discover and mount ExternalAuthConfig from MCPServers for VirtualMCPServer

Author: amirejaz

cmd/thv-operator/controllers/virtualmcpserver_controller.go

@@ -30,9 +30,19 @@ import (
 	"github.com/stacklok/toolhive/pkg/groups"
 	vmcptypes "github.com/stacklok/toolhive/pkg/vmcp"
 	"github.com/stacklok/toolhive/pkg/vmcp/aggregator"
+	"github.com/stacklok/toolhive/pkg/vmcp/auth/converters"
+	authtypes "github.com/stacklok/toolhive/pkg/vmcp/auth/types"
+	vmcpconfig "github.com/stacklok/toolhive/pkg/vmcp/config"
 	"github.com/stacklok/toolhive/pkg/vmcp/workloads"
 )
 
+const (
+	// OutgoingAuthSourceDiscovered indicates that auth configs should be automatically discovered from MCPServers
+	OutgoingAuthSourceDiscovered = "discovered"
+	// OutgoingAuthSourceInline indicates that auth configs should be explicitly specified
+	OutgoingAuthSourceInline = "inline"
+)
+
 // VirtualMCPServerReconciler reconciles a VirtualMCPServer object
 //
 // Resource Cleanup Strategy:
@@ -896,6 +906,169 @@ func createVmcpServiceURL(vmcpName, namespace string, port int32) string {
 	return fmt.Sprintf("http://%s.%s.svc.cluster.local:%d", serviceName, namespace, port)
 }
 
+// convertExternalAuthConfigToStrategy converts an MCPExternalAuthConfig to a BackendAuthStrategy.
+// This uses the converter registry to support all auth types (token exchange, header injection, etc.).
+// For ConfigMap mode (inline), secrets are referenced as environment variables that will be
+// mounted in the deployment.
+func (r *VirtualMCPServerReconciler) convertExternalAuthConfigToStrategy(
+	ctx context.Context,
+	namespace string,
+	externalAuthConfig *mcpv1alpha1.MCPExternalAuthConfig,
+) (*authtypes.BackendAuthStrategy, error) {
+	// Use the converter registry to convert to typed strategy
+	registry := converters.DefaultRegistry()
+	converter, err := registry.GetConverter(externalAuthConfig.Spec.Type)
+	if err != nil {
+		return nil, err
+	}
+
+	// Convert to typed BackendAuthStrategy (this will use env var references for secrets)
+	strategy, err := converter.ConvertToStrategy(externalAuthConfig)
+	if err != nil {
+		return nil, fmt.Errorf("failed to convert external auth config to strategy: %w", err)
+	}
+
+	// For header injection, resolve secrets from Kubernetes
+	if externalAuthConfig.Spec.Type == mcpv1alpha1.ExternalAuthTypeHeaderInjection {
+		strategy, err = converter.ResolveSecrets(ctx, externalAuthConfig, r.Client, namespace, strategy)
+		if err != nil {
+			return nil, fmt.Errorf("failed to resolve secrets for header injection: %w", err)
+		}
+	}
+
+	return strategy, nil
+}
+
+// convertBackendAuthConfigToVMCP converts a BackendAuthConfig from CRD to vmcp config.
+func (r *VirtualMCPServerReconciler) convertBackendAuthConfigToVMCP(
+	ctx context.Context,
+	namespace string,
+	crdConfig *mcpv1alpha1.BackendAuthConfig,
+) (*authtypes.BackendAuthStrategy, error) {
+	// For type="discovered", return a minimal strategy (will be populated by discovery)
+	if crdConfig.Type == mcpv1alpha1.BackendAuthTypeDiscovered {
+		return &authtypes.BackendAuthStrategy{
+			Type: crdConfig.Type,
+		}, nil
+	}
+
+	// For type="external_auth_config_ref", fetch and convert the referenced config
+	if crdConfig.ExternalAuthConfigRef != nil {
+		// Fetch the MCPExternalAuthConfig and convert it
+		externalAuthConfig, err := ctrlutil.GetExternalAuthConfigByName(
+			ctx, r.Client, namespace, crdConfig.ExternalAuthConfigRef.Name)
+		if err != nil {
+			return nil, fmt.Errorf("failed to get MCPExternalAuthConfig %s: %w", crdConfig.ExternalAuthConfigRef.Name, err)
+		}
+
+		// Convert the external auth config to strategy
+		return r.convertExternalAuthConfigToStrategy(ctx, namespace, externalAuthConfig)
+	}
+
+	// Fallback: return minimal strategy
+	return &authtypes.BackendAuthStrategy{
+		Type: crdConfig.Type,
+	}, nil
+}
+
+// discovers ExternalAuthConfig from MCPServers and adds them to the outgoing config
+func (r *VirtualMCPServerReconciler) discoverExternalAuthConfigs(
+	ctx context.Context,
+	vmcp *mcpv1alpha1.VirtualMCPServer,
+	workloadNames []string,
+	outgoing *vmcpconfig.OutgoingAuthConfig,
+) {
+	ctxLogger := log.FromContext(ctx)
+
+	for _, workloadName := range workloadNames {
+		mcpServer := &mcpv1alpha1.MCPServer{}
+		if err := r.Get(ctx, types.NamespacedName{Name: workloadName, Namespace: vmcp.Namespace}, mcpServer); err != nil {
+			// Skip if MCPServer not found (might be a different workload type)
+			continue
+		}
+
+		// Only process if MCPServer has ExternalAuthConfigRef
+		if mcpServer.Spec.ExternalAuthConfigRef == nil {
+			continue
+		}
+
+		// Fetch the MCPExternalAuthConfig
+		externalAuthConfig, err := ctrlutil.GetExternalAuthConfigByName(
+			ctx, r.Client, vmcp.Namespace, mcpServer.Spec.ExternalAuthConfigRef.Name)
+		if err != nil {
+			ctxLogger.V(1).Info("Failed to get MCPExternalAuthConfig for backend, skipping",
+				"backend", workloadName,
+				"externalAuthConfig", mcpServer.Spec.ExternalAuthConfigRef.Name,
+				"error", err)
+			continue
+		}
+
+		// Convert MCPExternalAuthConfig to BackendAuthStrategy
+		strategy, err := r.convertExternalAuthConfigToStrategy(ctx, vmcp.Namespace, externalAuthConfig)
+		if err != nil {
+			ctxLogger.V(1).Info("Failed to convert MCPExternalAuthConfig to strategy, skipping",
+				"backend", workloadName,
+				"externalAuthConfig", externalAuthConfig.Name,
+				"error", err)
+			continue
+		}
+
+		// Only add if not already overridden in inline config
+		if vmcp.Spec.OutgoingAuth == nil || vmcp.Spec.OutgoingAuth.Backends == nil {
+			outgoing.Backends[workloadName] = strategy
+		} else if _, exists := vmcp.Spec.OutgoingAuth.Backends[workloadName]; !exists {
+			// Only add discovered config if not explicitly overridden
+			outgoing.Backends[workloadName] = strategy
+		}
+	}
+}
+
+// buildOutgoingAuthConfig builds an OutgoingAuthConfig from the VirtualMCPServer spec,
+// discovering ExternalAuthConfig from MCPServers when source is "discovered".
+func (r *VirtualMCPServerReconciler) buildOutgoingAuthConfig(
+	ctx context.Context,
+	vmcp *mcpv1alpha1.VirtualMCPServer,
+	workloadNames []string,
+) (*vmcpconfig.OutgoingAuthConfig, error) {
+	// Determine source - default to "discovered" if not specified
+	source := OutgoingAuthSourceDiscovered
+	if vmcp.Spec.OutgoingAuth != nil && vmcp.Spec.OutgoingAuth.Source != "" {
+		source = vmcp.Spec.OutgoingAuth.Source
+	}
+
+	outgoing := &vmcpconfig.OutgoingAuthConfig{
+		Source:   source,
+		Backends: make(map[string]*authtypes.BackendAuthStrategy),
+	}
+
+	// Convert Default if specified
+	if vmcp.Spec.OutgoingAuth != nil && vmcp.Spec.OutgoingAuth.Default != nil {
+		defaultStrategy, err := r.convertBackendAuthConfigToVMCP(ctx, vmcp.Namespace, vmcp.Spec.OutgoingAuth.Default)
+		if err != nil {
+			return nil, fmt.Errorf("failed to convert default auth config: %w", err)
+		}
+		outgoing.Default = defaultStrategy
+	}
+
+	// Discover ExternalAuthConfig from MCPServers if source is "discovered"
+	if source == OutgoingAuthSourceDiscovered {
+		r.discoverExternalAuthConfigs(ctx, vmcp, workloadNames, outgoing)
+	}
+
+	// Apply inline overrides (works for all source modes)
+	if vmcp.Spec.OutgoingAuth != nil && vmcp.Spec.OutgoingAuth.Backends != nil {
+		for backendName, backendAuth := range vmcp.Spec.OutgoingAuth.Backends {
+			strategy, err := r.convertBackendAuthConfigToVMCP(ctx, vmcp.Namespace, &backendAuth)
+			if err != nil {
+				return nil, fmt.Errorf("failed to convert backend auth config for %s: %w", backendName, err)
+			}
+			outgoing.Backends[backendName] = strategy
+		}
+	}
+
+	return outgoing, nil
+}
+
 // discoverBackends discovers all MCPServers in the referenced MCPGroup and returns
 // a list of DiscoveredBackend objects with their current status.
 // This reuses the existing workload discovery code from pkg/vmcp/workloads.
@@ -911,22 +1084,35 @@ func (r *VirtualMCPServerReconciler) discoverBackends(
 	// Create K8S workload discoverer for the VirtualMCPServer's namespace
 	workloadDiscoverer := workloads.NewK8SDiscovererWithClient(r.Client, vmcp.Namespace)
 
+	// Get all workload names in the group
+	workloadNames, err := workloadDiscoverer.ListWorkloadsInGroup(ctx, vmcp.Spec.GroupRef.Name)
+	if err != nil {
+		return nil, fmt.Errorf("failed to list workloads in group: %w", err)
+	}
+
+	// Build outgoing auth config only if OutgoingAuth is explicitly configured
+	// This allows the aggregator to apply auth config to backends based on source mode
+	var authConfig *vmcpconfig.OutgoingAuthConfig
+	if vmcp.Spec.OutgoingAuth != nil {
+		var err error
+		authConfig, err = r.buildOutgoingAuthConfig(ctx, vmcp, workloadNames)
+		if err != nil {
+			ctxLogger.V(1).Info("Failed to build outgoing auth config, continuing without auth",
+				"error", err)
+			// Continue without auth config rather than failing
+			authConfig = nil
+		}
+	}
+
 	// Use the aggregator's unified backend discoverer to reuse discovery logic
-	// Pass nil for authConfig since we'll extract auth config from MCPServer directly
-	backendDiscoverer := aggregator.NewUnifiedBackendDiscoverer(workloadDiscoverer, groupsManager, nil)
+	backendDiscoverer := aggregator.NewUnifiedBackendDiscoverer(workloadDiscoverer, groupsManager, authConfig)
 
 	// Discover backends using the aggregator
 	backends, err := backendDiscoverer.Discover(ctx, vmcp.Spec.GroupRef.Name)
 	if err != nil {
 		return nil, fmt.Errorf("failed to discover backends: %w", err)
 	}
 
-	// Get all workload names to track backends that weren't accessible
-	workloadNames, err := workloadDiscoverer.ListWorkloadsInGroup(ctx, vmcp.Spec.GroupRef.Name)
-	if err != nil {
-		return nil, fmt.Errorf("failed to list workloads in group: %w", err)
-	}
-
 	// Create a map of discovered backend names for quick lookup
 	discoveredBackendMap := make(map[string]*vmcptypes.Backend, len(backends))
 	for i := range backends {