[Gap]: Document vMCP deployment modes and backend discovery #490
Description
What needs documentation?
The vMCP operator supports two deployment modes based on the outgoingAuth.source field, allowing operators to choose between operational convenience and minimal attack surface.
| Mode | ConfigMap | RBAC | vMCP K8s Access |
|---|---|---|---|
discovered (dynamic) |
Minimal | Full | Namespace-scoped read + status write |
inline (static) |
Full with backends | None | Zero |
Key features that need documentation:
- How to configure each mode via the
outgoingAuth.sourcefield - Security trade-offs and when to use each mode
- For dynamic mode:
- What happens when MCPServer resources are added, modified, or removed
- How to verify backend status via the
/statusHTTP endpoint - How the VirtualMCPServer CRD status reflects discovered backends and runtime health
- For static mode:
- How to configure backends inline
- Mode switching behavior (triggers pod restart)
Context and references
Implementation issues:
- Refactor VirtualMCPServer controller to use runtime-reported status toolhive#2855
- Mode-aware ConfigMap and RBAC generation in operator toolhive#3003
Use case
As a platform operator running vMCP in production, I want to choose between dynamic mode (enables zero-downtime backend updates) and static mode (zero K8s access, minimal attack surface), so that I can optimize for either operational convenience or security based on my deployment's requirements.
Additional context
Dynamic mode example:
outgoing_auth:
source: discovered # vMCP discovers backends at runtimeStatic mode example:
outgoing_auth:
source: inline
backends:
- name: github-mcp
url: http://github-mcp.default.svc:8080
auth:
type: token_exchange