Merge branch 'main' into issue-4729

Author: yrobla

cmd/thv-operator/api/v1alpha1/mcpoidcconfig_types.go

@@ -127,12 +127,16 @@ type InlineOIDCSharedConfig struct {
 	// +optional
 	JWKSAuthTokenPath string `json:"jwksAuthTokenPath,omitempty"`
 
-	// JWKSAllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses
+	// JWKSAllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses.
+	// Note: at runtime, if either JWKSAllowPrivateIP or ProtectedResourceAllowPrivateIP
+	// is true, private IPs are allowed for all OIDC HTTP requests (JWKS, discovery, introspection).
 	// +kubebuilder:default=false
 	// +optional
 	JWKSAllowPrivateIP bool `json:"jwksAllowPrivateIP"`
 
-	// ProtectedResourceAllowPrivateIP allows protected resource endpoint on private IP addresses
+	// ProtectedResourceAllowPrivateIP allows protected resource endpoint on private IP addresses.
+	// Note: at runtime, if either ProtectedResourceAllowPrivateIP or JWKSAllowPrivateIP
+	// is true, private IPs are allowed for all OIDC HTTP requests (JWKS, discovery, introspection).
 	// +kubebuilder:default=false
 	// +optional
 	ProtectedResourceAllowPrivateIP bool `json:"protectedResourceAllowPrivateIP"`

cmd/thv-operator/api/v1alpha1/mcpserver_types.go

@@ -815,14 +815,18 @@ type InlineOIDCConfig struct {
 	// +optional
 	JWKSAuthTokenPath string `json:"jwksAuthTokenPath,omitempty"`
 
-	// JWKSAllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses
-	// Use with caution - only enable for trusted internal IDPs
+	// JWKSAllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses.
+	// Use with caution - only enable for trusted internal IDPs.
+	// Note: at runtime, if either JWKSAllowPrivateIP or ProtectedResourceAllowPrivateIP
+	// is true, private IPs are allowed for all OIDC HTTP requests (JWKS, discovery, introspection).
 	// +kubebuilder:default=false
 	// +optional
 	JWKSAllowPrivateIP bool `json:"jwksAllowPrivateIP"`
 
-	// ProtectedResourceAllowPrivateIP allows protected resource endpoint on private IP addresses
-	// Use with caution - only enable for trusted internal IDPs or testing
+	// ProtectedResourceAllowPrivateIP allows protected resource endpoint on private IP addresses.
+	// Use with caution - only enable for trusted internal IDPs or testing.
+	// Note: at runtime, if either ProtectedResourceAllowPrivateIP or JWKSAllowPrivateIP
+	// is true, private IPs are allowed for all OIDC HTTP requests (JWKS, discovery, introspection).
 	// +kubebuilder:default=false
 	// +optional
 	ProtectedResourceAllowPrivateIP bool `json:"protectedResourceAllowPrivateIP"`

cmd/thv-operator/pkg/oidc/resolver.go

@@ -25,22 +25,24 @@ const (
 	defaultK8sTokenPath    = "/var/run/secrets/kubernetes.io/serviceaccount/token" //nolint:gosec
 	defaultK8sIssuer       = "https://kubernetes.default.svc"
 	defaultK8sAudience     = "toolhive"
+	configMapBoolTrue      = "true"
 )
 
 // OIDCConfig represents the resolved OIDC configuration values
 type OIDCConfig struct { //nolint:revive // Keeping OIDCConfig name for backward compatibility
-	Issuer             string
-	Audience           string
-	JWKSURL            string
-	IntrospectionURL   string
-	ClientID           string
-	ClientSecret       string // #nosec G117 -- not a hardcoded credential, populated at runtime from config
-	ThvCABundlePath    string
-	JWKSAuthTokenPath  string
-	ResourceURL        string
-	JWKSAllowPrivateIP bool
-	InsecureAllowHTTP  bool
-	Scopes             []string
+	Issuer                          string
+	Audience                        string
+	JWKSURL                         string
+	IntrospectionURL                string
+	ClientID                        string
+	ClientSecret                    string // #nosec G117 -- not a hardcoded credential, populated at runtime from config
+	ThvCABundlePath                 string
+	JWKSAuthTokenPath               string
+	ResourceURL                     string
+	JWKSAllowPrivateIP              bool
+	ProtectedResourceAllowPrivateIP bool
+	InsecureAllowHTTP               bool
+	Scopes                          []string
 }
 
 // OIDCConfigurable is an interface for resources that have OIDC configuration
@@ -198,17 +200,18 @@ func (*resolver) resolveFromInlineSharedConfig(
 	}
 
 	return &OIDCConfig{
-		Issuer:             config.Issuer,
-		Audience:           ref.Audience,
-		JWKSURL:            config.JWKSURL,
-		IntrospectionURL:   config.IntrospectionURL,
-		ClientID:           config.ClientID,
-		ThvCABundlePath:    computeCABundlePath(config.CABundleRef),
-		JWKSAuthTokenPath:  config.JWKSAuthTokenPath,
-		ResourceURL:        resourceURL,
-		JWKSAllowPrivateIP: config.JWKSAllowPrivateIP,
-		InsecureAllowHTTP:  config.InsecureAllowHTTP,
-		Scopes:             ref.Scopes,
+		Issuer:                          config.Issuer,
+		Audience:                        ref.Audience,
+		JWKSURL:                         config.JWKSURL,
+		IntrospectionURL:                config.IntrospectionURL,
+		ClientID:                        config.ClientID,
+		ThvCABundlePath:                 computeCABundlePath(config.CABundleRef),
+		JWKSAuthTokenPath:               config.JWKSAuthTokenPath,
+		ResourceURL:                     resourceURL,
+		JWKSAllowPrivateIP:              config.JWKSAllowPrivateIP,
+		ProtectedResourceAllowPrivateIP: config.ProtectedResourceAllowPrivateIP,
+		InsecureAllowHTTP:               config.InsecureAllowHTTP,
+		Scopes:                          ref.Scopes,
 	}, nil
 }
 
@@ -311,10 +314,13 @@ func (r *resolver) resolveConfigMapConfig(
 	config.JWKSAuthTokenPath = getMapValue(configMap.Data, "jwksAuthTokenPath")
 
 	// Handle boolean values
-	if v, exists := configMap.Data["jwksAllowPrivateIP"]; exists && v == "true" {
+	if v, exists := configMap.Data["jwksAllowPrivateIP"]; exists && v == configMapBoolTrue {
 		config.JWKSAllowPrivateIP = true
 	}
-	if v, exists := configMap.Data["insecureAllowHTTP"]; exists && v == "true" {
+	if v, exists := configMap.Data["protectedResourceAllowPrivateIP"]; exists && v == configMapBoolTrue {
+		config.ProtectedResourceAllowPrivateIP = true
+	}
+	if v, exists := configMap.Data["insecureAllowHTTP"]; exists && v == configMapBoolTrue {
 		config.InsecureAllowHTTP = true
 	}
 
@@ -344,17 +350,18 @@ func (*resolver) resolveInlineConfig(
 	}
 
 	return &OIDCConfig{
-		Issuer:             config.Issuer,
-		Audience:           config.Audience,
-		JWKSURL:            config.JWKSURL,
-		IntrospectionURL:   config.IntrospectionURL,
-		ClientID:           config.ClientID,
-		ThvCABundlePath:    computeCABundlePath(config.CABundleRef),
-		JWKSAuthTokenPath:  config.JWKSAuthTokenPath,
-		ResourceURL:        resourceURL,
-		JWKSAllowPrivateIP: config.JWKSAllowPrivateIP,
-		InsecureAllowHTTP:  config.InsecureAllowHTTP,
-		Scopes:             config.Scopes,
+		Issuer:                          config.Issuer,
+		Audience:                        config.Audience,
+		JWKSURL:                         config.JWKSURL,
+		IntrospectionURL:                config.IntrospectionURL,
+		ClientID:                        config.ClientID,
+		ThvCABundlePath:                 computeCABundlePath(config.CABundleRef),
+		JWKSAuthTokenPath:               config.JWKSAuthTokenPath,
+		ResourceURL:                     resourceURL,
+		JWKSAllowPrivateIP:              config.JWKSAllowPrivateIP,
+		ProtectedResourceAllowPrivateIP: config.ProtectedResourceAllowPrivateIP,
+		InsecureAllowHTTP:               config.InsecureAllowHTTP,
+		Scopes:                          config.Scopes,
 	}, nil
 }
 

cmd/thv-operator/pkg/oidc/resolver_configref_test.go

@@ -154,6 +154,31 @@ func TestResolveFromConfigRef_InlineType(t *testing.T) {
 				Scopes:      []string{"openid", "email"},
 			},
 		},
+		{
+			name: "protectedResourceAllowPrivateIP propagated from shared inline config",
+			ref: &mcpv1alpha1.MCPOIDCConfigReference{
+				Name: "i", Audience: "inline-aud",
+			},
+			oidcCfg: &mcpv1alpha1.MCPOIDCConfig{
+				Spec: mcpv1alpha1.MCPOIDCConfigSpec{
+					Type: mcpv1alpha1.MCPOIDCConfigTypeInline,
+					Inline: &mcpv1alpha1.InlineOIDCSharedConfig{
+						Issuer:                          "https://accounts.google.com",
+						ClientID:                        "gid",
+						ProtectedResourceAllowPrivateIP: true,
+						JWKSAllowPrivateIP:              false,
+					},
+				},
+			},
+			expected: &OIDCConfig{
+				Issuer:                          "https://accounts.google.com",
+				Audience:                        "inline-aud",
+				ClientID:                        "gid",
+				ResourceURL:                     "http://srv.default.svc.cluster.local:8080",
+				ProtectedResourceAllowPrivateIP: true,
+				JWKSAllowPrivateIP:              false,
+			},
+		},
 		{
 			name: "nil inline config returns nil",
 			ref: &mcpv1alpha1.MCPOIDCConfigReference{

cmd/thv-operator/pkg/oidc/resolver_test.go

@@ -168,28 +168,30 @@ func TestResolve_ConfigMapType(t *testing.T) {
 					Namespace: "test-ns",
 				},
 				Data: map[string]string{
-					"issuer":             "https://auth.example.com",
-					"audience":           "test-audience",
-					"jwksUrl":            "https://auth.example.com/.well-known/jwks.json",
-					"introspectionUrl":   "https://auth.example.com/introspect",
-					"clientId":           "test-client",
-					"clientSecret":       "test-secret",
-					"thvCABundlePath":    "/etc/ssl/ca.pem",
-					"jwksAuthTokenPath":  "/etc/auth/token",
-					"jwksAllowPrivateIP": "true",
+					"issuer":                          "https://auth.example.com",
+					"audience":                        "test-audience",
+					"jwksUrl":                         "https://auth.example.com/.well-known/jwks.json",
+					"introspectionUrl":                "https://auth.example.com/introspect",
+					"clientId":                        "test-client",
+					"clientSecret":                    "test-secret",
+					"thvCABundlePath":                 "/etc/ssl/ca.pem",
+					"jwksAuthTokenPath":               "/etc/auth/token",
+					"jwksAllowPrivateIP":              "true",
+					"protectedResourceAllowPrivateIP": "true",
 				},
 			},
 			expected: &OIDCConfig{
-				Issuer:             "https://auth.example.com",
-				Audience:           "test-audience",
-				JWKSURL:            "https://auth.example.com/.well-known/jwks.json",
-				IntrospectionURL:   "https://auth.example.com/introspect",
-				ClientID:           "test-client",
-				ClientSecret:       "test-secret",
-				ThvCABundlePath:    "/etc/ssl/ca.pem",
-				JWKSAuthTokenPath:  "/etc/auth/token",
-				ResourceURL:        "http://test-server.test-ns.svc.cluster.local:8080",
-				JWKSAllowPrivateIP: true,
+				Issuer:                          "https://auth.example.com",
+				Audience:                        "test-audience",
+				JWKSURL:                         "https://auth.example.com/.well-known/jwks.json",
+				IntrospectionURL:                "https://auth.example.com/introspect",
+				ClientID:                        "test-client",
+				ClientSecret:                    "test-secret",
+				ThvCABundlePath:                 "/etc/ssl/ca.pem",
+				JWKSAuthTokenPath:               "/etc/auth/token",
+				ResourceURL:                     "http://test-server.test-ns.svc.cluster.local:8080",
+				JWKSAllowPrivateIP:              true,
+				ProtectedResourceAllowPrivateIP: true,
 			},
 		},
 		{
@@ -227,6 +229,43 @@ func TestResolve_ConfigMapType(t *testing.T) {
 				JWKSAllowPrivateIP: false,
 			},
 		},
+		{
+			name: "configmap with jwksAllowPrivateIP independent of protectedResourceAllowPrivateIP",
+			mcpServer: &mcpv1alpha1.MCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "independent-server",
+					Namespace: "test-ns",
+				},
+				Spec: mcpv1alpha1.MCPServerSpec{
+					ProxyPort: 8080,
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
+						Type: mcpv1alpha1.OIDCConfigTypeConfigMap,
+						ConfigMap: &mcpv1alpha1.ConfigMapOIDCRef{
+							Name: "independent-config",
+						},
+					},
+				},
+			},
+			configMap: &corev1.ConfigMap{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "independent-config",
+					Namespace: "test-ns",
+				},
+				Data: map[string]string{
+					"issuer":             "https://auth.example.com",
+					"audience":           "test-audience",
+					"jwksAllowPrivateIP": "true",
+					// protectedResourceAllowPrivateIP intentionally absent
+				},
+			},
+			expected: &OIDCConfig{
+				Issuer:                          "https://auth.example.com",
+				Audience:                        "test-audience",
+				ResourceURL:                     "http://independent-server.test-ns.svc.cluster.local:8080",
+				JWKSAllowPrivateIP:              true,
+				ProtectedResourceAllowPrivateIP: false,
+			},
+		},
 		{
 			name: "configmap with insecureAllowHTTP enabled",
 			mcpServer: &mcpv1alpha1.MCPServer{
@@ -513,22 +552,24 @@ func TestResolve_InlineType(t *testing.T) {
 									LocalObjectReference: corev1.LocalObjectReference{Name: "inline-ca"},
 								},
 							},
-							JWKSAuthTokenPath:  "/etc/auth/inline-token",
-							JWKSAllowPrivateIP: true,
+							JWKSAuthTokenPath:               "/etc/auth/inline-token",
+							JWKSAllowPrivateIP:              true,
+							ProtectedResourceAllowPrivateIP: true,
 						},
 					},
 				},
 			},
 			expected: &OIDCConfig{
-				Issuer:             "https://inline.example.com",
-				Audience:           "inline-audience",
-				JWKSURL:            "https://inline.example.com/.well-known/jwks.json",
-				IntrospectionURL:   "https://inline.example.com/introspect",
-				ClientID:           "inline-client",
-				ThvCABundlePath:    "/config/certs/inline-ca/ca.crt",
-				JWKSAuthTokenPath:  "/etc/auth/inline-token",
-				ResourceURL:        "http://test-server.test-ns.svc.cluster.local:8080",
-				JWKSAllowPrivateIP: true,
+				Issuer:                          "https://inline.example.com",
+				Audience:                        "inline-audience",
+				JWKSURL:                         "https://inline.example.com/.well-known/jwks.json",
+				IntrospectionURL:                "https://inline.example.com/introspect",
+				ClientID:                        "inline-client",
+				ThvCABundlePath:                 "/config/certs/inline-ca/ca.crt",
+				JWKSAuthTokenPath:               "/etc/auth/inline-token",
+				ResourceURL:                     "http://test-server.test-ns.svc.cluster.local:8080",
+				JWKSAllowPrivateIP:              true,
+				ProtectedResourceAllowPrivateIP: true,
 			},
 		},
 		{
@@ -586,6 +627,34 @@ func TestResolve_InlineType(t *testing.T) {
 				InsecureAllowHTTP:  true,
 			},
 		},
+		{
+			name: "inline with protectedResourceAllowPrivateIP independent of jwksAllowPrivateIP",
+			mcpServer: &mcpv1alpha1.MCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "protected-resource-server",
+					Namespace: "test-ns",
+				},
+				Spec: mcpv1alpha1.MCPServerSpec{
+					ProxyPort: 8080,
+					OIDCConfig: &mcpv1alpha1.OIDCConfigRef{
+						Type: mcpv1alpha1.OIDCConfigTypeInline,
+						Inline: &mcpv1alpha1.InlineOIDCConfig{
+							Issuer:                          "https://auth.example.com",
+							Audience:                        "test-audience",
+							ProtectedResourceAllowPrivateIP: true,
+							JWKSAllowPrivateIP:              false,
+						},
+					},
+				},
+			},
+			expected: &OIDCConfig{
+				Issuer:                          "https://auth.example.com",
+				Audience:                        "test-audience",
+				ResourceURL:                     "http://protected-resource-server.test-ns.svc.cluster.local:8080",
+				ProtectedResourceAllowPrivateIP: true,
+				JWKSAllowPrivateIP:              false,
+			},
+		},
 		{
 			name: "inline with scopes",
 			mcpServer: &mcpv1alpha1.MCPServer{

cmd/thv-operator/pkg/vmcpconfig/converter.go

@@ -276,7 +276,8 @@ func mapResolvedOIDCToVmcpConfig(
 		Resource:                        resolved.ResourceURL,
 		JWKSURL:                         resolved.JWKSURL,
 		IntrospectionURL:                resolved.IntrospectionURL,
-		ProtectedResourceAllowPrivateIP: resolved.JWKSAllowPrivateIP,
+		ProtectedResourceAllowPrivateIP: resolved.ProtectedResourceAllowPrivateIP,
+		JwksAllowPrivateIP:              resolved.JWKSAllowPrivateIP,
 		InsecureAllowHTTP:               resolved.InsecureAllowHTTP,
 		Scopes:                          resolved.Scopes,
 	}
@@ -319,7 +320,10 @@ func mapResolvedOIDCToVmcpConfigFromRef(
 		ClientID:                        resolved.ClientID,
 		Audience:                        resolved.Audience,
 		Resource:                        resolved.ResourceURL,
-		ProtectedResourceAllowPrivateIP: resolved.JWKSAllowPrivateIP,
+		JWKSURL:                         resolved.JWKSURL,
+		IntrospectionURL:                resolved.IntrospectionURL,
+		ProtectedResourceAllowPrivateIP: resolved.ProtectedResourceAllowPrivateIP,
+		JwksAllowPrivateIP:              resolved.JWKSAllowPrivateIP,
 		InsecureAllowHTTP:               resolved.InsecureAllowHTTP,
 		Scopes:                          resolved.Scopes,
 	}