
Expose CIMD config in MCPExternalAuthConfig CRD #5384

Draft
amirejaz wants to merge 3 commits into cimd-phase2-pr6-cimd-validation from cimd-phase2-pr5-crd-field

@amirejaz
Contributor

Summary

  • Stacked on Wire CIMD config through embedded AS and enable storage decorator #5348. Merge that first.
  • Resolves the TODO(cimd) left in PR Wire CIMD config through embedded AS and enable storage decorator #5348: CIMD config is now exposed in the MCPExternalAuthConfig CRD so Kubernetes operators can enable it through a normal VirtualMCPServer manifest instead of writing runconfig.json directly.
  • Adds EmbeddedAuthServerCIMDConfig struct to the CRD API with enabled, cacheMaxSize, and cacheFallbackTtl fields, following the same patterns as existing fields (TokenLifespanConfig for durations, kubebuilder markers for validation).
  • Wires the new CRD field through BuildAuthServerRunConfig in controllerutil/authserver.go, parsing cacheFallbackTtl from a Go duration string to time.Duration.
  • Regenerates zz_generated.deepcopy.go and CRD YAML manifests.

Usage example after this PR:

spec:
  externalAuth:
    type: embeddedAuthServer
    embeddedAuthServer:
      issuer: https://auth.example.com
      upstreamProviders: [...]
      cimd:
        enabled: true
        cacheMaxSize: 256
        cacheFallbackTtl: "5m"

Type of change

  • New feature

Test plan

  • go test ./cmd/thv-operator/pkg/controllerutil/... — new TestBuildAuthServerRunConfig_CIMD covers nil, disabled, enabled with values, enabled with zero fields, invalid TTL
  • go build ./... passes
  • task lint-fix clean
  • CRD YAML regenerated — cimd block appears in both mcpexternalauthconfigs and virtualmcpservers CRDs

Generated with Claude Code
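An added example (not the PR's code) of the conversion the summary and test plan above describe, covering the nil, disabled, enabled, zero-field and invalid-TTL cases. The `cimdSpec` and `cimdResolved` types, the `resolveCIMD` function, the nil result for a disabled block and the negative-value checks are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"time"
)

// cimdSpec is a hypothetical stand-in for the CRD's cimd block
// (enabled, cacheMaxSize, cacheFallbackTtl); it is not the project's type.
type cimdSpec struct {
	Enabled          bool
	CacheMaxSize     int
	CacheFallbackTTL string // Go duration string, e.g. "5m"
}

// cimdResolved is a hypothetical parsed form; zero values mean "unset" (assumption).
type cimdResolved struct {
	CacheMaxSize     int
	CacheFallbackTTL time.Duration
}

// resolveCIMD returns nil when the block is absent or disabled (assumption).
func resolveCIMD(spec *cimdSpec) (*cimdResolved, error) {
	if spec == nil || !spec.Enabled {
		return nil, nil
	}
	if spec.CacheMaxSize < 0 {
		return nil, fmt.Errorf("cimd.cacheMaxSize must not be negative, got %d", spec.CacheMaxSize)
	}
	out := &cimdResolved{CacheMaxSize: spec.CacheMaxSize}
	if spec.CacheFallbackTTL == "" {
		return out, nil
	}
	ttl, err := time.ParseDuration(spec.CacheFallbackTTL)
	if err != nil {
		return nil, fmt.Errorf("cimd.cacheFallbackTtl %q: %w", spec.CacheFallbackTTL, err)
	}
	// time.ParseDuration accepts signed input such as "-5m", so check the sign explicitly.
	if ttl < 0 {
		return nil, fmt.Errorf("cimd.cacheFallbackTtl must not be negative, got %s", ttl)
	}
	out.CacheFallbackTTL = ttl
	return out, nil
}

func main() {
	r, err := resolveCIMD(&cimdSpec{Enabled: true, CacheMaxSize: 256, CacheFallbackTTL: "5m"})
	fmt.Println(r.CacheMaxSize, r.CacheFallbackTTL, err)
}
```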

@github-actions github-actions Bot added the size/M Medium PR: 300-599 lines changed label May 26, 2026
@codecov

codecov Bot commented May 26, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.78%. Comparing base (76fd736) to head (04ee659).

Additional details and impacted files
@@                    Coverage Diff                     @@
##           cimd-phase2-pr3-wiring    #5384      +/-   ##
==========================================================
- Coverage                   68.78%   68.78%   -0.01%     
==========================================================
  Files                         627      627              
  Lines                       63644    63643       -1     
==========================================================
- Hits                        43780    43778       -2     
- Misses                      16609    16614       +5     
+ Partials                     3255     3251       -4     

@amirejaz amirejaz force-pushed the cimd-phase2-pr5-crd-field branch from e27ecdf to dff1dd5 Compare May 26, 2026 13:48
@github-actions github-actions Bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels May 26, 2026
@amirejaz amirejaz force-pushed the cimd-phase2-pr5-crd-field branch from dff1dd5 to bf8f137 Compare May 26, 2026 14:47
@github-actions github-actions Bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels May 26, 2026
@amirejaz amirejaz force-pushed the cimd-phase2-pr5-crd-field branch from bf8f137 to 04ee659 Compare May 26, 2026 17:40
@github-actions github-actions Bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels May 26, 2026
Base automatically changed from cimd-phase2-pr3-wiring to main May 26, 2026 20:12
amirejaz and others added 3 commits May 27, 2026 02:08
C3 - Thread ScopesSupported into NewCIMDStorageDecorator so CIMD scope
     handling is consistent with DCR. Uses registration.ValidateScopes
     (same function as the DCR handler) to validate declared scopes
     against the AS allowlist and compute the effective scope list.
     When ScopesSupported is unset, the document's declared scopes are
     used directly; omitted scopes default to DefaultScopes.

C4 - Reject CIMD documents that declare grant_types or response_types
     the embedded AS does not support for public clients
     (authorization_code + refresh_token; code). Consistent with DCR
     which returns invalid_client_metadata for the same cases.

buildFositeClient now receives pre-computed scopes from fetch() rather
than re-parsing doc.Scope, matching the DCR handler pattern where scope
computation and validation happen before client construction.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

Adds EmbeddedAuthServerCIMDConfig to the CRD so operators can enable
CIMD through the normal VirtualMCPServer manifest workflow instead of
writing runconfig.json directly. Resolves the TODO(cimd) comment in
pkg/authserver/config.go.

The new cimd field on EmbeddedAuthServerConfig maps to
authserver.CIMDRunConfig in the generated RunConfig. CacheFallbackTTL
is stored as a Go duration string in the CRD (e.g. "5m") and parsed
to time.Duration by the converter.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>

CIMDRunConfig.CacheFallbackTTL changed from time.Duration to string in
PR3. The operator converter now passes the string through unchanged;
parsing to time.Duration happens in resolveCIMDConfig in the runner,
after CIMDRunConfig.Validate() has already confirmed the format.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
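The C3 and C4 checks from the first commit message above, sketched as an added example that is not the project's code. The `clientDoc` type and the `checkAllowed` and `effectiveScopes` functions are hypothetical names, and applying the default scopes on omission regardless of the allowlist is an assumption.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

var errInvalidClientMetadata = errors.New("invalid_client_metadata") // OAuth error code cited in the commit
// clientDoc is a hypothetical, trimmed-down client metadata document.
type clientDoc struct {
	GrantTypes, ResponseTypes []string
	Scope                     string // space-delimited
}

// checkAllowed rejects any value in got that is not listed in allowed.
func checkAllowed(field string, got, allowed []string) error {
	set := make(map[string]bool, len(allowed))
	for _, a := range allowed {
		set[a] = true
	}
	for _, v := range got {
		if !set[v] {
			return fmt.Errorf("%w: unsupported %s %q", errInvalidClientMetadata, field, v)
		}
	}
	return nil
}

// effectiveScopes validates the document first, then computes the scopes the client receives.
func effectiveScopes(doc clientDoc, scopesSupported, defaultScopes []string) ([]string, error) {
	err := checkAllowed("grant_types", doc.GrantTypes, []string{"authorization_code", "refresh_token"})
	if err == nil {
		err = checkAllowed("response_types", doc.ResponseTypes, []string{"code"})
	}
	declared := strings.Fields(doc.Scope)
	if err == nil && len(declared) > 0 && len(scopesSupported) > 0 {
		err = checkAllowed("scope", declared, scopesSupported) // allowlist set: enforce it
	}
	if err != nil {
		return nil, err
	}
	if len(declared) == 0 {
		return defaultScopes, nil // omitted scope falls back to defaults (both modes: assumption)
	}
	return declared, nil // allowlist unset or satisfied: declared scopes are used directly
}

func main() { fmt.Println(effectiveScopes(clientDoc{GrantTypes: []string{"implicit"}}, nil, nil)) }
```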
@amirejaz amirejaz force-pushed the cimd-phase2-pr5-crd-field branch from 04ee659 to 4f3e1cb Compare May 26, 2026 21:11
@amirejaz amirejaz changed the base branch from main to cimd-phase2-pr6-cimd-validation May 26, 2026 21:11
@github-actions github-actions Bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels May 26, 2026
@amirejaz amirejaz force-pushed the cimd-phase2-pr6-cimd-validation branch 3 times, most recently from 8e68d45 to 36b5e97 Compare May 26, 2026 21:40