Fix VirtualMCPServer OIDC configuration by implementing OIDCConfigurable interface #2821
+431 −55
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@ ## main #2821 +/- ## ========================================== + Coverage 56.59% 56.65% +0.05% ========================================== Files 322 322 Lines 31247 31279 +32 ========================================== + Hits 17685 17721 +36 + Misses 12042 12040 -2 + Partials 1520 1518 -2 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
jhrozek force-pushed the oidc_refactor branch from 05a8222 to 9bec199 Compare 
github-actions bot added size/M jhrozek force-pushed the oidc_refactor branch from 9bec199 to a363bd6 Compare github-actions bot added size/M 
rdimitrov approved these changes Dec 3, 2025
Add go:generate directive to generate gomock mock for the oidc.Resolver interface. This enables proper unit testing of components that depend on OIDC resolution without requiring a real Kubernetes client.
Implement GetOIDCConfig() and GetProxyPort() methods on VirtualMCPServer to satisfy the oidc.OIDCConfigurable interface. This allows the OIDC resolver to resolve Kubernetes and ConfigMap OIDC configurations for VirtualMCPServer resources. GetProxyPort returns 4483, the default vMCP server port.
Previously, the Converter only handled inline OIDC configuration directly and had a TODO for kubernetes and configMap types. This change: - Makes oidcResolver a required parameter for NewConverter (returns error if nil) - Uses the resolver for all OIDC types (kubernetes, configMap, inline) - Adds mapResolvedOIDCToVmcpConfig() to map resolver output to vmcp config - Handles ClientSecretEnv for all OIDC types that may have client secrets - Updates controller to pass OIDC resolver to converter - Adds comprehensive tests using gomock for OIDC resolution - Adds compile-time interface assertion for VirtualMCPServer This ensures fail-closed behavior: if OIDC is configured but resolution fails, the converter returns an error rather than silently deploying without authentication.
jhrozek force-pushed the oidc_refactor branch from 5d80a94 to eeb373e Compare github-actions bot added size/M Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Summary
VirtualMCPServer with
type: kubernetesortype: configMapOIDC configuration was not working because the converter used hand-rolled conversions instead of implementing the pre-existingOIDCConfigurableinterface that the OIDC resolver requires.This PR:
OIDCConfigurableinterface onVirtualMCPServer(addsGetOIDCConfig()andGetProxyPort()methods)Converterto require an OIDC resolver and use it for all OIDC types (kubernetes, configMap, inline)Changes
Test plan
Fixes #2820
🤖 Generated with Claude Code