Add passthroughHeaders to VirtualMCPServer for header forwarding

[juancarlosm]

Summary

When a client calls vMCP with a header its backend needs — e.g. x-mcp-api-key that the backend resolves to a specific user — vMCP silently drops it. vMCP opens a fresh request to each backend and sends only its own headers, so the caller's header never arrives. Backends that authenticate per-user from a header therefore can't be used through vMCP today — only by hitting the backend directly.

This adds spec.passthroughHeaders: an allowlist of incoming header names that vMCP forwards, unchanged, to every backend it calls.

spec:
  passthroughHeaders:
    - x-mcp-api-key

A listed header is read from the client request and attached to that session's backend requests. Headers not listed are ignored. Restricted names (Host, Authorization, X-Forwarded-*, hop-by-hop) are rejected.

Approach discussed and agreed with @jerm-dro on #3958 (assigned to me there).

Closes #3958

Type of change

• New feature

Test plan

• Unit tests across all layers (identity redaction, header merge, validation, capture middleware, converter precedence)
• Integration test (test/integration/vmcp/passthrough_headers_test.go): real client → capture → backend; asserts allowlisted header forwarded, non-allowlisted dropped
• golangci-lint clean; CRD/deepcopy/docs regenerated (no drift)

Does this introduce a user-facing change?

Yes:

spec:
  passthroughHeaders: [x-litellm-api-key]

Special notes for reviewers

• Implementation: the header is captured onto the per-request *auth.Identity at the incoming-auth boundary (cloned, not mutated) and injected by the per-session backend client — it flows as an explicit parameter, not a context value, so no vmcp-anti-patterns §1/§7 coupling and the round-tripper is unchanged. This is the no-context-plumbing path discussed in vMCP: add header_passthrough outgoing auth strategy to forward dynamic incoming headers to backends #3958 once the session refactor landed; the vmcp-review audit was clean.
• Limitation: on session restore (HA), only the (iss, sub) tuple is persisted — forwarded headers aren't, same as bearer tokens. Low impact with sessionAffinity: ClientIP.

Large PR Justification

Most of the diff is required tests (~700 lines: unit + an in-process e2e) and generated code that can't be split (CRD manifests in two API versions × two chart copies, deepcopy, API docs). Hand-written source is ~240 lines. Already trimmed from ~1157 to ~1030 added lines by de-duplicating tests (coverage unchanged); the remainder is cohesive single-feature code that wouldn't be safe to split.

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[codecov]

Codecov Report

❌ Patch coverage is 94.38202% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.47%. Comparing base (c813153) to head (3aea11e).

Files with missing lines	Patch %	Lines
pkg/vmcp/cli/serve.go	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5466      +/-   ##
==========================================
+ Coverage   69.44%   69.47%   +0.02%     
==========================================
  Files         638      639       +1     
  Lines       65022    65099      +77     
==========================================
+ Hits        45155    45228      +73     
- Misses      16540    16546       +6     
+ Partials     3327     3325       -2     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

[jerm-dro]

New direction LGTM — just a few minor notes inline.

[jerm-dro]

suggestion: Doc comment is stale after the refactor. "Resolved per-request at the auth boundary" doesn't match the code anymore — headerforward.CaptureMiddleware is mounted outside the auth middleware (it runs before auth in execution order), and the forwarded map is consumed once at session creation in createMCPClient, not per-request. Suggested rewording:

// PassthroughHeaders is an allowlist of incoming client request header names
// forwarded verbatim to all backends. Captured at the vMCP incoming edge by
// headerforward.CaptureMiddleware and consumed once at session creation
// when the per-session backend client's HeaderForwardConfig is built. Names
// must not be in the restricted set (Host, hop-by-hop, X-Forwarded-*, etc.).

[jerm-dro]

suggestion: Drop the "static config wins" precedence and fail loudly on collision instead. A header name appearing in both cfg.PassthroughHeaders and a backend's static HeaderForward (plaintext or secret) is an admin misconfiguration, not a precedence question — silently dropping one side hides the conflict, and the current wins-by-overwrite-ordering for secret-backed collisions is a latent bug waiting on someone trusting the comment.

Suggested shape: have mergeForwardedHeaders return (*HeaderForwardConfig, error) and error when a forwarded canonical name appears in base.AddPlaintextHeaders or base.AddHeadersFromSecret. Propagate through createMCPClient — the first session creation per misconfigured backend fails with a clear "forwarded header X collides with backend Y's static header-forward config" message, and the operator fixes the config.

[jerm-dro]

suggestion: Add Authorization to pkg/transport/middleware/header_forward.go's RestrictedHeaders map. Backend bearer tokens have a dedicated header_injection outgoing-auth strategy; allowing Authorization in HeaderForward / passthroughHeaders is a footgun (it silently survives to backends with the unauthenticated strategy) with no documented use case.

[juancarlosm]

Agreed the footgun is real, but I'd push back on blocking Authorization outright — I have a concrete use case that depends on it. I run a vMCP fronting gmail/calendar/drive MCPs behind LiteLLM's Zero Trust MCP setup (docs).

LiteLLM Zero Trust MCP works like this: the LiteLLM gateway signs a short-lived JWT on every MCP call so the downstream servers can verify the request genuinely came from LiteLLM (and which user). Concretely, its mcp_jwt_signer guardrail sends that JWT as Authorization: Bearer <jwt> (issuer=litellm, aud=mcp, 300s TTL). The flow:

LiteLLM (signs JWT) → vMCP (incomingAuth: anonymous — transparent aggregator)
   → passthrough authorization verbatim → backends validate the JWT (issuer/aud/JWKS)

vMCP isn't the enforcement point here by design — the backends are. They run the unauthenticated outgoing strategy because the caller supplies the token. Blocking Authorization in passthrough removes the only mechanism that makes this work, and this is in production for me, not hypothetical.

I think the real problem is the silence, not the header:

• authed backend → forwarded Authorization is silently clobbered by authRoundTripper
• unauthenticated backend → it silently survives (intended here, surprising elsewhere)

So rather than blocking, what if we fail loud on an actual collision? It lines up with your mergeForwardedHeaders comment: error when a passthrough header is also owned by the backend — its static HeaderForward, or its outgoing-auth strategy. The misconfig becomes a clear error, while the "anonymous vMCP → unauthenticated backend" passthrough stays valid since there's nothing backend-side to collide with.

Happy to keep the static-HeaderForward collision check in this PR and move the strategy-side check to a follow-up if that's cleaner. No objection to keeping Host/hop-by-hop/X-Forwarded-* restricted — it's specifically Authorization I'd like to keep allowed. What do you think?

[jerm-dro]

suggestion: Add a second CallTool on the same client to lock in the documented "captured once at session creation, stable for session lifetime" behavior. Right now a regression that re-reads forwarded headers on every request (or, worse, drops them after the first call) would pass this test. A second call with a changed X-Test-Api-Key value asserting the backend still sees the original would lock that contract.

[jerm-dro]

nitpick: Refactor was supposed to leave this file at its pre-PR shape, but the comment got rewritten and the two-line form collapsed. Behavior is identical; consider reverting verbatim to keep this PR's diff scoped to the passthrough feature.