Add SecretKeyRef support to InlineOIDCConfig for enhanced secret management (#2324)

* Add SecretKeyRef support to InlineOIDCConfig for enhanced secret management

Add Kubernetes-native secret reference support to InlineOIDCConfig,
following the pattern established by MCPExternalAuthConfig. This enables
secure OIDC client secret management without exposing secrets in YAML
manifests or ConfigMaps.

Changes:
- Add ClientSecretRef field to InlineOIDCConfig CRD type
- Deprecate plaintext ClientSecret field (backward compatible)
- Update OIDC resolver to skip embedding secrets when using SecretKeyRef
- Create GenerateOIDCClientSecretEnvVar function for secret validation
- Integrate secret injection in MCPServer and MCPRemoteProxy controllers
- Update token validator to load secrets from TOOLHIVE_OIDC_CLIENT_SECRET
- Bump CRD chart version from 0.0.43 to 0.0.44
- Update architecture documentation and add example manifests

Security benefits:
- Secrets managed via Kubernetes RBAC
- Integration with external secret operators (Vault, AWS Secrets Manager)
- Secrets not exposed in YAML manifests or Git history
- Consistent pattern across all ToolHive secret management

Resolves: #2321

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Bump operator chart version to 0.3.2 for CRD compatibility

The operator chart version needs to be bumped when CRDs are updated to ensure
compatibility during Helm chart testing.

This fixes the Helm chart test failure where the operator pod was crashing
due to CRD version mismatch.

* Add comprehensive tests for OIDC ClientSecretRef functionality

Add unit tests to verify:
- GenerateOIDCClientSecretEnvVar function with various scenarios
- OIDC resolver behavior with ClientSecretRef
- Precedence when both ClientSecret and ClientSecretRef are provided
- Backward compatibility with existing ClientSecret field

All tests pass successfully.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* adds an order to chart installation

Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>

* covnerges lint and install to same step

Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>

* separtes lint

Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>

* cannot have `all` and `charts` together

Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>

* removes operator bump because its not needed yet

Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>

---------

Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>

Author: 3 people

cmd/thv-operator/api/v1alpha1/mcpserver_types.go

@@ -465,9 +465,15 @@ type InlineOIDCConfig struct {
 	ClientID string `json:"clientId,omitempty"`
 
 	// ClientSecret is the client secret for introspection (optional)
+	// Deprecated: Use ClientSecretRef instead for better security
 	// +optional
 	ClientSecret string `json:"clientSecret,omitempty"`
 
+	// ClientSecretRef is a reference to a Kubernetes Secret containing the client secret
+	// If both ClientSecret and ClientSecretRef are provided, ClientSecretRef takes precedence
+	// +optional
+	ClientSecretRef *SecretKeyRef `json:"clientSecretRef,omitempty"`
+
 	// ThvCABundlePath is the path to CA certificate bundle file for HTTPS requests
 	// The file must be mounted into the pod (e.g., via ConfigMap or Secret volume)
 	// +optional

cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go

@@ -151,6 +151,19 @@ func (r *MCPRemoteProxyReconciler) buildEnvVarsForProxy(
 		}
 	}
 
+	// Add OIDC client secret environment variable if using inline config with secretRef
+	if proxy.Spec.OIDCConfig.Type == "inline" && proxy.Spec.OIDCConfig.Inline != nil {
+		oidcClientSecretEnvVar, err := ctrlutil.GenerateOIDCClientSecretEnvVar(
+			ctx, r.Client, proxy.Namespace, proxy.Spec.OIDCConfig.Inline.ClientSecretRef,
+		)
+		if err != nil {
+			ctxLogger := log.FromContext(ctx)
+			ctxLogger.Error(err, "Failed to generate OIDC client secret environment variable")
+		} else if oidcClientSecretEnvVar != nil {
+			env = append(env, *oidcClientSecretEnvVar)
+		}
+	}
+
 	// Add user-specified environment variables
 	if proxy.Spec.ResourceOverrides != nil && proxy.Spec.ResourceOverrides.ProxyDeployment != nil {
 		for _, envVar := range proxy.Spec.ResourceOverrides.ProxyDeployment.Env {

cmd/thv-operator/controllers/mcpremoteproxy_deployment.go

@@ -986,6 +986,19 @@ func (r *MCPServerReconciler) deploymentForMCPServer(
 		}
 	}
 
+	// Add OIDC client secret environment variable if using inline config with secretRef
+	if m.Spec.OIDCConfig != nil && m.Spec.OIDCConfig.Inline != nil {
+		oidcClientSecretEnvVar, err := ctrlutil.GenerateOIDCClientSecretEnvVar(
+			ctx, r.Client, m.Namespace, m.Spec.OIDCConfig.Inline.ClientSecretRef,
+		)
+		if err != nil {
+			ctxLogger := log.FromContext(ctx)
+			ctxLogger.Error(err, "Failed to generate OIDC client secret environment variable")
+		} else if oidcClientSecretEnvVar != nil {
+			env = append(env, *oidcClientSecretEnvVar)
+		}
+	}
+
 	// Add user-specified proxy environment variables from ResourceOverrides
 	if m.Spec.ResourceOverrides != nil && m.Spec.ResourceOverrides.ProxyDeployment != nil {
 		for _, envVar := range m.Spec.ResourceOverrides.ProxyDeployment.Env {
@@ -1442,6 +1455,20 @@ func (r *MCPServerReconciler) deploymentNeedsUpdate(
 			expectedProxyEnv = append(expectedProxyEnv, tokenExchangeEnvVars...)
 		}
 
+		// Add OIDC client secret environment variable if using inline config with secretRef
+		if mcpServer.Spec.OIDCConfig != nil && mcpServer.Spec.OIDCConfig.Inline != nil {
+			oidcClientSecretEnvVar, err := ctrlutil.GenerateOIDCClientSecretEnvVar(
+				ctx, r.Client, mcpServer.Namespace, mcpServer.Spec.OIDCConfig.Inline.ClientSecretRef,
+			)
+			if err != nil {
+				// If we can't generate env var, consider the deployment needs update
+				return true
+			}
+			if oidcClientSecretEnvVar != nil {
+				expectedProxyEnv = append(expectedProxyEnv, *oidcClientSecretEnvVar)
+			}
+		}
+
 		// Add user-specified environment variables
 		if mcpServer.Spec.ResourceOverrides != nil && mcpServer.Spec.ResourceOverrides.ProxyDeployment != nil {
 			for _, envVar := range mcpServer.Spec.ResourceOverrides.ProxyDeployment.Env {

cmd/thv-operator/controllers/mcpserver_controller.go

@@ -4,8 +4,11 @@ import (
 	"context"
 	"fmt"
 
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
+	mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
 	"github.com/stacklok/toolhive/cmd/thv-operator/pkg/oidc"
 	"github.com/stacklok/toolhive/pkg/runner"
 )
@@ -45,3 +48,46 @@ func AddOIDCConfigOptions(
 
 	return nil
 }
+
+// GenerateOIDCClientSecretEnvVar generates environment variable for OIDC client secret
+// when using a SecretKeyRef.
+// Returns nil if clientSecretRef is nil.
+func GenerateOIDCClientSecretEnvVar(
+	ctx context.Context,
+	c client.Client,
+	namespace string,
+	clientSecretRef *mcpv1alpha1.SecretKeyRef,
+) (*corev1.EnvVar, error) {
+	if clientSecretRef == nil {
+		return nil, nil
+	}
+
+	// Validate that the referenced secret exists
+	var secret corev1.Secret
+	if err := c.Get(ctx, types.NamespacedName{
+		Namespace: namespace,
+		Name:      clientSecretRef.Name,
+	}, &secret); err != nil {
+		return nil, fmt.Errorf("failed to get OIDC client secret %s/%s: %w",
+			namespace, clientSecretRef.Name, err)
+	}
+
+	// Validate that the key exists in the secret
+	if _, ok := secret.Data[clientSecretRef.Key]; !ok {
+		return nil, fmt.Errorf("OIDC client secret %s/%s is missing key %q",
+			namespace, clientSecretRef.Name, clientSecretRef.Key)
+	}
+
+	// Return environment variable with secret reference
+	return &corev1.EnvVar{
+		Name: "TOOLHIVE_OIDC_CLIENT_SECRET",
+		ValueFrom: &corev1.EnvVarSource{
+			SecretKeyRef: &corev1.SecretKeySelector{
+				LocalObjectReference: corev1.LocalObjectReference{
+					Name: clientSecretRef.Name,
+				},
+				Key: clientSecretRef.Key,
+			},
+		},
+	}, nil
+}

cmd/thv-operator/pkg/controllerutil/oidc.go

@@ -0,0 +1,130 @@
+package controllerutil
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
+)
+
+func TestGenerateOIDCClientSecretEnvVar(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name            string
+		clientSecretRef *mcpv1alpha1.SecretKeyRef
+		secret          *corev1.Secret
+		expectError     bool
+		errContains     string
+		validate        func(*testing.T, *corev1.EnvVar)
+	}{
+		{
+			name:            "nil client secret ref returns nil",
+			clientSecretRef: nil,
+			expectError:     false,
+			validate: func(t *testing.T, envVar *corev1.EnvVar) {
+				t.Helper()
+				assert.Nil(t, envVar)
+			},
+		},
+		{
+			name: "valid secret ref generates env var",
+			clientSecretRef: &mcpv1alpha1.SecretKeyRef{
+				Name: "oidc-secret",
+				Key:  "client-secret",
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "oidc-secret",
+					Namespace: "default",
+				},
+				Data: map[string][]byte{
+					"client-secret": []byte("secret-value"),
+				},
+			},
+			expectError: false,
+			validate: func(t *testing.T, envVar *corev1.EnvVar) {
+				t.Helper()
+				require.NotNil(t, envVar)
+				assert.Equal(t, "TOOLHIVE_OIDC_CLIENT_SECRET", envVar.Name)
+				require.NotNil(t, envVar.ValueFrom)
+				require.NotNil(t, envVar.ValueFrom.SecretKeyRef)
+				assert.Equal(t, "oidc-secret", envVar.ValueFrom.SecretKeyRef.Name)
+				assert.Equal(t, "client-secret", envVar.ValueFrom.SecretKeyRef.Key)
+			},
+		},
+		{
+			name: "missing secret returns error",
+			clientSecretRef: &mcpv1alpha1.SecretKeyRef{
+				Name: "missing-secret",
+				Key:  "client-secret",
+			},
+			expectError: true,
+			errContains: "failed to get OIDC client secret",
+		},
+		{
+			name: "missing key in secret returns error",
+			clientSecretRef: &mcpv1alpha1.SecretKeyRef{
+				Name: "oidc-secret",
+				Key:  "wrong-key",
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "oidc-secret",
+					Namespace: "default",
+				},
+				Data: map[string][]byte{
+					"client-secret": []byte("secret-value"),
+				},
+			},
+			expectError: true,
+			errContains: "is missing key",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			scheme := runtime.NewScheme()
+			err := corev1.AddToScheme(scheme)
+			require.NoError(t, err)
+			err = mcpv1alpha1.AddToScheme(scheme)
+			require.NoError(t, err)
+
+			var fakeClient *fake.ClientBuilder
+			if tt.secret != nil {
+				fakeClient = fake.NewClientBuilder().WithScheme(scheme).WithObjects(tt.secret)
+			} else {
+				fakeClient = fake.NewClientBuilder().WithScheme(scheme)
+			}
+
+			ctx := context.TODO()
+			envVar, err := GenerateOIDCClientSecretEnvVar(
+				ctx,
+				fakeClient.Build(),
+				"default",
+				tt.clientSecretRef,
+			)
+
+			if tt.expectError {
+				assert.Error(t, err)
+				if tt.errContains != "" {
+					assert.Contains(t, err.Error(), tt.errContains)
+				}
+			} else {
+				assert.NoError(t, err)
+				if tt.validate != nil {
+					tt.validate(t, envVar)
+				}
+			}
+		})
+	}
+}

cmd/thv-operator/pkg/controllerutil/oidc_test.go

@@ -204,13 +204,20 @@ func (*resolver) resolveInlineConfig(
 		return nil, nil
 	}
 
+	// Don't embed ClientSecret in the config if ClientSecretRef is set
+	// The secret will be injected via environment variable instead
+	clientSecret := config.ClientSecret
+	if config.ClientSecretRef != nil {
+		clientSecret = ""
+	}
+
 	return &OIDCConfig{
 		Issuer:             config.Issuer,
 		Audience:           config.Audience,
 		JWKSURL:            config.JWKSURL,
 		IntrospectionURL:   config.IntrospectionURL,
 		ClientID:           config.ClientID,
-		ClientSecret:       config.ClientSecret,
+		ClientSecret:       clientSecret,
 		ThvCABundlePath:    config.ThvCABundlePath,
 		JWKSAuthTokenPath:  config.JWKSAuthTokenPath,
 		ResourceURL:        resourceURL,