Translate identityFromToken from CRD to runtime config
Description
Phase 4 of the Snowflake / identityFromToken story (#5150). Wire the
new CRD field through the operator-side run-config so the embedded
auth server actually receives it. Mirrors the existing
tokenResponseMapping plumbing exactly. Without this, the CRD field
exists and the provider integration honours it, but no real cluster
deployment can connect the two ends.
Context
The CRD field added in #5155 lives on the v1beta1
OAuth2UpstreamConfig. The runtime field consumed by the OAuth2
upstream provider in #5156 lives on pkg/authserver/upstream's
OAuth2Config. Two translation points carry it through:
cmd/thv-operator/pkg/controllerutil/'s auth-server config builder
takes the v1beta1 type and produces a pkg/authserver run-config.
pkg/authserver/runner/'s embedded-auth-server bootstrapper takes
that run-config and produces the runtime pkg/authserver/upstream
config the provider consumes.
Both translations are mechanical mirrors of the existing
tokenResponseMapping translation — no validation logic in the
runner; that is owned by the CRD admission validator and the
OAuth2Config.Validate() method.
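The two mechanical hops described above, as an added example that is not ToolHive code. The issue does not name the three identityFromToken paths or the Go field names, so every type, field and function below is an assumed placeholder that only mirrors the described shape: a pointer-valued block with three string paths, copied unchanged from the v1beta1 type to the run-config and from the run-config to the runtime config, with no validation on either hop.

```go
package main

import "fmt"

// Added example, not ToolHive code. All type and field names are assumed
// placeholders; the issue only says the block carries three paths and that
// the nil case must be handled.

// CRDIdentityFromToken stands in for the sub-block on the v1beta1
// OAuth2UpstreamConfig (assumed field names).
type CRDIdentityFromToken struct {
	SubjectPath string
	NamePath    string
	EmailPath   string
}

// CRDOAuth2Upstream stands in for the v1beta1 OAuth2UpstreamConfig.
type CRDOAuth2Upstream struct {
	IdentityFromToken *CRDIdentityFromToken
}

// RunConfigIdentityFromToken mirrors the block on the pkg/authserver run-config.
type RunConfigIdentityFromToken struct {
	SubjectPath string
	NamePath    string
	EmailPath   string
}

type RunConfigOAuth2Upstream struct {
	IdentityFromToken *RunConfigIdentityFromToken
}

// RuntimeIdentityFromToken mirrors the block on the pkg/authserver/upstream
// OAuth2Config that the provider consumes.
type RuntimeIdentityFromToken struct {
	SubjectPath string
	NamePath    string
	EmailPath   string
}

type RuntimeOAuth2Config struct {
	IdentityFromToken *RuntimeIdentityFromToken
}

// crdToRunConfig is the operator-side hop (the controllerutil builder in the
// issue). A nil block stays nil: materialising an empty non-nil block would
// tell the provider the feature is configured with empty paths, and checking
// the paths themselves is left to the admission validator and Validate().
func crdToRunConfig(in *CRDOAuth2Upstream) *RunConfigOAuth2Upstream {
	out := &RunConfigOAuth2Upstream{}
	if in == nil || in.IdentityFromToken == nil {
		return out
	}
	src := in.IdentityFromToken
	out.IdentityFromToken = &RunConfigIdentityFromToken{
		SubjectPath: src.SubjectPath,
		NamePath:    src.NamePath,
		EmailPath:   src.EmailPath,
	}
	return out
}

// runConfigToRuntime is the runner-side hop (pkg/authserver/runner in the
// issue): again a verbatim copy into a fresh struct, nil preserved.
func runConfigToRuntime(in *RunConfigOAuth2Upstream) *RuntimeOAuth2Config {
	out := &RuntimeOAuth2Config{}
	if in == nil || in.IdentityFromToken == nil {
		return out
	}
	src := in.IdentityFromToken
	out.IdentityFromToken = &RuntimeIdentityFromToken{
		SubjectPath: src.SubjectPath,
		NamePath:    src.NamePath,
		EmailPath:   src.EmailPath,
	}
	return out
}

// translateEndToEnd chains both hops, which is what a cluster deployment
// exercises: CRD -> run-config -> runtime config.
func translateEndToEnd(crd *CRDOAuth2Upstream) *RuntimeOAuth2Config {
	return runConfigToRuntime(crdToRunConfig(crd))
}

func main() {
	// Constructed sample input: all three paths set.
	full := &CRDOAuth2Upstream{IdentityFromToken: &CRDIdentityFromToken{
		SubjectPath: "sub", NamePath: "name", EmailPath: "email",
	}}
	fmt.Printf("all paths: %+v\n", *translateEndToEnd(full).IdentityFromToken)

	// Nil case: the block is absent on the CRD and must stay absent.
	fmt.Printf("nil case stays nil: %v\n", translateEndToEnd(&CRDOAuth2Upstream{}).IdentityFromToken == nil)
}
```

Each hop copies into a fresh struct rather than sharing the pointer, so a later mutation of the CRD object (for example by the operator reconciling a new revision) cannot silently change the identity mapping the running auth server uses.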
Dependencies: #5155 (CRD type), #5156 (runtime config mirror).
Blocks: nothing in the implementation chain — but a real cluster
deployment cannot honour identityFromToken until both translation
points are in place.
Acceptance Criteria
- The operator-side config builder carries the identityFromToken block (with all three paths) into the authserver run-config.
- The runner carries it on into the pkg/authserver/upstream provider config (… pointers).
- Tests cover the all-three-paths case and the nil case.
- task lint-fix and task test pass.
Out of Scope
Validation, which is owned by the CRD admission validator (Add identityFromToken to MCPExternalAuthConfig CRD #5155) and the runtime Validate() (Wire identityFromToken into the OAuth2 upstream provider #5156).