Document caBundleRef for custom OIDC CA certificates#946
Open
danbarr wants to merge 2 commits into
Conversation
Add a worked example under the MCPOIDCConfig section showing how to trust a non-public CA (e.g., corporate Keycloak) via caBundleRef. Covers creating the CA ConfigMap and checking the CABundleRefValidated status condition on the referencing MCPServer. Closes #466 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Contributor
Pull request overview
This PR updates the Kubernetes authentication/authorization guide to document how to trust an internal/self-signed CA when using OIDC with MCPOIDCConfig, which is a common requirement for corporate IdPs like Keycloak.
Changes:
- Adds a new subsection explaining how to create a CA bundle ConfigMap and reference it via spec.inline.caBundleRef on an MCPOIDCConfig.
- Documents how to verify CA bundle resolution by checking the CABundleRefValidated condition on the referencing MCPServer.
Address Copilot review on #946: the CA bundle is used to reach the issuer's discovery and JWKS endpoints over TLS, not for token validation directly. Also name the MCPServer whose oidcConfigRef must point at the config before the CABundleRefValidated condition appears. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Description
Adds a "Use a custom CA certificate for the OIDC issuer" subsection to the K8s auth guide, under the MCPOIDCConfig section. It covers the corporate-Keycloak / non-public-CA scenario: creating the CA bundle ConfigMap, referencing it via caBundleRef on an MCPOIDCConfig, and checking the CABundleRefValidated condition.
The original issue was written against the pre-v1beta1 shape (inline oidcConfig, deprecating thvCABundlePath), which is now stale: thvCABundlePath was removed in v0.15.0, the migration is already covered in migrate-to-v1beta1.mdx, and OIDC config now lives on the dedicated MCPOIDCConfig CRD. This PR is the rescoped remainder, the one missing piece in auth-k8s.mdx.
Two details were verified against the operator source rather than the issue text:
- CABundleRefValidated condition is set on the MCPServer status, not the MCPOIDCConfig (mcpserver_controller.go).
Type of change
Related issues/PRs
Closes #466
Documents stacklok/toolhive#3391
Submitter checklist
Content and formatting
🤖 Generated with Claude Code
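The procedure the description outlines (CA bundle ConfigMap, caBundleRef on the MCPOIDCConfig, CABundleRefValidated on the MCPServer) as an added Python example that is not ToolHive's or the PR's own code. The API group/version string, the caBundleRef field names (name/key) and the sample condition reasons are assumptions or constructed values; check the installed CRD before relying on them.

```python
"""Added example (not ToolHive code): build the CA-bundle ConfigMap and the
MCPOIDCConfig that references it, then classify the CABundleRefValidated
condition found on the referencing MCPServer."""
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----", re.S)


def ca_bundle_manifests(pem, namespace, issuer, cm_name="oidc-ca-bundle", key="ca.crt"):
    """Return (ConfigMap, MCPOIDCConfig) dicts; refuse a bundle with no certificates,
    since an empty key would only surface later as a failed condition in the cluster."""
    if not PEM_CERT.search(pem):
        raise ValueError("bundle contains no PEM CERTIFICATE blocks")
    configmap = {
        "apiVersion": "v1", "kind": "ConfigMap",
        "metadata": {"name": cm_name, "namespace": namespace},
        "data": {key: pem},
    }
    oidc = {
        "apiVersion": "toolhive.stacklok.dev/v1beta1",  # assumed group/version
        "kind": "MCPOIDCConfig",
        "metadata": {"name": "corporate-keycloak", "namespace": namespace},
        # The bundle is used to reach the issuer's discovery and JWKS endpoints over TLS.
        "spec": {"inline": {"issuer": issuer,
                            "caBundleRef": {"name": cm_name, "key": key}}},  # assumed shape
    }
    return configmap, oidc


def ca_bundle_status(mcpserver):
    """Classify CABundleRefValidated from `kubectl get mcpserver -o json` output.
    "pending" means the condition has not appeared yet, which is expected until
    the MCPServer's oidcConfigRef points at the MCPOIDCConfig."""
    for cond in mcpserver.get("status", {}).get("conditions", []):
        if cond.get("type") == "CABundleRefValidated":
            if cond.get("status") == "True":
                return "validated"
            return "failed: " + cond.get("reason", "Unknown")
    return "pending"


# Constructed sample objects (not real cluster output; reasons are made up).
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----\n"
SAMPLE_OK = {"status": {"conditions": [
    {"type": "CABundleRefValidated", "status": "True", "reason": "Validated"}]}}
SAMPLE_MISSING_CM = {"status": {"conditions": [
    {"type": "CABundleRefValidated", "status": "False", "reason": "ConfigMapNotFound"}]}}
SAMPLE_NO_REF = {"status": {"conditions": []}}

if __name__ == "__main__":
    cm, oidc = ca_bundle_manifests(SAMPLE_PEM, "mcp", "https://keycloak.example.internal/realms/dev")
    print(oidc["spec"]["inline"]["caBundleRef"], ca_bundle_status(SAMPLE_OK))
```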