Documentation
¶
Overview ¶
Package converters provides functions to convert external authentication configurations to vMCP auth strategy metadata.
Package converters provides strategy-specific converters for external authentication configurations.
Package converters provides a registry for converting external authentication configurations to vMCP auth strategy metadata.
Package converters provides strategy-specific converters for external authentication configurations.
Index ¶
- func ConvertToStrategyMetadata(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (strategyType string, metadata map[string]any, err error)
- func DiscoverAndResolveAuth(ctx context.Context, externalAuthConfigRef *mcpv1alpha1.ExternalAuthConfigRef, ...) (strategyType string, metadata map[string]any, err error)
- func ResolveSecretsForStrategy(ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, ...) (map[string]any, error)
- type HeaderInjectionConverter
- func (*HeaderInjectionConverter) ConvertToMetadata(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (map[string]any, error)
- func (*HeaderInjectionConverter) ResolveSecrets(ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, ...) (map[string]any, error)
- func (*HeaderInjectionConverter) StrategyType() string
- type Registry
- type StrategyConverter
- type TokenExchangeConverter
- func (*TokenExchangeConverter) ConvertToMetadata(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (map[string]any, error)
- func (*TokenExchangeConverter) ResolveSecrets(ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, ...) (map[string]any, error)
- func (*TokenExchangeConverter) StrategyType() string
Constants ¶
This section is empty.
Variables ¶
This section is empty.
Functions ¶
func ConvertToStrategyMetadata ¶
func ConvertToStrategyMetadata( externalAuth *mcpv1alpha1.MCPExternalAuthConfig, ) (strategyType string, metadata map[string]any, err error)
ConvertToStrategyMetadata is a convenience function that uses the default registry to convert an external auth config to strategy metadata. This is the main entry point for converting auth configs at runtime.
func DiscoverAndResolveAuth ¶
func DiscoverAndResolveAuth( ctx context.Context, externalAuthConfigRef *mcpv1alpha1.ExternalAuthConfigRef, namespace string, k8sClient client.Client, ) (strategyType string, metadata map[string]any, err error)
DiscoverAndResolveAuth discovers authentication configuration from an MCPServer's ExternalAuthConfigRef and resolves it to a strategy type and metadata. This is the main entry point for auth discovery from Kubernetes.
Returns:
- strategyType: The auth strategy type (e.g., "token_exchange", "header_injection")
- metadata: The resolved auth metadata with secrets fetched from Kubernetes
- error: Any error that occurred during discovery or resolution
Returns empty string and nil if externalAuthConfigRef is nil (no auth configured).
func ResolveSecretsForStrategy ¶
func ResolveSecretsForStrategy( ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, k8sClient client.Client, namespace string, metadata map[string]any, ) (map[string]any, error)
ResolveSecretsForStrategy is a convenience function that uses the default registry to resolve secrets for a given strategy.
Types ¶
type HeaderInjectionConverter ¶
type HeaderInjectionConverter struct{}
HeaderInjectionConverter converts MCPExternalAuthConfig HeaderInjection to vMCP header_injection strategy metadata.
func (*HeaderInjectionConverter) ConvertToMetadata ¶
func (*HeaderInjectionConverter) ConvertToMetadata( externalAuth *mcpv1alpha1.MCPExternalAuthConfig, ) (map[string]any, error)
ConvertToMetadata converts HeaderInjectionConfig to header_injection strategy metadata (without secrets resolved). The secret value will be added by ResolveSecrets.
func (*HeaderInjectionConverter) ResolveSecrets ¶
func (*HeaderInjectionConverter) ResolveSecrets( ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, k8sClient client.Client, namespace string, metadata map[string]any, ) (map[string]any, error)
ResolveSecrets fetches the header value secret from Kubernetes and adds it to the metadata. Unlike token exchange which can use environment variables in non-discovered mode, header injection always requires dynamic secret resolution because backends can be added or modified at runtime, even in non-discovered mode. The vMCP pod cannot know all backend auth configs at pod creation time.
func (*HeaderInjectionConverter) StrategyType ¶
func (*HeaderInjectionConverter) StrategyType() string
StrategyType returns the vMCP strategy type for header injection.
type Registry ¶
type Registry struct {
// contains filtered or unexported fields
}
Registry holds registered strategy converters
func DefaultRegistry ¶
func DefaultRegistry() *Registry
DefaultRegistry returns the singleton default registry with all built-in converters registered. This registry is lazily initialized once and reused across all calls.
func NewRegistry ¶
func NewRegistry() *Registry
NewRegistry creates a new converter registry with all built-in converters registered. For most use cases, use DefaultRegistry() instead to avoid unnecessary allocations.
func (*Registry) GetConverter ¶
func (r *Registry) GetConverter(authType mcpv1alpha1.ExternalAuthType) (StrategyConverter, error)
GetConverter retrieves a converter by auth type
func (*Registry) Register ¶
func (r *Registry) Register(authType mcpv1alpha1.ExternalAuthType, converter StrategyConverter)
Register adds a converter to the registry
type StrategyConverter ¶
type StrategyConverter interface {
// StrategyType returns the vMCP strategy type identifier (e.g., "token_exchange", "header_injection")
StrategyType() string
// ConvertToMetadata converts an MCPExternalAuthConfig to strategy metadata.
// Secret references should be represented as environment variable names (e.g., "TOOLHIVE_*")
// that will be resolved later by ResolveSecrets or at runtime.
ConvertToMetadata(externalAuth *mcpv1alpha1.MCPExternalAuthConfig) (map[string]any, error)
// ResolveSecrets fetches secrets from Kubernetes and replaces environment variable references
// with actual secret values in the metadata. This is used in discovered auth mode where
// secrets cannot be mounted as environment variables because the vMCP pod doesn't know
// about backend auth configs at pod creation time.
//
// For non-discovered mode (where secrets are mounted as env vars), this is typically a no-op.
ResolveSecrets(
ctx context.Context,
externalAuth *mcpv1alpha1.MCPExternalAuthConfig,
k8sClient client.Client,
namespace string,
metadata map[string]any,
) (map[string]any, error)
}
StrategyConverter defines the interface for converting external auth configs to strategy metadata. Each auth type (e.g., token exchange, header injection) implements this interface.
type TokenExchangeConverter ¶
type TokenExchangeConverter struct{}
TokenExchangeConverter converts MCPExternalAuthConfig TokenExchange to vMCP token_exchange strategy metadata.
func (*TokenExchangeConverter) ConvertToMetadata ¶
func (*TokenExchangeConverter) ConvertToMetadata( externalAuth *mcpv1alpha1.MCPExternalAuthConfig, ) (map[string]any, error)
ConvertToMetadata converts TokenExchangeConfig to token_exchange strategy metadata (without secrets resolved). Secret references are represented as environment variable names that will be resolved at runtime.
func (*TokenExchangeConverter) ResolveSecrets ¶
func (*TokenExchangeConverter) ResolveSecrets( ctx context.Context, externalAuth *mcpv1alpha1.MCPExternalAuthConfig, k8sClient client.Client, namespace string, metadata map[string]any, ) (map[string]any, error)
ResolveSecrets fetches the client secret from Kubernetes and replaces the env var reference with the actual secret value. Unlike non-discovered mode where secrets can be mounted as environment variables at pod creation time, discovered mode requires dynamic secret resolution because the vMCP pod doesn't know about backend auth configs at pod creation time.
This method:
- Checks if client_secret_env is present in metadata
- Fetches the referenced Kubernetes secret
- Replaces client_secret_env with client_secret containing the actual value
If client_secret_env is not present (or client_secret is already set), metadata is returned unchanged.
func (*TokenExchangeConverter) StrategyType ¶
func (*TokenExchangeConverter) StrategyType() string
StrategyType returns the vMCP strategy type for token exchange.
Source Files