RFC-55: VirtualMCPServer MCPServerEntry Static Mode Backend Discovery

[JAORMX]

As a platform engineer using VirtualMCPServer in static mode,
I want VirtualMCPServer to discover MCPServerEntry resources via groupRef and include them as backends in the generated ConfigMap,
so that vMCP can route traffic to remote MCP servers declared as MCPServerEntry without proxy pods.

Size: L
Dependencies: MCPServerEntry CRD types must exist (Phase 1 story)
Labels: operator, kubernetes
RFC: RFC-0055

Context

Once the MCPServerEntry CRD exists (Phase 1), the VirtualMCPServer controller needs to discover these resources and include them as backends. In static mode, vMCP reads its backend configuration from a ConfigMap generated by the operator. This story extends that ConfigMap generation to include entry-type backends.

Key architectural decisions:

• MCPServerEntry backends are a new backend type (entry) distinct from MCPServer (container) and MCPRemoteProxy (proxy)
• CA bundle ConfigMaps must be mounted as volumes into the vMCP pod for TLS verification
• The workload discoverer (pkg/vmcp/workloads/) needs a new WorkloadTypeMCPServerEntry constant

Scope

VirtualMCPServer Controller Discovery

• Update ensureAllResources() in cmd/thv-operator/controllers/virtualmcpserver_controller.go to discover MCPServerEntry resources via groupRef
• Extend pkg/vmcp/workloads/k8s.go:
  • Add WorkloadTypeMCPServerEntry constant
  • Update ListWorkloadsInGroup() to include MCPServerEntry resources
  • Add getMCPServerEntryAsBackend() conversion (similar to getMCPRemoteProxyAsBackend())
• VirtualMCPServer watches MCPServerEntry (add mapper like findVirtualMCPServerForMCPServer)

ConfigMap Generation

• Update cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig.go:
  • discoverBackendsWithMetadata() includes MCPServerEntry backends
  • convertBackendsToStaticBackends() handles entry-type backends
  • Static config includes remoteURL, transport, and auth config from MCPServerEntry spec
• New backend type marker in static config so vMCP parser can distinguish entry backends

CA Bundle Volume Mounting

• When MCPServerEntry has caBundleRef, mount the referenced ConfigMap as a volume in the vMCP Deployment
• Mount path: /etc/toolhive/ca-bundles//ca.crt
• Include mount path in static config so vMCP knows where to find the CA for each entry backend
• Update ensureDeployment() to add volume and volumeMount entries

RBAC Updates

• VirtualMCPServer's generated ServiceAccount Role needs get, list, watch on mcpserverentries
• Update ensureRBACResources() in the controller

Status Updates

• VirtualMCPServerStatus.DiscoveredBackends includes MCPServerEntry backends
• BackendCount reflects entry backends

Acceptance Criteria

• VirtualMCPServer controller discovers MCPServerEntry resources via groupRef
• WorkloadTypeMCPServerEntry constant added to workloads discoverer
• getMCPServerEntryAsBackend() converts MCPServerEntry to vmcp.Backend
• ConfigMap generation includes entry-type backends with remoteURL, transport, and auth
• CA bundle ConfigMaps mounted as volumes at /etc/toolhive/ca-bundles//ca.crt
• Static config includes CA bundle mount paths for entry backends
• VirtualMCPServer watches MCPServerEntry for reconciliation triggers
• RBAC ServiceAccount Role updated for mcpserverentries
• DiscoveredBackends status includes entry backends
• Unit tests cover ConfigMap generation with entry backends
• Unit tests cover CA bundle volume mounting
• Integration tests cover VirtualMCPServer + MCPServerEntry discovery
• All tests pass (task test)