Add Entra ID version of the Infra vMCP addon #152

Merged: danbarr merged 2 commits into main from add-entra-vmcp on May 22, 2026
@danbarr (Collaborator) commented May 22, 2026

Adds an Entra ID variant of the vmcp-infra-okta addon.

Signed-off-by: Dan Barr <6922515+danbarr@users.noreply.github.com>

Signed-off-by: Dan Barr <6922515+danbarr@users.noreply.github.com>

Copilot AI left a comment

Pull request overview

Adds a new vmcp-infra-entra addon that mirrors the existing authenticated infra vMCP gateway pattern, but uses ToolHive’s embedded OAuth authorization server delegating upstream authentication to Microsoft Entra ID and exposes the gateway externally via a Cloudflare tunnel.

Changes:

  • Adds a new Entra ID–backed VirtualMCPServer + MCPOIDCConfig with tiered Cedar authorization driven by Entra app-role claims.
  • Adds deploy/teardown automation to create required Kubernetes secrets and deploy a Cloudflare tunnel.
  • Adds end-user documentation and an .env.example describing required Entra ID + Cloudflare configuration.

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated 2 comments.

| File | Description |
| --- | --- |
| `addons/vmcp-infra-entra/vmcp.yaml` | Defines the embedded auth server, incoming OIDC validation, Cedar policies, and aggregated tool configuration for the Entra-authenticated vMCP. |
| `addons/vmcp-infra-entra/deploy.sh` | Automates namespace creation, secret creation, applying the vMCP config, and deploying the Cloudflare tunnel. |
| `addons/vmcp-infra-entra/teardown.sh` | Removes tunnel deployment, vMCP resources, secrets, and the addon namespace. |
| `addons/vmcp-infra-entra/cloudflared.yaml` | Kubernetes Deployment that runs cloudflared to expose the vMCP service externally. |
| `addons/vmcp-infra-entra/README.md` | Documents purpose, tier model, Entra app registration setup, Cloudflare tunnel setup, and verification steps. |
| `addons/vmcp-infra-entra/.env.example` | Provides environment variable template for Entra issuer/client credentials and Cloudflare tunnel configuration. |

Comment thread addons/vmcp-infra-entra/vmcp.yaml
Comment thread addons/vmcp-infra-entra/vmcp.yaml
Signed-off-by: Dan Barr <6922515+danbarr@users.noreply.github.com>
@danbarr danbarr merged commit d469513 into main May 22, 2026
1 check passed
@danbarr danbarr deleted the add-entra-vmcp branch May 22, 2026 21:35