From 75c664b3a0bfea29603efd8908da9741dc37ff12 Mon Sep 17 00:00:00 2001 From: Matt Van Horn <455140+mvanhorn@users.noreply.github.com> Date: Tue, 7 Apr 2026 00:04:38 -0700 Subject: [PATCH] fix(operator): standardize secret references to custom SecretKeyRef Replace corev1.SecretKeySelector with the custom SecretKeyRef type across all MCPRegistry CRD fields. This aligns MCPRegistry with the 5 other CRDs that already use SecretKeyRef, removing the inconsistent corev1.SecretKeySelector usage before the API stabilizes. Changes: - Convert 5 fields in mcpregistry_types.go to SecretKeyRef - Decouple secrets.GetValue from corev1 by accepting name/key strings - Update all callers and test fixtures The JSON wire format is identical for both types, so existing manifests continue to work without changes. Fixes #4540 --- .../api/v1alpha1/mcpregistry_types.go | 10 +-- .../api/v1alpha1/zz_generated.deepcopy.go | 8 +-- cmd/thv-operator/pkg/kubernetes/doc.go | 2 +- .../pkg/kubernetes/secrets/secrets.go | 9 ++- .../pkg/kubernetes/secrets/secrets_test.go | 45 ++---------- .../pkg/registryapi/config/config.go | 4 +- .../pkg/registryapi/config/config_test.go | 70 +++++++------------ .../pkg/registryapi/deployment_test.go | 24 +++---- cmd/thv-operator/pkg/registryapi/pgpass.go | 13 +++- .../pkg/registryapi/pgpass_test.go | 12 ++-- .../pkg/registryapi/podtemplatespec.go | 2 +- .../pkg/registryapi/podtemplatespec_test.go | 54 ++++++-------- .../mcp-registry/registry_helpers.go | 8 +-- .../registryserver_config_test.go | 16 ++--- 14 files changed, 103 insertions(+), 174 deletions(-) diff --git a/cmd/thv-operator/api/v1alpha1/mcpregistry_types.go b/cmd/thv-operator/api/v1alpha1/mcpregistry_types.go index c33c4b34a2..4d5391fb3f 100644 --- a/cmd/thv-operator/api/v1alpha1/mcpregistry_types.go +++ b/cmd/thv-operator/api/v1alpha1/mcpregistry_types.go 
@@ -178,7 +178,7 @@ type GitAuthConfig struct { // key: token // // +kubebuilder:validation:Required - PasswordSecretRef corev1.SecretKeySelector `json:"passwordSecretRef"` + PasswordSecretRef SecretKeyRef `json:"passwordSecretRef"` } // APISource defines API source configuration for ToolHive Registry APIs @@ -344,14 +344,14 @@ type MCPRegistryDatabaseConfig struct { // that is mounted to the registry API container. // // +kubebuilder:validation:Required - DBAppUserPasswordSecretRef corev1.SecretKeySelector `json:"dbAppUserPasswordSecretRef"` + DBAppUserPasswordSecretRef SecretKeyRef `json:"dbAppUserPasswordSecretRef"` // DBMigrationUserPasswordSecretRef references a Kubernetes Secret containing the password for the migration database user. // The operator will use this password along with DBAppUserPasswordSecretRef to generate a pgpass file // that is mounted to the registry API container. // // +kubebuilder:validation:Required - DBMigrationUserPasswordSecretRef corev1.SecretKeySelector `json:"dbMigrationUserPasswordSecretRef"` + DBMigrationUserPasswordSecretRef SecretKeyRef `json:"dbMigrationUserPasswordSecretRef"` } // MCPRegistryAuthMode represents the authentication mode for the registry API server @@ -441,7 +441,7 @@ type MCPRegistryOAuthProviderConfig struct { // ClientSecretRef is a reference to a Secret containing the client secret // The secret should have a key "clientSecret" containing the secret value // +optional - ClientSecretRef *corev1.SecretKeySelector `json:"clientSecretRef,omitempty"` + ClientSecretRef *SecretKeyRef `json:"clientSecretRef,omitempty"` // CACertRef is a reference to a ConfigMap containing the CA certificate bundle // for verifying the provider's TLS certificate. 
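Review bot: The commit message calls the JSON wire format identical, but corev1.SecretKeySelector also accepts an `optional` field, and the generated deepcopy later in this patch copies SecretKeyRef by plain assignment (`**out = **in`), which suggests the new type has no such pointer field. This applies to `PasswordSecretRef SecretKeyRef` in GitAuthConfig and to the four other converted fields (DBAppUserPasswordSecretRef, DBMigrationUserPasswordSecretRef, ClientSecretRef, AuthTokenRef). A manifest that sets `optional` on any of them would presumably be pruned or rejected by the regenerated CRD schema, which is worth stating in the description or release notes. The definition of SecretKeyRef is outside this patch, so please also confirm that it marks `name` and `key` as required and non-empty, because these references resolve database and OAuth credentials.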
@@ -458,7 +458,7 @@ type MCPRegistryOAuthProviderConfig struct { // to OIDC/JWKS endpoints. Useful when the OIDC discovery or JWKS endpoint requires authentication. // Example: ServiceAccount token for Kubernetes API server // +optional - AuthTokenRef *corev1.SecretKeySelector `json:"authTokenRef,omitempty"` + AuthTokenRef *SecretKeyRef `json:"authTokenRef,omitempty"` // AuthTokenFile is the path to a file containing a bearer token for authenticating to OIDC/JWKS endpoints. // Useful when the OIDC discovery or JWKS endpoint requires authentication. diff --git a/cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go b/cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go index b8f06dc149..18649f9aee 100644 --- a/cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go +++ b/cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go @@ -1303,8 +1303,8 @@ func (in *MCPRegistryOAuthProviderConfig) DeepCopyInto(out *MCPRegistryOAuthProv *out = *in if in.ClientSecretRef != nil { in, out := &in.ClientSecretRef, &out.ClientSecretRef - *out = new(corev1.SecretKeySelector) - (*in).DeepCopyInto(*out) + *out = new(SecretKeyRef) + **out = **in } if in.CACertRef != nil { in, out := &in.CACertRef, &out.CACertRef @@ -1313,8 +1313,8 @@ func (in *MCPRegistryOAuthProviderConfig) DeepCopyInto(out *MCPRegistryOAuthProv } if in.AuthTokenRef != nil { in, out := &in.AuthTokenRef, &out.AuthTokenRef - *out = new(corev1.SecretKeySelector) - (*in).DeepCopyInto(*out) + *out = new(SecretKeyRef) + **out = **in } } diff --git a/cmd/thv-operator/pkg/kubernetes/doc.go b/cmd/thv-operator/pkg/kubernetes/doc.go index a94346d7e3..6d5d7c00b0 100644 --- a/cmd/thv-operator/pkg/kubernetes/doc.go +++ b/cmd/thv-operator/pkg/kubernetes/doc.go 
@@ -20,7 +20,7 @@ // kubeClient := kubernetes.NewClient(ctrlClient, scheme) // // // Access secrets operations via the Secrets field -// value, err := kubeClient.Secrets.GetValue(ctx, "default", secretKeySelector) +// value, err := kubeClient.Secrets.GetValue(ctx, "default", "secret-name", "secret-key") // // // Upsert a secret with owner reference // result, err := kubeClient.Secrets.UpsertWithOwnerReference(ctx, secret, ownerObject) diff --git a/cmd/thv-operator/pkg/kubernetes/secrets/secrets.go b/cmd/thv-operator/pkg/kubernetes/secrets/secrets.go index d2f86ae394..07d8517a31 100644 --- a/cmd/thv-operator/pkg/kubernetes/secrets/secrets.go +++ b/cmd/thv-operator/pkg/kubernetes/secrets/secrets.go @@ -45,17 +45,16 @@ func (c *Client) Get(ctx context.Context, name, namespace string) (*corev1.Secre } // GetValue retrieves a specific key's value from a Kubernetes Secret. -// Uses a SecretKeySelector to identify the secret name and key. // Returns the value as a string, or an error if the secret or key is not found. -func (c *Client) GetValue(ctx context.Context, namespace string, secretRef corev1.SecretKeySelector) (string, error) { - secret, err := c.Get(ctx, secretRef.Name, namespace) +func (c *Client) GetValue(ctx context.Context, namespace, name, key string) (string, error) { + secret, err := c.Get(ctx, name, namespace) if err != nil { return "", err } - value, exists := secret.Data[secretRef.Key] + value, exists := secret.Data[key] if !exists { - return "", fmt.Errorf("key %s not found in secret %s", secretRef.Key, secretRef.Name) + return "", fmt.Errorf("key %s not found in secret %s", key, name) } return string(value), nil diff --git a/cmd/thv-operator/pkg/kubernetes/secrets/secrets_test.go b/cmd/thv-operator/pkg/kubernetes/secrets/secrets_test.go index 2ec04b58ad..00be8c524b 100644 --- a/cmd/thv-operator/pkg/kubernetes/secrets/secrets_test.go +++ b/cmd/thv-operator/pkg/kubernetes/secrets/secrets_test.go 
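Review bot: GetValue in secrets.go now takes three adjacent strings in the order `namespace, name, key`, while the `Get` it calls takes `name, namespace`, so a transposed argument still compiles and would read a different Secret. The doc comment should spell the order out, for example `// namespace is the Secret's namespace, name is the Secret, key is the entry in its Data; note that Get takes (name, namespace).` An empty name or key could also be rejected up front, with the values quoted so an empty one is visible: `if name == "" || key == "" { return "", fmt.Errorf("secret name and key must be set (name %q, key %q)", name, key) }`. The pgpass.go callers later in this patch pass `.Name` and `.Key` with no check visible in their hunk. The end of the function lies outside this hunk.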
@@ -140,14 +140,7 @@ func TestGetValue(t *testing.T) { Build() client := NewClient(fakeClient, scheme) - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test-secret", - }, - Key: "password", - } - - value, err := client.GetValue(ctx, "default", secretRef) + value, err := client.GetValue(ctx, "default", "test-secret", "password") require.NoError(t, err) assert.Equal(t, "super-secret-password", value) @@ -163,14 +156,7 @@ func TestGetValue(t *testing.T) { Build() client := NewClient(fakeClient, scheme) - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "non-existent-secret", - }, - Key: "password", - } - - value, err := client.GetValue(ctx, "default", secretRef) + value, err := client.GetValue(ctx, "default", "non-existent-secret", "password") require.Error(t, err) assert.Empty(t, value) @@ -198,14 +184,7 @@ func TestGetValue(t *testing.T) { Build() client := NewClient(fakeClient, scheme) - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test-secret", - }, - Key: "non-existent-key", - } - - value, err := client.GetValue(ctx, "default", secretRef) + value, err := client.GetValue(ctx, "default", "test-secret", "non-existent-key") require.Error(t, err) assert.Empty(t, value) @@ -243,14 +222,7 @@ func TestGetValue(t *testing.T) { Build() client := NewClient(fakeClient, scheme) - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test-secret", - }, - Key: "password", - } - - value, err := client.GetValue(ctx, "namespace2", secretRef) + value, err := client.GetValue(ctx, "namespace2", "test-secret", "password") require.NoError(t, err) assert.Equal(t, "password2", value) 
@@ -277,14 +249,7 @@ func TestGetValue(t *testing.T) { Build() client := NewClient(fakeClient, scheme) - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "test-secret", - }, - Key: "empty-key", - } - - value, err := client.GetValue(ctx, "default", secretRef) + value, err := client.GetValue(ctx, "default", "test-secret", "empty-key") require.NoError(t, err) assert.Empty(t, value) diff --git a/cmd/thv-operator/pkg/registryapi/config/config.go b/cmd/thv-operator/pkg/registryapi/config/config.go index 2822c9391f..8a029e7dc3 100644 --- a/cmd/thv-operator/pkg/registryapi/config/config.go +++ b/cmd/thv-operator/pkg/registryapi/config/config.go @@ -546,7 +546,7 @@ func buildGitAuthConfig(auth *mcpv1alpha1.GitAuthConfig) (*GitAuthConfig, error) // buildGitPasswordFilePath constructs the file path where a git password secret will be mounted. // The secretRef must have both Name and Key set (validated by buildGitAuthConfig). -func buildGitPasswordFilePath(secretRef *corev1.SecretKeySelector) string { +func buildGitPasswordFilePath(secretRef *mcpv1alpha1.SecretKeyRef) string { if secretRef == nil { return "" } @@ -761,7 +761,7 @@ func buildOAuthProviderConfig( } // buildSecretFilePath constructs the file path where a secret will be mounted -func buildSecretFilePath(secretRef *corev1.SecretKeySelector) string { +func buildSecretFilePath(secretRef *mcpv1alpha1.SecretKeyRef) string { if secretRef == nil { return "" } diff --git a/cmd/thv-operator/pkg/registryapi/config/config_test.go b/cmd/thv-operator/pkg/registryapi/config/config_test.go index e15de48aac..1082f81464 100644 --- a/cmd/thv-operator/pkg/registryapi/config/config_test.go +++ b/cmd/thv-operator/pkg/registryapi/config/config_test.go 
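Review bot: buildGitPasswordFilePath and buildSecretFilePath (config.go, hunks at -546 and -761) derive a mount path from the reference's Name and Key, so whatever SecretKeyRef accepts in those fields ends up in the path; the tests in this patch show the shape `/secrets/my-secret/my-key`. The type's validation markers are not part of this patch, so please confirm that `name` and `key` cannot carry `/` or `..`, or add a guard in these helpers. The doc comment on buildSecretFilePath could also record the behaviour the tests rely on, e.g. `// An empty Key falls back to "clientSecret"; a nil secretRef yields "".` Both function bodies continue outside the hunks.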
@@ -495,11 +495,9 @@ func TestBuildConfig_GitAuth(t *testing.T) { Path: "registry.json", Auth: &mcpv1alpha1.GitAuthConfig{ Username: "git", - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "git-credentials", - }, - Key: "token", + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "git-credentials", + Key: "token", }, }, }, @@ -543,10 +541,8 @@ func TestBuildConfig_GitAuth(t *testing.T) { Path: "registry.json", Auth: &mcpv1alpha1.GitAuthConfig{ Username: "git", - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "git-credentials", - }, + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "git-credentials", // Key is empty - should cause an error }, }, @@ -581,11 +577,9 @@ func TestBuildConfig_GitAuth(t *testing.T) { Path: "registry.json", Auth: &mcpv1alpha1.GitAuthConfig{ // Username is empty - should cause an error - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "git-credentials", - }, - Key: "token", + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "git-credentials", + Key: "token", }, }, }, @@ -619,11 +613,9 @@ func TestBuildConfig_GitAuth(t *testing.T) { Path: "registry.json", Auth: &mcpv1alpha1.GitAuthConfig{ Username: "git", - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "", // Empty name should cause an error - }, - Key: "token", + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "", // Empty name should cause an error + Key: "token", }, }, }, 
@@ -1673,11 +1665,9 @@ func TestBuildConfig_AuthConfig(t *testing.T) { IssuerURL: "https://keycloak.example.com/realms/myrealm", Audience: "registry-api", ClientID: "registry-client", - ClientSecretRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "keycloak-secret", - }, - Key: "client-secret", + ClientSecretRef: &mcpv1alpha1.SecretKeyRef{ + Name: "keycloak-secret", + Key: "client-secret", }, CACertRef: &corev1.ConfigMapKeySelector{ LocalObjectReference: corev1.LocalObjectReference{ @@ -1984,11 +1974,9 @@ func TestBuildSecretFilePath(t *testing.T) { t.Run("secret ref with key", func(t *testing.T) { t.Parallel() - secretRef := &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "my-secret", - }, - Key: "my-key", + secretRef := &mcpv1alpha1.SecretKeyRef{ + Name: "my-secret", + Key: "my-key", } result := buildSecretFilePath(secretRef) assert.Equal(t, "/secrets/my-secret/my-key", result) @@ -1996,11 +1984,9 @@ func TestBuildSecretFilePath(t *testing.T) { t.Run("secret ref without key uses default", func(t *testing.T) { t.Parallel() - secretRef := &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "my-secret", - }, - Key: "", + secretRef := &mcpv1alpha1.SecretKeyRef{ + Name: "my-secret", + Key: "", } result := buildSecretFilePath(secretRef) assert.Equal(t, "/secrets/my-secret/clientSecret", result) @@ -2176,11 +2162,9 @@ func TestBuildOAuthProviderConfig_DirectPaths(t *testing.T) { IssuerURL: "https://issuer.example.com", Audience: "my-app", AuthTokenFile: "/var/run/secrets/kubernetes.io/serviceaccount/token", // Direct path - AuthTokenRef: &corev1.SecretKeySelector{ // Should be ignored - LocalObjectReference: corev1.LocalObjectReference{ - Name: "token-secret", - }, - Key: "token", + AuthTokenRef: &mcpv1alpha1.SecretKeyRef{ // Should be ignored + Name: "token-secret", + Key: "token", }, }, }, 
@@ -2228,11 +2212,9 @@ func TestBuildOAuthProviderConfig_DirectPaths(t *testing.T) { IssuerURL: "https://issuer.example.com", Audience: "my-app", // AuthTokenFile not set - AuthTokenRef: &corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "token-secret", - }, - Key: "my-token", + AuthTokenRef: &mcpv1alpha1.SecretKeyRef{ + Name: "token-secret", + Key: "my-token", }, }, }, diff --git a/cmd/thv-operator/pkg/registryapi/deployment_test.go b/cmd/thv-operator/pkg/registryapi/deployment_test.go index 8a7e020ceb..0fedd319f6 100644 --- a/cmd/thv-operator/pkg/registryapi/deployment_test.go +++ b/cmd/thv-operator/pkg/registryapi/deployment_test.go @@ -190,11 +190,9 @@ func TestManagerBuildRegistryAPIDeployment(t *testing.T) { Path: "registry.json", Auth: &mcpv1alpha1.GitAuthConfig{ Username: "git", - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "git-credentials", - }, - Key: "token", + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "git-credentials", + Key: "token", }, }, }, @@ -260,11 +258,9 @@ func TestManagerBuildRegistryAPIDeployment(t *testing.T) { Path: "registry.json", Auth: &mcpv1alpha1.GitAuthConfig{ Username: "git", - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "git-credentials-1", - }, - Key: "token", + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "git-credentials-1", + Key: "token", }, }, }, @@ -278,11 +274,9 @@ func TestManagerBuildRegistryAPIDeployment(t *testing.T) { Path: "registry.json", Auth: &mcpv1alpha1.GitAuthConfig{ Username: "git", - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "git-credentials-2", - }, - Key: "password", + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "git-credentials-2", + Key: "password", }, }, }, 
diff --git a/cmd/thv-operator/pkg/registryapi/pgpass.go b/cmd/thv-operator/pkg/registryapi/pgpass.go index b7c9737f89..a71d215290 100644 --- a/cmd/thv-operator/pkg/registryapi/pgpass.go +++ b/cmd/thv-operator/pkg/registryapi/pgpass.go @@ -33,7 +33,12 @@ func (m *manager) ensurePGPassSecret( dbConfig := mcpRegistry.GetDatabaseConfig() // Read app user password from secret - appUserPassword, err := m.kubeHelper.Secrets.GetValue(ctx, mcpRegistry.Namespace, dbConfig.DBAppUserPasswordSecretRef) + appUserPassword, err := m.kubeHelper.Secrets.GetValue( + ctx, + mcpRegistry.Namespace, + dbConfig.DBAppUserPasswordSecretRef.Name, + dbConfig.DBAppUserPasswordSecretRef.Key, + ) if err != nil { return fmt.Errorf("failed to read app user password from secret %s: %w", dbConfig.DBAppUserPasswordSecretRef.Name, err) @@ -41,7 +46,11 @@ func (m *manager) ensurePGPassSecret( // Read migration user password from secret migrationUserPassword, err := m.kubeHelper.Secrets.GetValue( - ctx, mcpRegistry.Namespace, dbConfig.DBMigrationUserPasswordSecretRef) + ctx, + mcpRegistry.Namespace, + dbConfig.DBMigrationUserPasswordSecretRef.Name, + dbConfig.DBMigrationUserPasswordSecretRef.Key, + ) if err != nil { return fmt.Errorf("failed to read migration user password from secret %s: %w", dbConfig.DBMigrationUserPasswordSecretRef.Name, err) diff --git a/cmd/thv-operator/pkg/registryapi/pgpass_test.go b/cmd/thv-operator/pkg/registryapi/pgpass_test.go index b0f09b3271..0d0fd4c277 100644 --- a/cmd/thv-operator/pkg/registryapi/pgpass_test.go +++ b/cmd/thv-operator/pkg/registryapi/pgpass_test.go 
@@ -256,13 +256,13 @@ func baseMCPRegistry(t *testing.T, opts ...func(*mcpv1alpha1.MCPRegistry)) *mcpv Database: "test_db", User: "app_user", MigrationUser: "migration_user", - DBAppUserPasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "app-secret"}, - Key: "password", + DBAppUserPasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "app-secret", + Key: "password", }, - DBMigrationUserPasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{Name: "migration-secret"}, - Key: "password", + DBMigrationUserPasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "migration-secret", + Key: "password", }, }, Registries: []mcpv1alpha1.MCPRegistryConfig{ diff --git a/cmd/thv-operator/pkg/registryapi/podtemplatespec.go b/cmd/thv-operator/pkg/registryapi/podtemplatespec.go index ee11a82189..3135f3852d 100644 --- a/cmd/thv-operator/pkg/registryapi/podtemplatespec.go +++ b/cmd/thv-operator/pkg/registryapi/podtemplatespec.go @@ -347,7 +347,7 @@ func WithPGPassMount(containerName, secretName string) PodTemplateSpecOption { // Parameters: // - containerName: The name of the container to add the mount to // - secretRef: The secret key selector referencing the password secret -func WithGitAuthMount(containerName string, secretRef corev1.SecretKeySelector) PodTemplateSpecOption { +func WithGitAuthMount(containerName string, secretRef mcpv1alpha1.SecretKeyRef) PodTemplateSpecOption { return func(pts *corev1.PodTemplateSpec) { // Both Name and Key are validated as required by buildGitAuthConfig() if secretRef.Name == "" || secretRef.Key == "" { diff --git a/cmd/thv-operator/pkg/registryapi/podtemplatespec_test.go b/cmd/thv-operator/pkg/registryapi/podtemplatespec_test.go index 22609893bf..88f74fd1e9 100644 --- a/cmd/thv-operator/pkg/registryapi/podtemplatespec_test.go +++ b/cmd/thv-operator/pkg/registryapi/podtemplatespec_test.go 
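Review bot: The parameter doc above WithGitAuthMount in podtemplatespec.go still reads "The secret key selector referencing the password secret", although the parameter is now mcpv1alpha1.SecretKeyRef. Suggest `//   - secretRef: The SecretKeyRef (Secret name and key) holding the git password`. The tests in this patch show that the option does nothing when Name or Key is empty, so the doc comment should also say that an incomplete reference is skipped silently and relies on buildGitAuthConfig having rejected it earlier. The function body continues outside the hunk.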
@@ -1099,11 +1099,9 @@ func TestWithGitAuthMount(t *testing.T) { t.Run("adds secret volume for git auth", func(t *testing.T) { t.Parallel() - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: testSecretName, - }, - Key: "token", + secretRef := mcpv1alpha1.SecretKeyRef{ + Name: testSecretName, + Key: "token", } builder := NewPodTemplateSpecBuilderFrom(nil) @@ -1132,11 +1130,9 @@ func TestWithGitAuthMount(t *testing.T) { t.Run("adds volume mount at correct path", func(t *testing.T) { t.Parallel() - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: testSecretName, - }, - Key: "token", + secretRef := mcpv1alpha1.SecretKeyRef{ + Name: testSecretName, + Key: "token", } builder := NewPodTemplateSpecBuilderFrom(nil) @@ -1165,10 +1161,8 @@ func TestWithGitAuthMount(t *testing.T) { t.Run("does nothing when key is empty", func(t *testing.T) { t.Parallel() - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: testSecretName, - }, + secretRef := mcpv1alpha1.SecretKeyRef{ + Name: testSecretName, // Key is empty - should be skipped (key is required) } @@ -1187,11 +1181,9 @@ func TestWithGitAuthMount(t *testing.T) { t.Run("does nothing when secret name is empty", func(t *testing.T) { t.Parallel() - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "", // Empty name should be skipped - }, - Key: "token", + secretRef := mcpv1alpha1.SecretKeyRef{ + Name: "", // Empty name should be skipped + Key: "token", } builder := NewPodTemplateSpecBuilderFrom(nil) 
@@ -1215,17 +1207,13 @@ func TestWithGitAuthMount(t *testing.T) { secretName2 = "git-credentials-2" ) - secretRef1 := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: secretName1, - }, - Key: "token", + secretRef1 := mcpv1alpha1.SecretKeyRef{ + Name: secretName1, + Key: "token", } - secretRef2 := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: secretName2, - }, - Key: "password", + secretRef2 := mcpv1alpha1.SecretKeyRef{ + Name: secretName2, + Key: "password", } builder := NewPodTemplateSpecBuilderFrom(nil) @@ -1254,11 +1242,9 @@ func TestWithGitAuthMount(t *testing.T) { t.Run("volumes are idempotent when called multiple times with same secret", func(t *testing.T) { t.Parallel() - secretRef := corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: testSecretName, - }, - Key: "token", + secretRef := mcpv1alpha1.SecretKeyRef{ + Name: testSecretName, + Key: "token", } builder := NewPodTemplateSpecBuilderFrom(nil) diff --git a/cmd/thv-operator/test-integration/mcp-registry/registry_helpers.go b/cmd/thv-operator/test-integration/mcp-registry/registry_helpers.go index b610b014e0..b820cb91a4 100644 --- a/cmd/thv-operator/test-integration/mcp-registry/registry_helpers.go +++ b/cmd/thv-operator/test-integration/mcp-registry/registry_helpers.go @@ -107,11 +107,9 @@ func (rb *RegistryBuilder) WithGitAuth(username, secretName, secretKey string) * } registryConfig.Git.Auth = &mcpv1alpha1.GitAuthConfig{ Username: username, - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: secretName, - }, - Key: secretKey, + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: secretName, + Key: secretKey, }, } return rb diff --git a/cmd/thv-operator/test-integration/mcp-registry/registryserver_config_test.go b/cmd/thv-operator/test-integration/mcp-registry/registryserver_config_test.go index 9ac5019b82..6e4935fa99 100644 
--- a/cmd/thv-operator/test-integration/mcp-registry/registryserver_config_test.go +++ b/cmd/thv-operator/test-integration/mcp-registry/registryserver_config_test.go @@ -590,11 +590,9 @@ var _ = Describe("MCPRegistry Server Config (Consolidated)", Label("k8s", "regis Path: "registry.json", Auth: &mcpv1alpha1.GitAuthConfig{ Username: "user1", - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "git-auth-1", - }, - Key: "password", + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "git-auth-1", + Key: "password", }, }, }, @@ -611,11 +609,9 @@ var _ = Describe("MCPRegistry Server Config (Consolidated)", Label("k8s", "regis Path: "servers.json", Auth: &mcpv1alpha1.GitAuthConfig{ Username: "user2", - PasswordSecretRef: corev1.SecretKeySelector{ - LocalObjectReference: corev1.LocalObjectReference{ - Name: "git-auth-2", - }, - Key: "token", + PasswordSecretRef: mcpv1alpha1.SecretKeyRef{ + Name: "git-auth-2", + Key: "token", }, }, },