stacklok
diff --git a/‎cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go‎
Lines changed: 16 additions & 22 deletions b/‎cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go‎
Lines changed: 16 additions & 22 deletions
diff --git a/‎cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 0 additions & 25 deletions b/‎cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go‎
Lines changed: 0 additions & 25 deletions
diff --git a/‎cmd/thv-operator/pkg/controllerutil/authserver.go‎
Lines changed: 6 additions & 31 deletions b/‎cmd/thv-operator/pkg/controllerutil/authserver.go‎
Lines changed: 6 additions & 31 deletions
diff --git a/‎cmd/thv-operator/pkg/controllerutil/authserver_test.go‎
Lines changed: 7 additions & 55 deletions b/‎cmd/thv-operator/pkg/controllerutil/authserver_test.go‎
Lines changed: 7 additions & 55 deletions
diff --git a/‎deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml‎
Lines changed: 28 additions & 50 deletions b/‎deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml‎
Lines changed: 28 additions & 50 deletions
@@ -525,28 +525,32 @@ type AuthServerStorageConfig struct {
 }
 
 // RedisStorageConfig configures Redis connection for auth server storage.
-// Exactly one of addr (standalone), sentinelConfig (Sentinel), or clusterConfig (Cluster) must be set.
+// Exactly one of addr or sentinelConfig must be set. Set clusterMode to true when
+// addr points to a Redis Cluster discovery endpoint (GCP Memorystore Cluster,
+// AWS ElastiCache cluster mode enabled).
 //
-// +kubebuilder:validation:XValidation:rule="(self.addr.size() > 0 ? 1 : 0) + (has(self.sentinelConfig) ? 1 : 0) + (has(self.clusterConfig) ? 1 : 0) == 1",message="exactly one of addr (standalone), sentinelConfig (Sentinel), or clusterConfig (Cluster) must be set"
+// +kubebuilder:validation:XValidation:rule="(self.addr.size() > 0) != has(self.sentinelConfig)",message="exactly one of addr or sentinelConfig must be set"
+// +kubebuilder:validation:XValidation:rule="!self.clusterMode || self.addr.size() > 0",message="clusterMode requires addr to be set"
 //
 //nolint:lll // CEL validation rules exceed line length limit
 type RedisStorageConfig struct {
-	// Addr is the Redis server address for standalone mode (e.g., "host:port").
-	// Use for managed Redis services (GCP Memorystore, AWS ElastiCache) that present
-	// a single endpoint and manage HA internally. Mutually exclusive with sentinelConfig and clusterConfig.
+	// Addr is the Redis server address (host:port). Required for standalone and cluster modes.
+	// Use for managed Redis services that expose a single endpoint (GCP Memorystore basic tier,
+	// AWS ElastiCache without cluster mode, or cluster-mode services when clusterMode is true).
+	// Mutually exclusive with sentinelConfig.
 	// +optional
 	Addr string `json:"addr,omitempty"`
 
-	// SentinelConfig holds Redis Sentinel configuration.
-	// Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr and clusterConfig.
+	// ClusterMode enables the Redis Cluster protocol. Set to true when addr points to a
+	// Redis Cluster discovery endpoint (e.g., GCP Memorystore Cluster, AWS ElastiCache
+	// cluster mode enabled). Requires addr to be set.
 	// +optional
-	SentinelConfig *RedisSentinelConfig `json:"sentinelConfig,omitempty"`
+	ClusterMode bool `json:"clusterMode,omitempty"`
 
-	// ClusterConfig holds Redis Cluster configuration.
-	// Use for managed Redis services that use the Redis Cluster protocol (e.g., GCP Memorystore Cluster,
-	// AWS ElastiCache Serverless). Mutually exclusive with addr and sentinelConfig.
+	// SentinelConfig holds Redis Sentinel configuration.
+	// Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr.
 	// +optional
-	ClusterConfig *RedisClusterConfig `json:"clusterConfig,omitempty"`
+	SentinelConfig *RedisSentinelConfig `json:"sentinelConfig,omitempty"`
 
 	// ACLUserConfig configures Redis ACL user authentication.
 	// +kubebuilder:validation:Required
@@ -607,16 +611,6 @@ type RedisSentinelConfig struct {
 	DB int32 `json:"db,omitempty"`
 }
 
-// RedisClusterConfig configures Redis Cluster connection.
-type RedisClusterConfig struct {
-	// Addrs is the list of seed node host:port addresses for the Redis Cluster.
-	// At least one address is required; go-redis discovers other nodes automatically.
-	// +kubebuilder:validation:Required
-	// +kubebuilder:validation:MinItems=1
-	// +listType=atomic
-	Addrs []string `json:"addrs"`
-}
-
 // SentinelServiceRef references a Kubernetes Service for Sentinel discovery.
 type SentinelServiceRef struct {
 	// Name of the Sentinel Service.
 
@@ -544,8 +544,11 @@ func buildStorageRunConfig(
 		return nil, fmt.Errorf("redis config is required when storage type is redis")
 	}
 
-	if err := validateRedisConnectionMode(redisConfig); err != nil {
-		return nil, err
+	if redisConfig.Addr != "" && redisConfig.SentinelConfig != nil {
+		return nil, fmt.Errorf("addr and sentinelConfig are mutually exclusive for Redis storage")
+	}
+	if redisConfig.Addr == "" && redisConfig.SentinelConfig == nil {
+		return nil, fmt.Errorf("one of addr (standalone or cluster) or sentinelConfig (Sentinel) is required for Redis storage")
 	}
 
 	if redisConfig.ACLUserConfig == nil ||
@@ -565,6 +568,7 @@ func buildStorageRunConfig(
 
 	rc := &storage.RedisRunConfig{
 		Addr:          redisConfig.Addr,
+		ClusterMode:   redisConfig.ClusterMode,
 		AuthType:      storage.AuthTypeACLUser,
 		ACLUserConfig: aclRunConfig,
 		KeyPrefix:     keyPrefix,
@@ -588,41 +592,12 @@ func buildStorageRunConfig(
 		rc.SentinelTLS = convertRedisTLSConfig(redisConfig.SentinelTLS, true)
 	}
 
-	if redisConfig.ClusterConfig != nil {
-		rc.ClusterConfig = &storage.ClusterRunConfig{
-			Addrs: redisConfig.ClusterConfig.Addrs,
-		}
-	}
-
 	return &storage.RunConfig{
 		Type:        string(storage.TypeRedis),
 		RedisConfig: rc,
 	}, nil
 }
 
-// validateRedisConnectionMode checks that exactly one of addr, sentinelConfig,
-// or clusterConfig is set on the Redis storage config.
-func validateRedisConnectionMode(cfg *mcpv1beta1.RedisStorageConfig) error {
-	modes := 0
-	if cfg.Addr != "" {
-		modes++
-	}
-	if cfg.SentinelConfig != nil {
-		modes++
-	}
-	if cfg.ClusterConfig != nil {
-		modes++
-	}
-	if modes > 1 {
-		return fmt.Errorf("addr, sentinelConfig, and clusterConfig are mutually exclusive for Redis storage")
-	}
-	if modes == 0 {
-		return fmt.Errorf("one of addr (standalone), sentinelConfig (Sentinel)," +
-			" or clusterConfig (Cluster) is required for Redis storage")
-	}
-	return nil
-}
-
 // convertRedisTLSConfig converts CRD RedisTLSConfig to RunConfig.
 // isSentinel determines which mount path to use for the CA cert file.
 func convertRedisTLSConfig(cfg *mcpv1beta1.RedisTLSConfig, isSentinel bool) *storage.RedisTLSRunConfig {
 
@@ -1674,7 +1674,7 @@ func TestBuildStorageRunConfig(t *testing.T) {
 			errContains: "redis config is required",
 		},
 		{
-			name: "Redis storage missing addr, sentinelConfig, and clusterConfig returns error",
+			name: "Redis storage missing addr and sentinelConfig returns error",
 			authConfig: &mcpv1beta1.EmbeddedAuthServerConfig{
 				Issuer: "https://auth.example.com",
 				Storage: &mcpv1beta1.AuthServerStorageConfig{
@@ -1688,7 +1688,7 @@ func TestBuildStorageRunConfig(t *testing.T) {
 				},
 			},
 			wantErr:     true,
-			errContains: "one of addr (standalone), sentinelConfig (Sentinel), or clusterConfig (Cluster) is required",
+			errContains: "one of addr (standalone or cluster) or sentinelConfig (Sentinel) is required",
 		},
 		{
 			name: "Redis storage with both addr and sentinelConfig returns error",
@@ -1713,60 +1713,14 @@ func TestBuildStorageRunConfig(t *testing.T) {
 			errContains: "mutually exclusive",
 		},
 		{
-			name: "Redis storage with addr and clusterConfig returns error",
+			name: "Redis cluster mode builds correctly",
 			authConfig: &mcpv1beta1.EmbeddedAuthServerConfig{
 				Issuer: "https://auth.example.com",
 				Storage: &mcpv1beta1.AuthServerStorageConfig{
 					Type: mcpv1beta1.AuthServerStorageTypeRedis,
 					Redis: &mcpv1beta1.RedisStorageConfig{
-						Addr: "redis.example.com:6379",
-						ClusterConfig: &mcpv1beta1.RedisClusterConfig{
-							Addrs: []string{"node1.example.com:6379"},
-						},
-						ACLUserConfig: &mcpv1beta1.RedisACLUserConfig{
-							UsernameSecretRef: &mcpv1beta1.SecretKeyRef{Name: "s", Key: "u"},
-							PasswordSecretRef: &mcpv1beta1.SecretKeyRef{Name: "s", Key: "p"},
-						},
-					},
-				},
-			},
-			wantErr:     true,
-			errContains: "mutually exclusive",
-		},
-		{
-			name: "Redis storage with sentinelConfig and clusterConfig returns error",
-			authConfig: &mcpv1beta1.EmbeddedAuthServerConfig{
-				Issuer: "https://auth.example.com",
-				Storage: &mcpv1beta1.AuthServerStorageConfig{
-					Type: mcpv1beta1.AuthServerStorageTypeRedis,
-					Redis: &mcpv1beta1.RedisStorageConfig{
-						SentinelConfig: &mcpv1beta1.RedisSentinelConfig{
-							MasterName:    "mymaster",
-							SentinelAddrs: []string{"10.0.0.1:26379"},
-						},
-						ClusterConfig: &mcpv1beta1.RedisClusterConfig{
-							Addrs: []string{"node1.example.com:6379"},
-						},
-						ACLUserConfig: &mcpv1beta1.RedisACLUserConfig{
-							UsernameSecretRef: &mcpv1beta1.SecretKeyRef{Name: "s", Key: "u"},
-							PasswordSecretRef: &mcpv1beta1.SecretKeyRef{Name: "s", Key: "p"},
-						},
-					},
-				},
-			},
-			wantErr:     true,
-			errContains: "mutually exclusive",
-		},
-		{
-			name: "Redis cluster config builds correctly",
-			authConfig: &mcpv1beta1.EmbeddedAuthServerConfig{
-				Issuer: "https://auth.example.com",
-				Storage: &mcpv1beta1.AuthServerStorageConfig{
-					Type: mcpv1beta1.AuthServerStorageTypeRedis,
-					Redis: &mcpv1beta1.RedisStorageConfig{
-						ClusterConfig: &mcpv1beta1.RedisClusterConfig{
-							Addrs: []string{"node1.example.com:6379", "node2.example.com:6379"},
-						},
+						Addr:        "discovery.example.com:6379",
+						ClusterMode: true,
 						ACLUserConfig: &mcpv1beta1.RedisACLUserConfig{
 							UsernameSecretRef: &mcpv1beta1.SecretKeyRef{Name: "redis-secret", Key: "username"},
 							PasswordSecretRef: &mcpv1beta1.SecretKeyRef{Name: "redis-secret", Key: "password"},
@@ -1778,10 +1732,8 @@ func TestBuildStorageRunConfig(t *testing.T) {
 				t.Helper()
 				assert.Equal(t, string(storage.TypeRedis), cfg.Type)
 				require.NotNil(t, cfg.RedisConfig)
-				require.NotNil(t, cfg.RedisConfig.ClusterConfig)
-				assert.Equal(t, []string{"node1.example.com:6379", "node2.example.com:6379"},
-					cfg.RedisConfig.ClusterConfig.Addrs)
-				assert.Empty(t, cfg.RedisConfig.Addr)
+				assert.Equal(t, "discovery.example.com:6379", cfg.RedisConfig.Addr)
+				assert.True(t, cfg.RedisConfig.ClusterMode)
 				assert.Nil(t, cfg.RedisConfig.SentinelConfig)
 				assert.Equal(t, storage.AuthTypeACLUser, cfg.RedisConfig.AuthType)
 				require.NotNil(t, cfg.RedisConfig.ACLUserConfig)
 
@@ -316,28 +316,17 @@ spec:
                             type: object
                           addr:
                             description: |-
-                              Addr is the Redis server address for standalone mode (e.g., "host:port").
-                              Use for managed Redis services (GCP Memorystore, AWS ElastiCache) that present
-                              a single endpoint and manage HA internally. Mutually exclusive with sentinelConfig and clusterConfig.
+                              Addr is the Redis server address (host:port). Required for standalone and cluster modes.
+                              Use for managed Redis services that expose a single endpoint (GCP Memorystore basic tier,
+                              AWS ElastiCache without cluster mode, or cluster-mode services when clusterMode is true).
+                              Mutually exclusive with sentinelConfig.
                             type: string
-                          clusterConfig:
+                          clusterMode:
                             description: |-
-                              ClusterConfig holds Redis Cluster configuration.
-                              Use for managed Redis services that use the Redis Cluster protocol (e.g., GCP Memorystore Cluster,
-                              AWS ElastiCache Serverless). Mutually exclusive with addr and sentinelConfig.
-                            properties:
-                              addrs:
-                                description: |-
-                                  Addrs is the list of seed node host:port addresses for the Redis Cluster.
-                                  At least one address is required; go-redis discovers other nodes automatically.
-                                items:
-                                  type: string
-                                minItems: 1
-                                type: array
-                                x-kubernetes-list-type: atomic
-                            required:
-                            - addrs
-                            type: object
+                              ClusterMode enables the Redis Cluster protocol. Set to true when addr points to a
+                              Redis Cluster discovery endpoint (e.g., GCP Memorystore Cluster, AWS ElastiCache
+                              cluster mode enabled). Requires addr to be set.
+                            type: boolean
                           dialTimeout:
                             default: 5s
                             description: |-
@@ -355,7 +344,7 @@ spec:
                           sentinelConfig:
                             description: |-
                               SentinelConfig holds Redis Sentinel configuration.
-                              Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr and clusterConfig.
+                              Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr.
                             properties:
                               db:
                                 default: 0
@@ -460,10 +449,10 @@ spec:
                         - aclUserConfig
                         type: object
                         x-kubernetes-validations:
-                        - message: exactly one of addr (standalone), sentinelConfig
-                            (Sentinel), or clusterConfig (Cluster) must be set
-                          rule: '(self.addr.size() > 0 ? 1 : 0) + (has(self.sentinelConfig)
-                            ? 1 : 0) + (has(self.clusterConfig) ? 1 : 0) == 1'
+                        - message: exactly one of addr or sentinelConfig must be set
+                          rule: (self.addr.size() > 0) != has(self.sentinelConfig)
+                        - message: clusterMode requires addr to be set
+                          rule: '!self.clusterMode || self.addr.size() > 0'
                       type:
                         default: memory
                         description: |-
@@ -1383,28 +1372,17 @@ spec:
                             type: object
                           addr:
                             description: |-
-                              Addr is the Redis server address for standalone mode (e.g., "host:port").
-                              Use for managed Redis services (GCP Memorystore, AWS ElastiCache) that present
-                              a single endpoint and manage HA internally. Mutually exclusive with sentinelConfig and clusterConfig.
+                              Addr is the Redis server address (host:port). Required for standalone and cluster modes.
+                              Use for managed Redis services that expose a single endpoint (GCP Memorystore basic tier,
+                              AWS ElastiCache without cluster mode, or cluster-mode services when clusterMode is true).
+                              Mutually exclusive with sentinelConfig.
                             type: string
-                          clusterConfig:
+                          clusterMode:
                             description: |-
-                              ClusterConfig holds Redis Cluster configuration.
-                              Use for managed Redis services that use the Redis Cluster protocol (e.g., GCP Memorystore Cluster,
-                              AWS ElastiCache Serverless). Mutually exclusive with addr and sentinelConfig.
-                            properties:
-                              addrs:
-                                description: |-
-                                  Addrs is the list of seed node host:port addresses for the Redis Cluster.
-                                  At least one address is required; go-redis discovers other nodes automatically.
-                                items:
-                                  type: string
-                                minItems: 1
-                                type: array
-                                x-kubernetes-list-type: atomic
-                            required:
-                            - addrs
-                            type: object
+                              ClusterMode enables the Redis Cluster protocol. Set to true when addr points to a
+                              Redis Cluster discovery endpoint (e.g., GCP Memorystore Cluster, AWS ElastiCache
+                              cluster mode enabled). Requires addr to be set.
+                            type: boolean
                           dialTimeout:
                             default: 5s
                             description: |-
@@ -1422,7 +1400,7 @@ spec:
                           sentinelConfig:
                             description: |-
                               SentinelConfig holds Redis Sentinel configuration.
-                              Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr and clusterConfig.
+                              Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr.
                             properties:
                               db:
                                 default: 0
@@ -1527,10 +1505,10 @@ spec:
                         - aclUserConfig
                         type: object
                         x-kubernetes-validations:
-                        - message: exactly one of addr (standalone), sentinelConfig
-                            (Sentinel), or clusterConfig (Cluster) must be set
-                          rule: '(self.addr.size() > 0 ? 1 : 0) + (has(self.sentinelConfig)
-                            ? 1 : 0) + (has(self.clusterConfig) ? 1 : 0) == 1'
+                        - message: exactly one of addr or sentinelConfig must be set
+                          rule: (self.addr.size() > 0) != has(self.sentinelConfig)
+                        - message: clusterMode requires addr to be set
+                          rule: '!self.clusterMode || self.addr.size() > 0'
                       type:
                         default: memory
                         description: |-