include missing auth confgured in status (#2493)

Co-authored-by: taskbot <taskbot@users.noreply.github.com>

Author: yrobla

cmd/thv-operator/controllers/virtualmcpserver_controller.go

@@ -228,6 +228,12 @@ func (r *VirtualMCPServerReconciler) ensureAllResources(
 	// This catches configuration errors early, providing faster feedback than waiting for pod startup failures
 	if err := r.validateSecretReferences(ctx, vmcp); err != nil {
 		ctxLogger.Error(err, "Secret validation failed")
+		// Set AuthConfigured condition to False
+		statusManager.SetAuthConfiguredCondition(
+			mcpv1alpha1.ConditionReasonAuthInvalid,
+			fmt.Sprintf("Authentication configuration is invalid: %v", err),
+			metav1.ConditionFalse,
+		)
 		// Record event for secret validation failure
 		if r.Recorder != nil {
 			r.Recorder.Eventf(vmcp, corev1.EventTypeWarning, "SecretValidationFailed",
@@ -236,6 +242,13 @@ func (r *VirtualMCPServerReconciler) ensureAllResources(
 		return err
 	}
 
+	// Authentication secrets validated successfully
+	statusManager.SetAuthConfiguredCondition(
+		mcpv1alpha1.ConditionReasonAuthValid,
+		"Authentication configuration is valid",
+		metav1.ConditionTrue,
+	)
+
 	// Ensure RBAC resources
 	if err := r.ensureRBACResources(ctx, vmcp); err != nil {
 		ctxLogger.Error(err, "Failed to ensure RBAC resources")

cmd/thv-operator/controllers/virtualmcpserver_controller_test.go

@@ -696,3 +696,95 @@ func TestVirtualMCPServerNaming(t *testing.T) {
 	url := createVmcpServiceURL(vmcpName, "default", 8080)
 	assert.Equal(t, "http://vmcp-my-vmcp.default.svc.cluster.local:8080", url)
 }
+
+// TestVirtualMCPServerAuthConfiguredCondition tests AuthConfigured condition setting
+func TestVirtualMCPServerAuthConfiguredCondition(t *testing.T) {
+	t.Parallel()
+
+	scheme := runtime.NewScheme()
+	_ = mcpv1alpha1.AddToScheme(scheme)
+	_ = corev1.AddToScheme(scheme)
+
+	tests := []struct {
+		name                string
+		vmcp                *mcpv1alpha1.VirtualMCPServer
+		secrets             []client.Object
+		expectAuthCondition bool
+		expectedAuthStatus  metav1.ConditionStatus
+		expectedAuthReason  string
+		expectError         bool
+	}{
+		{
+			name: "valid auth with no secrets required",
+			vmcp: &mcpv1alpha1.VirtualMCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-vmcp",
+					Namespace: "default",
+				},
+				Spec: mcpv1alpha1.VirtualMCPServerSpec{
+					GroupRef: mcpv1alpha1.GroupRef{
+						Name: "test-group",
+					},
+					IncomingAuth: &mcpv1alpha1.IncomingAuthConfig{
+						Type: "anonymous",
+					},
+				},
+			},
+			secrets:             []client.Object{},
+			expectAuthCondition: true,
+			expectedAuthStatus:  metav1.ConditionTrue,
+			expectedAuthReason:  mcpv1alpha1.ConditionReasonAuthValid,
+			expectError:         false,
+		},
+		// Note: We can't easily test OIDC secret validation without creating the full
+		// OIDCConfigRef structure with ConfigMaps, which is complex for a unit test.
+		// The secret validation is tested implicitly through the ensureAllResources flow.
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			objs := append([]client.Object{tt.vmcp}, tt.secrets...)
+
+			fakeClient := fake.NewClientBuilder().
+				WithScheme(scheme).
+				WithObjects(objs...).
+				WithStatusSubresource(&mcpv1alpha1.VirtualMCPServer{}).
+				Build()
+
+			r := &VirtualMCPServerReconciler{
+				Client:           fakeClient,
+				Scheme:           scheme,
+				PlatformDetector: ctrlutil.NewSharedPlatformDetector(),
+			}
+
+			statusManager := virtualmcpserverstatus.NewStatusManager(tt.vmcp)
+			err := r.ensureAllResources(context.Background(), tt.vmcp, statusManager)
+
+			if tt.expectError {
+				assert.Error(t, err)
+			}
+			// ensureAllResources may return errors for missing resources like MCPGroup
+			// We're only testing the auth condition setting
+
+			// Apply status updates to check condition
+			_ = statusManager.UpdateStatus(context.Background(), &tt.vmcp.Status)
+
+			if tt.expectAuthCondition {
+				// Find AuthConfigured condition
+				var authCondition *metav1.Condition
+				for i := range tt.vmcp.Status.Conditions {
+					if tt.vmcp.Status.Conditions[i].Type == mcpv1alpha1.ConditionTypeAuthConfigured {
+						authCondition = &tt.vmcp.Status.Conditions[i]
+						break
+					}
+				}
+
+				require.NotNil(t, authCondition, "AuthConfigured condition should be set")
+				assert.Equal(t, tt.expectedAuthStatus, authCondition.Status)
+				assert.Equal(t, tt.expectedAuthReason, authCondition.Reason)
+			}
+		})
+	}
+}

cmd/thv-operator/pkg/virtualmcpserverstatus/collector.go

@@ -77,6 +77,11 @@ func (s *StatusCollector) SetReadyCondition(reason, message string, status metav
 	s.SetCondition(mcpv1alpha1.ConditionTypeVirtualMCPServerReady, reason, message, status)
 }
 
+// SetAuthConfiguredCondition sets the AuthConfigured condition.
+func (s *StatusCollector) SetAuthConfiguredCondition(reason, message string, status metav1.ConditionStatus) {
+	s.SetCondition(mcpv1alpha1.ConditionTypeAuthConfigured, reason, message, status)
+}
+
 // UpdateStatus applies all collected status changes in a single batch update.
 // Expects vmcpStatus to be freshly fetched from the cluster to ensure the update operates on the latest resource version.
 func (s *StatusCollector) UpdateStatus(ctx context.Context, vmcpStatus *mcpv1alpha1.VirtualMCPServerStatus) bool {

cmd/thv-operator/pkg/virtualmcpserverstatus/collector_test.go

@@ -161,6 +161,25 @@ func TestStatusCollector_NoChanges(t *testing.T) {
 	assert.False(t, hasUpdates)
 }
 
+func TestStatusCollector_SetAuthConfiguredCondition(t *testing.T) {
+	t.Parallel()
+
+	vmcp := &mcpv1alpha1.VirtualMCPServer{}
+	collector := NewStatusManager(vmcp)
+
+	collector.SetAuthConfiguredCondition("AuthValid", "auth is configured", metav1.ConditionTrue)
+
+	status := &mcpv1alpha1.VirtualMCPServerStatus{}
+	hasUpdates := collector.UpdateStatus(context.Background(), status)
+
+	assert.True(t, hasUpdates)
+	assert.Len(t, status.Conditions, 1)
+	assert.Equal(t, mcpv1alpha1.ConditionTypeAuthConfigured, status.Conditions[0].Type)
+	assert.Equal(t, metav1.ConditionTrue, status.Conditions[0].Status)
+	assert.Equal(t, "AuthValid", status.Conditions[0].Reason)
+	assert.Equal(t, "auth is configured", status.Conditions[0].Message)
+}
+
 func TestStatusCollector_MultipleConditions(t *testing.T) {
 	t.Parallel()
 
@@ -169,18 +188,20 @@ func TestStatusCollector_MultipleConditions(t *testing.T) {
 
 	collector.SetGroupRefValidatedCondition("GroupValid", "group is valid", metav1.ConditionTrue)
 	collector.SetReadyCondition("DeploymentReady", "deployment is ready", metav1.ConditionTrue)
+	collector.SetAuthConfiguredCondition("AuthValid", "auth is configured", metav1.ConditionTrue)
 
 	status := &mcpv1alpha1.VirtualMCPServerStatus{}
 	hasUpdates := collector.UpdateStatus(context.Background(), status)
 
 	assert.True(t, hasUpdates)
-	assert.Len(t, status.Conditions, 2)
+	assert.Len(t, status.Conditions, 3)
 
-	// Verify both conditions are present
+	// Verify all conditions are present
 	conditionTypes := make(map[string]bool)
 	for _, cond := range status.Conditions {
 		conditionTypes[cond.Type] = true
 	}
 	assert.True(t, conditionTypes[mcpv1alpha1.ConditionTypeVirtualMCPServerGroupRefValidated])
 	assert.True(t, conditionTypes[mcpv1alpha1.ConditionTypeVirtualMCPServerReady])
+	assert.True(t, conditionTypes[mcpv1alpha1.ConditionTypeAuthConfigured])
 }

cmd/thv-operator/pkg/virtualmcpserverstatus/types.go

@@ -35,6 +35,9 @@ type StatusManager interface {
 	// SetReadyCondition sets the Ready condition
 	SetReadyCondition(reason, message string, status metav1.ConditionStatus)
 
+	// SetAuthConfiguredCondition sets the AuthConfigured condition
+	SetAuthConfiguredCondition(reason, message string, status metav1.ConditionStatus)
+
 	// UpdateStatus applies all collected status changes in a single batch update.
 	// Returns true if updates were applied, false if no changes were collected.
 	UpdateStatus(ctx context.Context, vmcpStatus *mcpv1alpha1.VirtualMCPServerStatus) bool