moved onto config.Config as spec.config.rateLimiting

Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>

Author: Sanskarzz

cmd/thv-operator/api/v1beta1/mcpserver_types_test.go

@@ -11,6 +11,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+
+	vmcpconfig "github.com/stacklok/toolhive/pkg/vmcp/config"
 )
 
 func TestSessionStorageConfigJSONRoundtrip(t *testing.T) {
@@ -126,18 +128,20 @@ func TestVirtualMCPServerSpecRateLimitingJSONRoundtrip(t *testing.T) {
 			Provider: "redis",
 			Address:  "redis.default.svc.cluster.local:6379",
 		},
-		RateLimiting: &RateLimitConfig{
-			Shared: &RateLimitBucket{MaxTokens: 10, RefillPeriod: metav1.Duration{Duration: time.Minute}},
-			PerUser: &RateLimitBucket{
-				MaxTokens:    2,
-				RefillPeriod: metav1.Duration{Duration: time.Minute},
-			},
-			Tools: []ToolRateLimitConfig{
-				{
-					Name: "backend_a_echo",
-					Shared: &RateLimitBucket{
-						MaxTokens:    5,
-						RefillPeriod: metav1.Duration{Duration: 30 * time.Second},
+		Config: vmcpconfig.Config{
+			RateLimiting: &vmcpconfig.RateLimitConfig{
+				Shared: &vmcpconfig.RateLimitBucket{MaxTokens: 10, RefillPeriod: metav1.Duration{Duration: time.Minute}},
+				PerUser: &vmcpconfig.RateLimitBucket{
+					MaxTokens:    2,
+					RefillPeriod: metav1.Duration{Duration: time.Minute},
+				},
+				Tools: []vmcpconfig.ToolRateLimitConfig{
+					{
+						Name: "backend_a_echo",
+						Shared: &vmcpconfig.RateLimitBucket{
+							MaxTokens:    5,
+							RefillPeriod: metav1.Duration{Duration: 30 * time.Second},
+						},
 					},
 				},
 			},
@@ -151,7 +155,7 @@ func TestVirtualMCPServerSpecRateLimitingJSONRoundtrip(t *testing.T) {
 	assert.Contains(t, out, `"shared"`)
 	assert.Contains(t, out, `"perUser"`)
 	assert.Contains(t, out, `"backend_a_echo"`)
-	assert.NotContains(t, out, `"config":{"rateLimiting"`)
+	assert.Contains(t, out, `"config":{"rateLimiting"`)
 }
 
 func TestMCPServerSpecScalingFieldsJSONRoundtrip(t *testing.T) {

cmd/thv-operator/api/v1beta1/virtualmcpserver_types.go

@@ -16,9 +16,9 @@ import (
 
 // VirtualMCPServerSpec defines the desired state of VirtualMCPServer
 //
-// +kubebuilder:validation:XValidation:rule="!has(self.rateLimiting) || (has(self.sessionStorage) && self.sessionStorage.provider == 'redis')",message="rateLimiting requires sessionStorage with provider 'redis'"
-// +kubebuilder:validation:XValidation:rule="!(has(self.rateLimiting) && has(self.rateLimiting.perUser)) || (has(self.incomingAuth) && self.incomingAuth.type == 'oidc')",message="rateLimiting.perUser requires incomingAuth.type oidc"
-// +kubebuilder:validation:XValidation:rule="!has(self.rateLimiting) || !has(self.rateLimiting.tools) || self.rateLimiting.tools.all(t, !has(t.perUser)) || (has(self.incomingAuth) && self.incomingAuth.type == 'oidc')",message="per-tool perUser rate limiting requires incomingAuth.type oidc"
+// +kubebuilder:validation:XValidation:rule="!has(self.config) || !has(self.config.rateLimiting) || (has(self.sessionStorage) && self.sessionStorage.provider == 'redis')",message="config.rateLimiting requires sessionStorage with provider 'redis'"
+// +kubebuilder:validation:XValidation:rule="!(has(self.config) && has(self.config.rateLimiting) && has(self.config.rateLimiting.perUser)) || (has(self.incomingAuth) && self.incomingAuth.type == 'oidc')",message="config.rateLimiting.perUser requires incomingAuth.type oidc"
+// +kubebuilder:validation:XValidation:rule="!has(self.config) || !has(self.config.rateLimiting) || !has(self.config.rateLimiting.tools) || self.config.rateLimiting.tools.all(t, !has(t.perUser)) || (has(self.incomingAuth) && self.incomingAuth.type == 'oidc')",message="per-tool perUser rate limiting requires incomingAuth.type oidc"
 //
 //nolint:lll // CEL validation rules exceed line length limit
 type VirtualMCPServerSpec struct {
@@ -147,11 +147,6 @@ type VirtualMCPServerSpec struct {
 	// +listType=atomic
 	// +optional
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
-
-	// RateLimiting defines rate limiting configuration for the Virtual MCP server.
-	// Requires Redis session storage to be configured for distributed rate limiting.
-	// +optional
-	RateLimiting *RateLimitConfig `json:"rateLimiting,omitempty"`
 }
 
 // EmbeddingServerRef references an existing EmbeddingServer resource by name.

cmd/thv-operator/api/v1beta1/zz_generated.deepcopy.go

@@ -1601,6 +1601,51 @@ func TestConverter_SessionStorage(t *testing.T) {
 	}
 }
 
+func TestConverter_RateLimitingPassThrough(t *testing.T) {
+	t.Parallel()
+
+	vmcpServer := &mcpv1beta1.VirtualMCPServer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-vmcp",
+			Namespace: "default",
+		},
+		Spec: mcpv1beta1.VirtualMCPServerSpec{
+			GroupRef: &mcpv1beta1.MCPGroupRef{Name: "test-group"},
+			Config: vmcpconfig.Config{
+				RateLimiting: &vmcpconfig.RateLimitConfig{
+					PerUser: &vmcpconfig.RateLimitBucket{
+						MaxTokens:    2,
+						RefillPeriod: metav1.Duration{Duration: time.Minute},
+					},
+					Tools: []vmcpconfig.ToolRateLimitConfig{
+						{
+							Name: "backend_a_echo",
+							Shared: &vmcpconfig.RateLimitBucket{
+								MaxTokens:    5,
+								RefillPeriod: metav1.Duration{Duration: 30 * time.Second},
+							},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	converter := newTestConverter(t, newNoOpMockResolver(t))
+	ctx := log.IntoContext(context.Background(), logr.Discard())
+
+	config, _, err := converter.Convert(ctx, vmcpServer, nil)
+	require.NoError(t, err)
+	require.NotNil(t, config)
+	require.NotNil(t, config.RateLimiting)
+
+	assert.EqualValues(t, 2, config.RateLimiting.PerUser.MaxTokens)
+	require.Len(t, config.RateLimiting.Tools, 1)
+	assert.Equal(t, "backend_a_echo", config.RateLimiting.Tools[0].Name)
+	require.NotNil(t, config.RateLimiting.Tools[0].Shared)
+	assert.EqualValues(t, 5, config.RateLimiting.Tools[0].Shared.MaxTokens)
+}
+
 func TestDeriveAllowedAudiences(t *testing.T) {
 	t.Parallel()
 

cmd/thv-operator/pkg/vmcpconfig/converter_test.go

@@ -112,33 +112,33 @@ var _ = Describe("CEL Validation for SessionStorageConfig on VirtualMCPServer",
 		Context("rateLimiting", func() {
 			It("should reject rate limiting without redis session storage", func() {
 				vmcp := newVirtualMCPServerWithSessionStorage("vmcp-rl-no-redis", nil)
-				vmcp.Spec.RateLimiting = &mcpv1beta1.RateLimitConfig{
-					Shared: &mcpv1beta1.RateLimitBucket{
+				vmcp.Spec.Config.RateLimiting = &vmcpconfig.RateLimitConfig{
+					Shared: &vmcpconfig.RateLimitBucket{
 						MaxTokens:    1,
 						RefillPeriod: metav1.Duration{Duration: time.Minute},
 					},
 				}
 
 				err := k8sClient.Create(ctx, vmcp)
 				Expect(err).To(HaveOccurred())
-				Expect(err.Error()).To(ContainSubstring("rateLimiting requires sessionStorage with provider 'redis'"))
+				Expect(err.Error()).To(ContainSubstring("config.rateLimiting requires sessionStorage with provider 'redis'"))
 			})
 
 			It("should reject perUser rate limiting with anonymous auth", func() {
 				vmcp := newVirtualMCPServerWithSessionStorage("vmcp-rl-peruser-anon", &mcpv1beta1.SessionStorageConfig{
 					Provider: "redis",
 					Address:  "redis:6379",
 				})
-				vmcp.Spec.RateLimiting = &mcpv1beta1.RateLimitConfig{
-					PerUser: &mcpv1beta1.RateLimitBucket{
+				vmcp.Spec.Config.RateLimiting = &vmcpconfig.RateLimitConfig{
+					PerUser: &vmcpconfig.RateLimitBucket{
 						MaxTokens:    1,
 						RefillPeriod: metav1.Duration{Duration: time.Minute},
 					},
 				}
 
 				err := k8sClient.Create(ctx, vmcp)
 				Expect(err).To(HaveOccurred())
-				Expect(err.Error()).To(ContainSubstring("rateLimiting.perUser requires incomingAuth.type oidc"))
+				Expect(err.Error()).To(ContainSubstring("config.rateLimiting.perUser requires incomingAuth.type oidc"))
 			})
 
 			It("should accept perUser rate limiting with oidc auth and redis session storage", func() {
@@ -153,8 +153,8 @@ var _ = Describe("CEL Validation for SessionStorageConfig on VirtualMCPServer",
 						Audience: "test-audience",
 					},
 				}
-				vmcp.Spec.RateLimiting = &mcpv1beta1.RateLimitConfig{
-					PerUser: &mcpv1beta1.RateLimitBucket{
+				vmcp.Spec.Config.RateLimiting = &vmcpconfig.RateLimitConfig{
+					PerUser: &vmcpconfig.RateLimitBucket{
 						MaxTokens:    1,
 						RefillPeriod: metav1.Duration{Duration: time.Minute},
 					},