add bearerToken type to MCPExternalAuthConfig CRD

[amirejaz]

Summary

This PR adds bearer token authentication support to the MCPExternalAuthConfig CRD, allowing users to configure bearer token authentication for remote MCP servers via Kubernetes Secrets.

NOTE: Controller Implementation will be done in next PR

Changes

CRD Types (cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go)

• Added ExternalAuthTypeBearerToken constant
• Added BearerTokenConfig struct with TokenSecretRef *SecretKeyRef field
• Updated MCPExternalAuthConfigSpec to include BearerToken *BearerTokenConfig field
• Updated validation enum to include bearerToken type

Webhook Validation (cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_webhook.go)

• Added validation for bearerToken type:
  • BearerToken config must be provided when type is bearerToken
  • TokenExchange and HeaderInjection must not be set when type is bearerToken
  • BearerToken must not be set when type is not bearerToken
• Updated validation for other types to reject BearerToken field

Tests (cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_webhook_test.go)

• Added comprehensive test cases:
  • Valid bearer token configuration
  • Invalid: bearerToken without config
  • Invalid: bearerToken with tokenExchange
  • Invalid: bearerToken with headerInjection
  • Invalid: unauthenticated with bearerToken
  • Invalid: tokenExchange with bearerToken
  • Invalid: headerInjection with bearerToken

Code Generation

• Regenerated deepcopy code (includes BearerTokenConfig)

Example Usage

apiVersion: v1
kind: Secret
metadata:
  name: posthog-bearer-token
  namespace: default
type: Opaque
stringData:
  token: "your-bearer-token-here"
---
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPExternalAuthConfig
metadata:
  name: posthog-bearer-auth
  namespace: default
spec:
  type: bearerToken
  bearerToken:
    tokenSecretRef:
      name: posthog-bearer-token
      key: token

Security Considerations

No Plain Text: Only Kubernetes Secret references are supported
Namespace Scoped: Secrets must be in the same namespace as the MCPExternalAuthConfig
Consistent with OAuth: Follows the same security model as ClientSecretRef in token exchange

Testing

✅ All existing tests pass
✅ New bearer token validation tests pass
✅ CRD validation correctly rejects invalid configurations
✅ Deepcopy code generated successfully

Related

Part of Phase 3: Kubernetes Operator Implementation
PR 1 of 2: CRD Types and Validation (this PR)
PR 2: Controller Implementation (next)

[codecov]

Codecov Report

❌ Patch coverage is 90.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.79%. Comparing base (9ff9ec2) to head (73f7834).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...perator/controllers/virtualmcpserver_deployment.go	0.00%	2 Missing ⚠️
...d/thv-operator/pkg/controllerutil/tokenexchange.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3224      +/-   ##
==========================================
+ Coverage   64.76%   64.79%   +0.02%     
==========================================
  Files         381      381              
  Lines       37121    37149      +28     
==========================================
+ Hits        24043    24069      +26     
+ Misses      11194    11193       -1     
- Partials     1884     1887       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jhrozek]

I'm fine adding a new type as a user shortcut, but it would be nice to, at least thinking about vmCP, reuse code when converting this to a vMCP auth strategy

[amirejaz]

@jhrozek would appreciate another look

[jhrozek]

LGTM, but needs rebase (sorry for the late review!)

[jhrozek]

LGTM again, I'm sorry but the version needs to be bumped again. Let me know when you've bumped the version on Slack so we can merge the patch ASAP.

[jhrozek]

and you've got version 100 :-)

[amirejaz]

and you've got version 100 :-)

Honestly, I didn’t wait for it to reach 100 😄