Report discovered auth config errors via conditions#3822
Conversation
yrobla
requested review from
ChrisJBurns,
JAORMX,
jerm-dro and
jhrozek
as code owners
github-actions
bot
added
size/S
Codecov Report❌ Patch coverage is Additional details and impacted files@@ Coverage Diff @@
## main #3822 +/- ##
==========================================
+ Coverage 66.80% 66.89% +0.08%
==========================================
Files 444 444
Lines 44083 44226 +143
==========================================
+ Hits 29451 29583 +132
- Misses 12325 12335 +10
- Partials 2307 2308 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
There was a problem hiding this comment.
Pull request overview
This PR improves observability for discovered outgoing auth configuration failures in the VirtualMCPServer controller by collecting non-fatal conversion/discovery errors and surfacing them via Kubernetes status conditions, allowing reconciliation to proceed in a degraded mode.
Changes:
- Add a
SetAuthConfigConditionAPI on the VirtualMCPServer status manager to support dynamically-typed, per-backend auth config conditions. - Extend discovered ExternalAuthConfig handling to return non-fatal errors (
[]AuthConfigError) instead of only logging/skipping. - Wire discovered auth conversion errors into status condition updates during ConfigMap generation, and update unit tests for the new method signatures.
Reviewed changes
Copilot reviewed 7 out of 7 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| cmd/thv-operator/pkg/virtualmcpserverstatus/types.go | Extends StatusManager interface with SetAuthConfigCondition for granular conditions. |
| cmd/thv-operator/pkg/virtualmcpserverstatus/collector.go | Implements SetAuthConfigCondition in the status collector. |
| cmd/thv-operator/pkg/virtualmcpserverstatus/mocks/mock_collector.go | Updates gomock implementation to include SetAuthConfigCondition. |
| cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig.go | Passes a StatusManager into ConfigMap reconciliation and sets discovered-auth conditions. |
| cmd/thv-operator/controllers/virtualmcpserver_controller.go | Returns discovered auth errors from discovery/build steps and adds condition-setting helper. |
| cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go | Adapts tests to new ensureVmcpConfigConfigMap signature; adds a no-op status manager helper. |
| cmd/thv-operator/controllers/virtualmcpserver_externalauth_test.go | Updates tests for new buildOutgoingAuthConfig return values and asserts discovered errors. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go
Outdated
Show resolved
Hide resolved
github-actions
bot
added
size/M
github-actions
bot
added
size/M
github-actions
bot
added
size/M
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 7 out of 7 changed files in this pull request and generated 1 comment.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
github-actions
bot
added
size/M
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go
Outdated
Show resolved
Hide resolved
github-actions
bot
added
size/XL
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Large PR Detected
This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.
How to unblock this PR:
Add a section to your PR description with the following format:
## Large PR Justification
[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformationAlternative:
Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.
See our Contributing Guidelines for more details.
This review will be automatically dismissed once you add the justification section.
github-actions
bot
added
size/XL
github-actions
bot
added
size/XL
github-actions
bot
dismissed
their stale review
Large PR justification has been provided. Thank you!
|
✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review. |
github-actions
bot
added
size/XL
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 3 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
test/e2e/thv-operator/virtualmcp/virtualmcp_auth_discovery_test.go
Outdated
Show resolved
Hide resolved
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 6 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Enhance VirtualMCPServer controller to continue in degraded mode when discovered authentication configurations fail to convert, while exposing failures via Kubernetes status conditions for better observability. Previously, when authentication configuration discovery failed (e.g., missing MCPExternalAuthConfig), errors were silently skipped with only log messages. Users had no visibility into these failures via kubectl or the Kubernetes API. Closes: #2838 Report discovered auth config errors via conditions Enhance VirtualMCPServer controller to continue in degraded mode when discovered authentication configurations fail to convert, while exposing failures via Kubernetes status conditions for better observability. Previously, when authentication configuration discovery failed (e.g., missing MCPExternalAuthConfig), errors were silently skipped with only log messages. Users had no visibility into these failures via kubectl or the Kubernetes API. Changes: - Add AuthConfigError type to capture conversion failure context - Modify discoverExternalAuthConfigs() to return error list instead of silently skipping - Add SetAuthConfigCondition() to StatusManager for granular conditions - Add setDiscoveredAuthConfigConditions() helper to set individual conditions per discovered auth error - Update ensureVmcpConfigConfigMap() to accept statusManager and set conditions for auth failures - Update all tests to pass statusManager parameter The controller now sets DiscoveredAuthConfig-<backend-name> conditions with status False when discovered auth configs fail, allowing users to see issues in VirtualMCPServer status while the system continues operating with available backends. This addresses part of issue #2838. Future PRs will handle default and backend-specific auth config errors. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
fix ci
Enhance VirtualMCPServer controller to continue in degraded mode when discovered authentication configurations fail to convert, while exposing failures via Kubernetes status conditions for better observability.
Previously, when authentication configuration discovery failed (e.g., missing MCPExternalAuthConfig), errors were silently skipped with only log messages. Users had no visibility into these failures via kubectl or the Kubernetes API.
Closes: #2838
Large PR Justification
This is a complete and isolated PR, including complete tests. Cannot be split.