
stacklok / toolhive / 28197356005

25 Jun 2026 08:07PM UTC coverage: 67.41% (+0.06%) from 67.352%

push

github

web-flow
Mount and validate OIDC CA bundle on remote proxy (#5630)

* Mount and validate OIDC CA bundle on remote proxy

The MCPRemoteProxy runconfig builder emits the resolved OIDC CA bundle
path (resolved.ThvCABundlePath), but the controller never mounted the
referenced ConfigMap into the runner pod and never validated the
reference. The result was a file path the pod could not read — a silent
TLS failure — and, unlike MCPServer, no kubectl-visible signal that the
CA bundle was misconfigured.

Mirror MCPServer: mount the OIDC CA bundle ConfigMap via the shared
AddOIDCConfigRefCABundleVolumes helper, and validate the reference in
the reconcile loop, surfacing a CABundleRefValidated condition. This
also closes the Status Condition Parity gap between the two types.

Add unit tests for the validation branches and the deployment mount, and
an envtest integration test covering the happy path (condition True plus
an actual Deployment mount) and the missing-ConfigMap failure path.

Closes #4113

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

* Make CA bundle validation idempotent and add coverage

Address PR review feedback on the OIDC CA bundle validation:

- Persist the CABundleRefValidated condition only when it actually
  changes (status/reason/message/observedGeneration), so a steady-state
  reconcile is a no-op. This follows the needsUpdate idiom already used
  by handleOIDCConfig and the operator idempotency rule, instead of the
  unconditional status write copied from MCPServer. Validation logic is
  split into evaluateCABundleRef (pure) and the persisting wrapper.
- Log a missing ConfigMap key at Info rather than Error(nil): it is a
  configuration state surfaced via the condition, not a Go error.
- Add a unit case for OIDCConfigRef set but the MCPOIDCConfig absent
  (no mount), and a double-reconcile idempotency test asserting the
  resourceVersion is unchanged on the second pass.

Co-Authored-By: Claude Opus 4.8 (1M context) <norepl... (continued)

91 of 95 new or added lines in 2 files covered. (95.79%)

12 existing lines in 5 files now uncovered.

69532 of 103148 relevant lines covered (67.41%)

65.72 hits per line

Source File

80.42
/pkg/transport/proxy/httpsse/http_proxy.go


Source Not Available
