feat: support customized TLS configuration to mcpserver

Signed-off-by: dahu.kdh <dahu.kdh@alibaba-inc.com>

Author: DahuK

go/api/v1alpha2/modelconfig_types.go

@@ -237,6 +237,13 @@ type TLSConfig struct {
 	// +optional
 	CACertSecretKey string `json:"caCertSecretKey,omitempty"`
 
+	// ClientSecretRef is a reference to a Kubernetes Secret containing
+	// the client certificate (tls.crt), key (tls.key), and optionally
+	// the CA certificate (ca.crt) for mTLS authentication.
+	// The Secret must be in the same namespace as the MCPServer/RemoteMCPServer.
+	// +optional
+	ClientSecretRef string `json:"clientSecretRef,omitempty"`
+
 	// DisableSystemCAs disables the use of system CA certificates.
 	// When false (default), system CA certificates are used for verification (safe behavior).
 	// When true, only the custom CA from CACertSecretRef is trusted.

go/api/v1alpha2/remotemcpserver_types.go

@@ -52,6 +52,8 @@ type RemoteMCPServerSpec struct {
 	// +optional
 	// +kubebuilder:default=true
 	TerminateOnClose *bool `json:"terminateOnClose,omitempty"`
+	// +optional
+	TLS *TLSConfig `json:"tls,omitempty"`
 }
 
 var _ sql.Scanner = (*RemoteMCPServerSpec)(nil)