remove mixed mode to simplify vmcp operation

Author: taskbot

cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go

@@ -85,8 +85,7 @@ type OutgoingAuthConfig struct {
 // Source defines how backend authentication configurations are determined
 // - discovered: Automatically discover from backend's MCPServer.spec.externalAuthConfigRef
 // - inline: Explicit per-backend configuration in VirtualMCPServer
-// - mixed: Discover most, override specific backends
-// +kubebuilder:validation:Enum=discovered;inline;mixed
+// +kubebuilder:validation:Enum=discovered;inline
 // +kubebuilder:default=discovered
 // +optional
 Source string `json:"source,omitempty"`
@@ -96,7 +95,7 @@ type OutgoingAuthConfig struct {
 Default *BackendAuthConfig `json:"default,omitempty"`
 
 // Backends defines per-backend authentication overrides
-// Works in all modes (discovered, inline, mixed)
+// Works in all modes (discovered, inline)
 // +optional
 Backends map[string]BackendAuthConfig `json:"backends,omitempty"`
 }

cmd/thv-operator/api/v1alpha1/virtualmcpserver_webhook.go

@@ -102,10 +102,9 @@ func (r *VirtualMCPServer) validateOutgoingAuth() error {
 validSources := map[string]bool{
 "discovered": true,
 "inline": true,
-"mixed": true,
 }
 if auth.Source != "" && !validSources[auth.Source] {
-return fmt.Errorf("spec.outgoingAuth.source must be one of: discovered, inline, mixed")
+return fmt.Errorf("spec.outgoingAuth.source must be one of: discovered, inline")
 }
 
 // Validate backend configurations

cmd/thv-operator/api/v1alpha1/virtualmcpserver_webhook_test.go

@@ -58,7 +58,7 @@ func TestVirtualMCPServerValidate(t *testing.T) {
 },
 },
 wantErr: true,
-errMsg: "spec.outgoingAuth.source must be one of: discovered, inline, mixed",
+errMsg: "spec.outgoingAuth.source must be one of: discovered, inline",
 },
 {
 name: "valid backend external auth config ref",

cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go

@@ -111,14 +111,14 @@ func TestConvertOutgoingAuth(t *testing.T) {
 {
 name: "with per-backend auth",
 outgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
-Source: "mixed",
+Source: "discovered",
 Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 "backend-1": {
 Type: mcpv1alpha1.BackendAuthTypeDiscovered,
 },
 },
 },
-expectedSource: "mixed",
+expectedSource: "discovered",
 hasDefault: false,
 backendCount: 1,
 },
@@ -514,7 +514,7 @@ func TestYAMLMarshalingDeterminism(t *testing.T) {
 },
 // OutgoingAuth with Backends map
 OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
-Source: "mixed",
+Source: "discovered",
 Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 "backend-zebra": {
 Type: mcpv1alpha1.BackendAuthTypeDiscovered,

deploy/charts/operator-crds/crds/toolhive.stacklok.dev_virtualmcpservers.yaml

@@ -612,7 +612,7 @@ spec:
  type: object
  description: |-
  Backends defines per-backend authentication overrides
- Works in all modes (discovered, inline, mixed)
+ Works in all modes (discovered, inline)
  type: object
  default:
  description: Default defines default behavior for backends without
@@ -645,11 +645,9 @@ spec:
  Source defines how backend authentication configurations are determined
  - discovered: Automatically discover from backend's MCPServer.spec.externalAuthConfigRef
  - inline: Explicit per-backend configuration in VirtualMCPServer
- - mixed: Discover most, override specific backends
  enum:
  - discovered
  - inline
- - mixed
  type: string
  type: object
  podTemplateSpec:

docs/operator/crd-api.md

@@ -80,7 +80,6 @@ Configures authentication from Virtual MCP to backend MCPServers.
 - `source` (string, optional): How backend authentication configurations are determined
  - `discovered` (default): Automatically discover from backend's `MCPServer.spec.externalAuthConfigRef`
  - `inline`: Explicit per-backend configuration in VirtualMCPServer
- - `mixed`: Discover most, override specific backends
 - `default` (BackendAuthConfig, optional): Default behavior for backends without explicit auth config
 - `backends` (map[string]BackendAuthConfig, optional): Per-backend authentication overrides
 
@@ -113,27 +112,6 @@ spec:
  headerFormat: "Bearer {token}"
 ```
 
-**Example (mixed mode)**:
-```yaml
-spec:
- outgoingAuth:
- source: mixed
- default:
- type: discovered
- backends:
- # Override specific backends while others use discovery
- slack:
- type: service_account
- serviceAccount:
- credentialsRef:
- name: slack-bot-override
- key: token
- headerName: Authorization
- headerFormat: "Bearer {token}"
- # Other backends (github, jira, etc.) will automatically
- # discover auth config from their MCPServer.spec.externalAuthConfigRef
-```
-
 #### BackendAuthConfig
 
 **Fields**:

docs/operator/virtualmcpserver-api.md

@@ -593,7 +593,7 @@ spec:
  # ===== OUTGOING AUTHENTICATION (Virtual MCP → Backends) =====
  outgoingAuth:
  # Configuration source
- source: discovered # inline | discovered | mixed
+ source: discovered # inline | discovered
 
  # When source=discovered:
  # Virtual MCP queries each backend's MCPServer.spec.externalAuthConfigRef

docs/proposals/THV-2106-virtual-mcp-server.md

@@ -159,7 +159,6 @@ func (d *backendDiscoverer) Discover(ctx context.Context, groupRef string) ([]vm
 //
 // Auth resolution logic:
 // - "discovered" mode: Use discovered auth if available, otherwise fall back to Default or backend-specific config
-// - "mixed" mode: Use discovered auth unless there's an explicit backend override in config
 // - "inline" mode (or ""): Always use config-based auth, ignore discovered auth
 // - unknown mode: Default to config-based auth for safety
 //
@@ -180,11 +179,6 @@ func (d *backendDiscoverer) applyAuthConfigToBackend(backend *vmcp.Backend, back
 // If no auth is discovered, fall back to config-based auth via ResolveForBackend
 // which will use backend-specific config, then Default, then no auth
 useDiscoveredAuth = backend.AuthStrategy != ""
-case "mixed":
-// In mixed mode, use discovered auth as default, but allow config overrides
-// If there's no explicit config for this backend, use discovered auth
-_, hasExplicitConfig := d.authConfig.Backends[backendName]
-useDiscoveredAuth = !hasExplicitConfig && backend.AuthStrategy != ""
 case "inline", "":
 // For inline mode or empty source, always use config-based auth
 // Ignore any discovered auth from backends
@@ -199,7 +193,7 @@ func (d *backendDiscoverer) applyAuthConfigToBackend(backend *vmcp.Backend, back
 // Keep the auth discovered from MCPServer (already populated in backend)
 logger.Debugf("Backend %s using discovered auth strategy: %s", backendName, backend.AuthStrategy)
 } else {
-// Use auth from config (inline mode or explicit override in mixed mode)
+// Use auth from config (inline mode)
 authStrategy, authMetadata := d.authConfig.ResolveForBackend(backendName)
 if authStrategy != "" {
 backend.AuthStrategy = authStrategy

pkg/vmcp/aggregator/discoverer.go

@@ -493,90 +493,6 @@ func TestBackendDiscoverer_applyAuthConfigToBackend(t *testing.T) {
 assert.Equal(t, "config-token", backend.AuthMetadata["token"])
 })
 
-t.Run("mixed mode with explicit config override", func(t *testing.T) {
-t.Parallel()
-ctrl := gomock.NewController(t)
-t.Cleanup(ctrl.Finish)
-
-mockWorkloadDiscoverer := discoverermocks.NewMockDiscoverer(ctrl)
-mockGroups := mocks.NewMockManager(ctrl)
-
-authConfig := &config.OutgoingAuthConfig{
-Source: "mixed",
-Backends: map[string]*config.BackendAuthStrategy{
-"backend1": {
-Type: "bearer",
-Metadata: map[string]any{
-"token": "override-token",
-},
-},
-},
-}
-
-discoverer := &backendDiscoverer{
-workloadsManager: mockWorkloadDiscoverer,
-groupsManager: mockGroups,
-authConfig: authConfig,
-}
-
-backend := &vmcp.Backend{
-ID: "backend1",
-Name: "backend1",
-AuthStrategy: "token_exchange",
-AuthMetadata: map[string]any{
-"token_endpoint": "https://auth.example.com/token",
-},
-}
-
-discoverer.applyAuthConfigToBackend(backend, "backend1")
-
-// In mixed mode with explicit config, config should override discovered auth
-assert.Equal(t, "bearer", backend.AuthStrategy)
-assert.Equal(t, "override-token", backend.AuthMetadata["token"])
-})
-
-t.Run("mixed mode without explicit config uses discovered auth", func(t *testing.T) {
-t.Parallel()
-ctrl := gomock.NewController(t)
-t.Cleanup(ctrl.Finish)
-
-mockWorkloadDiscoverer := discoverermocks.NewMockDiscoverer(ctrl)
-mockGroups := mocks.NewMockManager(ctrl)
-
-authConfig := &config.OutgoingAuthConfig{
-Source: "mixed",
-Backends: map[string]*config.BackendAuthStrategy{
-"other-backend": {
-Type: "bearer",
-Metadata: map[string]any{
-"token": "other-token",
-},
-},
-},
-}
-
-discoverer := &backendDiscoverer{
-workloadsManager: mockWorkloadDiscoverer,
-groupsManager: mockGroups,
-authConfig: authConfig,
-}
-
-backend := &vmcp.Backend{
-ID: "backend1",
-Name: "backend1",
-AuthStrategy: "token_exchange",
-AuthMetadata: map[string]any{
-"token_endpoint": "https://auth.example.com/token",
-},
-}
-
-discoverer.applyAuthConfigToBackend(backend, "backend1")
-
-// In mixed mode without explicit config, discovered auth should be preserved
-assert.Equal(t, "token_exchange", backend.AuthStrategy)
-assert.Equal(t, "https://auth.example.com/token", backend.AuthMetadata["token_endpoint"])
-})
-
 t.Run("inline mode ignores discovered auth", func(t *testing.T) {
 t.Parallel()
 ctrl := gomock.NewController(t)
@@ -813,52 +729,6 @@ func TestBackendDiscoverer_applyAuthConfigToBackend(t *testing.T) {
 assert.Equal(t, "secret-key-123", backend.AuthMetadata["api_key"])
 })
 
-t.Run("mixed mode falls back to config when no discovered auth", func(t *testing.T) {
-t.Parallel()
-ctrl := gomock.NewController(t)
-t.Cleanup(ctrl.Finish)
-
-mockWorkloadDiscoverer := discoverermocks.NewMockDiscoverer(ctrl)
-mockGroups := mocks.NewMockManager(ctrl)
-
-authConfig := &config.OutgoingAuthConfig{
-Source: "mixed",
-Backends: map[string]*config.BackendAuthStrategy{
-"other-backend": {
-Type: "bearer",
-Metadata: map[string]any{
-"token": "other-token",
-},
-},
-},
-Default: &config.BackendAuthStrategy{
-Type: "bearer",
-Metadata: map[string]any{
-"token": "default-token",
-},
-},
-}
-
-discoverer := &backendDiscoverer{
-workloadsManager: mockWorkloadDiscoverer,
-groupsManager: mockGroups,
-authConfig: authConfig,
-}
-
-backend := &vmcp.Backend{
-ID: "backend1",
-Name: "backend1",
-// No discovered auth
-}
-
-discoverer.applyAuthConfigToBackend(backend, "backend1")
-
-// In mixed mode with no explicit config and no discovered auth,
-// should use default config
-assert.Equal(t, "bearer", backend.AuthStrategy)
-assert.Equal(t, "default-token", backend.AuthMetadata["token"])
-})
-
 t.Run("discovered mode falls back to default config when no auth discovered", func(t *testing.T) {
 t.Parallel()
 ctrl := gomock.NewController(t)