Conversation
@amirejaz amirejaz commented Jan 8, 2026

Summary

This PR adds bearer token authentication support to the MCPExternalAuthConfig CRD, allowing users to configure bearer token authentication for remote MCP servers via Kubernetes Secrets.

NOTE: Controller implementation will be done in the next PR

Changes

CRD Types (cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go)

  • Added ExternalAuthTypeBearerToken constant
  • Added BearerTokenConfig struct with TokenSecretRef *SecretKeyRef field
  • Updated MCPExternalAuthConfigSpec to include BearerToken *BearerTokenConfig field
  • Updated validation enum to include bearerToken type

Webhook Validation (cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_webhook.go)

  • Added validation for bearerToken type:
    • BearerToken config must be provided when type is bearerToken
    • TokenExchange and HeaderInjection must not be set when type is bearerToken
    • BearerToken must not be set when type is not bearerToken
  • Updated validation for other types to reject BearerToken field

Tests (cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_webhook_test.go)

  • Added comprehensive test cases:
    • Valid bearer token configuration
    • Invalid: bearerToken without config
    • Invalid: bearerToken with tokenExchange
    • Invalid: bearerToken with headerInjection
    • Invalid: unauthenticated with bearerToken
    • Invalid: tokenExchange with bearerToken
    • Invalid: headerInjection with bearerToken

Code Generation

  • Regenerated deepcopy code (includes BearerTokenConfig)

Example Usage

apiVersion: v1
kind: Secret
metadata:
  name: posthog-bearer-token
  namespace: default
type: Opaque
stringData:
  token: "your-bearer-token-here"
---
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPExternalAuthConfig
metadata:
  name: posthog-bearer-auth
  namespace: default
spec:
  type: bearerToken
  bearerToken:
    tokenSecretRef:
      name: posthog-bearer-token
      key: token

Security Considerations

No Plain Text: Only Kubernetes Secret references are supported
Namespace Scoped: Secrets must be in the same namespace as the MCPExternalAuthConfig
Consistent with OAuth: Follows the same security model as ClientSecretRef in token exchange

Testing

✅ All existing tests pass
✅ New bearer token validation tests pass
✅ CRD validation correctly rejects invalid configurations
✅ Deepcopy code generated successfully

Related

Part of Phase 3: Kubernetes Operator Implementation
PR 1 of 2: CRD Types and Validation (this PR)
PR 2: Controller Implementation (next)
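The CRD types and webhook validation rules listed above, restated as a standalone Go check so the mutual-exclusion logic can be exercised outside the cluster. This is an added example, not the project's code: the struct shapes are reduced stubs assumed here (the real TokenExchange and HeaderInjection configs carry more fields), the `validateSpec` function name is hypothetical, and the check that `tokenSecretRef` sets both `name` and `key` is an assumption beyond what the PR lists. Rules that the existing types already enforce for their own config blocks are out of scope.

```go
package main

import (
	"errors"
	"fmt"
)

// ExternalAuthType mirrors the CRD's type enum; the bearerToken value is the one this PR adds.
type ExternalAuthType string

const (
	ExternalAuthTypeUnauthenticated ExternalAuthType = "unauthenticated"
	ExternalAuthTypeTokenExchange   ExternalAuthType = "tokenExchange"
	ExternalAuthTypeHeaderInjection ExternalAuthType = "headerInjection"
	ExternalAuthTypeBearerToken     ExternalAuthType = "bearerToken"
)

// SecretKeyRef points at one key of a Kubernetes Secret in the same namespace.
type SecretKeyRef struct {
	Name string
	Key  string
}

// BearerTokenConfig holds only a Secret reference: no inline token is accepted.
type BearerTokenConfig struct {
	TokenSecretRef *SecretKeyRef
}

// Stubs (assumption): the real configs have more fields, but only presence matters here.
type TokenExchangeConfig struct{ ClientSecretRef *SecretKeyRef }
type HeaderInjectionConfig struct{ HeaderName string }

// MCPExternalAuthConfigSpec carries one config block per auth type.
type MCPExternalAuthConfigSpec struct {
	Type            ExternalAuthType
	TokenExchange   *TokenExchangeConfig
	HeaderInjection *HeaderInjectionConfig
	BearerToken     *BearerTokenConfig
}

// validateSpec applies the bearerToken rules from the PR description:
// the config block must be present for type bearerToken, the other two
// blocks must be absent, and bearerToken must be absent for every other type.
func validateSpec(spec MCPExternalAuthConfigSpec) error {
	switch spec.Type {
	case ExternalAuthTypeBearerToken:
		if spec.BearerToken == nil {
			return errors.New("bearerToken configuration is required when type is bearerToken")
		}
		// Assumption: an empty Secret reference is rejected at admission rather than
		// surfacing later as a controller error.
		ref := spec.BearerToken.TokenSecretRef
		if ref == nil || ref.Name == "" || ref.Key == "" {
			return errors.New("bearerToken.tokenSecretRef must set both name and key")
		}
		if spec.TokenExchange != nil {
			return errors.New("tokenExchange must not be set when type is bearerToken")
		}
		if spec.HeaderInjection != nil {
			return errors.New("headerInjection must not be set when type is bearerToken")
		}
		return nil
	case ExternalAuthTypeUnauthenticated, ExternalAuthTypeTokenExchange, ExternalAuthTypeHeaderInjection:
		if spec.BearerToken != nil {
			return fmt.Errorf("bearerToken must not be set when type is %s", spec.Type)
		}
		return nil
	default:
		// The CRD enum rejects unknown values before the webhook runs; this is a safety net.
		return fmt.Errorf("unknown external auth type %q", spec.Type)
	}
}

func main() {
	ref := &SecretKeyRef{Name: "posthog-bearer-token", Key: "token"}
	cases := map[string]MCPExternalAuthConfigSpec{
		"valid bearer token":           {Type: ExternalAuthTypeBearerToken, BearerToken: &BearerTokenConfig{TokenSecretRef: ref}},
		"bearerToken without config":   {Type: ExternalAuthTypeBearerToken},
		"bearerToken with tokenExchange": {Type: ExternalAuthTypeBearerToken, BearerToken: &BearerTokenConfig{TokenSecretRef: ref}, TokenExchange: &TokenExchangeConfig{}},
		"unauthenticated with bearerToken": {Type: ExternalAuthTypeUnauthenticated, BearerToken: &BearerTokenConfig{TokenSecretRef: ref}},
	}
	for name, spec := range cases {
		fmt.Printf("%-34s -> %v\n", name, validateSpec(spec))
	}
}
```

The Secret itself is never read at admission time; the webhook only checks the shape of the reference, so a dangling `name`/`key` still surfaces as a controller-side failure once the next PR wires up the reconciler.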

codecov bot commented Jan 8, 2026

Codecov Report

❌ Patch coverage is 90.00000% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 57.01%. Comparing base (deda935) to head (4106fb4).

Files with missing lines Patch % Lines
...perator/controllers/virtualmcpserver_deployment.go 0.00% 2 Missing ⚠️
...d/thv-operator/pkg/controllerutil/tokenexchange.go 0.00% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3224      +/-   ##
==========================================
+ Coverage   56.97%   57.01%   +0.04%     
==========================================
  Files         351      351              
  Lines       34962    34990      +28     
==========================================
+ Hits        19919    19951      +32     
+ Misses      13387    13378       -9     
- Partials     1656     1661       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

// BearerToken configures bearer token authentication
// Only used when Type is "bearerToken"
// +optional
BearerToken *BearerTokenConfig `json:"bearerToken,omitempty"`
I should have probably asked this earlier but what is the difference and overlap between HeaderInjection and BearerToken?

jhrozek previously approved these changes Jan 8, 2026
@jhrozek jhrozek left a comment

I'm fine adding a new type as a user shortcut, but it would be nice to, at least thinking about vMCP, reuse code when converting this to a vMCP auth strategy

@amirejaz amirejaz requested a review from jhrozek January 8, 2026 15:43
@amirejaz amirejaz requested a review from dmjb January 9, 2026 16:05