Freeze MCPServer generation per pod via downward API (#5364)

* Add tests for MCPServer generation freeze invariant

Lock-in test in pkg/container/kubernetes/client_test.go documenting
the gate's blind spot when two callers pass equal MCPServerGeneration
with different images.

TDD test in cmd/thv-proxyrunner/app/run_test.go for the env-var override
(THV_MCPSERVER_GENERATION) that the fix in #5360 will introduce. Fails
today; goes green when the override is implemented.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Freeze proxyrunner MCPServerGeneration via env var

The /etc/runconfig ConfigMap volume mounts live (no subPath), so a
restarted old-RS proxyrunner pod re-reads runconfig.json after a helm
upgrade and picks up the new MCPServer generation. Both old and new
pods then call DeployWorkload with the same ourGen, defeating the
strict-greater-than gate at shouldSkipStatefulSetApply.

Honor THV_MCPSERVER_GENERATION (sourced via downward API in a
follow-up operator change) as an override on the file value, freezing
the generation per pod at creation time. Parallel to how the image is
already frozen via the CLI positional arg.

Part of #5360.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Project MCPServer generation into proxyrunner via downward API

Stamp the MCPServer generation as a pod-template annotation on the
proxy Deployment, and project that annotation into the proxyrunner
container as the THV_MCPSERVER_GENERATION env var via the downward
API. The env var is bound to the pod's own annotations at creation
time, so a restarted old-RS pod cannot acquire the new generation by
re-reading the live-mounted RunConfig ConfigMap.

The proxyrunner already honors this env var as an override on the
file value (see prior commit). With both sides wired, two coexisting
proxyrunner pods during a rolling update carry distinct generations
again and the strict-greater-than gate at shouldSkipStatefulSetApply
fires correctly.

Mirror the new env var and annotation in deploymentNeedsUpdate so
drift detection stays stable.

Closes #5360.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Add envtest coverage for generation-freeze contract

Two new integration specs assert the operator side of the freeze
end-to-end against a real apiserver:

- On initial reconcile, the proxy Deployment's pod template carries
  the mcpserver-generation annotation set to MCPServer.metadata.generation,
  and the proxyrunner container declares THV_MCPSERVER_GENERATION via
  a downward-API FieldRef pointing at that exact annotation key.
- On a Spec.Image patch the controller bumps the annotation value to
  the new generation and keeps the FieldRef wired correctly. This is
  the rolling-update path: new pods get a strictly-greater frozen
  generation than any restarted old-RS pod.

Catches typos in either the annotation key or the FieldRef path that
would silently produce an empty env var and let the proxyrunner fall
through to the (live-mounted) file value. Complements the unit-level
TestDeploymentForMCPServer_MCPServerGenerationDownwardAPI and
TestTryLoadConfigFromFile_MCPServerGenerationEnvOverride.

Part of #5360.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Address review feedback on #5360 freeze

- Defend applyMCPServerGenerationOverride against negative env values.
  metadata.generation is monotonic non-negative per K8s convention, so a
  negative override cannot come from a legitimate downward-API projection
  and must not be allowed to silently disable the apply-gate stamp.
  Add a Debug log on the success path so the override is observable in
  pod logs when diagnosing future occurrences.
- Add TestApplyMCPServerGenerationOverride exercising the empty,
  valid, zero, unparseable, and negative branches in isolation.
- Soften the position-mirror comment in deploymentNeedsUpdate. The
  prior text referenced the Redis password slot, but
  deploymentNeedsUpdate does not include the Redis password env var
  (pre-existing latent drift bug, tracked separately).
- Add a header comment to TestResourceOverrides explaining that the
  "0" mcpserver-generation annotation value comes from the fake client
  not auto-incrementing metadata.generation. Realistic generation
  tracking is exercised by the envtest in
  mcpserver_generation_freeze_integration_test.go.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Fix CI: codespell typo and gofmt alignment

- "unparseable" → "unparsable" (codespell) in run.go, run_test.go.
- Realign env-var map literals to gofmt's preferred column for the
  longest key (THV_MCPSERVER_GENERATION).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* Set FieldRef.APIVersion=v1 to avoid perpetual drift

ObjectFieldSelector.APIVersion is defaulted to "v1" by the API server on
persistence. The drift comparator at deploymentNeedsUpdate was rebuilding
the expected env var with an empty APIVersion, so equality.Semantic.DeepEqual
returned false on every reconcile and the controller perpetually rewrote
the proxy Deployment. That constant churn re-triggered the exact rolling-
update race the freeze was supposed to close — confirmed by the failing
VirtualMCPServer Optimizer + Circuit Breaker recovery spec in
test-e2e-lifecycle: stale-image proxyrunner pods kept clobbering the new
StatefulSet apply, leaving the backend mcp container in ImagePullBackOff.

Explicitly set APIVersion: "v1" on both the construction site and the
drift comparator so they match the API-server-defaulted value.

Add unit-level assertion in TestDeploymentForMCPServer_MCPServerGenerationDownwardAPI
and a new envtest spec "Does not flag spurious drift on a no-op reconcile"
that watches the Deployment's resourceVersion across multiple reconciles
and fails fast if drift detection misfires.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* TEMP debug: promote gate skip log + override log to INFO

Temporary diagnostic for #5360 v1.33/v1.34 E2E failure. Will be reverted
before merge.

* Revert debug INFO logs; port STS-template wait to optimizer test

The debug commit (8ed6e39) confirmed the override + gate are working
correctly end-to-end on a real cluster:

  pod env=3 (latest): file=3 env=3, apply proceeds — writes GOOD image
  pod env=2 (stale): file=3 env=2, gate skips (theirs=3 > ours=2)

Revert the INFO promotion now that diagnosis is complete; both logs go
back to Debug.

The remaining E2E flake is a pre-existing race in
virtualmcp_optimizer_circuit_breaker_test.go: the test deletes the
Pending StatefulSet pod immediately after patching Spec.Image without
waiting for the proxyrunner to apply the new template, so the pod can
be recreated against the stale (bad) template and the StatefulSet
controller may not re-roll an already-unhealthy pod afterwards. Mirrors
the same guard added to virtualmcp_circuit_breaker_test.go in #5079.

Before the apply-gate, the race "resolved" by the stale-image apply
periodically resetting the template, letting the test catch a lucky
good window. With the gate in place the apply order is deterministic,
which makes the missing wait visible — hence the test fix lands here.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: ChrisJBurns

cmd/thv-operator/controllers/mcpserver_controller.go

@@ -11,6 +11,7 @@ import (
 	"fmt"
 	"maps"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 
@@ -1151,6 +1152,25 @@ func (r *MCPServerReconciler) deploymentForMCPServer(
 	// name collision (ResourceOverrides.Env only accepts plain strings).
 	env = append(env, r.buildRedisPasswordEnvVar(m)...)
 
+	// Project the MCPServer generation pod-template annotation into the
+	// proxyrunner container via the downward API. The proxyrunner uses this
+	// to override the value read from the live-mounted RunConfig ConfigMap,
+	// freezing it per pod at creation time. See #5360.
+	//
+	// APIVersion must be explicitly "v1" — the API server defaults it on
+	// persistence and equality.Semantic.DeepEqual treats "" != "v1" as drift,
+	// which would otherwise force a Deployment update on every reconcile.
+	env = append(env, corev1.EnvVar{
+		Name: kubernetes.EnvVarMCPServerGeneration,
+		ValueFrom: &corev1.EnvVarSource{
+			FieldRef: &corev1.ObjectFieldSelector{
+				APIVersion: "v1",
+				FieldPath: fmt.Sprintf("metadata.annotations['%s']",
+					kubernetes.RunConfigMCPServerGenerationAnnotation),
+			},
+		},
+	})
+
 	// Add volume mounts for user-defined volumes
 	for _, v := range m.Spec.Volumes {
 		volumeMounts = append(volumeMounts, corev1.VolumeMount{
@@ -1264,6 +1284,12 @@ func (r *MCPServerReconciler) deploymentForMCPServer(
 	// Add RunConfig checksum annotation to trigger pod rollout when config changes
 	deploymentTemplateAnnotations = checksum.AddRunConfigChecksumToPodTemplate(deploymentTemplateAnnotations, runConfigChecksum)
 
+	// Stamp the MCPServer generation on the proxy Deployment's pod template so the
+	// downward-API env var below resolves to a value that is frozen at pod creation
+	// time, not live-updated like the runconfig.json ConfigMap mount. See #5360.
+	deploymentTemplateAnnotations[kubernetes.RunConfigMCPServerGenerationAnnotation] =
+		strconv.FormatInt(m.Generation, 10)
+
 	if m.Spec.ResourceOverrides != nil && m.Spec.ResourceOverrides.ProxyDeployment != nil {
 		if m.Spec.ResourceOverrides.ProxyDeployment.Labels != nil {
 			deploymentLabels = ctrlutil.MergeLabels(ls, m.Spec.ResourceOverrides.ProxyDeployment.Labels)
@@ -1759,6 +1785,26 @@ func (r *MCPServerReconciler) deploymentNeedsUpdate(
 			}
 		}
 
+		// Project the MCPServer generation pod-template annotation into the
+		// proxyrunner container via the downward API. Position must come
+		// before the embedded-auth env vars below so the slice order matches
+		// deploymentForMCPServer and equality.Semantic.DeepEqual against
+		// container.Env succeeds.
+		//
+		// APIVersion must mirror the construction site at "v1" — the API
+		// server defaults it on persistence and an empty string here would
+		// produce false drift on every reconcile. See #5360.
+		expectedProxyEnv = append(expectedProxyEnv, corev1.EnvVar{
+			Name: kubernetes.EnvVarMCPServerGeneration,
+			ValueFrom: &corev1.EnvVarSource{
+				FieldRef: &corev1.ObjectFieldSelector{
+					APIVersion: "v1",
+					FieldPath: fmt.Sprintf("metadata.annotations['%s']",
+						kubernetes.RunConfigMCPServerGenerationAnnotation),
+				},
+			},
+		})
+
 		// Add embedded auth server environment variables. AuthServerRef takes precedence;
 		// externalAuthConfigRef is used as a fallback (legacy path).
 		if configName := ctrlutil.EmbeddedAuthServerConfigName(
@@ -1879,6 +1925,11 @@ func (r *MCPServerReconciler) deploymentNeedsUpdate(
 	// Check if pod template annotations have changed (including runconfig checksum)
 	expectedPodTemplateAnnotations := make(map[string]string)
 	expectedPodTemplateAnnotations = checksum.AddRunConfigChecksumToPodTemplate(expectedPodTemplateAnnotations, runConfigChecksum)
+	// Mirrors deploymentForMCPServer: stamp the MCPServer generation so the
+	// downward-API env var injected into the proxyrunner container resolves
+	// to a frozen-per-pod value (#5360).
+	expectedPodTemplateAnnotations[kubernetes.RunConfigMCPServerGenerationAnnotation] =
+		strconv.FormatInt(mcpServer.Generation, 10)
 
 	if mcpServer.Spec.ResourceOverrides != nil &&
 		mcpServer.Spec.ResourceOverrides.ProxyDeployment != nil &&

cmd/thv-operator/controllers/mcpserver_resource_overrides_test.go

@@ -222,6 +222,13 @@ func TestResourceOverrides(t *testing.T) {
 	scheme := runtime.NewScheme()
 	require.NoError(t, mcpv1beta1.AddToScheme(scheme))
 
+	// Note: expectedPodTemplateAnns entries below carry
+	// "toolhive.stacklok.dev/mcpserver-generation": "0" because the controller
+	// stamps strconv.FormatInt(m.Generation, 10) and the fake client does not
+	// auto-increment metadata.generation on Create (the real API server starts
+	// at 1). Envtest coverage in
+	// cmd/thv-operator/test-integration/mcp-server/mcpserver_generation_freeze_integration_test.go
+	// exercises the realistic generation-tracking behavior.
 	tests := []struct {
 		name                     string
 		mcpServer                *mcpv1beta1.MCPServer
@@ -252,7 +259,8 @@ func TestResourceOverrides(t *testing.T) {
 			},
 			expectedDeploymentAnns: map[string]string{},
 			expectedPodTemplateAnns: map[string]string{
-				"toolhive.stacklok.dev/runconfig-checksum": "test-checksum",
+				"toolhive.stacklok.dev/runconfig-checksum":   "test-checksum",
+				"toolhive.stacklok.dev/mcpserver-generation": "0",
 			},
 			expectedServiceLabels: map[string]string{
 				"app":                        "mcpserver",
@@ -315,7 +323,8 @@ func TestResourceOverrides(t *testing.T) {
 				"monitoring/scrape": "true",
 			},
 			expectedPodTemplateAnns: map[string]string{
-				"toolhive.stacklok.dev/runconfig-checksum": "test-checksum",
+				"toolhive.stacklok.dev/runconfig-checksum":   "test-checksum",
+				"toolhive.stacklok.dev/mcpserver-generation": "0",
 			},
 			expectedServiceLabels: map[string]string{
 				"app":                        "mcpserver",
@@ -376,7 +385,8 @@ func TestResourceOverrides(t *testing.T) {
 			},
 			expectedDeploymentAnns: map[string]string{},
 			expectedPodTemplateAnns: map[string]string{
-				"toolhive.stacklok.dev/runconfig-checksum": "test-checksum",
+				"toolhive.stacklok.dev/runconfig-checksum":   "test-checksum",
+				"toolhive.stacklok.dev/mcpserver-generation": "0",
 			},
 			expectedServiceLabels: map[string]string{
 				"app":                        "mcpserver",
@@ -415,7 +425,8 @@ func TestResourceOverrides(t *testing.T) {
 			},
 			expectedDeploymentAnns: map[string]string{},
 			expectedPodTemplateAnns: map[string]string{
-				"toolhive.stacklok.dev/runconfig-checksum": "test-checksum",
+				"toolhive.stacklok.dev/runconfig-checksum":   "test-checksum",
+				"toolhive.stacklok.dev/mcpserver-generation": "0",
 			},
 			expectedServiceLabels: map[string]string{
 				"app":                        "mcpserver",
@@ -481,7 +492,8 @@ func TestResourceOverrides(t *testing.T) {
 				"version":            "v1.2.3",
 			},
 			expectedPodTemplateAnns: map[string]string{
-				"toolhive.stacklok.dev/runconfig-checksum": "test-checksum",
+				"toolhive.stacklok.dev/runconfig-checksum":   "test-checksum",
+				"toolhive.stacklok.dev/mcpserver-generation": "0",
 			},
 			expectedServiceLabels: map[string]string{
 				"app":                        "mcpserver",
@@ -525,9 +537,10 @@ func TestResourceOverrides(t *testing.T) {
 			},
 			expectedDeploymentAnns: map[string]string{},
 			expectedPodTemplateAnns: map[string]string{
-				"vault.hashicorp.com/agent-inject":         "true",
-				"vault.hashicorp.com/role":                 "toolhive-mcp-workloads",
-				"toolhive.stacklok.dev/runconfig-checksum": "test-checksum",
+				"vault.hashicorp.com/agent-inject":           "true",
+				"vault.hashicorp.com/role":                   "toolhive-mcp-workloads",
+				"toolhive.stacklok.dev/runconfig-checksum":   "test-checksum",
+				"toolhive.stacklok.dev/mcpserver-generation": "0",
 			},
 			expectedServiceLabels: map[string]string{
 				"app":                        "mcpserver",
@@ -582,30 +595,33 @@ func TestResourceOverrides(t *testing.T) {
 				switch tt.name {
 				case "with proxy environment variables":
 					expectedEnvVars = map[string]string{
-						"HTTP_PROXY":        "http://proxy.example.com:8080",
-						"NO_PROXY":          "localhost,127.0.0.1",
-						"CUSTOM_ENV":        "custom-value",
-						"XDG_CONFIG_HOME":   "/tmp",
-						"HOME":              "/tmp",
-						"TOOLHIVE_RUNTIME":  "kubernetes",
-						"UNSTRUCTURED_LOGS": "false",
+						"HTTP_PROXY":               "http://proxy.example.com:8080",
+						"NO_PROXY":                 "localhost,127.0.0.1",
+						"CUSTOM_ENV":               "custom-value",
+						"THV_MCPSERVER_GENERATION": "", // downward API; Value is empty, ValueFrom set
+						"XDG_CONFIG_HOME":          "/tmp",
+						"HOME":                     "/tmp",
+						"TOOLHIVE_RUNTIME":         "kubernetes",
+						"UNSTRUCTURED_LOGS":        "false",
 					}
 				case "with debug logging via TOOLHIVE_DEBUG env var":
 					expectedEnvVars = map[string]string{
-						"TOOLHIVE_DEBUG":    "true",
-						"XDG_CONFIG_HOME":   "/tmp",
-						"HOME":              "/tmp",
-						"TOOLHIVE_RUNTIME":  "kubernetes",
-						"UNSTRUCTURED_LOGS": "false",
+						"TOOLHIVE_DEBUG":           "true",
+						"THV_MCPSERVER_GENERATION": "", // downward API; Value is empty, ValueFrom set
+						"XDG_CONFIG_HOME":          "/tmp",
+						"HOME":                     "/tmp",
+						"TOOLHIVE_RUNTIME":         "kubernetes",
+						"UNSTRUCTURED_LOGS":        "false",
 					}
 				default:
 					expectedEnvVars = map[string]string{
-						"LOG_LEVEL":         "debug",
-						"METRICS_ENABLED":   "true",
-						"XDG_CONFIG_HOME":   "/tmp",
-						"HOME":              "/tmp",
-						"TOOLHIVE_RUNTIME":  "kubernetes",
-						"UNSTRUCTURED_LOGS": "false",
+						"LOG_LEVEL":                "debug",
+						"METRICS_ENABLED":          "true",
+						"THV_MCPSERVER_GENERATION": "", // downward API; Value is empty, ValueFrom set
+						"XDG_CONFIG_HOME":          "/tmp",
+						"HOME":                     "/tmp",
+						"TOOLHIVE_RUNTIME":         "kubernetes",
+						"UNSTRUCTURED_LOGS":        "false",
 					}
 				}
 
@@ -657,7 +673,10 @@ func TestDeploymentForMCPServer_PodTemplateOverridesPreserveRunConfigChecksum(t
 	assert.Equal(t, "value",
 		deployment.Spec.Template.Annotations["user.example.com/some-key"],
 		"user override must survive")
-	assert.Len(t, deployment.Spec.Template.Annotations, 2,
+	assert.Contains(t, deployment.Spec.Template.Annotations,
+		kubernetes.RunConfigMCPServerGenerationAnnotation,
+		"mcpserver-generation must be stamped for the downward-API env var (#5360)")
+	assert.Len(t, deployment.Spec.Template.Annotations, 3,
 		"no extra keys should leak into the pod template")
 }
 
@@ -1140,3 +1159,64 @@ func TestMCPServerServiceNeedsUpdate(t *testing.T) {
 		})
 	}
 }
+
+// TestDeploymentForMCPServer_MCPServerGenerationDownwardAPI verifies that the
+// proxy Deployment stamps the MCPServer generation as a pod-template annotation
+// AND projects that annotation into the proxyrunner container as the
+// THV_MCPSERVER_GENERATION env var via the downward API. This is the
+// frozen-per-pod path that closes the race described in #5360 — the env var's
+// value is bound to the pod's own annotations at creation time, so a restarted
+// old-RS pod cannot acquire the new generation by re-reading the live-mounted
+// RunConfig ConfigMap.
+func TestDeploymentForMCPServer_MCPServerGenerationDownwardAPI(t *testing.T) {
+	t.Parallel()
+
+	scheme := runtime.NewScheme()
+	require.NoError(t, mcpv1beta1.AddToScheme(scheme))
+	require.NoError(t, corev1.AddToScheme(scheme))
+
+	client := fake.NewClientBuilder().WithScheme(scheme).Build()
+	r := newTestMCPServerReconciler(client, scheme, kubernetes.PlatformKubernetes)
+
+	mcpServer := &mcpv1beta1.MCPServer{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:       "test-server",
+			Namespace:  "default",
+			Generation: 7,
+		},
+		Spec: mcpv1beta1.MCPServerSpec{
+			Image:     "test-image",
+			ProxyPort: 8080,
+		},
+	}
+
+	deployment, err := r.deploymentForMCPServer(t.Context(), mcpServer, "test-checksum")
+	require.NoError(t, err)
+	require.NotNil(t, deployment)
+
+	assert.Equal(t, "7",
+		deployment.Spec.Template.Annotations[kubernetes.RunConfigMCPServerGenerationAnnotation],
+		"pod template must stamp the MCPServer generation so the downward-API env var resolves")
+
+	require.Len(t, deployment.Spec.Template.Spec.Containers, 1)
+	var got *corev1.EnvVar
+	for i := range deployment.Spec.Template.Spec.Containers[0].Env {
+		if deployment.Spec.Template.Spec.Containers[0].Env[i].Name == kubernetes.EnvVarMCPServerGeneration {
+			got = &deployment.Spec.Template.Spec.Containers[0].Env[i]
+			break
+		}
+	}
+	require.NotNil(t, got, "container must declare the %s env var", kubernetes.EnvVarMCPServerGeneration)
+	require.NotNil(t, got.ValueFrom, "env var must use ValueFrom (downward API), not a literal Value")
+	require.NotNil(t, got.ValueFrom.FieldRef)
+	assert.Equal(t,
+		"metadata.annotations['"+kubernetes.RunConfigMCPServerGenerationAnnotation+"']",
+		got.ValueFrom.FieldRef.FieldPath,
+		"FieldRef must point at the mcpserver-generation pod annotation")
+	// APIVersion must be set explicitly so the drift comparator at
+	// deploymentNeedsUpdate matches the API-server-defaulted value. An empty
+	// APIVersion here results in equality.Semantic.DeepEqual returning false on
+	// every reconcile, causing perpetual Deployment rewrites. See #5360.
+	assert.Equal(t, "v1", got.ValueFrom.FieldRef.APIVersion,
+		"FieldRef.APIVersion must match the API server default of v1 to avoid false drift")
+}