converters

package
v0.6.16
Warning

This package is not in the latest version of its module.
Published: Jan 2, 2026 License: Apache-2.0 Imports: 8 Imported by: 0

Documentation

Overview

Package converters provides functions to convert external authentication configurations to typed vMCP BackendAuthStrategy configurations.

Package converters provides strategy-specific converters for external authentication configurations.

Package converters provides a registry for converting external authentication configurations to vMCP auth strategy metadata.

Functions

func ConvertToStrategy added in v0.6.10

func ConvertToStrategy(
	externalAuth *mcpv1alpha1.MCPExternalAuthConfig,
) (*authtypes.BackendAuthStrategy, error)

ConvertToStrategy is a convenience function that uses the default registry to convert an external auth config to a BackendAuthStrategy with typed fields. This is the main entry point for converting auth configs at runtime.

func DiscoverAndResolveAuth

func DiscoverAndResolveAuth(
	ctx context.Context,
	externalAuthConfigRef *mcpv1alpha1.ExternalAuthConfigRef,
	namespace string,
	k8sClient client.Client,
) (*authtypes.BackendAuthStrategy, error)

DiscoverAndResolveAuth discovers authentication configuration from an MCPServer's ExternalAuthConfigRef and resolves it to a BackendAuthStrategy with typed fields. This is the main entry point for auth discovery from Kubernetes.

Returns:

  • strategy: The resolved BackendAuthStrategy with typed fields and secrets fetched from Kubernetes
  • error: Any error that occurred during discovery or resolution

Returns nil strategy and nil error if externalAuthConfigRef is nil (no auth configured).

func ResolveSecretsForStrategy

func ResolveSecretsForStrategy(
	ctx context.Context,
	externalAuth *mcpv1alpha1.MCPExternalAuthConfig,
	k8sClient client.Client,
	namespace string,
	strategy *authtypes.BackendAuthStrategy,
) (*authtypes.BackendAuthStrategy, error)

ResolveSecretsForStrategy is a convenience function that uses the default registry to resolve secrets for a given strategy.

Types

type HeaderInjectionConverter

type HeaderInjectionConverter struct{}

HeaderInjectionConverter converts MCPExternalAuthConfig HeaderInjection to vMCP header_injection strategy.

func (*HeaderInjectionConverter) ConvertToStrategy added in v0.6.10

ConvertToStrategy converts HeaderInjectionConfig to a BackendAuthStrategy with typed fields. It sets HeaderValueEnv when ValueSecretRef is present, similar to token exchange. Secrets are mounted as environment variables, not resolved into the ConfigMap.

func (*HeaderInjectionConverter) ResolveSecrets

ResolveSecrets fetches the header value secret from Kubernetes and sets it in the strategy. This is used for runtime discovery in the vmcp binary where secrets cannot be mounted as environment variables because backends are discovered dynamically at runtime. For operator-managed ConfigMaps (inline mode), secrets are mounted as env vars instead (see ConvertToStrategy).

func (*HeaderInjectionConverter) StrategyType

func (*HeaderInjectionConverter) StrategyType() string

StrategyType returns the vMCP strategy type for header injection.

type Registry

type Registry struct {
	// contains filtered or unexported fields
}

Registry holds registered strategy converters.

func DefaultRegistry

func DefaultRegistry() *Registry

DefaultRegistry returns the singleton default registry with all built-in converters registered. This registry is lazily initialized once and reused across all calls.

func NewRegistry

func NewRegistry() *Registry

NewRegistry creates a new converter registry with all built-in converters registered. For most use cases, use DefaultRegistry() instead to avoid unnecessary allocations.

func (*Registry) GetConverter

func (r *Registry) GetConverter(authType mcpv1alpha1.ExternalAuthType) (StrategyConverter, error)

GetConverter retrieves a converter by auth type.

func (*Registry) Register

func (r *Registry) Register(authType mcpv1alpha1.ExternalAuthType, converter StrategyConverter)

Register adds a converter to the registry.

type StrategyConverter

type StrategyConverter interface {
	// StrategyType returns the vMCP strategy type identifier (e.g., "token_exchange", "header_injection")
	StrategyType() string

	// ConvertToStrategy converts an MCPExternalAuthConfig to a BackendAuthStrategy with typed fields.
	// Secret references should be represented as environment variable names (e.g., "TOOLHIVE_*")
	// that will be resolved later by ResolveSecrets or at runtime.
	ConvertToStrategy(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (*authtypes.BackendAuthStrategy, error)

	// ResolveSecrets fetches secrets from Kubernetes and replaces environment variable references
	// with actual secret values in the strategy configuration. This is used in discovered auth mode where
	// secrets cannot be mounted as environment variables because the vMCP pod doesn't know
	// about backend auth configs at pod creation time.
	//
	// For non-discovered mode (where secrets are mounted as env vars), this is typically a no-op.
	ResolveSecrets(
		ctx context.Context,
		externalAuth *mcpv1alpha1.MCPExternalAuthConfig,
		k8sClient client.Client,
		namespace string,
		strategy *authtypes.BackendAuthStrategy,
	) (*authtypes.BackendAuthStrategy, error)
}

StrategyConverter defines the interface for converting external auth configs to BackendAuthStrategy. Each auth type (e.g., token exchange, header injection) implements this interface.

type TokenExchangeConverter

type TokenExchangeConverter struct{}

TokenExchangeConverter converts MCPExternalAuthConfig TokenExchange to vMCP token_exchange strategy.

func (*TokenExchangeConverter) ConvertToStrategy added in v0.6.10

ConvertToStrategy converts TokenExchangeConfig to a BackendAuthStrategy with typed fields. Secret references are represented as environment variable names that will be resolved by ResolveSecrets.

func (*TokenExchangeConverter) ResolveSecrets

ResolveSecrets fetches the client secret from Kubernetes and sets it in the strategy. Unlike non-discovered mode where secrets can be mounted as environment variables at pod creation time, discovered mode requires dynamic secret resolution because the vMCP pod doesn't know about backend auth configs at pod creation time.

This method:

  1. Checks if ClientSecretEnv is set in the strategy
  2. Fetches the referenced Kubernetes secret
  3. Replaces ClientSecretEnv with ClientSecret containing the actual value

If ClientSecretEnv is not set, the strategy is returned unchanged.
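
The three steps above, modelled as an added example that is not ToolHive's own code. Only the field names ClientSecretEnv and ClientSecret come from this page; the stand-in types, the secretGetter lookup, the sample secret and the choices to return a copy and to reject an empty value are assumptions of the example.

```go
package main

import (
	"errors"
	"fmt"
)

// Stand-in for the token-exchange part of a strategy; only the field names
// ClientSecretEnv and ClientSecret are taken from the package docs.
type tokenExchange struct {
	ClientID        string
	ClientSecretEnv string // reference only: safe to write to a ConfigMap
	ClientSecret    string // secret material: must stay in memory
}

// secretGetter is a hypothetical stand-in for a Kubernetes Secret lookup.
type secretGetter func(namespace, name, key string) (string, error)

// secretRef is a hypothetical stand-in for the secret reference in the CRD.
type secretRef struct{ Name, Key string }

// resolveSecrets follows the three documented steps on a copy of the input.
func resolveSecrets(in *tokenExchange, ref secretRef, ns string, get secretGetter) (*tokenExchange, error) {
	if in == nil || in.ClientSecretEnv == "" { // step 1: nothing to resolve
		return in, nil
	}
	val, err := get(ns, ref.Name, ref.Key) // step 2: fetch the secret
	if err != nil {
		return nil, fmt.Errorf("resolve client secret %s/%s: %w", ns, ref.Name, err)
	}
	if val == "" { // example's choice: never hand back an empty credential
		return nil, errors.New("client secret is empty")
	}
	out := *in // step 3: swap the reference for the value
	out.ClientSecretEnv, out.ClientSecret = "", val
	return &out, nil
}

// fakeStore is constructed sample data standing in for the cluster.
func fakeStore(ns, name, key string) (string, error) {
	if ns == "demo" && name == "backend-oauth" && key == "client-secret" {
		return "s3cr3t-constructed", nil
	}
	return "", errors.New("secret not found")
}

func main() {
	converted := &tokenExchange{ClientID: "vmcp", ClientSecretEnv: "TOOLHIVE_EXAMPLE_CLIENT_SECRET"}
	resolved, err := resolveSecrets(converted, secretRef{"backend-oauth", "client-secret"}, "demo", fakeStore)
	fmt.Println(converted.ClientSecret == "", resolved.ClientSecretEnv == "", err)
}
```

The converted value is the only form that should ever be serialized; the resolved copy carries the credential and belongs in process memory only.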

func (*TokenExchangeConverter) StrategyType

func (*TokenExchangeConverter) StrategyType() string

StrategyType returns the vMCP strategy type for token exchange.

type UnauthenticatedConverter added in v0.6.12

type UnauthenticatedConverter struct{}

UnauthenticatedConverter converts unauthenticated external auth configs to BackendAuthStrategy. This converter handles the case where no authentication is required for a backend.

func (*UnauthenticatedConverter) ConvertToStrategy added in v0.6.12

ConvertToStrategy converts an MCPExternalAuthConfig with type "unauthenticated" to a BackendAuthStrategy. Since unauthenticated requires no configuration, this simply returns a strategy with the correct type.

func (*UnauthenticatedConverter) ResolveSecrets added in v0.6.12

ResolveSecrets is a no-op for unauthenticated strategy since there are no secrets to resolve.

func (*UnauthenticatedConverter) StrategyType added in v0.6.12

func (*UnauthenticatedConverter) StrategyType() string

StrategyType returns the vMCP strategy type identifier for unauthenticated auth.
