fix and test mcptoolconfig for vmcp #2891
Conversation
Codecov Report❌ Patch coverage is
Additional details and impacted files@@ Coverage Diff @@
## main #2891 +/- ##
==========================================
+ Coverage 56.36% 56.50% +0.14%
==========================================
Files 323 323
Lines 31764 31816 +52
==========================================
+ Hits 17904 17978 +74
+ Misses 12331 12308 -23
- Partials 1529 1530 +1 ☔ View full report in Codecov by Sentry. 🚀 New features to boost your workflow:
|
yrobla
force-pushed
the
feat/add_tool_filter_mcptoolconfig
branch
from
f2fdec4 to
7d4a1db
Compare
yrobla
force-pushed
the
feat/add_tool_filter_mcptoolconfig
branch
from
7d4a1db to
d59dd3b
Compare
github-actions
bot
added
size/L
There was a problem hiding this comment.
Pull request overview
This PR adds proper MCPToolConfig reconciliation, dynamic updates, and override support for VirtualMCPServer, along with comprehensive e2e tests to validate the functionality.
Key changes:
- Added MCPToolConfig reference resolution in the VirtualMCPServer converter with proper filter and override merging
- Implemented watch-based reconciliation to trigger VirtualMCPServer updates when referenced MCPToolConfigs change
- Added comprehensive e2e tests covering filtering, overrides, and dynamic configuration updates
Reviewed changes
Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.
Show a summary per file
| File | Description |
|---|---|
| test/e2e/thv-operator/virtualmcp/virtualmcp_toolconfig_test.go | New e2e tests for MCPToolConfig filtering, overrides, and dynamic updates |
| cmd/thv-operator/pkg/vmcpconfig/converter.go | Extended converter to resolve MCPToolConfig references and merge filters/overrides with precedence rules |
| cmd/thv-operator/pkg/vmcpconfig/converter_test.go | Updated test helper to pass required k8sClient parameter to converter |
| cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go | Updated test to create fake k8s client for converter initialization |
| cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig.go | Updated to pass k8sClient to converter constructor |
| cmd/thv-operator/controllers/virtualmcpserver_podtemplatespec_reconcile_test.go | Updated test calls to include workloadNames parameter |
| cmd/thv-operator/controllers/virtualmcpserver_controller.go | Updated function call to include workloadNames parameter and added MCPToolConfig watch |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
github-actions
bot
added
size/XL
![github-actions[bot]](https://avatars.githubusercontent.com/in/15368?s=60&v=4){kind=small}
There was a problem hiding this comment.
Large PR Detected
This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.
How to unblock this PR:
Add a section to your PR description with the following format:
## Large PR Justification
[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformationAlternative:
Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.
See our Contributing Guidelines for more details.
This review will be automatically dismissed once you add the justification section.
yrobla
force-pushed
the
feat/add_tool_filter_mcptoolconfig
branch
from
512c37c to
eb5430a
Compare
github-actions
bot
added
size/XL
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 5 out of 5 changed files in this pull request and generated 2 comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
yrobla
force-pushed
the
feat/add_tool_filter_mcptoolconfig
branch
from
eb5430a to
8d52325
Compare
github-actions
bot
added
size/XL
github-actions
bot
dismissed
their stale review
Large PR justification has been provided. Thank you!
|
✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review. |
jhrozek
left a comment
jhrozek
left a comment
There was a problem hiding this comment.
PR Review: MCPToolConfig Support for VirtualMCPServer
Overall, this is a solid implementation with excellent test coverage. I have a few observations about error handling patterns and code organization that are worth considering.
Error Handling: Fails Open vs Fails Closed
In applyToolConfigRef (converter.go:337-341), the error handling logs the failure but continues with an empty/incomplete configuration. This is different from how OIDC resolution handles errors (lines 135-138), which fails closed by returning an error.
Concern: If a user explicitly references an MCPToolConfig that doesn't exist (typo, not yet created, deleted), the VirtualMCPServer will deploy with no tool filtering applied instead of failing. This could be a security concern if tool filtering was intended to restrict exposed tools.
Question: Was this intentional to allow graceful degradation, or should this fail closed like OIDC resolution to ensure explicit configuration errors are caught?
// OIDC resolution (fails closed):
return nil, fmt.Errorf("OIDC resolution failed for type %q: %w", ...)
// MCPToolConfig resolution (fails open):
ctxLogger.Error(err, "failed to resolve MCPToolConfig reference", ...)
return // continues without configUnreachable Code (converter.go:344-346)
The nil check if resolvedConfig == nil appears unreachable. Looking at resolveMCPToolConfig (lines 407-421), it either returns (toolConfig, nil) on success or (nil, error) on failure - it never returns (nil, nil).
If this is intentional defensive coding, consider adding a comment explaining the reasoning.
Minor: Method Receiver Pattern (converter.go:353, 363, 386)
The methods mergeToolConfigFilter, mergeToolConfigOverrides, and applyInlineOverrides use (*Converter) receiver but don't access any Converter fields - they're pure functions operating only on their parameters.
Question: Would it be cleaner to make these package-level functions, or use a value receiver (Converter) to signal they're stateless? This is a minor stylistic point.
Summary:
- 3 observations/questions noted
- No blocking issues identified
- Test coverage is comprehensive
jhrozek
left a comment
jhrozek
left a comment
There was a problem hiding this comment.
PR Review: MCPToolConfig Support for VirtualMCPServer
Overall, this is a solid implementation with excellent test coverage. I have a few observations about error handling patterns and code organization that are worth considering.
Error Handling: Fails Open vs Fails Closed
In applyToolConfigRef (converter.go:337-341), the error handling logs the failure but continues with an empty/incomplete configuration. This is different from how OIDC resolution handles errors (lines 135-138), which fails closed by returning an error.
Concern: If a user explicitly references an MCPToolConfig that doesn't exist (typo, not yet created, deleted), the VirtualMCPServer will deploy with no tool filtering applied instead of failing. This could be a security concern if tool filtering was intended to restrict exposed tools.
Question: Was this intentional to allow graceful degradation, or should this fail closed like OIDC resolution to ensure explicit configuration errors are caught?
// OIDC resolution (fails closed):
return nil, fmt.Errorf("OIDC resolution failed for type %q: %w", ...)
// MCPToolConfig resolution (fails open):
ctxLogger.Error(err, "failed to resolve MCPToolConfig reference", ...)
return // continues without configUnreachable Code (converter.go:344-346)
The nil check if resolvedConfig == nil appears unreachable. Looking at resolveMCPToolConfig (lines 407-421), it either returns (toolConfig, nil) on success or (nil, error) on failure - it never returns (nil, nil).
If this is intentional defensive coding, consider adding a comment explaining the reasoning.
Minor: Method Receiver Pattern (converter.go:353, 363, 386)
The methods mergeToolConfigFilter, mergeToolConfigOverrides, and applyInlineOverrides use (*Converter) receiver but don't access any Converter fields - they're pure functions operating only on their parameters.
Question: Would it be cleaner to make these package-level functions, or use a value receiver (Converter) to signal they're stateless? This is a minor stylistic point.
Summary:
- 3 observations/questions noted
- No blocking issues identified
- Test coverage is comprehensive
github-actions
bot
added
size/XL
yrobla
force-pushed
the
feat/add_tool_filter_mcptoolconfig
branch
from
b7eb620 to
ddb20ce
Compare
github-actions
bot
added
size/XL
Add proper reconciliation, dynamic updates and overrides support Add tests to validate it
yrobla
force-pushed
the
feat/add_tool_filter_mcptoolconfig
branch
from
ddb20ce to
3a788d4
Compare
github-actions
bot
added
size/XL
yrobla
force-pushed
the
feat/add_tool_filter_mcptoolconfig
branch
from
3a788d4 to
5473c52
Compare
github-actions
bot
added
size/XL
yrobla
force-pushed
the
feat/add_tool_filter_mcptoolconfig
branch
from
5473c52 to
d644395
Compare
github-actions
bot
added
size/XL
There was a problem hiding this comment.
Pull request overview
Copilot reviewed 4 out of 4 changed files in this pull request and generated no new comments.
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
github-actions
bot
added
size/XL
please review again |
Add proper reconciliation, dynamic updates and overrides support Add tests to validate it
Large PR Justification
This is an atomic PR, that captured some bugs and needs for improvement, and also added relevant tests.