remove mixed mode to simplify vmcp operation (#2798)

* remove mixed mode to simplify vmcp operation * bump version --------- Co-authored-by: taskbot <taskbot@users.noreply.github.com>

Author: yrobla

cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go

@@ -85,8 +85,7 @@ type OutgoingAuthConfig struct {
 // Source defines how backend authentication configurations are determined
 // - discovered: Automatically discover from backend's MCPServer.spec.externalAuthConfigRef
 // - inline: Explicit per-backend configuration in VirtualMCPServer
-// - mixed: Discover most, override specific backends
-// +kubebuilder:validation:Enum=discovered;inline;mixed
+// +kubebuilder:validation:Enum=discovered;inline
 // +kubebuilder:default=discovered
 // +optional
 Source string `json:"source,omitempty"`
@@ -96,7 +95,7 @@ type OutgoingAuthConfig struct {
 Default *BackendAuthConfig `json:"default,omitempty"`
 
 // Backends defines per-backend authentication overrides
-// Works in all modes (discovered, inline, mixed)
+// Works in all modes (discovered, inline)
 // +optional
 Backends map[string]BackendAuthConfig `json:"backends,omitempty"`
 }

cmd/thv-operator/api/v1alpha1/virtualmcpserver_webhook.go

@@ -102,10 +102,9 @@ func (r *VirtualMCPServer) validateOutgoingAuth() error {
 validSources := map[string]bool{
 "discovered": true,
 "inline": true,
-"mixed": true,
 }
 if auth.Source != "" && !validSources[auth.Source] {
-return fmt.Errorf("spec.outgoingAuth.source must be one of: discovered, inline, mixed")
+return fmt.Errorf("spec.outgoingAuth.source must be one of: discovered, inline")
 }
 
 // Validate backend configurations

cmd/thv-operator/api/v1alpha1/virtualmcpserver_webhook_test.go

@@ -58,7 +58,7 @@ func TestVirtualMCPServerValidate(t *testing.T) {
 },
 },
 wantErr: true,
-errMsg: "spec.outgoingAuth.source must be one of: discovered, inline, mixed",
+errMsg: "spec.outgoingAuth.source must be one of: discovered, inline",
 },
 {
 name: "valid backend external auth config ref",

cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go

@@ -111,14 +111,14 @@ func TestConvertOutgoingAuth(t *testing.T) {
 {
 name: "with per-backend auth",
 outgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
-Source: "mixed",
+Source: "discovered",
 Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 "backend-1": {
 Type: mcpv1alpha1.BackendAuthTypeDiscovered,
 },
 },
 },
-expectedSource: "mixed",
+expectedSource: "discovered",
 hasDefault: false,
 backendCount: 1,
 },
@@ -514,7 +514,7 @@ func TestYAMLMarshalingDeterminism(t *testing.T) {
 },
 // OutgoingAuth with Backends map
 OutgoingAuth: &mcpv1alpha1.OutgoingAuthConfig{
-Source: "mixed",
+Source: "discovered",
 Backends: map[string]mcpv1alpha1.BackendAuthConfig{
 "backend-zebra": {
 Type: mcpv1alpha1.BackendAuthTypeDiscovered,

deploy/charts/operator-crds/Chart.yaml

@@ -2,5 +2,5 @@ apiVersion: v2
 name: toolhive-operator-crds
 description: A Helm chart for installing the ToolHive Operator CRDs into Kubernetes.
 type: application
-version: 0.0.71
+version: 0.0.72
 appVersion: "0.0.1"

deploy/charts/operator-crds/README.md

@@ -1,6 +1,6 @@
 # ToolHive Operator CRDs Helm Chart
 
-![Version: 0.0.71](https://img.shields.io/badge/Version-0.0.71-informational?style=flat-square)
+![Version: 0.0.72](https://img.shields.io/badge/Version-0.0.72-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for installing the ToolHive Operator CRDs into Kubernetes.

deploy/charts/operator-crds/crds/toolhive.stacklok.dev_virtualmcpservers.yaml

@@ -612,7 +612,7 @@ spec:
  type: object
  description: |-
  Backends defines per-backend authentication overrides
- Works in all modes (discovered, inline, mixed)
+ Works in all modes (discovered, inline)
  type: object
  default:
  description: Default defines default behavior for backends without
@@ -645,11 +645,9 @@ spec:
  Source defines how backend authentication configurations are determined
  - discovered: Automatically discover from backend's MCPServer.spec.externalAuthConfigRef
  - inline: Explicit per-backend configuration in VirtualMCPServer
- - mixed: Discover most, override specific backends
  enum:
  - discovered
  - inline
- - mixed
  type: string
  type: object
  podTemplateSpec:

docs/operator/crd-api.md

@@ -80,7 +80,6 @@ Configures authentication from Virtual MCP to backend MCPServers.
 - `source` (string, optional): How backend authentication configurations are determined
  - `discovered` (default): Automatically discover from backend's `MCPServer.spec.externalAuthConfigRef`
  - `inline`: Explicit per-backend configuration in VirtualMCPServer
- - `mixed`: Discover most, override specific backends
 - `default` (BackendAuthConfig, optional): Default behavior for backends without explicit auth config
 - `backends` (map[string]BackendAuthConfig, optional): Per-backend authentication overrides
 
@@ -113,27 +112,6 @@ spec:
  headerFormat: "Bearer {token}"
 ```
 
-**Example (mixed mode)**:
-```yaml
-spec:
- outgoingAuth:
- source: mixed
- default:
- type: discovered
- backends:
- # Override specific backends while others use discovery
- slack:
- type: service_account
- serviceAccount:
- credentialsRef:
- name: slack-bot-override
- key: token
- headerName: Authorization
- headerFormat: "Bearer {token}"
- # Other backends (github, jira, etc.) will automatically
- # discover auth config from their MCPServer.spec.externalAuthConfigRef
-```
-
 #### BackendAuthConfig
 
 **Fields**:

docs/operator/virtualmcpserver-api.md

@@ -593,7 +593,7 @@ spec:
  # ===== OUTGOING AUTHENTICATION (Virtual MCP → Backends) =====
  outgoingAuth:
  # Configuration source
- source: discovered # inline | discovered | mixed
+ source: discovered # inline | discovered
 
  # When source=discovered:
  # Virtual MCP queries each backend's MCPServer.spec.externalAuthConfigRef