Drop stale AuthzConfigRef staging note from CRD docs

The AuthzConfigRef field docs on MCPServer and MCPRemoteProxy still
carried the TODO(#4778) + NOTE saying the ref is reference-tracked but
does NOT apply authorization. Both controllers now resolve the ref into
runtime authz, so the note states the opposite of the behavior and would
mislead anyone reading the generated CRD reference. Remove it and
regenerate manifests + API docs.

Addresses review feedback on #5563.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: ChrisJBurns

cmd/thv-operator/api/v1beta1/mcpremoteproxy_types.go

@@ -95,15 +95,6 @@ type MCPRemoteProxySpec struct {
 	// AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
 	// The referenced MCPAuthzConfig must exist in the same namespace as this MCPRemoteProxy.
 	// Mutually exclusive with authzConfig.
-	//
-	// TODO(#4778): remove the staging NOTE below once workload controllers
-	// resolve AuthzConfigRef into a runtime authz config.
-	//
-	// NOTE: this field is consumed by workload controllers in a follow-up PR.
-	// Until that lands, AuthzConfigRef is reference-tracked by the
-	// MCPAuthzConfig controller (deletion protection, status.referenceCount)
-	// but does NOT apply authorization to this MCPRemoteProxy. Use the
-	// inline AuthzConfig field in the meantime.
 	// +optional
 	AuthzConfigRef *MCPAuthzConfigReference `json:"authzConfigRef,omitempty"`
 

cmd/thv-operator/api/v1beta1/mcpserver_types.go

@@ -324,15 +324,6 @@ type MCPServerSpec struct {
 	// AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
 	// The referenced MCPAuthzConfig must exist in the same namespace as this MCPServer.
 	// Mutually exclusive with authzConfig.
-	//
-	// TODO(#4778): remove the staging NOTE below once workload controllers
-	// resolve AuthzConfigRef into a runtime authz config.
-	//
-	// NOTE: this field is consumed by workload controllers in a follow-up PR.
-	// Until that lands, AuthzConfigRef is reference-tracked by the
-	// MCPAuthzConfig controller (deletion protection, status.referenceCount)
-	// but does NOT apply authorization to this MCPServer. Use the inline
-	// AuthzConfig field in the meantime.
 	// +optional
 	AuthzConfigRef *MCPAuthzConfigReference `json:"authzConfigRef,omitempty"`
 

deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpremoteproxies.yaml

@@ -212,14 +212,6 @@ spec:
                   AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
                   The referenced MCPAuthzConfig must exist in the same namespace as this MCPRemoteProxy.
                   Mutually exclusive with authzConfig.
-
-                  resolve AuthzConfigRef into a runtime authz config.
-
-                  NOTE: this field is consumed by workload controllers in a follow-up PR.
-                  Until that lands, AuthzConfigRef is reference-tracked by the
-                  MCPAuthzConfig controller (deletion protection, status.referenceCount)
-                  but does NOT apply authorization to this MCPRemoteProxy. Use the
-                  inline AuthzConfig field in the meantime.
                 properties:
                   name:
                     description: Name is the name of the MCPAuthzConfig resource in
@@ -949,14 +941,6 @@ spec:
                   AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
                   The referenced MCPAuthzConfig must exist in the same namespace as this MCPRemoteProxy.
                   Mutually exclusive with authzConfig.
-
-                  resolve AuthzConfigRef into a runtime authz config.
-
-                  NOTE: this field is consumed by workload controllers in a follow-up PR.
-                  Until that lands, AuthzConfigRef is reference-tracked by the
-                  MCPAuthzConfig controller (deletion protection, status.referenceCount)
-                  but does NOT apply authorization to this MCPRemoteProxy. Use the
-                  inline AuthzConfig field in the meantime.
                 properties:
                   name:
                     description: Name is the name of the MCPAuthzConfig resource in

deploy/charts/operator-crds/files/crds/toolhive.stacklok.dev_mcpservers.yaml

@@ -219,14 +219,6 @@ spec:
                   AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
                   The referenced MCPAuthzConfig must exist in the same namespace as this MCPServer.
                   Mutually exclusive with authzConfig.
-
-                  resolve AuthzConfigRef into a runtime authz config.
-
-                  NOTE: this field is consumed by workload controllers in a follow-up PR.
-                  Until that lands, AuthzConfigRef is reference-tracked by the
-                  MCPAuthzConfig controller (deletion protection, status.referenceCount)
-                  but does NOT apply authorization to this MCPServer. Use the inline
-                  AuthzConfig field in the meantime.
                 properties:
                   name:
                     description: Name is the name of the MCPAuthzConfig resource in
@@ -1171,14 +1163,6 @@ spec:
                   AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
                   The referenced MCPAuthzConfig must exist in the same namespace as this MCPServer.
                   Mutually exclusive with authzConfig.
-
-                  resolve AuthzConfigRef into a runtime authz config.
-
-                  NOTE: this field is consumed by workload controllers in a follow-up PR.
-                  Until that lands, AuthzConfigRef is reference-tracked by the
-                  MCPAuthzConfig controller (deletion protection, status.referenceCount)
-                  but does NOT apply authorization to this MCPServer. Use the inline
-                  AuthzConfig field in the meantime.
                 properties:
                   name:
                     description: Name is the name of the MCPAuthzConfig resource in

deploy/charts/operator-crds/templates/toolhive.stacklok.dev_mcpremoteproxies.yaml

@@ -215,14 +215,6 @@ spec:
                   AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
                   The referenced MCPAuthzConfig must exist in the same namespace as this MCPRemoteProxy.
                   Mutually exclusive with authzConfig.
-
-                  resolve AuthzConfigRef into a runtime authz config.
-
-                  NOTE: this field is consumed by workload controllers in a follow-up PR.
-                  Until that lands, AuthzConfigRef is reference-tracked by the
-                  MCPAuthzConfig controller (deletion protection, status.referenceCount)
-                  but does NOT apply authorization to this MCPRemoteProxy. Use the
-                  inline AuthzConfig field in the meantime.
                 properties:
                   name:
                     description: Name is the name of the MCPAuthzConfig resource in
@@ -952,14 +944,6 @@ spec:
                   AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
                   The referenced MCPAuthzConfig must exist in the same namespace as this MCPRemoteProxy.
                   Mutually exclusive with authzConfig.
-
-                  resolve AuthzConfigRef into a runtime authz config.
-
-                  NOTE: this field is consumed by workload controllers in a follow-up PR.
-                  Until that lands, AuthzConfigRef is reference-tracked by the
-                  MCPAuthzConfig controller (deletion protection, status.referenceCount)
-                  but does NOT apply authorization to this MCPRemoteProxy. Use the
-                  inline AuthzConfig field in the meantime.
                 properties:
                   name:
                     description: Name is the name of the MCPAuthzConfig resource in

deploy/charts/operator-crds/templates/toolhive.stacklok.dev_mcpservers.yaml

@@ -222,14 +222,6 @@ spec:
                   AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
                   The referenced MCPAuthzConfig must exist in the same namespace as this MCPServer.
                   Mutually exclusive with authzConfig.
-
-                  resolve AuthzConfigRef into a runtime authz config.
-
-                  NOTE: this field is consumed by workload controllers in a follow-up PR.
-                  Until that lands, AuthzConfigRef is reference-tracked by the
-                  MCPAuthzConfig controller (deletion protection, status.referenceCount)
-                  but does NOT apply authorization to this MCPServer. Use the inline
-                  AuthzConfig field in the meantime.
                 properties:
                   name:
                     description: Name is the name of the MCPAuthzConfig resource in
@@ -1174,14 +1166,6 @@ spec:
                   AuthzConfigRef references a shared MCPAuthzConfig resource for authorization.
                   The referenced MCPAuthzConfig must exist in the same namespace as this MCPServer.
                   Mutually exclusive with authzConfig.
-
-                  resolve AuthzConfigRef into a runtime authz config.
-
-                  NOTE: this field is consumed by workload controllers in a follow-up PR.
-                  Until that lands, AuthzConfigRef is reference-tracked by the
-                  MCPAuthzConfig controller (deletion protection, status.referenceCount)
-                  but does NOT apply authorization to this MCPServer. Use the inline
-                  AuthzConfig field in the meantime.
                 properties:
                   name:
                     description: Name is the name of the MCPAuthzConfig resource in