Documentation
Overview
Package converters provides functions to convert external authentication configurations to vMCP auth strategy metadata.
Package converters provides strategy-specific converters for external authentication configurations.
Package converters provides a registry for converting external authentication configurations to vMCP auth strategy metadata.
Index
- func ConvertToStrategy(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (*authtypes.BackendAuthStrategy, error)
- func DiscoverAndResolveAuth(ctx context.Context, externalAuthConfigRef *mcpv1alpha1.ExternalAuthConfigRef, ...) (*authtypes.BackendAuthStrategy, error)
- func ResolveSecretsForStrategy(ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, ...) (*authtypes.BackendAuthStrategy, error)
- type HeaderInjectionConverter
- func (*HeaderInjectionConverter) ConvertToStrategy(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (*authtypes.BackendAuthStrategy, error)
- func (*HeaderInjectionConverter) ResolveSecrets(ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, ...) (*authtypes.BackendAuthStrategy, error)
- func (*HeaderInjectionConverter) StrategyType() string
- type Registry
- type StrategyConverter
- type TokenExchangeConverter
- func (*TokenExchangeConverter) ConvertToStrategy(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (*authtypes.BackendAuthStrategy, error)
- func (*TokenExchangeConverter) ResolveSecrets(ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, ...) (*authtypes.BackendAuthStrategy, error)
- func (*TokenExchangeConverter) StrategyType() string
Constants
This section is empty.
Variables
This section is empty.
Functions
func ConvertToStrategy (added in v0.6.10)
func ConvertToStrategy(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (*authtypes.BackendAuthStrategy, error)
ConvertToStrategy is a convenience function that uses the default registry to convert an external auth config to a BackendAuthStrategy with typed fields. This is the main entry point for converting auth configs at runtime.
func DiscoverAndResolveAuth
func DiscoverAndResolveAuth(ctx context.Context, externalAuthConfigRef *mcpv1alpha1.ExternalAuthConfigRef, namespace string, k8sClient client.Client) (*authtypes.BackendAuthStrategy, error)
DiscoverAndResolveAuth discovers authentication configuration from an MCPServer's ExternalAuthConfigRef and resolves it to a BackendAuthStrategy with typed fields. This is the main entry point for auth discovery from Kubernetes.
Returns:
- strategy: The resolved BackendAuthStrategy with typed fields and secrets fetched from Kubernetes
- error: Any error that occurred during discovery or resolution
Returns nil strategy and nil error if externalAuthConfigRef is nil (no auth configured).
func ResolveSecretsForStrategy
func ResolveSecretsForStrategy(ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, k8sClient client.Client, namespace string, strategy *authtypes.BackendAuthStrategy) (*authtypes.BackendAuthStrategy, error)
ResolveSecretsForStrategy is a convenience function that uses the default registry to resolve secrets for a given strategy.
Types
type HeaderInjectionConverter
type HeaderInjectionConverter struct{}
HeaderInjectionConverter converts MCPExternalAuthConfig HeaderInjection to vMCP header_injection strategy.
func (*HeaderInjectionConverter) ConvertToStrategy (added in v0.6.10)
func (*HeaderInjectionConverter) ConvertToStrategy(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (*authtypes.BackendAuthStrategy, error)
ConvertToStrategy converts HeaderInjectionConfig to a BackendAuthStrategy with typed fields. The header value will be added by ResolveSecrets when using discovered mode.
func (*HeaderInjectionConverter) ResolveSecrets
func (*HeaderInjectionConverter) ResolveSecrets(ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, k8sClient client.Client, namespace string, strategy *authtypes.BackendAuthStrategy) (*authtypes.BackendAuthStrategy, error)
ResolveSecrets fetches the header value secret from Kubernetes and sets it in the strategy. Unlike token exchange, which can use environment variables in non-discovered mode, header injection always requires dynamic secret resolution because backends can be added or modified at runtime, even in non-discovered mode. The vMCP pod cannot know all backend auth configs at pod creation time.
func (*HeaderInjectionConverter) StrategyType
func (*HeaderInjectionConverter) StrategyType() string
StrategyType returns the vMCP strategy type for header injection.
type Registry
type Registry struct {
    // contains filtered or unexported fields
}
Registry holds registered strategy converters.
func DefaultRegistry
func DefaultRegistry() *Registry
DefaultRegistry returns the singleton default registry with all built-in converters registered. This registry is lazily initialized once and reused across all calls.
func NewRegistry
func NewRegistry() *Registry
NewRegistry creates a new converter registry with all built-in converters registered. For most use cases, use DefaultRegistry() instead to avoid unnecessary allocations.
func (*Registry) GetConverter
func (r *Registry) GetConverter(authType mcpv1alpha1.ExternalAuthType) (StrategyConverter, error)
GetConverter retrieves a converter by auth type.
func (*Registry) Register
func (r *Registry) Register(authType mcpv1alpha1.ExternalAuthType, converter StrategyConverter)
Register adds a converter to the registry.
type StrategyConverter
type StrategyConverter interface {
    // StrategyType returns the vMCP strategy type identifier (e.g., "token_exchange", "header_injection")
    StrategyType() string

    // ConvertToStrategy converts an MCPExternalAuthConfig to a BackendAuthStrategy with typed fields.
    // Secret references should be represented as environment variable names (e.g., "TOOLHIVE_*")
    // that will be resolved later by ResolveSecrets or at runtime.
    ConvertToStrategy(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (*authtypes.BackendAuthStrategy, error)

    // ResolveSecrets fetches secrets from Kubernetes and replaces environment variable references
    // with actual secret values in the strategy configuration. This is used in discovered auth mode where
    // secrets cannot be mounted as environment variables because the vMCP pod doesn't know
    // about backend auth configs at pod creation time.
    //
    // For non-discovered mode (where secrets are mounted as env vars), this is typically a no-op.
    ResolveSecrets(
        ctx context.Context,
        externalAuth *mcpv1alpha1.MCPExternalAuthConfig,
        k8sClient client.Client,
        namespace string,
        strategy *authtypes.BackendAuthStrategy,
    ) (*authtypes.BackendAuthStrategy, error)
}
StrategyConverter defines the interface for converting external auth configs to BackendAuthStrategy. Each auth type (e.g., token exchange, header injection) implements this interface.
type TokenExchangeConverter
type TokenExchangeConverter struct{}
TokenExchangeConverter converts MCPExternalAuthConfig TokenExchange to vMCP token_exchange strategy.
func (*TokenExchangeConverter) ConvertToStrategy (added in v0.6.10)
func (*TokenExchangeConverter) ConvertToStrategy(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (*authtypes.BackendAuthStrategy, error)
ConvertToStrategy converts TokenExchangeConfig to a BackendAuthStrategy with typed fields. Secret references are represented as environment variable names that will be resolved by ResolveSecrets.
func (*TokenExchangeConverter) ResolveSecrets
func (*TokenExchangeConverter) ResolveSecrets(ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, k8sClient client.Client, namespace string, strategy *authtypes.BackendAuthStrategy) (*authtypes.BackendAuthStrategy, error)
ResolveSecrets fetches the client secret from Kubernetes and sets it in the strategy. Unlike non-discovered mode, where secrets can be mounted as environment variables at pod creation time, discovered mode requires dynamic secret resolution because the vMCP pod doesn't know about backend auth configs at pod creation time.
This method:
- Checks if ClientSecretEnv is set in the strategy
- Fetches the referenced Kubernetes secret
- Replaces ClientSecretEnv with ClientSecret containing the actual value
If ClientSecretEnv is not set, the strategy is returned unchanged.
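The three steps listed above, modelled as an added example that is not the package's own code. Strategy, SecretRef, SecretStore and ErrSecretMissing are hypothetical stand-ins for authtypes.BackendAuthStrategy, the config's secret reference and the Kubernetes client; the secret value and env var name are constructed. Beyond the page's steps, this sketch fails closed on a missing secret, returns a copy, and redacts the resolved value when printed.

```go
package main

import (
	"errors"
	"fmt"
)

// Strategy is a simplified stand-in for authtypes.BackendAuthStrategy; only the
// two field names mentioned on this page are modelled.
type Strategy struct {
	ClientSecretEnv string // env var name emitted by ConvertToStrategy
	ClientSecret    string // plaintext value, set only after resolution
}

// String redacts the secret so a resolved strategy can be logged safely.
func (s Strategy) String() string {
	red := ""
	if s.ClientSecret != "" {
		red = "[REDACTED]"
	}
	return fmt.Sprintf("{ClientSecretEnv:%q ClientSecret:%s}", s.ClientSecretEnv, red)
}

// SecretRef and SecretStore are hypothetical stand-ins for the config's secret reference and the k8s client.
type SecretRef struct{ Name, Key string }
type SecretStore map[string]map[string][]byte

var ErrSecretMissing = errors.New("referenced secret or key not found or empty")

// ResolveClientSecret follows the three steps listed above and fails closed.
func ResolveClientSecret(store SecretStore, ref SecretRef, in *Strategy) (*Strategy, error) {
	if in == nil || in.ClientSecretEnv == "" {
		return in, nil // nothing to resolve: strategy returned unchanged
	}
	val, ok := store[ref.Name][ref.Key]
	if !ok || len(val) == 0 {
		return nil, fmt.Errorf("secret %s/%s: %w", ref.Name, ref.Key, ErrSecretMissing)
	}
	out := *in // copy so the caller's env-var form is not mutated
	out.ClientSecret, out.ClientSecretEnv = string(val), ""
	return &out, nil
}

func main() {
	store := SecretStore{"oauth-client": {"client-secret": []byte("s3cr3t-constructed")}} // constructed sample
	ref := SecretRef{Name: "oauth-client", Key: "client-secret"}
	s, err := ResolveClientSecret(store, ref, &Strategy{ClientSecretEnv: "TOOLHIVE_EXAMPLE_SECRET"})
	fmt.Println(s, err)
}
```

The error path names the secret and key but never the value, so it is safe to surface in controller logs.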
func (*TokenExchangeConverter) StrategyType
func (*TokenExchangeConverter) StrategyType() string
StrategyType returns the vMCP strategy type for token exchange.