
Add SecretKeyRef support to InlineOIDCConfig for enhanced secret management #2321

@JAORMX

Feature Request

Add SecretKeyRef support to InlineOIDCConfig to enable Kubernetes-native secret references, similar to the pattern already implemented in MCPExternalAuthConfig.

Current Behavior

InlineOIDCConfig.clientSecret accepts a plain string value:

oidcConfig:
  type: inline
  inline:
    issuer: "https://github.com"
    clientId: "my-client-id"
    clientSecret: "literal-value-here"

Desired Behavior

Support Kubernetes Secret references via SecretKeyRef:

oidcConfig:
  type: inline
  inline:
    issuer: "https://github.com"
    clientId: "my-client-id"
    clientSecretRef:
      name: oauth-credentials
      key: client-secret

Motivation

This feature would provide:

  • Better secret management - Secrets managed via Kubernetes RBAC
  • External secret operator support - Integration with Vault, AWS Secrets Manager, etc.
  • Consistency - Matches the pattern used by MCPExternalAuthConfig.clientSecretRef
  • Security best practices - Secrets not exposed in YAML manifests

Precedent

MCPExternalAuthConfig already implements this pattern:

// cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go:41-43
ClientSecretRef SecretKeyRef `json:"clientSecretRef"`

Where SecretKeyRef is:

type SecretKeyRef struct {
    Name string `json:"name"`
    Key  string `json:"key"`
}

Proposed Implementation

Add optional ClientSecretRef field to InlineOIDCConfig:

type InlineOIDCConfig struct {
    // ... existing fields ...
    
    // ClientSecret is the client secret (optional, deprecated in favor of ClientSecretRef)
    // +optional
    ClientSecret string `json:"clientSecret,omitempty"`
    
    // ClientSecretRef is a reference to a Kubernetes Secret containing the client secret
    // If both ClientSecret and ClientSecretRef are provided, ClientSecretRef takes precedence
    // +optional
    ClientSecretRef *SecretKeyRef `json:"clientSecretRef,omitempty"`
}

OIDC resolver changes:
Update cmd/thv-operator/pkg/oidc/resolver.go to read from Secret when clientSecretRef is set.

Backward compatibility:

  • Keep existing clientSecret field for backward compatibility
  • clientSecretRef takes precedence if both are set
  • Add deprecation notice for clientSecret in documentation
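The precedence and fallback rules above, as an added example that is not part of the issue or of ToolHive's own resolver code; the SecretLookup function type and the in-memory store are assumptions standing in for a controller-runtime Secret read, and the secret values are constructed:

```go
package main

import (
	"errors"
	"fmt"
)

// SecretKeyRef and InlineOIDCConfig mirror the shapes proposed in the issue,
// reduced to the two fields the precedence rule concerns.
type SecretKeyRef struct {
	Name string `json:"name"`
	Key  string `json:"key"`
}

type InlineOIDCConfig struct {
	ClientSecret    string        `json:"clientSecret,omitempty"`
	ClientSecretRef *SecretKeyRef `json:"clientSecretRef,omitempty"`
}

// SecretLookup is a hypothetical abstraction over the Kubernetes Secret read;
// a real resolver would fetch the Secret from the resource's namespace.
type SecretLookup func(name string) (map[string][]byte, error)

// ResolveClientSecret applies the proposed rule: clientSecretRef takes precedence
// over the literal clientSecret, and an unresolvable ref is an error rather than
// a silent fallback to the deprecated literal value.
func ResolveClientSecret(cfg InlineOIDCConfig, lookup SecretLookup) (string, error) {
	if cfg.ClientSecretRef == nil {
		return cfg.ClientSecret, nil // may be empty for public clients
	}
	ref := cfg.ClientSecretRef
	if ref.Name == "" || ref.Key == "" {
		return "", errors.New("clientSecretRef requires both name and key")
	}
	data, err := lookup(ref.Name)
	if err != nil {
		return "", fmt.Errorf("reading secret %q: %w", ref.Name, err)
	}
	val, ok := data[ref.Key]
	if !ok || len(val) == 0 {
		return "", fmt.Errorf("secret %q has no non-empty key %q", ref.Name, ref.Key)
	}
	return string(val), nil
}

// constructedStore stands in for the API server; values are made up for the example.
var constructedStore = map[string]map[string][]byte{
	"oauth-credentials": {"client-secret": []byte("s3cr3t-from-secret")},
}

// MapLookup is the example's SecretLookup backed by constructedStore.
func MapLookup(name string) (map[string][]byte, error) {
	if s, ok := constructedStore[name]; ok {
		return s, nil
	}
	return nil, errors.New("secret not found")
}
```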

Benefits

  • Enables secure GitHub.com OAuth authentication for MCPRemoteProxy
  • Improves security posture for all OIDC configurations
  • Consistent API design across ToolHive CRDs
  • Enables integration with external secret management systems

Related CRDs

This would affect:

  • MCPServer.spec.oidcConfig.inline
  • MCPRemoteProxy.spec.oidcConfig.inline
