
Add CA bundle volume mount and validation for MCPRemoteProxy#4190

Open
majiayu000 wants to merge 10 commits into stacklok:main from majiayu000:fix/issue-4113-mcpremoteproxy-ca-bundle

Conversation

@majiayu000
Contributor

Summary

  • MCPRemoteProxy was missing OIDC CA bundle support that already existed in MCPServer, preventing custom CA certificates from being used with remote proxies
  • Add AddOIDCCABundleVolumes() call in buildVolumesForProxy() to mount CA bundle ConfigMaps into the proxy container
  • Add validateCABundleRef() method to the reconciler that validates the referenced ConfigMap exists and contains the expected key, mirroring the MCPServer pattern
  • Add ConditionTypeMCPRemoteProxyCABundleRefValidated condition type for status reporting

Fixes #4113

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Changes

File: mcpremoteproxy_types.go
Change: Add ConditionTypeMCPRemoteProxyCABundleRefValidated constant

File: mcpremoteproxy_deployment.go
Change: Add AddOIDCCABundleVolumes() call in buildVolumesForProxy()

File: mcpremoteproxy_controller.go
Change: Add validateCABundleRef(), updateCABundleStatusForProxy(), setCABundleRefConditionForProxy() methods and call from validateAndHandleConfigs()

File: mcpremoteproxy_deployment_test.go
Change: Add test for OIDC CA bundle volume generation

File: mcpremoteproxy_controller_test.go
Change: Add TestMCPRemoteProxyValidateCABundleRef with 4 cases

Test plan

  • go build ./... passes
  • task lint-fix passes with 0 issues
  • go test ./cmd/thv-operator/controllers/... passes
  • New deployment test verifies CA bundle volume and mount are present
  • New controller test covers: no CA bundle, valid CA bundle, missing ConfigMap, missing key

Does this introduce a user-facing change?

MCPRemoteProxy now supports OIDC CA bundle ConfigMap references, matching the existing MCPServer behavior. Users can configure custom CA certificates for OIDC providers by setting caBundle in their OIDC configuration.

MCPRemoteProxy was missing CA bundle support that already existed in
MCPServer. This adds two features:

1. OIDC CA bundle volume mount in buildVolumesForProxy() so that
   custom CA certificates are available to the proxy container.

2. CA bundle ConfigMap validation in validateAndHandleConfigs() that
   checks the referenced ConfigMap exists and contains the expected
   key, setting appropriate status conditions.

Signed-off-by: majiayu000 <1835304752@qq.com>
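The validation described above (referenced ConfigMap must exist and must contain the expected key, with a default key when none is given) can be illustrated with a stand-alone model. The block below is an added example, not code from this PR or from the toolhive operator: it replaces the cluster lookup with an in-memory map of ConfigMap name to data, assumes `ca.crt` as the default key name (the PR mentions a default-key fallback but does not name the key), and goes one step beyond the PR's checks by also parsing the value as PEM-encoded X.509 certificates, so that a ConfigMap whose key holds something other than a CA bundle is rejected at reconcile time rather than surfacing later as a TLS failure against the OIDC provider. `SelfSignedCAPEM` only produces constructed sample data for the run.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// ConfigMapRef models a CA bundle reference: the ConfigMap name and an optional key.
type ConfigMapRef struct {
	Name string
	Key  string
}

// defaultCABundleKey is an assumed default key name for this example.
const defaultCABundleKey = "ca.crt"

// ValidateCABundleRef checks that the referenced ConfigMap exists, that it
// contains the requested (or default) key, and that the value holds at least
// one parseable PEM certificate. configMaps stands in for the cluster lookup.
func ValidateCABundleRef(ref *ConfigMapRef, configMaps map[string]map[string]string) error {
	if ref == nil {
		return nil // no CA bundle configured: nothing to validate
	}
	if ref.Name == "" {
		return errors.New("CA bundle ConfigMap name must not be empty")
	}
	key := ref.Key
	if key == "" {
		key = defaultCABundleKey
	}
	data, ok := configMaps[ref.Name]
	if !ok {
		return fmt.Errorf("CA bundle ConfigMap %q not found", ref.Name)
	}
	bundle, ok := data[key]
	if !ok {
		return fmt.Errorf("CA bundle ConfigMap %q has no key %q", ref.Name, key)
	}
	n, err := CountCertificates([]byte(bundle))
	if err != nil {
		return fmt.Errorf("CA bundle ConfigMap %q key %q: %w", ref.Name, key, err)
	}
	if n == 0 {
		return fmt.Errorf("CA bundle ConfigMap %q key %q contains no PEM certificates", ref.Name, key)
	}
	return nil
}

// CountCertificates walks every PEM block in the bundle and returns how many
// CERTIFICATE blocks parse as X.509; a malformed certificate is an error.
func CountCertificates(pemData []byte) (int, error) {
	count := 0
	rest := pemData
	for {
		var block *pem.Block
		block, rest = pem.Decode(rest)
		if block == nil {
			break // no further PEM blocks in the remaining bytes
		}
		if block.Type != "CERTIFICATE" {
			continue // skip keys or other block types
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return count, fmt.Errorf("invalid certificate in bundle: %w", err)
		}
		count++
	}
	return count, nil
}

// SelfSignedCAPEM generates a throwaway self-signed CA certificate as
// constructed sample data for the example; it is not a real trust anchor.
func SelfSignedCAPEM() (string, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-oidc-ca"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", err
	}
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})), nil
}

func main() {
	ca, err := SelfSignedCAPEM()
	if err != nil {
		panic(err)
	}
	// Constructed ConfigMap data: one good key, one key holding non-certificate text.
	cms := map[string]map[string]string{"oidc-ca": {"ca.crt": ca, "junk": "not a certificate"}}
	for _, ref := range []*ConfigMapRef{
		{Name: "oidc-ca"}, {Name: "oidc-ca", Key: "junk"}, {Name: "missing"}, {Name: "oidc-ca", Key: "nope"},
	} {
		fmt.Printf("%+v -> %v\n", *ref, ValidateCABundleRef(ref, cms))
	}
}
```

The PEM parse is the part worth keeping even in a controller that otherwise mirrors the MCPServer pattern: existence and key checks catch misconfiguration, but only parsing the value catches a ConfigMap that was populated with the wrong file.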
@github-actions github-actions bot added the size/M Medium PR: 300-599 lines changed label Mar 17, 2026
@codecov

codecov bot commented Mar 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 69.25%. Comparing base (29a2c67) to head (ea64bd0).
⚠️ Report is 34 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4190      +/-   ##
==========================================
+ Coverage   68.85%   69.25%   +0.40%     
==========================================
  Files         467      477      +10     
  Lines       46983    48120    +1137     
==========================================
+ Hits        32349    33326     +977     
- Misses      11974    12217     +243     
+ Partials     2660     2577      -83     


@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Mar 17, 2026
@ChrisJBurns
Collaborator

Are there any integration tests that we can add to this?

Add WithCABundleRef builder helper and 4 integration test cases to
verify the CA bundle ConfigMap reference validation end-to-end:
valid ConfigMap with correct key, missing ConfigMap, wrong key in
ConfigMap, and no CA bundle configured.

Signed-off-by: majiayu000 <1835304752@qq.com>
@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Mar 18, 2026
Add three additional test cases to TestMCPRemoteProxyValidateCABundleRef:
- CABundleRef with nil ConfigMapRef (early return branch)
- CABundleRef with empty ConfigMap name (ValidateCABundleSource error)
- Valid CABundleRef with default key fallback (empty key branch)

This brings validateCABundleRef to 100% coverage.

Signed-off-by: majiayu000 <1835304752@qq.com>
@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Mar 23, 2026
…resolution

Cover previously untested branches in validateOIDCIssuerURL,
validateJWKSURL, and serviceAccountNameForRemoteProxy to address
Codecov patch coverage gaps.

Signed-off-by: majiayu000 <1835304752@qq.com>
@github-actions github-actions bot added size/L Large PR: 600-999 lines changed and removed size/M Medium PR: 300-599 lines changed labels Mar 23, 2026
Cover missing Codecov branches: inline OIDC HTTP issuer rejection,
inline JWKS URL validation, authz ConfigMap reference errors, header
secret reference errors, and nil ValueSecretRef skip path.

Signed-off-by: majiayu000 <1835304752@qq.com>
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/L Large PR: 600-999 lines changed labels Mar 23, 2026
Contributor

@github-actions github-actions bot left a comment


Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

This review will be automatically dismissed once you add the justification section.

Cover uncovered branches flagged by Codecov:
- validateOIDCIssuerURL/validateJWKSURL with nil config structs
- validateSpec with unsupported OIDC issuer scheme
- ensureService update path with drifted session affinity

Signed-off-by: majiayu000 <1835304752@qq.com>
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Mar 23, 2026
…bset check

Cover remaining Codecov-flagged branches:
- updateCABundleStatusForProxy error path (Status().Update failure)
- deploymentMetadataNeedsUpdate with MapIsSubset annotation check

Signed-off-by: majiayu000 <1835304752@qq.com>
@github-actions github-actions bot removed the size/XL Extra large PR: 1000+ lines changed label Mar 23, 2026
@github-actions github-actions bot added the size/XL Extra large PR: 1000+ lines changed label Mar 23, 2026
…nd handleExternalAuthConfig

Signed-off-by: majiayu000 <1835304752@qq.com>
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Mar 23, 2026
Signed-off-by: majiayu000 <1835304752@qq.com>
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Mar 23, 2026

Successfully merging this pull request may close these issues.

MCPRemoteProxy missing CA bundle volume mount and validation