Skip to content

Account for embedded auth env in deployment drift checks#4878

Open
JAORMX wants to merge 3 commits intomainfrom
fix/mcp-embedded-auth-drift-4877
Open

Account for embedded auth env in deployment drift checks#4878
JAORMX wants to merge 3 commits intomainfrom
fix/mcp-embedded-auth-drift-4877

Conversation

@JAORMX
Copy link
Copy Markdown
Collaborator

@JAORMX JAORMX commented Apr 16, 2026

Summary

  • include embedded auth env vars when comparing expected proxy deployment env for MCPServer
  • do the same for MCPRemoteProxy so self-generated deployments are not treated as drifted
  • add regression tests for embedded auth and token exchange cases, plus associative-list reordering checks in the Kubernetes client tests

This is the concrete operator-side fix identified while debugging #4877.

Testing

  • go test ./cmd/thv-operator/controllers ./pkg/container/kubernetes

Closes #4877.

@github-actions github-actions bot added the size/M Medium PR: 300-599 lines changed label Apr 16, 2026
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 16, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 78.94737% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.25%. Comparing base (12f25e5) to head (c0660ca).
⚠️ Report is 6 commits behind head on main.

Files with missing lines Patch % Lines
...-operator/controllers/mcpremoteproxy_controller.go 80.00% 1 Missing and 1 partial ⚠️
...d/thv-operator/controllers/mcpserver_controller.go 77.77% 1 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #4878      +/-   ##
==========================================
+ Coverage   69.12%   69.25%   +0.12%     
==========================================
  Files         531      531              
  Lines       55183    55178       -5     
==========================================
+ Hits        38146    38212      +66     
+ Misses      14113    14028      -85     
- Partials     2924     2938      +14

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

jhrozek
jhrozek previously approved these changes Apr 16, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@jhrozek jhrozek left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good — the core fix is correct, env var ordering between creation and drift check paths is consistent, and test coverage directly validates the bug fix.

One nit: the two SSA reordering tests in pkg/container/kubernetes/client_test.go (TestStatefulSetApplyAssociativeListReorderingDoesNotChangeGeneration, TestServiceApplyAssociativeListReorderingDoesNotChangeGeneration) test the behavior of fake.NewClientset(), not any production code in this package. The fake client doesn't implement real SSA merge semantics, so these document an assumption about SSA associative-list handling rather than validating it. If real validation is wanted, these would need to run against envtest. They're also unrelated to the drift check fix itself — might be cleaner as a separate commit.

@JAORMX @claude
Break long line to satisfy lll linter
938f6ad 
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Apr 16, 2026
@JAORMX JAORMX changed the title fix(operator): account for embedded auth env in deployment drift checks Account for embedded auth env in deployment drift checks Apr 16, 2026
@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Apr 16, 2026
jhrozek
jhrozek previously approved these changes Apr 16, 2026
View reviewed changes
@JAORMX @claude
Remove SSA reordering tests that only exercise fake client
c0660ca 
These tests validated behavior of fake.NewClientset(), not any
production code. The fake client does not implement real SSA merge
semantics, so the assertions were meaningless. The actual drift
check regression is covered by the controller-level tests.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@github-actions github-actions bot added size/M Medium PR: 300-599 lines changed and removed size/M Medium PR: 300-599 lines changed labels Apr 16, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@jhrozek jhrozek jhrozek approved these changes

@blkt blkt Awaiting requested review from blkt blkt is a code owner

@amirejaz amirejaz Awaiting requested review from amirejaz amirejaz is a code owner

@ChrisJBurns ChrisJBurns Awaiting requested review from ChrisJBurns ChrisJBurns is a code owner

@yrobla yrobla Awaiting requested review from yrobla yrobla is a code owner

@jerm-dro jerm-dro Awaiting requested review from jerm-dro jerm-dro is a code owner

Assignees

No one assigned

Labels

size/M Medium PR: 300-599 lines changed

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Proxy runner triggers StatefulSet rolling update on every restart, causing crash loop

2 participants

@JAORMX @jhrozek