
Docs update needed: Document caBundleRef for custom CA certificates in OIDC config #466

@jhrozek

Description

Context

Commit: 1853ae98069b6238d599d7b7394bf8ddd2b19ea3 in stacklok/toolhive
PR: #3391
Author: @jhrozek

Summary

The MCPServer CRD gains a new caBundleRef field (on both InlineOIDCConfig and ConfigMapOIDCRef) that auto-mounts a CA certificate ConfigMap for OIDC token validation against issuers with non-public certificates (e.g., corporate Keycloak instances). The existing thvCABundlePath field is deprecated.

Pages Requiring Updates

| Priority | Page | What Needs Changing |
| --- | --- | --- |
| High | https://docs.stacklok.com/toolhive/guides-k8s/auth-k8s | Document caBundleRef field for custom CA certificates; add deprecation note for thvCABundlePath; add example for corporate IdP with custom CA |

Suggested Changes

  • Add a new section or subsection under the OIDC authentication approaches explaining how to use caBundleRef when the OIDC provider uses a non-public CA (e.g., corporate Keycloak with a self-signed or internal CA)
  • Show an example MCPServer manifest with caBundleRef pointing to a ConfigMap containing the CA bundle:

    ```yaml
    oidcConfig:
      type: inline
      inline:
        issuer: "https://keycloak.corp.example.com/realms/myrealm"
        audience: "my-audience"
        caBundleRef:
          configMapRef:
            name: corporate-ca-bundle
            key: ca.crt
    ```

  • Add a deprecation note for thvCABundlePath explaining that users should migrate to caBundleRef, which automatically handles volume mounting
  • Mention the CABundleRefValidated status condition that operators can check for validation errors
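A pre-flight check for the manifest above, written for this issue as an added example (it is not toolhive or operator code): it resolves caBundleRef from an MCPServer spec to the referenced ConfigMap key and verifies that key holds PEM certificates, approximating locally what the CABundleRefValidated condition would report after apply. The sample objects, the placeholder PEM body, and the placement of thvCABundlePath beside caBundleRef are constructed assumptions.

```python
import base64
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)

# Constructed sample objects (not from the issue). The PEM body is a placeholder
# DER prefix so the check runs offline; a real bundle holds full certificates.
CA_CONFIGMAP = {
    "apiVersion": "v1",
    "kind": "ConfigMap",
    "metadata": {"name": "corporate-ca-bundle"},
    "data": {"ca.crt": "-----BEGIN CERTIFICATE-----\nMAMCAQI=\n-----END CERTIFICATE-----\n"},
}
MCPSERVER_SPEC = {
    "oidcConfig": {
        "type": "inline",
        "inline": {
            "issuer": "https://keycloak.corp.example.com/realms/myrealm",
            "audience": "my-audience",
            "caBundleRef": {"configMapRef": {"name": "corporate-ca-bundle", "key": "ca.crt"}},
        },
    }
}


def oidc_block(spec):
    """Return the block that carries caBundleRef: the inline or configMapRef form."""
    oidc = spec.get("oidcConfig", {})
    return oidc.get("inline") or oidc.get("configMapRef") or {}


def deprecated_fields(spec):
    """List deprecated fields still set (thvCABundlePath assumed to sit beside caBundleRef)."""
    return [f for f in ("thvCABundlePath",) if f in oidc_block(spec)]


def check_ca_bundle_ref(spec, configmaps):
    """Resolve caBundleRef against ConfigMaps keyed by name; return (ok, reason)."""
    ref = oidc_block(spec).get("caBundleRef", {}).get("configMapRef")
    if not ref or "name" not in ref or "key" not in ref:
        return False, "caBundleRef.configMapRef needs both name and key"
    cm = configmaps.get(ref["name"])
    if cm is None:
        return False, f"ConfigMap {ref['name']!r} not found"
    bodies = PEM_CERT.findall(cm.get("data", {}).get(ref["key"], ""))
    if not bodies:
        return False, f"key {ref['key']!r} holds no PEM CERTIFICATE block"
    for body in bodies:
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            return False, "certificate body is not valid base64"
        if not der or der[0] != 0x30:  # DER certificates start with a SEQUENCE tag
            return False, "certificate body is not DER"
    return True, f"{len(bodies)} certificate(s) in {ref['name']}/{ref['key']}"
```

Run it against the rendered MCPServer and ConfigMap before `kubectl apply`; a False result points at the same misconfigurations the operator would surface through CABundleRefValidated.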

Auto-generated by doc-impact analysis
