remove Metadata field and use typed auth config

Remove the deprecated Metadata map[string]any field from BackendAuthStrategy and migrate all code to use typed fields (HeaderInjection, TokenExchange). Key changes: - Remove Metadata field from authtypes.BackendAuthStrategy - Update Strategy interface to accept *BackendAuthStrategy instead of map - Update all strategies (header_injection, tokenexchange, unauthenticated) - Update converters to return typed BackendAuthStrategy - Change Backend/BackendTarget structs to use AuthConfig instead of AuthStrategy + AuthMetadata - Update ResolveForBackend to return *BackendAuthStrategy - Update all consumers and tests This provides type safety, better IDE support, and eliminates runtime type assertions throughout the auth subsystem.

Author: jhrozek

cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go

@@ -213,7 +213,13 @@ func TestConvertBackendAuthConfig(t *testing.T) {
 assert.Equal(t, tt.expectedType, strategy.Type)
 
 if tt.hasMetadata {
-assert.NotEmpty(t, strategy.Metadata)
+// For external auth config refs, check that the strategy type is set
+// The actual typed fields (HeaderInjection/TokenExchange) are resolved at runtime
+assert.Equal(t, mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef, strategy.Type)
+} else {
+// For discovered auth, there should be no typed fields populated
+assert.Nil(t, strategy.HeaderInjection)
+assert.Nil(t, strategy.TokenExchange)
 }
 })
 }

cmd/thv-operator/pkg/vmcpconfig/converter.go

@@ -174,14 +174,14 @@ func (*Converter) convertBackendAuthConfig(
 crdConfig *mcpv1alpha1.BackendAuthConfig,
 ) *authtypes.BackendAuthStrategy {
 strategy := &authtypes.BackendAuthStrategy{
-Type: crdConfig.Type,
-Metadata: make(map[string]any),
+Type: crdConfig.Type,
 }
 
-// Convert type-specific configuration to metadata
-if crdConfig.ExternalAuthConfigRef != nil {
-strategy.Metadata["externalAuthConfigRef"] = crdConfig.ExternalAuthConfigRef.Name
-}
+// Note: When Type is "external_auth_config_ref", the actual MCPExternalAuthConfig
+// resource should be resolved at runtime and its configuration (TokenExchange or
+// HeaderInjection) should be populated into the corresponding typed fields.
+// This conversion happens during server initialization when the referenced
+// MCPExternalAuthConfig can be looked up.
 
 return strategy
 }

pkg/vmcp/aggregator/discoverer.go

@@ -178,7 +178,7 @@ func (d *backendDiscoverer) applyAuthConfigToBackend(backend *vmcp.Backend, back
 // In discovered mode, use auth discovered from MCPServer (if any exists)
 // If no auth is discovered, fall back to config-based auth via ResolveForBackend
 // which will use backend-specific config, then Default, then no auth
-useDiscoveredAuth = backend.AuthStrategy != ""
+useDiscoveredAuth = backend.AuthConfig != nil
 case "inline", "":
 // For inline mode or empty source, always use config-based auth
 // Ignore any discovered auth from backends
@@ -191,14 +191,13 @@ func (d *backendDiscoverer) applyAuthConfigToBackend(backend *vmcp.Backend, back
 
 if useDiscoveredAuth {
 // Keep the auth discovered from MCPServer (already populated in backend)
-logger.Debugf("Backend %s using discovered auth strategy: %s", backendName, backend.AuthStrategy)
+logger.Debugf("Backend %s using discovered auth strategy: %s", backendName, backend.AuthConfig.Type)
 } else {
 // Use auth from config (inline mode)
-authStrategy, authMetadata := d.authConfig.ResolveForBackend(backendName)
-if authStrategy != "" {
-backend.AuthStrategy = authStrategy
-backend.AuthMetadata = authMetadata
-logger.Debugf("Backend %s configured with auth strategy from config: %s", backendName, authStrategy)
+authConfig := d.authConfig.ResolveForBackend(backendName)
+if authConfig != nil {
+backend.AuthConfig = authConfig
+logger.Debugf("Backend %s configured with auth strategy from config: %s", backendName, authConfig.Type)
 }
 }
 }