Add options, exposed through operator CRD, to use a CA bundle and authentication when fetching JWKs (#978)

Author: jhrozek

cmd/thv-operator/api/v1alpha1/mcpserver_types.go

@@ -299,9 +299,16 @@ type KubernetesOIDCConfig struct {
 	Issuer string `json:"issuer,omitempty"`
 
 	// JWKSURL is the URL to fetch the JWKS from
-	// +kubebuilder:default="https://kubernetes.default.svc/openid/v1/jwks"
+	// If empty, OIDC discovery will be used to automatically determine the JWKS URL
 	// +optional
 	JWKSURL string `json:"jwksUrl,omitempty"`
+
+	// UseClusterAuth enables using the Kubernetes cluster's CA bundle and service account token
+	// When true, uses /var/run/secrets/kubernetes.io/serviceaccount/ca.crt for TLS verification
+	// and /var/run/secrets/kubernetes.io/serviceaccount/token for bearer token authentication
+	// Defaults to true if not specified
+	// +optional
+	UseClusterAuth *bool `json:"useClusterAuth"`
 }
 
 // ConfigMapOIDCRef references a ConfigMap containing OIDC configuration
@@ -333,6 +340,22 @@ type InlineOIDCConfig struct {
 	// ClientID is deprecated and will be removed in a future release.
 	// +optional
 	ClientID string `json:"clientId,omitempty"`
+
+	// ThvCABundlePath is the path to CA certificate bundle file for HTTPS requests
+	// The file must be mounted into the pod (e.g., via ConfigMap or Secret volume)
+	// +optional
+	ThvCABundlePath string `json:"thvCABundlePath,omitempty"`
+
+	// JWKSAuthTokenPath is the path to file containing bearer token for JWKS/OIDC requests
+	// The file must be mounted into the pod (e.g., via Secret volume)
+	// +optional
+	JWKSAuthTokenPath string `json:"jwksAuthTokenPath,omitempty"`
+
+	// JWKSAllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses
+	// Use with caution - only enable for trusted internal IDPs
+	// +kubebuilder:default=false
+	// +optional
+	JWKSAllowPrivateIP bool `json:"jwksAllowPrivateIP"`
 }
 
 // AuthzConfigRef defines a reference to authorization configuration

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -1147,7 +1147,17 @@ func (*MCPServerReconciler) generateKubernetesOIDCArgs(m *mcpv1alpha1.MCPServer)
 
 	// Set defaults if config is nil
 	if config == nil {
-		config = &mcpv1alpha1.KubernetesOIDCConfig{}
+		logger.Infof("Kubernetes OIDCConfig is nil for MCPServer %s, using default configuration", m.Name)
+		defaultUseClusterAuth := true
+		config = &mcpv1alpha1.KubernetesOIDCConfig{
+			UseClusterAuth: &defaultUseClusterAuth, // Default to true
+		}
+	}
+
+	// Handle UseClusterAuth with default of true if nil
+	useClusterAuth := true // default value
+	if config.UseClusterAuth != nil {
+		useClusterAuth = *config.UseClusterAuth
 	}
 
 	// Issuer (default: https://kubernetes.default.svc)
@@ -1164,18 +1174,27 @@ func (*MCPServerReconciler) generateKubernetesOIDCArgs(m *mcpv1alpha1.MCPServer)
 	}
 	args = append(args, fmt.Sprintf("--oidc-audience=%s", audience))
 
-	// JWKS URL (default: https://kubernetes.default.svc/openid/v1/jwks)
+	// JWKS URL (optional - if empty, thv will use OIDC discovery)
 	jwksURL := config.JWKSURL
-	if jwksURL == "" {
-		jwksURL = "https://kubernetes.default.svc/openid/v1/jwks"
+	if jwksURL != "" {
+		args = append(args, fmt.Sprintf("--oidc-jwks-url=%s", jwksURL))
+	}
+
+	// Add cluster auth flags if enabled (default is true)
+	if useClusterAuth {
+		args = append(args, "--thv-ca-bundle=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt")
+		args = append(args, "--jwks-auth-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token")
+		args = append(args, "--jwks-allow-private-ip")
 	}
-	args = append(args, fmt.Sprintf("--oidc-jwks-url=%s", jwksURL))
 
 	return args
 }
 
 // generateConfigMapOIDCArgs generates OIDC args for ConfigMap-based configuration
-func (r *MCPServerReconciler) generateConfigMapOIDCArgs(ctx context.Context, m *mcpv1alpha1.MCPServer) []string {
+func (r *MCPServerReconciler) generateConfigMapOIDCArgs( // nolint:gocyclo
+	ctx context.Context,
+	m *mcpv1alpha1.MCPServer,
+) []string {
 	var args []string
 	config := m.Spec.OIDCConfig.ConfigMap
 
@@ -1207,6 +1226,15 @@ func (r *MCPServerReconciler) generateConfigMapOIDCArgs(ctx context.Context, m *
 	if clientID, exists := configMap.Data["clientId"]; exists && clientID != "" {
 		args = append(args, fmt.Sprintf("--oidc-client-id=%s", clientID))
 	}
+	if thvCABundlePath, exists := configMap.Data["thvCABundlePath"]; exists && thvCABundlePath != "" {
+		args = append(args, fmt.Sprintf("--thv-ca-bundle=%s", thvCABundlePath))
+	}
+	if jwksAuthTokenPath, exists := configMap.Data["jwksAuthTokenPath"]; exists && jwksAuthTokenPath != "" {
+		args = append(args, fmt.Sprintf("--jwks-auth-token-file=%s", jwksAuthTokenPath))
+	}
+	if jwksAllowPrivateIP, exists := configMap.Data["jwksAllowPrivateIP"]; exists && jwksAllowPrivateIP == "true" {
+		args = append(args, "--jwks-allow-private-ip")
+	}
 
 	return args
 }
@@ -1235,6 +1263,21 @@ func (*MCPServerReconciler) generateInlineOIDCArgs(m *mcpv1alpha1.MCPServer) []s
 		args = append(args, fmt.Sprintf("--oidc-jwks-url=%s", config.JWKSURL))
 	}
 
+	// CA Bundle path (optional)
+	if config.ThvCABundlePath != "" {
+		args = append(args, fmt.Sprintf("--thv-ca-bundle=%s", config.ThvCABundlePath))
+	}
+
+	// Auth token path (optional)
+	if config.JWKSAuthTokenPath != "" {
+		args = append(args, fmt.Sprintf("--jwks-auth-token-file=%s", config.JWKSAuthTokenPath))
+	}
+
+	// Allow private IP access (optional)
+	if config.JWKSAllowPrivateIP {
+		args = append(args, "--jwks-allow-private-ip")
+	}
+
 	return args
 }
 

cmd/thv-operator/controllers/mcpserver_controller.go

@@ -27,8 +27,14 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
+	"github.com/stacklok/toolhive/pkg/logger"
 )
 
+func init() {
+	// Initialize logger for tests
+	logger.Initialize()
+}
+
 func TestGenerateOIDCArgs(t *testing.T) {
 	t.Parallel()
 
@@ -73,7 +79,9 @@ func TestGenerateOIDCArgs(t *testing.T) {
 			expectedArgs: []string{
 				"--oidc-issuer=https://kubernetes.default.svc",
 				"--oidc-audience=toolhive",
-				"--oidc-jwks-url=https://kubernetes.default.svc/openid/v1/jwks",
+				"--thv-ca-bundle=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+				"--jwks-auth-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
+				"--jwks-allow-private-ip",
 			},
 		},
 		{
@@ -100,6 +108,9 @@ func TestGenerateOIDCArgs(t *testing.T) {
 				"--oidc-issuer=https://custom.issuer.com",
 				"--oidc-audience=custom-audience",
 				"--oidc-jwks-url=https://custom.issuer.com/jwks",
+				"--thv-ca-bundle=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+				"--jwks-auth-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
+				"--jwks-allow-private-ip",
 			},
 		},
 		{
@@ -258,7 +269,9 @@ func TestGenerateKubernetesOIDCArgs(t *testing.T) {
 			expectedArgs: []string{
 				"--oidc-issuer=https://kubernetes.default.svc",
 				"--oidc-audience=toolhive",
-				"--oidc-jwks-url=https://kubernetes.default.svc/openid/v1/jwks",
+				"--thv-ca-bundle=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+				"--jwks-auth-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
+				"--jwks-allow-private-ip",
 			},
 		},
 		{
@@ -278,7 +291,9 @@ func TestGenerateKubernetesOIDCArgs(t *testing.T) {
 			expectedArgs: []string{
 				"--oidc-issuer=https://kubernetes.default.svc",
 				"--oidc-audience=toolhive",
-				"--oidc-jwks-url=https://kubernetes.default.svc/openid/v1/jwks",
+				"--thv-ca-bundle=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+				"--jwks-auth-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
+				"--jwks-allow-private-ip",
 			},
 		},
 		{
@@ -298,7 +313,9 @@ func TestGenerateKubernetesOIDCArgs(t *testing.T) {
 			expectedArgs: []string{
 				"--oidc-issuer=https://kubernetes.default.svc",
 				"--oidc-audience=toolhive",
-				"--oidc-jwks-url=https://kubernetes.default.svc/openid/v1/jwks",
+				"--thv-ca-bundle=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+				"--jwks-auth-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
+				"--jwks-allow-private-ip",
 			},
 		},
 		{
@@ -320,7 +337,9 @@ func TestGenerateKubernetesOIDCArgs(t *testing.T) {
 			expectedArgs: []string{
 				"--oidc-issuer=https://kubernetes.default.svc",
 				"--oidc-audience=toolhive",
-				"--oidc-jwks-url=https://kubernetes.default.svc/openid/v1/jwks",
+				"--thv-ca-bundle=/var/run/secrets/kubernetes.io/serviceaccount/ca.crt",
+				"--jwks-auth-token-file=/var/run/secrets/kubernetes.io/serviceaccount/token",
+				"--jwks-allow-private-ip",
 			},
 		},
 	}

cmd/thv-operator/controllers/mcpserver_oidc_test.go

@@ -285,8 +285,11 @@ func setRegistryURLCmdFunc(_ *cobra.Command, args []string) error {
 	}
 
 	if !allowPrivateRegistryIp {
-		registryClient := networking.GetHttpClient(false)
-		_, err := registryClient.Get(registryURL)
+		registryClient, err := networking.NewHttpClientBuilder().Build()
+		if err != nil {
+			return fmt.Errorf("failed to create HTTP client: %w", err)
+		}
+		_, err = registryClient.Get(registryURL)
 		if err != nil && strings.Contains(fmt.Sprint(err), networking.ErrPrivateIpAddress) {
 			return err
 		}

cmd/thv/app/config.go

@@ -58,25 +58,28 @@ permission profile. Additional configuration can be provided via flags.`,
 }
 
 var (
-	runTransport         string
-	runProxyMode         string
-	runName              string
-	runHost              string
-	runPort              int
-	runProxyPort         int
-	runTargetPort        int
-	runTargetHost        string
-	runPermissionProfile string
-	runEnv               []string
-	runForeground        bool
-	runVolumes           []string
-	runSecrets           []string
-	runAuthzConfig       string
-	runAuditConfig       string
-	runEnableAudit       bool
-	runK8sPodPatch       string
-	runCACertPath        string
-	runVerifyImage       string
+	runTransport          string
+	runProxyMode          string
+	runName               string
+	runHost               string
+	runPort               int
+	runProxyPort          int
+	runTargetPort         int
+	runTargetHost         string
+	runPermissionProfile  string
+	runEnv                []string
+	runForeground         bool
+	runVolumes            []string
+	runSecrets            []string
+	runAuthzConfig        string
+	runAuditConfig        string
+	runEnableAudit        bool
+	runK8sPodPatch        string
+	runCACertPath         string
+	runVerifyImage        string
+	runThvCABundle        string
+	runJWKSAuthTokenFile  string
+	runJWKSAllowPrivateIP bool
 
 	// OpenTelemetry flags
 	runOtelEndpoint                    string
@@ -176,6 +179,24 @@ func init() {
 			retriever.VerifyImageDisabled,
 		),
 	)
+	runCmd.Flags().StringVar(
+		&runThvCABundle,
+		"thv-ca-bundle",
+		"",
+		"Path to CA certificate bundle for ToolHive HTTP operations (JWKS, OIDC discovery, etc.)",
+	)
+	runCmd.Flags().StringVar(
+		&runJWKSAuthTokenFile,
+		"jwks-auth-token-file",
+		"",
+		"Path to file containing bearer token for authenticating JWKS/OIDC requests",
+	)
+	runCmd.Flags().BoolVar(
+		&runJWKSAllowPrivateIP,
+		"jwks-allow-private-ip",
+		false,
+		"Allow JWKS/OIDC endpoints on private IP addresses (use with caution)",
+	)
 
 	// This is used for the K8s operator which wraps the run command, but shouldn't be visible to users.
 	if err := runCmd.Flags().MarkHidden("k8s-pod-patch"); err != nil {
@@ -359,6 +380,9 @@ func runCmdFunc(cmd *cobra.Command, args []string) error {
 		finalOtelEnvironmentVariables,
 		runIsolateNetwork,
 		runK8sPodPatch,
+		runThvCABundle,
+		runJWKSAuthTokenFile,
+		runJWKSAllowPrivateIP,
 		envVarValidator,
 		types.ProxyMode(runProxyMode),
 	)

cmd/thv/app/run.go

@@ -2,5 +2,5 @@ apiVersion: v2
 name: toolhive-operator-crds
 description: A Helm chart for installing the ToolHive Operator CRDs into Kubernetes.
 type: application
-version: 0.0.9
+version: 0.0.10
 appVersion: "0.0.1"

deploy/charts/operator-crds/Chart.yaml

@@ -1,7 +1,7 @@
 
 # ToolHive Operator CRDs Helm Chart
 
-![Version: 0.0.9](https://img.shields.io/badge/Version-0.0.9-informational?style=flat-square)
+![Version: 0.0.10](https://img.shields.io/badge/Version-0.0.10-informational?style=flat-square)
 ![Type: application](https://img.shields.io/badge/Type-application-informational?style=flat-square)
 
 A Helm chart for installing the ToolHive Operator CRDs into Kubernetes.

deploy/charts/operator-crds/README.md

@@ -158,9 +158,25 @@ spec:
                       issuer:
                         description: Issuer is the OIDC issuer URL
                         type: string
+                      jwksAllowPrivateIP:
+                        default: false
+                        description: |-
+                          JWKSAllowPrivateIP allows JWKS/OIDC endpoints on private IP addresses
+                          Use with caution - only enable for trusted internal IDPs
+                        type: boolean
+                      jwksAuthTokenPath:
+                        description: |-
+                          JWKSAuthTokenPath is the path to file containing bearer token for JWKS/OIDC requests
+                          The file must be mounted into the pod (e.g., via Secret volume)
+                        type: string
                       jwksUrl:
                         description: JWKSURL is the URL to fetch the JWKS from
                         type: string
+                      thvCABundlePath:
+                        description: |-
+                          ThvCABundlePath is the path to CA certificate bundle file for HTTPS requests
+                          The file must be mounted into the pod (e.g., via ConfigMap or Secret volume)
+                        type: string
                     required:
                     - issuer
                     type: object
@@ -178,8 +194,9 @@ spec:
                         description: Issuer is the OIDC issuer URL
                         type: string
                       jwksUrl:
-                        default: https://kubernetes.default.svc/openid/v1/jwks
-                        description: JWKSURL is the URL to fetch the JWKS from
+                        description: |-
+                          JWKSURL is the URL to fetch the JWKS from
+                          If empty, OIDC discovery will be used to automatically determine the JWKS URL
                         type: string
                       namespace:
                         description: |-
@@ -190,6 +207,13 @@ spec:
                         description: ServiceAccount is deprecated and will be removed
                           in a future release.
                         type: string
+                      useClusterAuth:
+                        description: |-
+                          UseClusterAuth enables using the Kubernetes cluster's CA bundle and service account token
+                          When true, uses /var/run/secrets/kubernetes.io/serviceaccount/ca.crt for TLS verification
+                          and /var/run/secrets/kubernetes.io/serviceaccount/token for bearer token authentication
+                          Defaults to true if not specified
+                        type: boolean
                     type: object
                   type:
                     default: kubernetes