Merge branch 'main' into update-registry-from-release

Author: jhrozek

.github/workflows/autoupdate.yml

@@ -0,0 +1,17 @@
+name: autoupdate
+permissions:
+  contents: read
+  pull-requests: write
+on:
+  # Update all PRs on merge to main
+  push:
+    branches:
+      - main
+jobs:
+  autoupdate:
+    name: autoupdate
+    runs-on: ubuntu-latest
+    steps:
+      - uses: docker://chinthakagodawita/autoupdate-action:v1
+        env:
+          GITHUB_TOKEN: '${{ secrets.GITHUB_TOKEN }}'

.github/workflows/operator-ci.yml

@@ -183,7 +183,7 @@ jobs:
         go install github.com/stackloklabs/yardstick/cmd/yardstick-client@v0.0.2
         
     - name: Install Chainsaw
-      uses: kyverno/action-install-chainsaw@6354895e0f99ab23d3e38d85cf5c71b5dc21d727 # v0.2.13
+      uses: kyverno/action-install-chainsaw@06560d18422209e9c1e08e931d477d04bf2674c1 # v0.2.14
       with:
         release: v0.2.12
 

cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go

@@ -11,6 +11,11 @@ const (
 
 	// ExternalAuthTypeHeaderInjection is the type for custom header injection
 	ExternalAuthTypeHeaderInjection ExternalAuthType = "headerInjection"
+
+	// ExternalAuthTypeUnauthenticated is the type for no authentication
+	// This should only be used for backends on trusted networks (e.g., localhost, VPC)
+	// or when authentication is handled by network-level security
+	ExternalAuthTypeUnauthenticated ExternalAuthType = "unauthenticated"
 )
 
 // ExternalAuthType represents the type of external authentication
@@ -21,7 +26,7 @@ type ExternalAuthType string
 // MCPServer resources in the same namespace.
 type MCPExternalAuthConfigSpec struct {
 	// Type is the type of external authentication to configure
-	// +kubebuilder:validation:Enum=tokenExchange;headerInjection
+	// +kubebuilder:validation:Enum=tokenExchange;headerInjection;unauthenticated
 	// +kubebuilder:validation:Required
 	Type ExternalAuthType `json:"type"`
 

cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_webhook.go

@@ -0,0 +1,87 @@
+package v1alpha1
+
+import (
+	"context"
+	"fmt"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/webhook"
+	"sigs.k8s.io/controller-runtime/pkg/webhook/admission"
+)
+
+// SetupWebhookWithManager sets up the webhook with the Manager
+func (r *MCPExternalAuthConfig) SetupWebhookWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewWebhookManagedBy(mgr).
+		For(r).
+		Complete()
+}
+
+//nolint:lll // kubebuilder webhook marker cannot be split
+// +kubebuilder:webhook:path=/validate-toolhive-stacklok-com-v1alpha1-mcpexternalauthconfig,mutating=false,failurePolicy=fail,sideEffects=None,groups=toolhive.stacklok.com,resources=mcpexternalauthconfigs,verbs=create;update,versions=v1alpha1,name=vmcpexternalauthconfig.kb.io,admissionReviewVersions=v1
+
+var _ webhook.CustomValidator = &MCPExternalAuthConfig{}
+
+// ValidateCreate implements webhook.CustomValidator
+func (r *MCPExternalAuthConfig) ValidateCreate(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	var warnings admission.Warnings
+	if r.Spec.Type == ExternalAuthTypeUnauthenticated {
+		warnings = append(warnings,
+			"'unauthenticated' type disables authentication to the backend. "+
+				"Only use for backends on trusted networks or when authentication is handled by network-level security.")
+	}
+	return warnings, r.validate()
+}
+
+// ValidateUpdate implements webhook.CustomValidator
+func (r *MCPExternalAuthConfig) ValidateUpdate(
+	_ context.Context, _ runtime.Object, _ runtime.Object,
+) (admission.Warnings, error) {
+	var warnings admission.Warnings
+	if r.Spec.Type == ExternalAuthTypeUnauthenticated {
+		warnings = append(warnings,
+			"'unauthenticated' type disables authentication to the backend. "+
+				"Only use for backends on trusted networks or when authentication is handled by network-level security.")
+	}
+	return warnings, r.validate()
+}
+
+// ValidateDelete implements webhook.CustomValidator
+func (*MCPExternalAuthConfig) ValidateDelete(_ context.Context, _ runtime.Object) (admission.Warnings, error) {
+	// No validation needed for deletion
+	return nil, nil
+}
+
+// validate performs validation on the MCPExternalAuthConfig spec
+func (r *MCPExternalAuthConfig) validate() error {
+	switch r.Spec.Type {
+	case ExternalAuthTypeTokenExchange:
+		if r.Spec.TokenExchange == nil {
+			return fmt.Errorf("tokenExchange configuration is required when type is 'tokenExchange'")
+		}
+		if r.Spec.HeaderInjection != nil {
+			return fmt.Errorf("headerInjection must not be set when type is 'tokenExchange'")
+		}
+
+	case ExternalAuthTypeHeaderInjection:
+		if r.Spec.HeaderInjection == nil {
+			return fmt.Errorf("headerInjection configuration is required when type is 'headerInjection'")
+		}
+		if r.Spec.TokenExchange != nil {
+			return fmt.Errorf("tokenExchange must not be set when type is 'headerInjection'")
+		}
+
+	case ExternalAuthTypeUnauthenticated:
+		if r.Spec.TokenExchange != nil {
+			return fmt.Errorf("tokenExchange must not be set when type is 'unauthenticated'")
+		}
+		if r.Spec.HeaderInjection != nil {
+			return fmt.Errorf("headerInjection must not be set when type is 'unauthenticated'")
+		}
+
+	default:
+		return fmt.Errorf("unsupported auth type: %s", r.Spec.Type)
+	}
+
+	return nil
+}