Skip to content

Sync vMCP CRD auth implementation with the server (or vice versa) #2701

New issue
New issue
Open
0 of 3 issues completed
Open
Sync vMCP CRD auth implementation with the server (or vice versa)#2701
0 of 3 issues completed
Assignees
yrobla
Labels
authenticationbugSomething isn't workingkubernetesItems related to Kubernetesoperator
@jhrozek

Description

@jhrozek
jhrozek
opened on Nov 24, 2025

The VMCP outgoing auth CRDs have not been designed in sync with the actual implementation

The issues are:

  1. The discovered mode is not implemented in vMCP at all
  2. ExtenalAuthConfig doesn't seem to be resolved - the controller seems to use it to populate the status.discoveredBackEnds but I can't find code that actually does anything with the external auth
  3. (biggest) The auth strategies are not compatible. The vMCP implementation uses unauthenticated, header_injection and token_exchange. For token_exchange we have an equivalent in the MCPExternalAuthConfig CRD, but not for the first two. We should decide whether to keep adding to MCPExternalAuthConfig or fork out a special CR for vMCP.

Sub-issues

Metadata

Metadata

Assignees

Labels

authenticationbugSomething isn't workingkubernetesItems related to Kubernetesoperator

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions