present OIDC tokens to access that backend.
-	//
-	// Discovery Mode: When vMCP's outgoing auth mode is "discovered", vMCP will use the
-	// authentication configuration defined in the backend MCPServer. This field stores the
-	// discovered OIDC config from the backend's OIDCConfig spec, which vMCP uses to
-	// authenticate when accessing OIDC-protected backends.
-	//
-	// See pkg/vmcp/workloads/k8s.go:discoverIncomingOIDCConfig for discovery implementation.
 	IncomingOIDCConfig map[string]interface{}
 
 	// Metadata stores additional backend information.

pkg/vmcp/workloads/k8s.go

@@ -5,10 +5,8 @@ import (
 	"fmt"
 	"strings"
 
-	corev1 "k8s.io/api/core/v1"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/runtime"
-	"k8s.io/apimachinery/pkg/types"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
@@ -200,12 +198,6 @@ func (d *k8sDiscoverer) mcpServerToBackend(ctx context.Context, mcpServer *mcpv1
 		return nil
 	}
 
-	// Discover and populate incoming OIDC configuration from MCPServer
-	if err := d.discoverIncomingOIDCConfig(ctx, mcpServer, backend); err != nil {
-		logger.Errorf("Failed to discover incoming OIDC config for MCPServer %s: %v", mcpServer.Name, err)
-		return nil
-	}
-
 	return backend
 }
 
@@ -242,97 +234,6 @@ func (d *k8sDiscoverer) discoverAuthConfig(ctx context.Context, mcpServer *mcpv1
 	return nil
 }
 
-// discoverIncomingOIDCConfig discovers and stores the backend's OIDC authentication requirements.
-//
-// When a backend MCPServer has OIDCConfig configured, it means clients (including vMCP) must present
-// OIDC tokens to access that backend. This method discovers the backend's OIDC configuration and
-// stores it in backend.IncomingOIDCConfig.
-//
-// Authentication Flow:
-//   - When vMCP's outgoing auth mode is "discovered", vMCP will use the authentication configuration
-//     defined in the backend MCPServer (via ExternalAuthConfigRef for token exchange/header injection,
-//     or via OIDCConfig for OIDC-protected backends)
-//   - The discovered OIDC config is stored in Backend.IncomingOIDCConfig (see pkg/vmcp/types.go)
-//   - This config is used by vMCP to authenticate to backends that require OIDC tokens
-//
-// Return behavior:
-//   - Returns nil error if OIDCConfig is nil (no OIDC required) - this is expected behavior
-//   - Returns nil error if OIDC config is discovered and successfully populated into backend
-//   - Returns error if OIDC config exists but discovery/resolution fails (e.g., secret not found)
-func (d *k8sDiscoverer) discoverIncomingOIDCConfig(
-	ctx context.Context, mcpServer *mcpv1alpha1.MCPServer, backend *vmcp.Backend,
-) error {
-	// If no OIDC config, nothing to discover
-	if mcpServer.Spec.OIDCConfig == nil {
-		logger.Debugf("MCPServer %s has no OIDCConfig, no incoming auth required", mcpServer.Name)
-		return nil
-	}
-
-	oidcConfig := mcpServer.Spec.OIDCConfig
-
-	// Convert OIDC config to map for storage in backend
-	config := make(map[string]interface{})
-
-	// Handle inline OIDC configuration
-	if oidcConfig.Type == "inline" && oidcConfig.Inline != nil {
-		inline := oidcConfig.Inline
-		config["issuer"] = inline.Issuer
-
-		if inline.Audience != "" {
-			config["audience"] = inline.Audience
-		}
-
-		if inline.ClientID != "" {
-			config["client_id"] = inline.ClientID
-		}
-
-		// Resolve client secret from secret reference if present
-		if inline.ClientSecretRef != nil {
-			secret := &corev1.Secret{}
-			secretKey := types.NamespacedName{
-				Name:      inline.ClientSecretRef.Name,
-				Namespace: mcpServer.Namespace,
-			}
-
-			if err := d.k8sClient.Get(ctx, secretKey, secret); err != nil {
-				return fmt.Errorf("failed to get secret %s/%s: %w",
-					mcpServer.Namespace, inline.ClientSecretRef.Name, err)
-			}
-
-			secretValue, ok := secret.Data[inline.ClientSecretRef.Key]
-			if !ok {
-				return fmt.Errorf("secret %s/%s does not contain key %s",
-					mcpServer.Namespace, inline.ClientSecretRef.Name, inline.ClientSecretRef.Key)
-			}
-
-			config["client_secret"] = string(secretValue)
-		} else if inline.ClientSecret != "" {
-			// Use direct client secret if provided (not recommended but supported)
-			config["client_secret"] = inline.ClientSecret
-		}
-
-		if inline.JWKSURL != "" {
-			config["jwks_url"] = inline.JWKSURL
-		}
-
-		if inline.IntrospectionURL != "" {
-			config["introspection_url"] = inline.IntrospectionURL
-		}
-
-		// Add security flags
-		config["insecure_allow_http"] = inline.InsecureAllowHTTP
-		config["jwks_allow_private_ip"] = inline.JWKSAllowPrivateIP
-		config["protected_resource_allow_private_ip"] = inline.ProtectedResourceAllowPrivateIP
-	}
-
-	// Store the discovered OIDC config
-	backend.IncomingOIDCConfig = config
-
-	logger.Infof("✓ Discovered incoming OIDC config for MCPServer %s: issuer=%s, client_id=%s",
-		mcpServer.Name, config["issuer"], config["client_id"])
-	return nil
-}
-
 // mapK8SWorkloadPhaseToHealth converts a MCPServerPhase to a backend health status.
 func mapK8SWorkloadPhaseToHealth(phase mcpv1alpha1.MCPServerPhase) vmcp.BackendHealthStatus {
 	switch phase {