Add CA bundle volume mount and validation for MCPRemoteProxy #4190

Open
majiayu000 wants to merge 3 commits into stacklok:main from majiayu000:fix/issue-4113-mcpremoteproxy-ca-bundle
@majiayu000
Contributor

Summary

  • MCPRemoteProxy was missing OIDC CA bundle support that already existed in MCPServer, preventing custom CA certificates from being used with remote proxies
  • Add AddOIDCCABundleVolumes() call in buildVolumesForProxy() to mount CA bundle ConfigMaps into the proxy container
  • Add validateCABundleRef() method to the reconciler that validates the referenced ConfigMap exists and contains the expected key, mirroring the MCPServer pattern
  • Add ConditionTypeMCPRemoteProxyCABundleRefValidated condition type for status reporting

Fixes #4113

Type of change

  • Bug fix (non-breaking change which fixes an issue)

Changes

| File | Change |
| --- | --- |
| mcpremoteproxy_types.go | Add ConditionTypeMCPRemoteProxyCABundleRefValidated constant |
| mcpremoteproxy_deployment.go | Add AddOIDCCABundleVolumes() call in buildVolumesForProxy() |
| mcpremoteproxy_controller.go | Add validateCABundleRef(), updateCABundleStatusForProxy(), setCABundleRefConditionForProxy() methods and call from validateAndHandleConfigs() |
| mcpremoteproxy_deployment_test.go | Add test for OIDC CA bundle volume generation |
| mcpremoteproxy_controller_test.go | Add TestMCPRemoteProxyValidateCABundleRef with 4 cases |

Test plan

  • go build ./... passes
  • task lint-fix passes with 0 issues
  • go test ./cmd/thv-operator/controllers/... passes
  • New deployment test verifies CA bundle volume and mount are present
  • New controller test covers: no CA bundle, valid CA bundle, missing ConfigMap, missing key

Does this introduce a user-facing change?

MCPRemoteProxy now supports OIDC CA bundle ConfigMap references, matching the existing MCPServer behavior. Users can configure custom CA certificates for OIDC providers by setting caBundle in their OIDC configuration.

MCPRemoteProxy was missing CA bundle support that already existed in
MCPServer. This adds two features:

1. OIDC CA bundle volume mount in buildVolumesForProxy() so that
   custom CA certificates are available to the proxy container.

2. CA bundle ConfigMap validation in validateAndHandleConfigs() that
   checks the referenced ConfigMap exists and contains the expected
   key, setting appropriate status conditions.

Signed-off-by: majiayu000 <1835304752@qq.com>
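
The ConfigMap reference check described above, as an added example; it is not code from this PR or from the operator. `CABundleRef`, `ConfigMaps`, the error values and the `oidc-ca`/`ca.crt` names are hypothetical, and the example goes one step past the PR's existence and key checks by also confirming that the value parses as at least one PEM certificate, since an empty or malformed bundle would otherwise only surface when the proxy makes its TLS connection to the OIDC provider.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

type CABundleRef struct{ Name, Key string }  // hypothetical stand-in for the caBundle reference
type ConfigMaps map[string]map[string]string // hypothetical: ConfigMap name -> data, one namespace
var ErrNoConfigMap = errors.New("CA bundle ConfigMap not found")
var ErrNoKey = errors.New("CA bundle key not found in ConfigMap")
var ErrNoCert = errors.New("CA bundle key holds no parseable certificate")

// ValidateCABundleRef checks existence and key as the PR describes; the PEM parse is added here.
func ValidateCABundleRef(cms ConfigMaps, ref *CABundleRef) error {
	if ref == nil {
		return nil // no CA bundle configured
	}
	data, ok := cms[ref.Name]
	if !ok {
		return fmt.Errorf("%w: %s", ErrNoConfigMap, ref.Name)
	}
	val, ok := data[ref.Key]
	if !ok {
		return fmt.Errorf("%w: %s/%s", ErrNoKey, ref.Name, ref.Key)
	}
	if !x509.NewCertPool().AppendCertsFromPEM([]byte(val)) {
		return fmt.Errorf("%w: %s/%s", ErrNoCert, ref.Name, ref.Key)
	}
	return nil
}

// ConstructedCAPEM returns a throwaway self-signed CA, used only as constructed sample input.
func ConstructedCAPEM() string {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: time.Now(),
		NotAfter: time.Now().Add(time.Hour), IsCA: true, BasicConstraintsValid: true}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, pub, priv)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() { // wrong key on purpose: prints the ErrNoKey message
	fmt.Println(ValidateCABundleRef(ConfigMaps{"oidc-ca": {"ca.crt": ConstructedCAPEM()}}, &CABundleRef{"oidc-ca", "tls.crt"}))
}
```

Distinct sentinel errors let a caller map each failure to its own status condition reason instead of a single generic "invalid" state.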
@github-actions github-actions bot added the size/M Medium PR: 300-599 lines changed label Mar 17, 2026
@codecov

codecov bot commented Mar 17, 2026

Codecov Report

❌ Patch coverage is 69.56522% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.97%. Comparing base (29a2c67) to head (88fc3b7).
⚠️ Report is 3 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...-operator/controllers/mcpremoteproxy_controller.go | 67.44% | 6 Missing and 8 partials ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4190      +/-   ##
==========================================
+ Coverage   68.85%   68.97%   +0.12%     
==========================================
  Files         467      467              
  Lines       46983    47051      +68     
==========================================
+ Hits        32349    32455     +106     
- Misses      11974    11992      +18     
+ Partials     2660     2604      -56     

@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Mar 17, 2026
@ChrisJBurns
Collaborator

Are there any integration tests that we can add to this?

Add WithCABundleRef builder helper and 4 integration test cases to
verify the CA bundle ConfigMap reference validation end-to-end:
valid ConfigMap with correct key, missing ConfigMap, wrong key in
ConfigMap, and no CA bundle configured.

Signed-off-by: majiayu000 <1835304752@qq.com>
@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Mar 18, 2026
Development

Successfully merging this pull request may close these issues.

MCPRemoteProxy missing CA bundle volume mount and validation