From aa08a66daeb2cc92e59516810d7d5317ec09efc9 Mon Sep 17 00:00:00 2001 From: Danijel Simeunovic Date: Tue, 17 Mar 2026 12:19:30 +0100 Subject: [PATCH] mcp auth sidecar
---
 .../policies/auth-sidecar-injector.yaml | 74 +++++++++++++++++++ 1 file changed, 74 insertions(+)
diff --git a/cluster-resources/policies/auth-sidecar-injector.yaml b/cluster-resources/policies/auth-sidecar-injector.yaml
index 2027336..bc59807 100644
--- a/cluster-resources/policies/auth-sidecar-injector.yaml
+++ b/cluster-resources/policies/auth-sidecar-injector.yaml
@@ -192,6 +192,80 @@ spec:
 - cert-manager
 - monitoring
 context:
+ - name: appPort
+ variable:
+ jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
+ mutate:
+ patchStrategicMerge:
+ spec:
+ containers:
+ - name: authn
+ image: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image\" || 'ghcr.io/snothub/stunning-memory' }}:{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-image-version\" || 'latest' }}"
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8080
+ name: auth
+ protocol: TCP
+ env:
+ - name: AUTH_MODE
+ value: "mcp"
+ - name: AUTH_LISTEN_ADDR
+ value: ":8080"
+ - name: AUTH_LOG_LEVEL
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-log-level\" || 'info' }}"
+ - name: AUTH_UPSTREAM_URL
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-upstream-url\" || join('', ['http://localhost:', to_string(appPort)]) }}"
+ - name: AUTH_MCP_RESOURCE
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-resource\" }}"
+ - name: AUTH_MCP_AUTHORIZATION_SERVERS
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-authority\" }}"
+ - name: AUTH_MCP_SCOPES_SUPPORTED
+ value: "{{ request.object.metadata.annotations.\"policies.forteapps.io/auth-mcp-scopes\" || 'read,write' }}"
+ resources:
+ limits:
+ cpu: 50m
+ memory: 64Mi
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 2
+ periodSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8080
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ - name: inject-sidecar-mcp
+ skipBackgroundRequests: true
+ match:
+ any:
+ - resources:
+ kinds:
+ - Pod
+ annotations:
+ policies.forteapps.io/auth: "true"
+ policies.forteapps.io/auth-type: "mcp"
+ exclude:
+ any:
+ - resources:
+ namespaces:
+ - kube-system
+ - kyverno
+ - argocd
+ - cert-manager
+ - monitoring
+ context:
 - name: appPort
 variable:
 jmesPath: request.object.spec.containers[?name != 'authn'] | [0].ports[0].containerPort || `3000`
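Review bot: `AUTH_MCP_RESOURCE` and `AUTH_MCP_AUTHORIZATION_SERVERS` read their annotations with no `||` fallback, unlike every other env value in the added `authn` container, so a pod carrying `policies.forteapps.io/auth-type: "mcp"` but lacking `auth-mcp-resource` or `auth-mcp-authority` would, as far as I can tell, leave the variable unresolved and fail the mutation (or inject an empty value, depending on the Kyverno version) instead of being rejected with a clear reason; a `preconditions` check that both annotations are non-empty, placed next to `context:` in the `inject-sidecar-mcp` rule, would make that requirement explicit. Note also where the insertion lands: the new lines are spliced between the enclosing rule's `context:` and its pre-existing `- name: appPort`, so the container with `AUTH_MODE: "mcp"` ends up in the rule whose header is above the hunk, while `inject-sidecar-mcp` inherits the pre-existing context and mutate below the hunk — unless that existing mutate is identical to the one added here, rule names and bodies are swapped, which is worth confirming against the full file. On the container itself, `securityContext` drops all capabilities but does not set `runAsNonRoot: true` (nor a `seccompProfile`), and the default image reference of `'latest'` with `imagePullPolicy: Always` leaves the injected auth component unpinned; a digest-pinned default and `runAsNonRoot: true` would close both gaps. The enclosing rule starts outside the hunk.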