stacklok / toolhive / 27980106310

22 Jun 2026 07:58PM UTC coverage: 67.182% (+0.1%) from 67.084%
push

github

web-flow
Wire MCPAuthzConfig references into VirtualMCPServer (Cedar-only) (#5580)

* Wire MCPAuthzConfig references into VirtualMCPServer

A VirtualMCPServer that sets spec.incomingAuth.authzConfigRef only had
the reference tracked for deletion protection — it never applied the
referenced policy at runtime. Resolve the reference and enforce it,
completing the workload-controller wiring started for MCPServer (#5563)
and MCPRemoteProxy (#5564).

vMCP's incoming-auth middleware is hard-coded to Cedar, so only cedarv1
MCPAuthzConfig resources are resolved; a non-Cedar reference fails fast
with a clear error rather than being carried through as inert config.
Generalizing the vMCP runtime to other backends is a separate follow-up.

- handleAuthzConfig mirrors handleOIDCConfig (statusManager-based):
  validates the ref, tracks AuthzConfigHash, sets AuthzConfigRefValidated,
  and clears both hash and condition on nil-ref. Fail-stale, not
  fail-open, on revocation (documented inline).
- Watch MCPAuthzConfig + map changes back to referencing VirtualMCPServers,
  plus the mcpauthzconfigs RBAC marker as the dependency source of truth.
- Converter resolveAuthzConfigRef resolves cedarv1 into vmcpconfig.AuthzConfig
  and guards inline-vs-ref mutual exclusion as defense-in-depth.
- Add SetAuthzConfigHash to the StatusManager interface and collector.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Regenerate VirtualMCPServer CRD docs and status mock

Generated output from the authzConfigRef wiring: refreshed CRD schema
description (staging note replaced with the cedarv1-only constraint),
CRD API docs, and the StatusManager mock for SetAuthzConfigHash.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Add VirtualMCPServer authzConfigRef envtest integration test

Drives the registered VirtualMCPServer controller against envtest with a
pre-seeded MCPAuthzConfig, mirroring the MCPServer (#5563) and
MCPRemoteProxy (#5564) integratio... (continued)

142 of 176 new or added lines in 5 files covered. (80.68%)

11 existing lines in 4 files now uncovered.

70016 of 104219 relevant lines covered (67.18%)

65.13 hits per line

Source File

80.42
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
