Add Redis Cluster mode support to auth server storage

Managed Redis services like GCP Memorystore Cluster and AWS ElastiCache
Serverless use the Redis Cluster protocol rather than standalone or Sentinel
connections, making it impossible to use them without this third mode.

- Add ClusterConfig/ClusterRunConfig types to storage and runner layers
- Wire cluster client creation via redis.NewClusterClient in NewRedisStorage
- Update validateConfig, convertRedisRunConfig, and buildStorageRunConfig to
  enforce three-way mutual exclusion (addr / sentinel / cluster)
- Add RedisClusterConfig CRD type with MinItems=1 validation; update CEL rule
  to require exactly one of the three modes
- Regenerate deepcopy, CRD YAML, and Helm chart templates
- Add unit tests for all new validation and happy-path code paths

Closes #5010

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

Author: reyortiz3

cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go

@@ -525,23 +525,29 @@ type AuthServerStorageConfig struct {
 }
 
 // RedisStorageConfig configures Redis connection for auth server storage.
-// Exactly one of addr (standalone) or sentinelConfig (Sentinel) must be set.
+// Exactly one of addr (standalone), sentinelConfig (Sentinel), or clusterConfig (Cluster) must be set.
 //
-// +kubebuilder:validation:XValidation:rule="(self.addr.size() > 0) != has(self.sentinelConfig)",message="exactly one of addr (standalone) or sentinelConfig (Sentinel) must be set"
+// +kubebuilder:validation:XValidation:rule="(self.addr.size() > 0 ? 1 : 0) + (has(self.sentinelConfig) ? 1 : 0) + (has(self.clusterConfig) ? 1 : 0) == 1",message="exactly one of addr (standalone), sentinelConfig (Sentinel), or clusterConfig (Cluster) must be set"
 //
 //nolint:lll // CEL validation rules exceed line length limit
 type RedisStorageConfig struct {
 	// Addr is the Redis server address for standalone mode (e.g., "host:port").
 	// Use for managed Redis services (GCP Memorystore, AWS ElastiCache) that present
-	// a single endpoint and manage HA internally. Mutually exclusive with sentinelConfig.
+	// a single endpoint and manage HA internally. Mutually exclusive with sentinelConfig and clusterConfig.
 	// +optional
 	Addr string `json:"addr,omitempty"`
 
 	// SentinelConfig holds Redis Sentinel configuration.
-	// Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr.
+	// Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr and clusterConfig.
 	// +optional
 	SentinelConfig *RedisSentinelConfig `json:"sentinelConfig,omitempty"`
 
+	// ClusterConfig holds Redis Cluster configuration.
+	// Use for managed Redis services that use the Redis Cluster protocol (e.g., GCP Memorystore Cluster,
+	// AWS ElastiCache Serverless). Mutually exclusive with addr and sentinelConfig.
+	// +optional
+	ClusterConfig *RedisClusterConfig `json:"clusterConfig,omitempty"`
+
 	// ACLUserConfig configures Redis ACL user authentication.
 	// +kubebuilder:validation:Required
 	ACLUserConfig *RedisACLUserConfig `json:"aclUserConfig"`
@@ -601,6 +607,16 @@ type RedisSentinelConfig struct {
 	DB int32 `json:"db,omitempty"`
 }
 
+// RedisClusterConfig configures Redis Cluster connection.
+type RedisClusterConfig struct {
+	// Addrs is the list of seed node host:port addresses for the Redis Cluster.
+	// At least one address is required; go-redis discovers other nodes automatically.
+	// +kubebuilder:validation:Required
+	// +kubebuilder:validation:MinItems=1
+	// +listType=atomic
+	Addrs []string `json:"addrs"`
+}
+
 // SentinelServiceRef references a Kubernetes Service for Sentinel discovery.
 type SentinelServiceRef struct {
 	// Name of the Sentinel Service.

cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go

@@ -544,12 +544,8 @@ func buildStorageRunConfig(
 		return nil, fmt.Errorf("redis config is required when storage type is redis")
 	}
 
-	if redisConfig.Addr == "" && redisConfig.SentinelConfig == nil {
-		return nil, fmt.Errorf("either addr (standalone) or sentinel config is required for Redis storage")
-	}
-
-	if redisConfig.Addr != "" && redisConfig.SentinelConfig != nil {
-		return nil, fmt.Errorf("addr and sentinel config are mutually exclusive for Redis storage")
+	if err := validateRedisConnectionMode(redisConfig); err != nil {
+		return nil, err
 	}
 
 	if redisConfig.ACLUserConfig == nil ||
@@ -592,12 +588,41 @@ func buildStorageRunConfig(
 		rc.SentinelTLS = convertRedisTLSConfig(redisConfig.SentinelTLS, true)
 	}
 
+	if redisConfig.ClusterConfig != nil {
+		rc.ClusterConfig = &storage.ClusterRunConfig{
+			Addrs: redisConfig.ClusterConfig.Addrs,
+		}
+	}
+
 	return &storage.RunConfig{
 		Type:        string(storage.TypeRedis),
 		RedisConfig: rc,
 	}, nil
 }
 
+// validateRedisConnectionMode checks that exactly one of addr, sentinelConfig,
+// or clusterConfig is set on the Redis storage config.
+func validateRedisConnectionMode(cfg *mcpv1beta1.RedisStorageConfig) error {
+	modes := 0
+	if cfg.Addr != "" {
+		modes++
+	}
+	if cfg.SentinelConfig != nil {
+		modes++
+	}
+	if cfg.ClusterConfig != nil {
+		modes++
+	}
+	if modes > 1 {
+		return fmt.Errorf("addr, sentinelConfig, and clusterConfig are mutually exclusive for Redis storage")
+	}
+	if modes == 0 {
+		return fmt.Errorf("one of addr (standalone), sentinelConfig (Sentinel)," +
+			" or clusterConfig (Cluster) is required for Redis storage")
+	}
+	return nil
+}
+
 // convertRedisTLSConfig converts CRD RedisTLSConfig to RunConfig.
 // isSentinel determines which mount path to use for the CA cert file.
 func convertRedisTLSConfig(cfg *mcpv1beta1.RedisTLSConfig, isSentinel bool) *storage.RedisTLSRunConfig {

cmd/thv-operator/pkg/controllerutil/authserver.go

@@ -1674,7 +1674,7 @@ func TestBuildStorageRunConfig(t *testing.T) {
 			errContains: "redis config is required",
 		},
 		{
-			name: "Redis storage missing both addr and sentinelConfig returns error",
+			name: "Redis storage missing addr, sentinelConfig, and clusterConfig returns error",
 			authConfig: &mcpv1beta1.EmbeddedAuthServerConfig{
 				Issuer: "https://auth.example.com",
 				Storage: &mcpv1beta1.AuthServerStorageConfig{
@@ -1688,7 +1688,7 @@ func TestBuildStorageRunConfig(t *testing.T) {
 				},
 			},
 			wantErr:     true,
-			errContains: "either addr (standalone) or sentinel config is required",
+			errContains: "one of addr (standalone), sentinelConfig (Sentinel), or clusterConfig (Cluster) is required",
 		},
 		{
 			name: "Redis storage with both addr and sentinelConfig returns error",
@@ -1710,7 +1710,85 @@ func TestBuildStorageRunConfig(t *testing.T) {
 				},
 			},
 			wantErr:     true,
-			errContains: "addr and sentinel config are mutually exclusive",
+			errContains: "mutually exclusive",
+		},
+		{
+			name: "Redis storage with addr and clusterConfig returns error",
+			authConfig: &mcpv1beta1.EmbeddedAuthServerConfig{
+				Issuer: "https://auth.example.com",
+				Storage: &mcpv1beta1.AuthServerStorageConfig{
+					Type: mcpv1beta1.AuthServerStorageTypeRedis,
+					Redis: &mcpv1beta1.RedisStorageConfig{
+						Addr: "redis.example.com:6379",
+						ClusterConfig: &mcpv1beta1.RedisClusterConfig{
+							Addrs: []string{"node1.example.com:6379"},
+						},
+						ACLUserConfig: &mcpv1beta1.RedisACLUserConfig{
+							UsernameSecretRef: &mcpv1beta1.SecretKeyRef{Name: "s", Key: "u"},
+							PasswordSecretRef: &mcpv1beta1.SecretKeyRef{Name: "s", Key: "p"},
+						},
+					},
+				},
+			},
+			wantErr:     true,
+			errContains: "mutually exclusive",
+		},
+		{
+			name: "Redis storage with sentinelConfig and clusterConfig returns error",
+			authConfig: &mcpv1beta1.EmbeddedAuthServerConfig{
+				Issuer: "https://auth.example.com",
+				Storage: &mcpv1beta1.AuthServerStorageConfig{
+					Type: mcpv1beta1.AuthServerStorageTypeRedis,
+					Redis: &mcpv1beta1.RedisStorageConfig{
+						SentinelConfig: &mcpv1beta1.RedisSentinelConfig{
+							MasterName:    "mymaster",
+							SentinelAddrs: []string{"10.0.0.1:26379"},
+						},
+						ClusterConfig: &mcpv1beta1.RedisClusterConfig{
+							Addrs: []string{"node1.example.com:6379"},
+						},
+						ACLUserConfig: &mcpv1beta1.RedisACLUserConfig{
+							UsernameSecretRef: &mcpv1beta1.SecretKeyRef{Name: "s", Key: "u"},
+							PasswordSecretRef: &mcpv1beta1.SecretKeyRef{Name: "s", Key: "p"},
+						},
+					},
+				},
+			},
+			wantErr:     true,
+			errContains: "mutually exclusive",
+		},
+		{
+			name: "Redis cluster config builds correctly",
+			authConfig: &mcpv1beta1.EmbeddedAuthServerConfig{
+				Issuer: "https://auth.example.com",
+				Storage: &mcpv1beta1.AuthServerStorageConfig{
+					Type: mcpv1beta1.AuthServerStorageTypeRedis,
+					Redis: &mcpv1beta1.RedisStorageConfig{
+						ClusterConfig: &mcpv1beta1.RedisClusterConfig{
+							Addrs: []string{"node1.example.com:6379", "node2.example.com:6379"},
+						},
+						ACLUserConfig: &mcpv1beta1.RedisACLUserConfig{
+							UsernameSecretRef: &mcpv1beta1.SecretKeyRef{Name: "redis-secret", Key: "username"},
+							PasswordSecretRef: &mcpv1beta1.SecretKeyRef{Name: "redis-secret", Key: "password"},
+						},
+					},
+				},
+			},
+			checkFunc: func(t *testing.T, cfg *storage.RunConfig) {
+				t.Helper()
+				assert.Equal(t, string(storage.TypeRedis), cfg.Type)
+				require.NotNil(t, cfg.RedisConfig)
+				require.NotNil(t, cfg.RedisConfig.ClusterConfig)
+				assert.Equal(t, []string{"node1.example.com:6379", "node2.example.com:6379"},
+					cfg.RedisConfig.ClusterConfig.Addrs)
+				assert.Empty(t, cfg.RedisConfig.Addr)
+				assert.Nil(t, cfg.RedisConfig.SentinelConfig)
+				assert.Equal(t, storage.AuthTypeACLUser, cfg.RedisConfig.AuthType)
+				require.NotNil(t, cfg.RedisConfig.ACLUserConfig)
+				assert.Equal(t, authrunner.RedisUsernameEnvVar, cfg.RedisConfig.ACLUserConfig.UsernameEnvVar)
+				assert.Equal(t, authrunner.RedisPasswordEnvVar, cfg.RedisConfig.ACLUserConfig.PasswordEnvVar)
+				assert.Equal(t, "thv:auth:{default:test-server}:", cfg.RedisConfig.KeyPrefix)
+			},
 		},
 		{
 			name: "Redis storage with standalone addr builds correctly",

cmd/thv-operator/pkg/controllerutil/authserver_test.go

@@ -318,8 +318,26 @@ spec:
                             description: |-
                               Addr is the Redis server address for standalone mode (e.g., "host:port").
                               Use for managed Redis services (GCP Memorystore, AWS ElastiCache) that present
-                              a single endpoint and manage HA internally. Mutually exclusive with sentinelConfig.
+                              a single endpoint and manage HA internally. Mutually exclusive with sentinelConfig and clusterConfig.
                             type: string
+                          clusterConfig:
+                            description: |-
+                              ClusterConfig holds Redis Cluster configuration.
+                              Use for managed Redis services that use the Redis Cluster protocol (e.g., GCP Memorystore Cluster,
+                              AWS ElastiCache Serverless). Mutually exclusive with addr and sentinelConfig.
+                            properties:
+                              addrs:
+                                description: |-
+                                  Addrs is the list of seed node host:port addresses for the Redis Cluster.
+                                  At least one address is required; go-redis discovers other nodes automatically.
+                                items:
+                                  type: string
+                                minItems: 1
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - addrs
+                            type: object
                           dialTimeout:
                             default: 5s
                             description: |-
@@ -337,7 +355,7 @@ spec:
                           sentinelConfig:
                             description: |-
                               SentinelConfig holds Redis Sentinel configuration.
-                              Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr.
+                              Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr and clusterConfig.
                             properties:
                               db:
                                 default: 0
@@ -442,9 +460,10 @@ spec:
                         - aclUserConfig
                         type: object
                         x-kubernetes-validations:
-                        - message: exactly one of addr (standalone) or sentinelConfig
-                            (Sentinel) must be set
-                          rule: (self.addr.size() > 0) != has(self.sentinelConfig)
+                        - message: exactly one of addr (standalone), sentinelConfig
+                            (Sentinel), or clusterConfig (Cluster) must be set
+                          rule: '(self.addr.size() > 0 ? 1 : 0) + (has(self.sentinelConfig)
+                            ? 1 : 0) + (has(self.clusterConfig) ? 1 : 0) == 1'
                       type:
                         default: memory
                         description: |-
@@ -1366,8 +1385,26 @@ spec:
                             description: |-
                               Addr is the Redis server address for standalone mode (e.g., "host:port").
                               Use for managed Redis services (GCP Memorystore, AWS ElastiCache) that present
-                              a single endpoint and manage HA internally. Mutually exclusive with sentinelConfig.
+                              a single endpoint and manage HA internally. Mutually exclusive with sentinelConfig and clusterConfig.
                             type: string
+                          clusterConfig:
+                            description: |-
+                              ClusterConfig holds Redis Cluster configuration.
+                              Use for managed Redis services that use the Redis Cluster protocol (e.g., GCP Memorystore Cluster,
+                              AWS ElastiCache Serverless). Mutually exclusive with addr and sentinelConfig.
+                            properties:
+                              addrs:
+                                description: |-
+                                  Addrs is the list of seed node host:port addresses for the Redis Cluster.
+                                  At least one address is required; go-redis discovers other nodes automatically.
+                                items:
+                                  type: string
+                                minItems: 1
+                                type: array
+                                x-kubernetes-list-type: atomic
+                            required:
+                            - addrs
+                            type: object
                           dialTimeout:
                             default: 5s
                             description: |-
@@ -1385,7 +1422,7 @@ spec:
                           sentinelConfig:
                             description: |-
                               SentinelConfig holds Redis Sentinel configuration.
-                              Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr.
+                              Use for self-managed Redis with Sentinel-based HA. Mutually exclusive with addr and clusterConfig.
                             properties:
                               db:
                                 default: 0
@@ -1490,9 +1527,10 @@ spec:
                         - aclUserConfig
                         type: object
                         x-kubernetes-validations:
-                        - message: exactly one of addr (standalone) or sentinelConfig
-                            (Sentinel) must be set
-                          rule: (self.addr.size() > 0) != has(self.sentinelConfig)
+                        - message: exactly one of addr (standalone), sentinelConfig
+                            (Sentinel), or clusterConfig (Cluster) must be set
+                          rule: '(self.addr.size() > 0 ? 1 : 0) + (has(self.sentinelConfig)
+                            ? 1 : 0) + (has(self.clusterConfig) ? 1 : 0) == 1'
                       type:
                         default: memory
                         description: |-