
stacklok / toolhive / 27842164967

19 Jun 2026 06:25PM UTC coverage: 67.158% (-0.02%) from 67.173%

push

github

web-flow
Wire MCPAuthzConfig references into the MCPServer controller (#5563)

* Wire MCPAuthzConfig references into the MCPServer controller

An MCPServer that sets spec.authzConfigRef now resolves and enforces the
referenced MCPAuthzConfig at runtime, mirroring the OIDCConfigRef pattern and
building on the Stage-1 controllerutil helpers. Backend-agnostic: the proxy
runner's authz factory handles cedarv1 and httpv1 alike.

- handleAuthzConfig: fetch + validate-ready, track AuthzConfigHash, set the
  AuthzConfigRefValidated condition; on nil-ref it clears the hash AND removes
  the condition so a stale "valid" signal does not linger (unlike the OIDC
  version). Wired into Reconcile after handleOIDCConfig.
- mapAuthzConfigToServers watch (extracted as a named method) + Watches on
  MCPAuthzConfig so a config change re-reconciles referencing servers.
- Runtime resolution via AddAuthzConfigRefOptions in the runconfig builder;
  ConfigMap materialization via EnsureAuthzConfigMapFromRef and a mounted volume
  via GenerateAuthzVolumeConfigFromRef. Inline spec.authzConfig is untouched and
  remains mutually exclusive (CRD XValidation).
- Add the mcpauthzconfigs get;list;watch RBAC marker.
- Unit tests for handleAuthzConfig and an envtest integration suite proving both
  backends, the watch re-reconcile, ConfigMap materialization, and the invalid
  case.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Guard ref authz volume against duplicate volume name

Belt-and-suspenders for review feedback: only add the spec.authzConfigRef
volume when the inline authz volume was not added. Inline and ref share the
"authz-config" volume name and are mutually exclusive via CRD XValidation, so a
hypothetical CEL regression now degrades to "inline wins" rather than producing
an invalid pod spec with a duplicate volume name.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Address review feedback on MCPServer authz wiring

- Document fai... (continued)

68 of 134 new or added lines in 2 files covered. (50.75%)

12 existing lines in 4 files now uncovered.

69580 of 103607 relevant lines covered (67.16%)

62.21 hits per line

Source File

80.42
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
