Skip to content

Commit c14aa3e

Browse files
ChrisJBurnsclaude
authored andcommitted
Fix CRD field issues in vMCP and K8s quickstart docs (#720)
- MCPServer.spec.groupRef must be an object {name: ...}, not a string - Replace inline oidcConfig with oidcConfigRef and MCPOIDCConfig resource - Move resourceUrl to oidcConfigRef (per-server, not per-provider) - Update K8s quickstart mcpservers expected output (new READY/REPLICAS columns, /mcp URL path) - Update health endpoint expected response from OK to JSON Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
1 parent ea90bfe commit c14aa3e

4 files changed

Lines changed: 46 additions & 28 deletions

File tree

docs/toolhive/guides-k8s/quickstart.mdx

Lines changed: 4 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -171,8 +171,8 @@ kubectl get mcpservers -n toolhive-system
171171
You should see:
172172

173173
```text
174-
NAME STATUS URL AGE
175-
fetch Ready http://mcp-fetch-proxy.toolhive-system.svc.cluster.local:8080 30s
174+
NAME STATUS READY REPLICAS URL AGE
175+
fetch Ready True 1 http://mcp-fetch-proxy.toolhive-system.svc.cluster.local:8080/mcp 30s
176176
```
177177

178178
If the status is "Pending", wait a few moments and check again. If it remains
@@ -196,10 +196,10 @@ kubectl port-forward service/mcp-fetch-proxy -n toolhive-system 8080:8080
196196
In another terminal, test the server:
197197

198198
```bash
199-
curl http://localhost:8080/health
199+
curl -s http://localhost:8080/health | jq .status
200200
```
201201

202-
You should see a response of `OK`.
202+
You should see a response of `"healthy"`.
203203

204204
This confirms your MCP server is running and responding correctly.
205205

docs/toolhive/guides-vmcp/authentication.mdx

Lines changed: 29 additions & 19 deletions
Original file line numberDiff line numberDiff line change
@@ -427,26 +427,22 @@ at `authed_user.access_token`). Add a `tokenResponseMapping` block to the
427427
### Incoming auth with the embedded auth server
428428

429429
When using the embedded auth server, configure `incomingAuth` to validate the
430-
JWTs it issues. The `issuer` must match `authServerConfig.issuer`. Note that
430+
JWTs it issues. Create an `MCPOIDCConfig` resource whose `issuer` matches
431+
`authServerConfig.issuer`, then reference it with `oidcConfigRef`. Note that
431432
`jwksAllowPrivateIP: true` is no longer needed when using the embedded auth
432433
server because JWKS retrieval is done in-process.
433434

434435
```yaml title="VirtualMCPServer resource"
435436
spec:
436437
incomingAuth:
437438
type: oidc
438-
resourceUrl: https://mcp.example.com/mcp
439-
oidcConfig:
440-
type: inline
441-
inline:
442-
issuer: https://auth.example.com
443-
audience: https://mcp.example.com/mcp
439+
# highlight-start
440+
oidcConfigRef:
441+
name: my-oidc-config
442+
audience: https://mcp.example.com/mcp
443+
# highlight-end
444444
```
445445

446-
The `resourceUrl` is the externally reachable URL of the MCP endpoint. MCP
447-
clients use this for [RFC 9728](https://datatracker.ietf.org/doc/html/rfc9728)
448-
protected resource metadata discovery to find the authorization server.
449-
450446
### Session storage
451447

452448
By default, upstream tokens are stored in memory and lost on pod restart. For
@@ -468,7 +464,7 @@ provider credentials following the steps in
468464
You need: `auth-signing-key`, `auth-hmac-key`, `github-client-secret`, and
469465
`google-client-secret`.
470466

471-
**Step 1:** Create an MCPGroup and deploy the backend MCP server:
467+
**Step 1:** Create an MCPGroup, OIDC config, and deploy the backend MCP server:
472468

473469
```yaml title="backends.yaml"
474470
apiVersion: toolhive.stacklok.dev/v1alpha1
@@ -477,6 +473,18 @@ metadata:
477473
name: my-backends
478474
namespace: toolhive-system
479475
---
476+
# highlight-start
477+
apiVersion: toolhive.stacklok.dev/v1alpha1
478+
kind: MCPOIDCConfig
479+
metadata:
480+
name: my-oidc-config
481+
namespace: toolhive-system
482+
spec:
483+
type: inline
484+
inline:
485+
issuer: https://auth.example.com
486+
# highlight-end
487+
---
480488
apiVersion: toolhive.stacklok.dev/v1alpha1
481489
kind: MCPServer
482490
metadata:
@@ -485,7 +493,10 @@ metadata:
485493
spec:
486494
image: ghcr.io/github/github-mcp-server
487495
transport: streamable-http
488-
groupRef: my-backends
496+
# highlight-start
497+
groupRef:
498+
name: my-backends
499+
# highlight-end
489500
```
490501

491502
**Step 2:** Create the upstream token injection config:
@@ -567,12 +578,11 @@ spec:
567578
# highlight-end
568579
incomingAuth:
569580
type: oidc
570-
resourceUrl: https://mcp.example.com/mcp
571-
oidcConfig:
572-
type: inline
573-
inline:
574-
issuer: https://auth.example.com
575-
audience: https://mcp.example.com/mcp
581+
# highlight-start
582+
oidcConfigRef:
583+
name: my-oidc-config
584+
audience: https://mcp.example.com/mcp
585+
# highlight-end
576586
outgoingAuth:
577587
source: inline
578588
backends:

docs/toolhive/guides-vmcp/quickstart.mdx

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -58,7 +58,7 @@ kubectl get mcpgroups -n toolhive-system
5858
Deploy two MCP servers that will be aggregated. Both reference the `demo-tools`
5959
group in the `groupRef` field:
6060

61-
```yaml {11,30} title="mcpservers.yaml"
61+
```yaml title="mcpservers.yaml"
6262
apiVersion: toolhive.stacklok.dev/v1alpha1
6363
kind: MCPServer
6464
metadata:
@@ -69,7 +69,10 @@ spec:
6969
transport: streamable-http
7070
proxyPort: 8080
7171
mcpPort: 8080
72-
groupRef: demo-tools
72+
# highlight-start
73+
groupRef:
74+
name: demo-tools
75+
# highlight-end
7376
resources:
7477
limits:
7578
cpu: '100m'
@@ -88,7 +91,10 @@ spec:
8891
transport: streamable-http
8992
proxyPort: 8080
9093
mcpPort: 8080
91-
groupRef: demo-tools
94+
# highlight-start
95+
groupRef:
96+
name: demo-tools
97+
# highlight-end
9298
resources:
9399
limits:
94100
cpu: '100m'

docs/toolhive/guides-vmcp/tool-aggregation.mdx

Lines changed: 4 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -236,7 +236,8 @@ spec:
236236
transport: streamable-http
237237
proxyPort: 8080
238238
mcpPort: 8080
239-
groupRef: demo-tools
239+
groupRef:
240+
name: demo-tools
240241
---
241242
# Second backend: osv server
242243
apiVersion: toolhive.stacklok.dev/v1alpha1
@@ -249,7 +250,8 @@ spec:
249250
transport: streamable-http
250251
proxyPort: 8080
251252
mcpPort: 8080
252-
groupRef: demo-tools
253+
groupRef:
254+
name: demo-tools
253255
---
254256
# VirtualMCPServer aggregating both backends
255257
apiVersion: toolhive.stacklok.dev/v1alpha1

0 commit comments

Comments
 (0)