Move endpoint validation to Validate(), fix smart quote corruption

ChrisJBurns · claude · ChrisJBurns · commit 41bd22ca28a5 · 2026-04-01T23:05:33.000+01:00
The gci linter was replacing ASCII quotes with Unicode smart quotes
(U+201C/U+201D) in kubebuilder annotations, breaking controller-gen
CRD generation. Additionally, the CEL rule for endpoint validation
generated double-quoted YAML that the Helm wrapper mishandled.

Move the endpoint-requires-signals validation from a CEL rule to the
programmatic Validate() method, which avoids both issues and provides
clearer error messages. Add test case for this validation.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/cmd/thv-operator/api/v1alpha1/mcptelemetryconfig_types.go b/cmd/thv-operator/api/v1alpha1/mcptelemetryconfig_types.go
@@ -31,7 +31,6 @@ type SensitiveHeader struct {
 //   - Adds ResourceAttributes for shared OTel resource attributes
 //
 // +kubebuilder:validation:XValidation:rule="!has(self.headers) || !has(self.sensitiveHeaders) || self.sensitiveHeaders.all(sh, !(sh.name in self.headers))",message="a header name cannot appear in both headers and sensitiveHeaders"
-// +kubebuilder:validation:XValidation:rule=”!has(self.endpoint) || size(self.endpoint) == 0 || (has(self.tracing) && self.tracing.enabled) || (has(self.metrics) && self.metrics.enabled)”,message=”endpoint requires at least one of tracing or metrics to be enabled”
 //
 //nolint:lll // CEL validation rules exceed line length limit
 type MCPTelemetryOTelConfig struct {
@@ -178,9 +177,30 @@ type MCPTelemetryConfigReference struct {
 // CEL catches issues at API admission time, but this method also validates
 // stored objects to catch any that bypassed CEL or were stored before CEL rules were added.
 func (r *MCPTelemetryConfig) Validate() error {
+	if err := r.validateEndpointRequiresSignals(); err != nil {
+		return err
+	}
 	return r.validateSensitiveHeaders()
 }
 
+// validateEndpointRequiresSignals rejects an endpoint when neither tracing nor metrics is enabled.
+// Without this check the config would pass CRD validation but fail at runtime in telemetry.NewProvider.
+func (r *MCPTelemetryConfig) validateEndpointRequiresSignals() error {
+	if r.Spec.OpenTelemetry == nil {
+		return nil
+	}
+	otel := r.Spec.OpenTelemetry
+	if otel.Endpoint == "" {
+		return nil
+	}
+	tracingEnabled := otel.Tracing != nil && otel.Tracing.Enabled
+	metricsEnabled := otel.Metrics != nil && otel.Metrics.Enabled
+	if !tracingEnabled && !metricsEnabled {
+		return fmt.Errorf("endpoint requires at least one of tracing or metrics to be enabled")
+	}
+	return nil
+}
+
 // validateSensitiveHeaders validates sensitive header entries and checks for overlap with plaintext headers.
 func (r *MCPTelemetryConfig) validateSensitiveHeaders() error {
 	if r.Spec.OpenTelemetry == nil {
diff --git a/cmd/thv-operator/controllers/mcptelemetryconfig_controller_test.go b/cmd/thv-operator/controllers/mcptelemetryconfig_controller_test.go
@@ -498,6 +498,19 @@ func TestMCPTelemetryConfig_Validate(t *testing.T) {
 			},
 			expectError: true,
 		},
+		{
+			name: "invalid endpoint without tracing or metrics",
+			config: &mcpv1alpha1.MCPTelemetryConfig{
+				Spec: mcpv1alpha1.MCPTelemetryConfigSpec{
+					OpenTelemetry: &mcpv1alpha1.MCPTelemetryOTelConfig{
+						Enabled:  true,
+						Endpoint: "otel-collector:4317",
+						// No Tracing or Metrics configured
+					},
+				},
+			},
+			expectError: true,
+		},
 		{
 			name: "invalid empty secret ref name",
 			config: &mcpv1alpha1.MCPTelemetryConfig{
diff --git a/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcptelemetryconfigs.yaml b/deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcptelemetryconfigs.yaml
@@ -163,9 +163,6 @@ spec:
                 - message: a header name cannot appear in both headers and sensitiveHeaders
                   rule: '!has(self.headers) || !has(self.sensitiveHeaders) || self.sensitiveHeaders.all(sh,
                     !(sh.name in self.headers))'
-                - message: endpoint requires at least one of tracing or metrics to be enabled
-                  rule: '!has(self.endpoint) || size(self.endpoint) == 0 || (has(self.tracing)
-                    && self.tracing.enabled) || (has(self.metrics) && self.metrics.enabled)'
               prometheus:
                 description: Prometheus defines Prometheus-specific configuration
                 properties:
diff --git a/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_mcptelemetryconfigs.yaml b/deploy/charts/operator-crds/templates/toolhive.stacklok.dev_mcptelemetryconfigs.yaml
@@ -166,9 +166,6 @@ spec:
                 - message: a header name cannot appear in both headers and sensitiveHeaders
                   rule: '!has(self.headers) || !has(self.sensitiveHeaders) || self.sensitiveHeaders.all(sh,
                     !(sh.name in self.headers))'
-                - message: endpoint requires at least one of tracing or metrics to be enabled
-                  rule: '!has(self.endpoint) || size(self.endpoint) == 0 || (has(self.tracing)
-                    && self.tracing.enabled) || (has(self.metrics) && self.metrics.enabled)'
               prometheus:
                 description: Prometheus defines Prometheus-specific configuration
                 properties:
