Only schema changes, no runtime behavior

Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>

Author: Sanskarzz

cmd/thv-operator/api/v1beta1/mcpserver_types.go

@@ -7,8 +7,6 @@ import (
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/runtime"
-
-	rlconfig "github.com/stacklok/toolhive/pkg/ratelimit/config"
 )
 
 // Condition types for MCPServer
@@ -513,26 +511,26 @@ type SessionStorageConfig struct {
 type RateLimitConfig struct {
 	// Global is a token bucket shared across all users for the entire server.
 	// +optional
-	Global *RateLimitBucket `json:"global,omitempty"`
+	Global *RateLimitBucket `json:"global,omitempty" yaml:"global,omitempty"`
 
 	// Shared is a deprecated alias for Global. Use global instead.
 	// +optional
-	Shared *RateLimitBucket `json:"shared,omitempty"`
+	Shared *RateLimitBucket `json:"shared,omitempty" yaml:"shared,omitempty"`
 
 	// PerUser is a token bucket applied independently to each authenticated user
 	// at the server level. Requires authentication to be enabled.
 	// Each unique userID creates Redis keys that expire after 2x refillPeriod.
 	// Memory formula: unique_users_per_TTL_window * (1 + num_tools_with_per_user_limits) keys.
 	// +optional
-	PerUser *RateLimitBucket `json:"perUser,omitempty"`
+	PerUser *RateLimitBucket `json:"perUser,omitempty" yaml:"perUser,omitempty"`
 
 	// Tools defines per-tool rate limit overrides.
 	// Each entry applies additional rate limits to calls targeting a specific tool name.
 	// A request must pass both the server-level limit and the per-tool limit.
 	// +listType=map
 	// +listMapKey=name
 	// +optional
-	Tools []ToolRateLimitConfig `json:"tools,omitempty"`
+	Tools []ToolRateLimitConfig `json:"tools,omitempty" yaml:"tools,omitempty"`
 }
 
 // RateLimitBucket defines a token bucket configuration with a maximum capacity
@@ -543,13 +541,13 @@ type RateLimitBucket struct {
 	// instantaneously before the bucket is depleted.
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Minimum=1
-	MaxTokens int32 `json:"maxTokens"`
+	MaxTokens int32 `json:"maxTokens" yaml:"maxTokens"`
 
 	// RefillPeriod is the duration to fully refill the bucket from zero to maxTokens.
 	// The effective refill rate is maxTokens / refillPeriod tokens per second.
 	// Format: Go duration string (e.g., "1m0s", "30s", "1h0m0s").
 	// +kubebuilder:validation:Required
-	RefillPeriod metav1.Duration `json:"refillPeriod"`
+	RefillPeriod metav1.Duration `json:"refillPeriod" yaml:"refillPeriod"`
 }
 
 // ToolRateLimitConfig defines rate limits for a specific tool.
@@ -562,53 +560,19 @@ type ToolRateLimitConfig struct {
 	// Name is the MCP tool name this limit applies to.
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:MinLength=1
-	Name string `json:"name"`
+	Name string `json:"name" yaml:"name"`
 
 	// Global token bucket for this specific tool.
 	// +optional
-	Global *RateLimitBucket `json:"global,omitempty"`
+	Global *RateLimitBucket `json:"global,omitempty" yaml:"global,omitempty"`
 
 	// Shared is a deprecated alias for Global. Use global instead.
 	// +optional
-	Shared *RateLimitBucket `json:"shared,omitempty"`
+	Shared *RateLimitBucket `json:"shared,omitempty" yaml:"shared,omitempty"`
 
 	// PerUser token bucket configuration for this tool.
 	// +optional
-	PerUser *RateLimitBucket `json:"perUser,omitempty"`
-}
-
-// ToInternal converts the Kubernetes API rate limit config to the runtime-neutral representation.
-func (in *RateLimitConfig) ToInternal() *rlconfig.Config {
-	if in == nil {
-		return nil
-	}
-	out := &rlconfig.Config{
-		Global:  rateLimitBucketToInternal(in.Global),
-		Shared:  rateLimitBucketToInternal(in.Shared),
-		PerUser: rateLimitBucketToInternal(in.PerUser),
-	}
-	if len(in.Tools) > 0 {
-		out.Tools = make([]rlconfig.ToolConfig, 0, len(in.Tools))
-		for _, tool := range in.Tools {
-			out.Tools = append(out.Tools, rlconfig.ToolConfig{
-				Name:    tool.Name,
-				Global:  rateLimitBucketToInternal(tool.Global),
-				Shared:  rateLimitBucketToInternal(tool.Shared),
-				PerUser: rateLimitBucketToInternal(tool.PerUser),
-			})
-		}
-	}
-	return out
-}
-
-func rateLimitBucketToInternal(in *RateLimitBucket) *rlconfig.Bucket {
-	if in == nil {
-		return nil
-	}
-	return &rlconfig.Bucket{
-		MaxTokens:    in.MaxTokens,
-		RefillPeriod: in.RefillPeriod,
-	}
+	PerUser *RateLimitBucket `json:"perUser,omitempty" yaml:"perUser,omitempty"`
 }
 
 // Permission profile types

cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go

@@ -530,12 +530,20 @@ func TestEnsureVmcpConfigConfigMap(t *testing.T) {
 	var cfg vmcpconfig.Config
 	require.NoError(t, yaml.Unmarshal([]byte(cm.Data["config.yaml"]), &cfg))
 	require.NotNil(t, cfg.RateLimiting, "runtime config must include spec.rateLimiting")
-	require.NotNil(t, cfg.RateLimiting.PerUser)
-	assert.Equal(t, int32(2), cfg.RateLimiting.PerUser.MaxTokens)
-	require.Len(t, cfg.RateLimiting.Tools, 1)
-	assert.Equal(t, "backend_a_echo", cfg.RateLimiting.Tools[0].Name)
-	require.NotNil(t, cfg.RateLimiting.Tools[0].Global)
-	assert.Equal(t, int32(5), cfg.RateLimiting.Tools[0].Global.MaxTokens)
+
+	rateLimiting := cfg.RateLimiting.Get()
+	perUser, ok := rateLimiting["perUser"].(map[string]any)
+	require.True(t, ok)
+	assert.EqualValues(t, 2, perUser["maxTokens"])
+	tools, ok := rateLimiting["tools"].([]any)
+	require.True(t, ok)
+	require.Len(t, tools, 1)
+	tool, ok := tools[0].(map[string]any)
+	require.True(t, ok)
+	assert.Equal(t, "backend_a_echo", tool["name"])
+	global, ok := tool["global"].(map[string]any)
+	require.True(t, ok)
+	assert.EqualValues(t, 5, global["maxTokens"])
 }
 
 // TestSetAuthConfigConditions tests that auth config conditions reflect the current state

cmd/thv-operator/pkg/vmcpconfig/converter.go

@@ -6,6 +6,7 @@ package vmcpconfig
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 
 	"github.com/go-logr/logr"
@@ -19,6 +20,7 @@ import (
 	"github.com/stacklok/toolhive/cmd/thv-operator/pkg/oidc"
 	"github.com/stacklok/toolhive/cmd/thv-operator/pkg/spectoconfig"
 	"github.com/stacklok/toolhive/pkg/authserver"
+	thvjson "github.com/stacklok/toolhive/pkg/json"
 	"github.com/stacklok/toolhive/pkg/telemetry"
 	"github.com/stacklok/toolhive/pkg/vmcp/auth/converters"
 	authtypes "github.com/stacklok/toolhive/pkg/vmcp/auth/types"
@@ -140,7 +142,13 @@ func (c *Converter) Convert(
 	}
 
 	config.SessionStorage = convertSessionStorage(vmcp)
-	config.RateLimiting = vmcp.Spec.RateLimiting.ToInternal()
+	if vmcp.Spec.RateLimiting != nil {
+		rateLimiting, err := convertRateLimiting(vmcp.Spec.RateLimiting)
+		if err != nil {
+			return nil, nil, fmt.Errorf("failed to convert rate limiting: %w", err)
+		}
+		config.RateLimiting = rateLimiting
+	}
 
 	// Apply operational defaults (fills missing values)
 	config.EnsureOperationalDefaults()
@@ -158,6 +166,22 @@ func (c *Converter) Convert(
 	return config, authServerRC, nil
 }
 
+func convertRateLimiting(rateLimiting *mcpv1beta1.RateLimitConfig) (*thvjson.Map, error) {
+	if rateLimiting == nil {
+		return nil, nil
+	}
+	raw, err := json.Marshal(rateLimiting)
+	if err != nil {
+		return nil, err
+	}
+	var value map[string]any
+	if err := json.Unmarshal(raw, &value); err != nil {
+		return nil, err
+	}
+	converted := thvjson.NewMap(value)
+	return &converted, nil
+}
+
 // convertIncomingAuth converts IncomingAuthConfig from CRD to vmcp config.
 func (c *Converter) convertIncomingAuth(
 	ctx context.Context,

cmd/thv-operator/pkg/vmcpconfig/converter_test.go

@@ -127,10 +127,65 @@ func TestConverter_RateLimitingFromTopLevelSpec(t *testing.T) {
 	cfg, _, err := converter.Convert(context.Background(), vmcp, nil)
 	require.NoError(t, err)
 	require.NotNil(t, cfg.RateLimiting)
-	require.NotNil(t, cfg.RateLimiting.Global)
-	assert.Equal(t, int32(10), cfg.RateLimiting.Global.MaxTokens)
-	require.Len(t, cfg.RateLimiting.Tools, 1)
-	assert.Equal(t, "backend_a_echo", cfg.RateLimiting.Tools[0].Name)
+
+	rateLimiting := cfg.RateLimiting.Get()
+	global, ok := rateLimiting["global"].(map[string]any)
+	require.True(t, ok)
+	assert.EqualValues(t, 10, global["maxTokens"])
+	tools, ok := rateLimiting["tools"].([]any)
+	require.True(t, ok)
+	require.Len(t, tools, 1)
+	tool, ok := tools[0].(map[string]any)
+	require.True(t, ok)
+	assert.Equal(t, "backend_a_echo", tool["name"])
+}
+
+func TestConverter_RateLimitingPreservesSharedAliasAndCopiesInput(t *testing.T) {
+	t.Parallel()
+
+	vmcp := &mcpv1beta1.VirtualMCPServer{
+		ObjectMeta: metav1.ObjectMeta{Name: "test-vmcp", Namespace: "default"},
+		Spec: mcpv1beta1.VirtualMCPServerSpec{
+			GroupRef:     &mcpv1beta1.MCPGroupRef{Name: "test-group"},
+			IncomingAuth: &mcpv1beta1.IncomingAuthConfig{Type: "anonymous"},
+			RateLimiting: &mcpv1beta1.RateLimitConfig{
+				Shared: &mcpv1beta1.RateLimitBucket{
+					MaxTokens:    10,
+					RefillPeriod: metav1.Duration{Duration: time.Minute},
+				},
+				Tools: []mcpv1beta1.ToolRateLimitConfig{
+					{
+						Name: "backend_a_echo",
+						Shared: &mcpv1beta1.RateLimitBucket{
+							MaxTokens:    1,
+							RefillPeriod: metav1.Duration{Duration: time.Second},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	converter := newTestConverter(t, newNoOpMockResolver(t))
+	cfg, _, err := converter.Convert(context.Background(), vmcp, nil)
+	require.NoError(t, err)
+	require.NotNil(t, cfg.RateLimiting)
+
+	vmcp.Spec.RateLimiting.Shared.MaxTokens = 99
+	vmcp.Spec.RateLimiting.Tools[0].Shared.MaxTokens = 88
+
+	rateLimiting := cfg.RateLimiting.Get()
+	shared, ok := rateLimiting["shared"].(map[string]any)
+	require.True(t, ok)
+	assert.EqualValues(t, 10, shared["maxTokens"])
+	tools, ok := rateLimiting["tools"].([]any)
+	require.True(t, ok)
+	require.Len(t, tools, 1)
+	tool, ok := tools[0].(map[string]any)
+	require.True(t, ok)
+	toolShared, ok := tool["shared"].(map[string]any)
+	require.True(t, ok)
+	assert.EqualValues(t, 1, toolShared["maxTokens"])
 }
 
 func TestConverter_OIDCResolution(t *testing.T) {

cmd/thv-operator/test-integration/virtualmcp/virtualmcpserver_sessionstorage_cel_test.go

@@ -147,8 +147,11 @@ var _ = Describe("CEL Validation for SessionStorageConfig on VirtualMCPServer",
 					Address:  "redis:6379",
 				})
 				vmcp.Spec.IncomingAuth = &mcpv1beta1.IncomingAuthConfig{
-					Type:          "oidc",
-					OIDCConfigRef: &mcpv1beta1.MCPOIDCConfigReference{Name: "oidc"},
+					Type: "oidc",
+					OIDCConfigRef: &mcpv1beta1.MCPOIDCConfigReference{
+						Name:     "oidc",
+						Audience: "test-audience",
+					},
 				}
 				vmcp.Spec.RateLimiting = &mcpv1beta1.RateLimitConfig{
 					PerUser: &mcpv1beta1.RateLimitBucket{