
stacklok / toolhive / 27842164967
67%

Build:
DEFAULT BRANCH: main
Ran 19 Jun 2026 06:31PM UTC
Jobs 1
Files 764
Run time 2min

19 Jun 2026 06:25PM UTC coverage: 67.158% (-0.02%) from 67.173%
27842164967

push

github

web-flow
Wire MCPAuthzConfig references into the MCPServer controller (#5563)

* Wire MCPAuthzConfig references into the MCPServer controller

An MCPServer that sets spec.authzConfigRef now resolves and enforces the
referenced MCPAuthzConfig at runtime, mirroring the OIDCConfigRef pattern and
building on the Stage-1 controllerutil helpers. Backend-agnostic: the proxy
runner's authz factory handles cedarv1 and httpv1 alike.

- handleAuthzConfig: fetch + validate-ready, track AuthzConfigHash, set the
  AuthzConfigRefValidated condition; on nil-ref it clears the hash AND removes
  the condition so a stale "valid" signal does not linger (unlike the OIDC
  version). Wired into Reconcile after handleOIDCConfig.
- mapAuthzConfigToServers watch (extracted as a named method) + Watches on
  MCPAuthzConfig so a config change re-reconciles referencing servers.
- Runtime resolution via AddAuthzConfigRefOptions in the runconfig builder;
  ConfigMap materialization via EnsureAuthzConfigMapFromRef and a mounted volume
  via GenerateAuthzVolumeConfigFromRef. Inline spec.authzConfig is untouched and
  remains mutually exclusive (CRD XValidation).
- Add the mcpauthzconfigs get;list;watch RBAC marker.
- Unit tests for handleAuthzConfig and an envtest integration suite proving both
  backends, the watch re-reconcile, ConfigMap materialization, and the invalid
  case.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Guard ref authz volume against duplicate volume name

Belt-and-suspenders for review feedback: only add the spec.authzConfigRef
volume when the inline authz volume was not added. Inline and ref share the
"authz-config" volume name and are mutually exclusive via CRD XValidation, so a
hypothetical CEL regression now degrades to "inline wins" rather than producing
an invalid pod spec with a duplicate volume name.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Address review feedback on MCPServer authz wiring

- Document fai... (continued)

68 of 134 new or added lines in 2 files covered. (50.75%)

12 existing lines in 4 files now uncovered.

69580 of 103607 relevant lines covered (67.16%)

62.21 hits per line

Uncovered Changes

Lines Coverage ∆ File
64 67.73 -1.19% cmd/thv-operator/controllers/mcpserver_controller.go
2 73.54 -0.29% cmd/thv-operator/controllers/mcpserver_runconfig.go

Coverage Regressions

Lines Coverage ∆ File
6 76.15 -5.5% pkg/secrets/keyring/keyctl_linux.go
3 80.42 -0.71% pkg/transport/proxy/httpsse/http_proxy.go
2 96.47 0.0% pkg/authserver/storage/memory.go
1 67.73 -1.19% cmd/thv-operator/controllers/mcpserver_controller.go
Jobs
ID Job ID Ran Files Coverage
1 27842164967.1 19 Jun 2026 06:31PM UTC 764 67.16
GitHub Action Run
Source Files on build 27842164967
  • Tree
  • List 764
  • Changed 12
  • Source Changed 3
  • Coverage Changed 12
  • Github Actions Build #27842164967
  • 3fb59cf5 on github
  • Prev Build on main (#27790954246)