fix ci

Author: taskbot

cmd/thv-operator/controllers/virtualmcpserver_controller.go

@@ -8,8 +8,6 @@ import (
 	"fmt"
 	"maps"
 	"reflect"
-	"regexp"
-	"strings"
 	"time"
 
 	appsv1 "k8s.io/api/apps/v1"
@@ -1271,37 +1269,17 @@ func (*VirtualMCPServerReconciler) convertExternalAuthConfigToStrategy(
 	if strategy.TokenExchange != nil &&
 		externalAuthConfig.Spec.TokenExchange != nil &&
 		externalAuthConfig.Spec.TokenExchange.ClientSecretRef != nil {
-		strategy.TokenExchange.ClientSecretEnv = generateUniqueTokenExchangeEnvVarName(externalAuthConfig.Name)
+		strategy.TokenExchange.ClientSecretEnv = ctrlutil.GenerateUniqueTokenExchangeEnvVarName(externalAuthConfig.Name)
 	}
 	if strategy.HeaderInjection != nil &&
 		externalAuthConfig.Spec.HeaderInjection != nil &&
 		externalAuthConfig.Spec.HeaderInjection.ValueSecretRef != nil {
-		strategy.HeaderInjection.HeaderValueEnv = generateUniqueHeaderInjectionEnvVarName(externalAuthConfig.Name)
+		strategy.HeaderInjection.HeaderValueEnv = ctrlutil.GenerateUniqueHeaderInjectionEnvVarName(externalAuthConfig.Name)
 	}
 
 	return strategy, nil
 }
 
-// generateUniqueTokenExchangeEnvVarName generates a unique environment variable name for token exchange
-// client secrets, incorporating the ExternalAuthConfig name to ensure uniqueness.
-func generateUniqueTokenExchangeEnvVarName(configName string) string {
-	// Sanitize config name for use in env var (uppercase, replace invalid chars with underscore)
-	sanitized := strings.ToUpper(strings.ReplaceAll(configName, "-", "_"))
-	// Remove any remaining invalid characters (keep only alphanumeric and underscore)
-	sanitized = regexp.MustCompile(`[^A-Z0-9_]`).ReplaceAllString(sanitized, "_")
-	return fmt.Sprintf("TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET_%s", sanitized)
-}
-
-// generateUniqueHeaderInjectionEnvVarName generates a unique environment variable name for header injection
-// values, incorporating the ExternalAuthConfig name to ensure uniqueness.
-func generateUniqueHeaderInjectionEnvVarName(configName string) string {
-	// Sanitize config name for use in env var (uppercase, replace invalid chars with underscore)
-	sanitized := strings.ToUpper(strings.ReplaceAll(configName, "-", "_"))
-	// Remove any remaining invalid characters (keep only alphanumeric and underscore)
-	sanitized = regexp.MustCompile(`[^A-Z0-9_]`).ReplaceAllString(sanitized, "_")
-	return fmt.Sprintf("TOOLHIVE_HEADER_INJECTION_VALUE_%s", sanitized)
-}
-
 // convertBackendAuthConfigToVMCP converts a BackendAuthConfig from CRD to vmcp config.
 func (r *VirtualMCPServerReconciler) convertBackendAuthConfigToVMCP(
 	ctx context.Context,

cmd/thv-operator/controllers/virtualmcpserver_deployment.go

@@ -425,7 +425,7 @@ func (r *VirtualMCPServerReconciler) getExternalAuthConfigSecretEnvVar(
 		if externalAuthConfig.Spec.TokenExchange.ClientSecretRef == nil {
 			return nil, nil // No secret to mount
 		}
-		envVarName = generateUniqueTokenExchangeEnvVarName(externalAuthConfigName)
+		envVarName = ctrlutil.GenerateUniqueTokenExchangeEnvVarName(externalAuthConfigName)
 		secretRef = externalAuthConfig.Spec.TokenExchange.ClientSecretRef
 
 	case mcpv1alpha1.ExternalAuthTypeHeaderInjection:
@@ -435,7 +435,7 @@ func (r *VirtualMCPServerReconciler) getExternalAuthConfigSecretEnvVar(
 		if externalAuthConfig.Spec.HeaderInjection.ValueSecretRef == nil {
 			return nil, nil // No secret to mount
 		}
-		envVarName = generateUniqueHeaderInjectionEnvVarName(externalAuthConfigName)
+		envVarName = ctrlutil.GenerateUniqueHeaderInjectionEnvVarName(externalAuthConfigName)
 		secretRef = externalAuthConfig.Spec.HeaderInjection.ValueSecretRef
 
 	case mcpv1alpha1.ExternalAuthTypeUnauthenticated:

cmd/thv-operator/controllers/virtualmcpserver_externalauth_test.go

@@ -950,7 +950,7 @@ func TestGenerateUniqueTokenExchangeEnvVarName(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			result := generateUniqueTokenExchangeEnvVarName(tt.configName)
+			result := ctrlutil.GenerateUniqueTokenExchangeEnvVarName(tt.configName)
 			assert.Contains(t, result, expectedPrefix)
 			assert.Contains(t, result, tt.expectedSuffix)
 			// Verify format: PREFIX_SUFFIX
@@ -1007,7 +1007,7 @@ func TestGenerateUniqueHeaderInjectionEnvVarName(t *testing.T) {
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {
 			t.Parallel()
-			result := generateUniqueHeaderInjectionEnvVarName(tt.configName)
+			result := ctrlutil.GenerateUniqueHeaderInjectionEnvVarName(tt.configName)
 			assert.True(t, strings.HasPrefix(result, expectedPrefix+"_"), "Result should start with prefix")
 			assert.True(t, strings.HasSuffix(result, tt.expectedSuffix), "Result should end with suffix")
 			// Verify format: PREFIX_SUFFIX

cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go

@@ -196,7 +196,8 @@ func TestConvertBackendAuthConfig(t *testing.T) {
 			authConfig: &mcpv1alpha1.BackendAuthConfig{
 				Type: mcpv1alpha1.BackendAuthTypeDiscovered,
 			},
-			expectedType: mcpv1alpha1.BackendAuthTypeDiscovered,
+			// "discovered" type is converted to "unauthenticated" by the converter
+			expectedType: "unauthenticated",
 		},
 		{
 			name: "external auth config ref",
@@ -206,7 +207,8 @@ func TestConvertBackendAuthConfig(t *testing.T) {
 					Name: "auth-config",
 				},
 			},
-			expectedType: mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef,
+			// For external_auth_config_ref, the type comes from the referenced MCPExternalAuthConfig
+			expectedType: "unauthenticated",
 		},
 	}
 
@@ -216,6 +218,10 @@ func TestConvertBackendAuthConfig(t *testing.T) {
 			t.Parallel()
 
 			vmcpServer := &mcpv1alpha1.VirtualMCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-vmcp",
+					Namespace: "default",
+				},
 				Spec: mcpv1alpha1.VirtualMCPServerSpec{
 					GroupRef: mcpv1alpha1.GroupRef{
 						Name: "test-group",
@@ -226,7 +232,34 @@ func TestConvertBackendAuthConfig(t *testing.T) {
 				},
 			}
 
-			converter := newTestConverter(t, newNoOpMockResolver(t))
+			// For external_auth_config_ref test, create the referenced MCPExternalAuthConfig
+			var converter *vmcpconfig.Converter
+			if tt.authConfig.Type == mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef {
+				// Create a fake MCPExternalAuthConfig
+				externalAuthConfig := &mcpv1alpha1.MCPExternalAuthConfig{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "auth-config",
+						Namespace: "default",
+					},
+					Spec: mcpv1alpha1.MCPExternalAuthConfigSpec{
+						Type: mcpv1alpha1.ExternalAuthTypeUnauthenticated,
+					},
+				}
+
+				// Create converter with fake client that has the external auth config
+				scheme := runtime.NewScheme()
+				_ = mcpv1alpha1.AddToScheme(scheme)
+				fakeClient := fake.NewClientBuilder().
+					WithScheme(scheme).
+					WithObjects(externalAuthConfig).
+					Build()
+				var err error
+				converter, err = vmcpconfig.NewConverter(newNoOpMockResolver(t), fakeClient)
+				require.NoError(t, err)
+			} else {
+				converter = newTestConverter(t, newNoOpMockResolver(t))
+			}
+
 			config, err := converter.Convert(context.Background(), vmcpServer)
 			require.NoError(t, err)
 

cmd/thv-operator/pkg/controllerutil/externalauth.go

@@ -0,0 +1,38 @@
+// Package controllerutil provides utility functions for Kubernetes controllers.
+package controllerutil
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+)
+
+// GenerateUniqueTokenExchangeEnvVarName generates a unique environment variable name for token exchange
+// client secrets, incorporating the ExternalAuthConfig name to ensure uniqueness.
+// This function is used by both the converter and deployment controller to ensure consistent
+// environment variable naming across the system.
+//
+// Example: For an ExternalAuthConfig named "my-auth-config", this returns:
+// "TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET_MY_AUTH_CONFIG"
+func GenerateUniqueTokenExchangeEnvVarName(configName string) string {
+	// Sanitize config name for use in env var (uppercase, replace invalid chars with underscore)
+	sanitized := strings.ToUpper(strings.ReplaceAll(configName, "-", "_"))
+	// Remove any remaining invalid characters (keep only alphanumeric and underscore)
+	sanitized = regexp.MustCompile(`[^A-Z0-9_]`).ReplaceAllString(sanitized, "_")
+	return fmt.Sprintf("TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET_%s", sanitized)
+}
+
+// GenerateUniqueHeaderInjectionEnvVarName generates a unique environment variable name for header injection
+// values, incorporating the ExternalAuthConfig name to ensure uniqueness.
+// This function is used by both the converter and deployment controller to ensure consistent
+// environment variable naming across the system.
+//
+// Example: For an ExternalAuthConfig named "my-auth-config", this returns:
+// "TOOLHIVE_HEADER_INJECTION_VALUE_MY_AUTH_CONFIG"
+func GenerateUniqueHeaderInjectionEnvVarName(configName string) string {
+	// Sanitize config name for use in env var (uppercase, replace invalid chars with underscore)
+	sanitized := strings.ToUpper(strings.ReplaceAll(configName, "-", "_"))
+	// Remove any remaining invalid characters (keep only alphanumeric and underscore)
+	sanitized = regexp.MustCompile(`[^A-Z0-9_]`).ReplaceAllString(sanitized, "_")
+	return fmt.Sprintf("TOOLHIVE_HEADER_INJECTION_VALUE_%s", sanitized)
+}

cmd/thv-operator/pkg/controllerutil/externalauth_test.go

@@ -0,0 +1,102 @@
+package controllerutil
+
+import (
+	"regexp"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+// TestGenerateUniqueTokenExchangeEnvVarName tests the GenerateUniqueTokenExchangeEnvVarName function
+func TestGenerateUniqueTokenExchangeEnvVarName(t *testing.T) {
+	t.Parallel()
+
+	expectedPrefix := "TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET"
+	tests := []struct {
+		name           string
+		configName     string
+		expectedSuffix string
+	}{
+		{
+			name:           "simple name",
+			configName:     "test-config",
+			expectedSuffix: "TEST_CONFIG",
+		},
+		{
+			name:           "multiple hyphens",
+			configName:     "my-test-config",
+			expectedSuffix: "MY_TEST_CONFIG",
+		},
+		{
+			name:           "with special characters",
+			configName:     "test.config@123",
+			expectedSuffix: "TEST_CONFIG_123",
+		},
+		{
+			name:           "single character",
+			configName:     "a",
+			expectedSuffix: "A",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			result := GenerateUniqueTokenExchangeEnvVarName(tt.configName)
+			assert.Contains(t, result, expectedPrefix)
+			assert.Contains(t, result, tt.expectedSuffix)
+			// Verify format: PREFIX_SUFFIX
+			assert.Contains(t, result, "_")
+			// Verify all characters are valid for env vars (uppercase, alphanumeric, underscore)
+			envVarPattern := regexp.MustCompile(`^[A-Z0-9_]+$`)
+			assert.Regexp(t, envVarPattern, result, "Result should be a valid environment variable name")
+		})
+	}
+}
+
+// TestGenerateUniqueHeaderInjectionEnvVarName tests the GenerateUniqueHeaderInjectionEnvVarName function
+func TestGenerateUniqueHeaderInjectionEnvVarName(t *testing.T) {
+	t.Parallel()
+
+	expectedPrefix := "TOOLHIVE_HEADER_INJECTION_VALUE"
+	tests := []struct {
+		name           string
+		configName     string
+		expectedSuffix string
+	}{
+		{
+			name:           "simple name",
+			configName:     "test-config",
+			expectedSuffix: "TEST_CONFIG",
+		},
+		{
+			name:           "multiple hyphens",
+			configName:     "my-test-config",
+			expectedSuffix: "MY_TEST_CONFIG",
+		},
+		{
+			name:           "with special characters",
+			configName:     "test.config@123",
+			expectedSuffix: "TEST_CONFIG_123",
+		},
+		{
+			name:           "single character",
+			configName:     "x",
+			expectedSuffix: "X",
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+			result := GenerateUniqueHeaderInjectionEnvVarName(tt.configName)
+			assert.True(t, regexp.MustCompile("^"+expectedPrefix+"_").MatchString(result), "Result should start with prefix")
+			assert.True(t, regexp.MustCompile(tt.expectedSuffix+"$").MatchString(result), "Result should end with suffix")
+			// Verify format: PREFIX_SUFFIX
+			assert.Contains(t, result, "_")
+			// Verify all characters are valid for env vars (uppercase, alphanumeric, underscore)
+			envVarPattern := regexp.MustCompile(`^[A-Z0-9_]+$`)
+			assert.Regexp(t, envVarPattern, result, "Result should be a valid environment variable name")
+		})
+	}
+}

cmd/thv-operator/pkg/vmcpconfig/converter.go

@@ -5,8 +5,6 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
-	"regexp"
-	"strings"
 	"time"
 
 	"github.com/go-logr/logr"
@@ -17,6 +15,7 @@ import (
 	"sigs.k8s.io/controller-runtime/pkg/log"
 
 	mcpv1alpha1 "github.com/stacklok/toolhive/cmd/thv-operator/api/v1alpha1"
+	"github.com/stacklok/toolhive/cmd/thv-operator/pkg/controllerutil"
 	"github.com/stacklok/toolhive/cmd/thv-operator/pkg/oidc"
 	authtypes "github.com/stacklok/toolhive/pkg/vmcp/auth/types"
 	vmcpconfig "github.com/stacklok/toolhive/pkg/vmcp/config"
@@ -267,14 +266,14 @@ func (c *Converter) convertBackendAuthConfig(
 	crdConfig *mcpv1alpha1.BackendAuthConfig,
 ) (*authtypes.BackendAuthStrategy, error) {
 	// If type is "discovered", return unauthenticated strategy
-	if crdConfig.Type == "discovered" {
+	if crdConfig.Type == mcpv1alpha1.BackendAuthTypeDiscovered {
 		return &authtypes.BackendAuthStrategy{
-			Type: "unauthenticated",
+			Type: authtypes.StrategyTypeUnauthenticated,
 		}, nil
 	}
 
 	// If type is "external_auth_config_ref", resolve the MCPExternalAuthConfig
-	if crdConfig.Type == "external_auth_config_ref" {
+	if crdConfig.Type == mcpv1alpha1.BackendAuthTypeExternalAuthConfigRef {
 		if crdConfig.ExternalAuthConfigRef == nil {
 			return nil, fmt.Errorf("backend %s: external_auth_config_ref type requires externalAuthConfigRef field", backendName)
 		}
@@ -307,27 +306,27 @@ func (*Converter) convertExternalAuthConfigToStrategy(
 
 	switch externalAuthConfig.Spec.Type {
 	case mcpv1alpha1.ExternalAuthTypeUnauthenticated:
-		strategy.Type = "unauthenticated"
+		strategy.Type = authtypes.StrategyTypeUnauthenticated
 
 	case mcpv1alpha1.ExternalAuthTypeHeaderInjection:
 		if externalAuthConfig.Spec.HeaderInjection == nil {
 			return nil, fmt.Errorf("headerInjection config is required when type is headerInjection")
 		}
 
-		strategy.Type = "header_injection"
+		strategy.Type = authtypes.StrategyTypeHeaderInjection
 		strategy.HeaderInjection = &authtypes.HeaderInjectionConfig{
 			HeaderName: externalAuthConfig.Spec.HeaderInjection.HeaderName,
 			// The secret value will be mounted as an environment variable by the deployment controller
 			// Use the same env var naming convention as the deployment controller
-			HeaderValueEnv: generateUniqueHeaderInjectionEnvVarName(externalAuthConfig.Name),
+			HeaderValueEnv: controllerutil.GenerateUniqueHeaderInjectionEnvVarName(externalAuthConfig.Name),
 		}
 
 	case mcpv1alpha1.ExternalAuthTypeTokenExchange:
 		if externalAuthConfig.Spec.TokenExchange == nil {
 			return nil, fmt.Errorf("tokenExchange config is required when type is tokenExchange")
 		}
 
-		strategy.Type = "token_exchange"
+		strategy.Type = authtypes.StrategyTypeTokenExchange
 		strategy.TokenExchange = &authtypes.TokenExchangeConfig{
 			TokenURL:         externalAuthConfig.Spec.TokenExchange.TokenURL,
 			ClientID:         externalAuthConfig.Spec.TokenExchange.ClientID,
@@ -340,7 +339,7 @@ func (*Converter) convertExternalAuthConfigToStrategy(
 		if externalAuthConfig.Spec.TokenExchange.ClientSecretRef != nil {
 			// The secret value will be mounted as an environment variable by the deployment controller
 			// Use the same env var naming convention as the deployment controller
-			strategy.TokenExchange.ClientSecretEnv = generateUniqueTokenExchangeEnvVarName(externalAuthConfig.Name)
+			strategy.TokenExchange.ClientSecretEnv = controllerutil.GenerateUniqueTokenExchangeEnvVarName(externalAuthConfig.Name)
 		}
 
 	default:
@@ -880,25 +879,3 @@ func (*Converter) convertOperational(
 
 	return operational
 }
-
-// generateUniqueTokenExchangeEnvVarName generates a unique environment variable name for token exchange
-// client secrets, incorporating the ExternalAuthConfig name to ensure uniqueness.
-// This must match the naming convention used by the deployment controller.
-func generateUniqueTokenExchangeEnvVarName(configName string) string {
-	// Sanitize config name for use in env var (uppercase, replace invalid chars with underscore)
-	sanitized := strings.ToUpper(strings.ReplaceAll(configName, "-", "_"))
-	// Remove any remaining invalid characters (keep only alphanumeric and underscore)
-	sanitized = regexp.MustCompile(`[^A-Z0-9_]`).ReplaceAllString(sanitized, "_")
-	return fmt.Sprintf("TOOLHIVE_TOKEN_EXCHANGE_CLIENT_SECRET_%s", sanitized)
-}
-
-// generateUniqueHeaderInjectionEnvVarName generates a unique environment variable name for header injection
-// values, incorporating the ExternalAuthConfig name to ensure uniqueness.
-// This must match the naming convention used by the deployment controller.
-func generateUniqueHeaderInjectionEnvVarName(configName string) string {
-	// Sanitize config name for use in env var (uppercase, replace invalid chars with underscore)
-	sanitized := strings.ToUpper(strings.ReplaceAll(configName, "-", "_"))
-	// Remove any remaining invalid characters (keep only alphanumeric and underscore)
-	sanitized = regexp.MustCompile(`[^A-Z0-9_]`).ReplaceAllString(sanitized, "_")
-	return fmt.Sprintf("TOOLHIVE_HEADER_INJECTION_VALUE_%s", sanitized)
-}