add option to skip Virtual MCP CRDs and controllers installation

Author: amirejaz

.github/workflows/operator-ci.yml

@@ -95,7 +95,7 @@ jobs:
       - name: Check for changes
         id: git-check
         run: |
-          git diff --exit-code deploy/charts/operator-crds/crds || echo "crd-changes=true" >> $GITHUB_OUTPUT
+          git diff --exit-code deploy/charts/operator-crds/crd-files || echo "crd-changes=true" >> $GITHUB_OUTPUT
           git diff --exit-code deploy/charts/operator/templates || echo "operator-changes=true" >> $GITHUB_OUTPUT
 
       - name: Fail if CRDs are not up to date

.github/workflows/test-helm-charts.yml

@@ -34,5 +34,13 @@ jobs:
       - name: Create KIND Cluster
         uses: helm/kind-action@92086f6be054225fa813e0a4b13787fc9088faab # v1.13.0
 
+      - name: Cleanup stale cluster-scoped RBAC before CT install
+        run: |
+          echo "Deleting stale cluster-scoped RBAC to avoid Helm ownership conflicts..."
+          kubectl delete clusterrole toolhive-operator-manager-role --ignore-not-found=true
+          kubectl delete clusterrole toolhive-registry-api-role --ignore-not-found=true
+          kubectl delete clusterrolebinding toolhive-operator-manager-rolebinding --ignore-not-found=true
+          kubectl delete clusterrolebinding toolhive-registry-api-rolebinding --ignore-not-found=true
+
       - name: Run chart-testing (install)
         run: ct install --config ct-install.yaml

cmd/thv-operator/Taskfile.yml

@@ -184,7 +184,7 @@ tasks:
         platforms: [windows]
         ignore_error: true   # Windows has no mkdir -p, so just ignore error if it exists
       - go install sigs.k8s.io/controller-tools/cmd/[email protected]
-      - $(go env GOPATH)/bin/controller-gen crd webhook paths="./cmd/thv-operator/..." output:crd:artifacts:config=deploy/charts/operator-crds/crds
+      - $(go env GOPATH)/bin/controller-gen crd webhook paths="./cmd/thv-operator/..." output:crd:artifacts:config=deploy/charts/operator-crds/crd-files
       - $(go env GOPATH)/bin/controller-gen rbac:roleName=toolhive-operator-manager-role paths="./cmd/thv-operator/..." output:rbac:artifacts:config=deploy/charts/operator/templates/clusterrole
 
   operator-test:

cmd/thv-operator/main.go

@@ -7,13 +7,14 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 
+	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
+	// to ensure that exec-entrypoint and run can make use of them.
 	"k8s.io/apimachinery/pkg/runtime"
 	utilruntime "k8s.io/apimachinery/pkg/util/runtime"
 	clientgoscheme "k8s.io/client-go/kubernetes/scheme"
-	// Import all Kubernetes client auth plugins (e.g. Azure, GCP, OIDC, etc.)
-	// to ensure that exec-entrypoint and run can make use of them.
 	_ "k8s.io/client-go/plugin/pkg/client/auth"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/cache"
@@ -36,6 +37,18 @@ var (
 	setupLog = log.Log.WithName("setup")
 )
 
+// Feature flags for controller groups
+const (
+	featureServer   = "ENABLE_SERVER"
+	featureRegistry = "ENABLE_REGISTRY"
+	featureVMCP     = "ENABLE_VMCP"
+)
+
+// controllerDependencies maps each controller group to its required dependencies
+var controllerDependencies = map[string][]string{
+	featureVMCP: {featureServer}, // Virtual MCP requires server controllers
+}
+
 func init() {
 	utilruntime.Must(clientgoscheme.AddToScheme(scheme))
 	utilruntime.Must(mcpv1alpha1.AddToScheme(scheme))
@@ -111,6 +124,69 @@ func main() {
 
 // setupControllersAndWebhooks sets up all controllers and webhooks with the manager
 func setupControllersAndWebhooks(mgr ctrl.Manager) error {
+	// Check feature flags
+	enableServer := isFeatureEnabled(featureServer, true)
+	enableRegistry := isFeatureEnabled(featureRegistry, true)
+	enableVMCP := isFeatureEnabled(featureVMCP, true)
+
+	// Track enabled features for dependency checking
+	enabledFeatures := map[string]bool{
+		featureServer:   enableServer,
+		featureRegistry: enableRegistry,
+		featureVMCP:     enableVMCP,
+	}
+
+	// Check dependencies and log warnings for missing dependencies
+	for feature, deps := range controllerDependencies {
+		if !enabledFeatures[feature] {
+			continue // Skip if feature itself is disabled
+		}
+		for _, dep := range deps {
+			if !enabledFeatures[dep] {
+				setupLog.Info(
+					fmt.Sprintf("%s requires %s to be enabled, skipping %s controllers", feature, dep, feature),
+					"feature", feature,
+					"required_dependency", dep,
+				)
+				enabledFeatures[feature] = false // Mark as effectively disabled
+				break
+			}
+		}
+	}
+
+	// Set up server-related controllers
+	if enabledFeatures[featureServer] {
+		if err := setupServerControllers(mgr, enableRegistry); err != nil {
+			return err
+		}
+	} else {
+		setupLog.Info("ENABLE_SERVER is disabled, skipping server-related controllers")
+	}
+
+	// Set up registry controller
+	if enabledFeatures[featureRegistry] {
+		if err := setupRegistryController(mgr); err != nil {
+			return err
+		}
+	} else {
+		setupLog.Info("ENABLE_REGISTRY is disabled, skipping MCPRegistry controller")
+	}
+
+	// Set up Virtual MCP controllers and webhooks
+	if enabledFeatures[featureVMCP] {
+		if err := setupAggregationControllers(mgr); err != nil {
+			return err
+		}
+	} else {
+		setupLog.Info("ENABLE_VMCP is disabled, skipping Virtual MCP controllers and webhooks")
+	}
+
+	//+kubebuilder:scaffold:builder
+	return nil
+}
+
+// setupServerControllers sets up server-related controllers (MCPServer, MCPExternalAuthConfig, MCPRemoteProxy, ToolConfig)
+func setupServerControllers(mgr ctrl.Manager, enableRegistry bool) error {
 	// Set up field indexing for MCPServer.Spec.GroupRef
 	if err := mgr.GetFieldIndexer().IndexField(
 		context.Background(),
@@ -127,37 +203,43 @@ func setupControllersAndWebhooks(mgr ctrl.Manager) error {
 		return fmt.Errorf("unable to create field index for spec.groupRef: %w", err)
 	}
 
-	// Create a shared platform detector for all controllers
-	sharedPlatformDetector := ctrlutil.NewSharedPlatformDetector()
+	// Set image validation mode based on whether registry is enabled
+	// If ENABLE_REGISTRY is enabled, enforce registry-based image validation
+	// Otherwise, allow all images
+	imageValidation := validation.ImageValidationAlwaysAllow
+	if enableRegistry {
+		imageValidation = validation.ImageValidationRegistryEnforcing
+	}
+
+	// Set up MCPServer controller
 	rec := &controllers.MCPServerReconciler{
 		Client:           mgr.GetClient(),
 		Scheme:           mgr.GetScheme(),
 		Recorder:         mgr.GetEventRecorderFor("mcpserver-controller"),
-		PlatformDetector: sharedPlatformDetector,
-		ImageValidation:  validation.ImageValidationAlwaysAllow,
+		PlatformDetector: ctrlutil.NewSharedPlatformDetector(),
+		ImageValidation:  imageValidation,
 	}
-
 	if err := rec.SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller MCPServer: %w", err)
 	}
 
-	// Register MCPToolConfig controller
+	// Set up MCPToolConfig controller
 	if err := (&controllers.ToolConfigReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller MCPToolConfig: %w", err)
 	}
 
-	// Register MCPExternalAuthConfig controller
+	// Set up MCPExternalAuthConfig controller
 	if err := (&controllers.MCPExternalAuthConfigReconciler{
 		Client: mgr.GetClient(),
 		Scheme: mgr.GetScheme(),
 	}).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller MCPExternalAuthConfig: %w", err)
 	}
 
-	// Register MCPRemoteProxy controller
+	// Set up MCPRemoteProxy controller
 	if err := (&controllers.MCPRemoteProxyReconciler{
 		Client:           mgr.GetClient(),
 		Scheme:           mgr.GetScheme(),
@@ -166,13 +248,22 @@ func setupControllersAndWebhooks(mgr ctrl.Manager) error {
 		return fmt.Errorf("unable to create controller MCPRemoteProxy: %w", err)
 	}
 
-	// Only register MCPRegistry controller if feature flag is enabled
-	rec.ImageValidation = validation.ImageValidationRegistryEnforcing
+	return nil
+}
 
+// setupRegistryController sets up the MCPRegistry controller
+func setupRegistryController(mgr ctrl.Manager) error {
 	if err := (controllers.NewMCPRegistryReconciler(mgr.GetClient(), mgr.GetScheme())).SetupWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create controller MCPRegistry: %w", err)
 	}
+	return nil
+}
 
+// setupAggregationControllers sets up Virtual MCP-related controllers and webhooks
+// (MCPGroup, VirtualMCPServer, and their webhooks)
+// Note: This function assumes server controllers are enabled (enforced by dependency check)
+// The field index for MCPServer.Spec.GroupRef is created in setupServerControllers
+func setupAggregationControllers(mgr ctrl.Manager) error {
 	// Set up MCPGroup controller
 	if err := (&controllers.MCPGroupReconciler{
 		Client: mgr.GetClient(),
@@ -199,11 +290,25 @@ func setupControllersAndWebhooks(mgr ctrl.Manager) error {
 	if err := (&mcpv1alpha1.VirtualMCPCompositeToolDefinition{}).SetupWebhookWithManager(mgr); err != nil {
 		return fmt.Errorf("unable to create webhook VirtualMCPCompositeToolDefinition: %w", err)
 	}
-	//+kubebuilder:scaffold:builder
 
 	return nil
 }
 
+// isFeatureEnabled checks if a feature flag environment variable is enabled.
+// If the environment variable is not set, it returns the default value.
+// The environment variable is considered enabled if it's set to "true" (case-insensitive).
+func isFeatureEnabled(envVar string, defaultValue bool) bool {
+	value, found := os.LookupEnv(envVar)
+	if !found {
+		return defaultValue
+	}
+	enabled, err := strconv.ParseBool(value)
+	if err != nil {
+		return defaultValue
+	}
+	return enabled
+}
+
 // getDefaultNamespaces returns a map of namespaces to cache.Config for the operator to watch.
 // if WATCH_NAMESPACE is not set, returns nil which is defaulted to a cluster scope.
 func getDefaultNamespaces() map[string]cache.Config {

cmd/thv-operator/test-integration/mcp-external-auth/suite_test.go

@@ -57,7 +57,9 @@ var _ = BeforeSuite(func() {
 
 	By("bootstrapping test environment")
 	testEnv = &envtest.Environment{
-		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crds")},
+		CRDDirectoryPaths: []string{
+			filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crd-files"),
+		},
 		ErrorIfCRDPathMissing: true,
 	}
 

cmd/thv-operator/test-integration/mcp-group/suite_test.go

@@ -58,7 +58,9 @@ var _ = BeforeSuite(func() {
 
 	By("bootstrapping test environment")
 	testEnv = &envtest.Environment{
-		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crds")},
+		CRDDirectoryPaths: []string{
+			filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crd-files"),
+		},
 		ErrorIfCRDPathMissing: true,
 	}
 

cmd/thv-operator/test-integration/mcp-registry/suite_test.go

@@ -68,7 +68,7 @@ var _ = BeforeSuite(func() {
 	testEnv = &envtest.Environment{
 		UseExistingCluster: &useExistingCluster,
 		CRDDirectoryPaths: []string{
-			filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crds"),
+			filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crd-files"),
 		},
 		ErrorIfCRDPathMissing: true,
 		BinaryAssetsDirectory: kubebuilderAssets,

cmd/thv-operator/test-integration/mcp-server/suite_test.go

@@ -61,7 +61,9 @@ var _ = BeforeSuite(func() {
 
 	By("bootstrapping test environment")
 	testEnv = &envtest.Environment{
-		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crds")},
+		CRDDirectoryPaths: []string{
+			filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crd-files"),
+		},
 		ErrorIfCRDPathMissing: true,
 	}
 

cmd/thv-operator/test-integration/virtualmcp/suite_test.go

@@ -61,7 +61,9 @@ var _ = BeforeSuite(func() {
 
 	By("bootstrapping test environment")
 	testEnv = &envtest.Environment{
-		CRDDirectoryPaths:     []string{filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crds")},
+		CRDDirectoryPaths: []string{
+			filepath.Join("..", "..", "..", "..", "deploy", "charts", "operator-crds", "crd-files"),
+		},
 		ErrorIfCRDPathMissing: true,
 	}
 
@@ -125,6 +127,14 @@ var _ = BeforeSuite(func() {
 	}).SetupWithManager(k8sManager)
 	Expect(err).ToNot(HaveOccurred())
 
+	// Set up VirtualMCPServer webhook
+	err = (&mcpv1alpha1.VirtualMCPServer{}).SetupWebhookWithManager(k8sManager)
+	Expect(err).ToNot(HaveOccurred())
+
+	// Set up VirtualMCPCompositeToolDefinition webhook
+	err = (&mcpv1alpha1.VirtualMCPCompositeToolDefinition{}).SetupWebhookWithManager(k8sManager)
+	Expect(err).ToNot(HaveOccurred())
+
 	// Start the manager in a goroutine
 	go func() {
 		defer GinkgoRecover()

ct-install.yaml

@@ -1,6 +1,7 @@
 # Configuration for chart-testing (ct) install command
 # See: https://github.com/helm/chart-testing
 
+skip-clean-up: true
 charts:
   - deploy/charts/operator-crds
   - deploy/charts/operator