Add MCPExternalAuthConfig CRD and controller #2150
Draft
+2,781
−0
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
JAORMX
force-pushed
the
external-auth-controller-impl
branch
from
6bea254 to
b185a87
Compare
Implement external authentication configuration for MCP servers via a new MCPExternalAuthConfig custom resource. This enables MCP servers to exchange incoming authentication tokens for tokens that can be used with external services via RFC-8693 OAuth 2.0 Token Exchange. The MCPExternalAuthConfig is namespace-scoped and can only be referenced by MCPServers in the same namespace. The controller implements a finalizer to prevent deletion while referenced, and uses hash-based change detection to efficiently trigger MCPServer reconciliation when configuration changes. Configuration is injected into MCPServer deployments via RunConfig ConfigMap with the OAuth client secret provided through a TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET environment variable that references a Kubernetes Secret, following security best practices. The controller follows the same pattern as MCPToolConfig, including: - ReferencingServers status field for tracking which MCPServers reference the config - Proper reconcile flow that updates status with referencing servers - Correct SetupWithManager watch handler that reconciles only the specific MCPServers that reference a changed ExternalAuthConfig (not all configs in namespace) - Status updates during deletion when config is still referenced Includes comprehensive unit tests (83% coverage), integration tests, E2E Chainsaw tests, and example manifests. Co-Authored-By: Jakub Hrozek <[email protected]> Co-authored-by: Claude <[email protected]> Co-authored-by: Juan Antonio Osorio <[email protected]> Signed-off-by: Juan Antonio Osorio <[email protected]>
JAORMX
force-pushed
the
external-auth-controller-impl
branch
from
b185a87 to
c61617d
Compare
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #2150 +/- ##
==========================================
- Coverage 48.84% 48.56% -0.28%
==========================================
Files 242 244 +2
Lines 30722 31194 +472
==========================================
+ Hits 15005 15149 +144
- Misses 14595 14901 +306
- Partials 1122 1144 +22 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Summary
Implement external authentication configuration for MCP servers via a new MCPExternalAuthConfig custom resource. This enables MCP servers to exchange incoming authentication tokens for tokens that can be used with external services via RFC-8693 OAuth 2.0 Token Exchange.
Implementation
TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRETenvironment variable referencing a Kubernetes SecretTesting
Related
docs/proposals/token-exchange-middleware.md🤖 Generated with Claude Code