Introduce MutateAndPatchSpec and adopt across spec-patch sites (#5004)

jhrozek · web-flow · commit bbe8b853a089 · 2026-04-23T13:48:16.000+02:00
* Introduce MutateAndPatchSpec and adopt across spec-patch sites The inline DeepCopy + Patch(MergeFromWithOptimisticLock) pattern from #4914 landed at five MCPServer spec-write sites, each carrying the same four-line rationale comment. Extract it into a MutateAndPatchSpec[T] generic helper in cmd/thv-operator/pkg/controllerutil, siblinged with the existing MutateAndPatchStatus. The helper mirrors its sibling exactly -- same reflection-based nil-guard, same DeepCopy-then-mutate-then-Patch flow -- with two deliberate differences: - Uses MergeFromWithOptions(original, MergeFromWithOptimisticLock{}) so concurrent writers get 409-and-requeue instead of silent clobber. This is the property that defends spec.authzConfig, which the forthcoming authorization controller will own, from being zeroed on every reconcile. - No no-op short-circuit. MergeFromWithOptimisticLock always emits metadata.resourceVersion into the body, so the status helper's "body == {}" check never fires; and every current spec call site carries a real mutation. All five inline sites (mcpserver_controller.go finalizer add/remove and restart-annotation stamp; toolconfig_controller.go and mcpexternalauthconfig_controller.go config-hash stamps) adopt the helper. Pure refactor at the call sites -- no behavior change. Tests mirror the status helper's shape: happy-path + optimistic-lock wire signal, DeepCopy isolation, 409 Conflict propagation, nil-obj rejection, and disjoint-spec-field preservation (the regression guard that would fire if the helper were ever swapped back to r.Update). Existing TestMCPServerSpecPatchesAreOptimisticLock and the mcpserver_spec_patch_integration_test.go envtest remain green. The operator-rules section on spec/metadata patching is updated to reference the helper as the canonical pattern. * Address MoE review feedback on MutateAndPatchSpec Three of five review findings applied (two skipped with rebuttal in the PR thread): - Add TestMutateAndPatchSpec_NoOpMutateStillPatches. The existing AppliesMutationWithOptimisticLock test asserts resourceVersion is present in the body when a patch is issued; it cannot detect a short-circuit regression that issues zero patches. Pin the documented divergence from MutateAndPatchStatus (which DOES short-circuit) with a direct no-op-mutate wire-level assertion. - Fix the godoc "Typical usage" example in both patch.go and status.go to use the ctrlutil alias. operator.md already uses this alias, and every real caller aliases the package to avoid colliding with controller-runtime's own controllerutil package. patch.go is updated to match; status.go is brought along for symmetry. - Document that obj is mutated before Patch is issued, so on error the caller's in-memory copy is post-mutation. Callers must re-fetch rather than retrying in place. Added to both helpers. The standard reconciler return-and-requeue pattern is the correct retry path; the sentence names it explicitly so a future caller reading the doc does not invent an in-place retry loop. Also tightened the "don't use this for status" cross-reference in status.go to name the sibling MutateAndPatchSpec directly.
diff --git a/.claude/rules/operator.md b/.claude/rules/operator.md
@@ -75,11 +75,11 @@ so any field our local copy does not track (e.g. `spec.authzConfig`
 written by a separate authorization controller) gets zeroed on every
 reconcile.
 
-Use an **optimistic-lock merge patch** instead. The merge-patch body
-only contains fields the caller changed, and `MergeFromWithOptimisticLock`
-sends `resourceVersion` as a precondition: if the server moved between
-our Get and Patch, the apiserver returns 409 and controller-runtime
-requeues with a fresh Get.
+Use `controllerutil.MutateAndPatchSpec` instead. The helper wraps an
+optimistic-lock merge patch: the body only contains fields the caller
+changed, and `MergeFromWithOptimisticLock` sends `resourceVersion` as a
+precondition, so if the server moved between our Get and Patch the
+apiserver returns 409 and controller-runtime requeues with a fresh Get.
 
 This is what protects `metadata.finalizers`. Merge-patch has no
 array-append semantics — arrays are replaced wholesale — so when our
@@ -90,20 +90,16 @@ fails our precondition, and the next reconcile observes it via a fresh
 Get before recomputing the diff.
 
 ```go
-original := mcpServer.DeepCopy()
-controllerutil.AddFinalizer(mcpServer, MCPServerFinalizerName)
-if err := r.Patch(ctx, mcpServer,
-    client.MergeFromWithOptions(original, client.MergeFromWithOptimisticLock{})); err != nil {
+if err := ctrlutil.MutateAndPatchSpec(ctx, r.Client, mcpServer, func(m *mcpv1beta1.MCPServer) {
+    controllerutil.AddFinalizer(m, MCPServerFinalizerName)
+}); err != nil {
     return ctrl.Result{}, err
 }
 ```
 
-Do not put unrelated work between the `DeepCopy` and the `Patch`: the
-wire diff is computed from that snapshot, so anything you mutate in
-between leaks into the patch body.
-
 Expect 409s as routine log noise once the external controller lands —
 the guard doing its job, not a bug.
 
-Status-subresource patching follows the same "never `Update`" rule and
-is covered separately once the shared helper lands (#4633).
+Status-subresource patching uses the sibling helper
+`controllerutil.MutateAndPatchStatus` (see the "Status Writes" section
+above).
diff --git a/cmd/thv-operator/controllers/mcpexternalauthconfig_controller.go b/cmd/thv-operator/controllers/mcpexternalauthconfig_controller.go
@@ -177,19 +177,13 @@ func (r *MCPExternalAuthConfigReconciler) handleConfigHashChange(
 		logger.Info("Triggering reconciliation of MCPServer due to MCPExternalAuthConfig change",
 			"mcpserver", server.Name, "externalAuthConfig", externalAuthConfig.Name)
 
-		// Use an optimistic-lock merge patch rather than Update so we do not
-		// silently overwrite spec fields (e.g. spec.authzConfig) that are owned
-		// by another controller. The resourceVersion is sent, so concurrent
-		// writers cause a 409 Conflict and a clean requeue.
-		original := server.DeepCopy()
-		// Add an annotation to the MCPServer to trigger reconciliation
-		if server.Annotations == nil {
-			server.Annotations = make(map[string]string)
-		}
-		server.Annotations["toolhive.stacklok.dev/externalauthconfig-hash"] = configHash
-
-		if err := r.Patch(ctx, &server,
-			client.MergeFromWithOptions(original, client.MergeFromWithOptimisticLock{})); err != nil {
+		// Add an annotation to the MCPServer to trigger reconciliation.
+		if err := ctrlutil.MutateAndPatchSpec(ctx, r.Client, &server, func(m *mcpv1beta1.MCPServer) {
+			if m.Annotations == nil {
+				m.Annotations = make(map[string]string)
+			}
+			m.Annotations["toolhive.stacklok.dev/externalauthconfig-hash"] = configHash
+		}); err != nil {
 			logger.Error(err, "Failed to patch MCPServer annotation", "mcpserver", server.Name)
 			// Continue with other servers even if one fails
 		}
diff --git a/cmd/thv-operator/controllers/mcpserver_controller.go b/cmd/thv-operator/controllers/mcpserver_controller.go
@@ -190,14 +190,9 @@ func (r *MCPServerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 				return ctrl.Result{}, err
 			}
 
-			// Use an optimistic-lock merge patch rather than Update so we do not
-			// silently overwrite spec fields (e.g. spec.authzConfig) that are owned
-			// by another controller. The resourceVersion is sent, so concurrent
-			// writers cause a 409 Conflict and a clean requeue.
-			original := mcpServer.DeepCopy()
-			controllerutil.RemoveFinalizer(mcpServer, MCPServerFinalizerName)
-			if err := r.Patch(ctx, mcpServer,
-				client.MergeFromWithOptions(original, client.MergeFromWithOptimisticLock{})); err != nil {
+			if err := ctrlutil.MutateAndPatchSpec(ctx, r.Client, mcpServer, func(m *mcpv1beta1.MCPServer) {
+				controllerutil.RemoveFinalizer(m, MCPServerFinalizerName)
+			}); err != nil {
 				return ctrl.Result{}, err
 			}
 		}
@@ -206,14 +201,9 @@ func (r *MCPServerReconciler) Reconcile(ctx context.Context, req ctrl.Request) (
 
 	// Add finalizer for this CR
 	if !controllerutil.ContainsFinalizer(mcpServer, MCPServerFinalizerName) {
-		// Use an optimistic-lock merge patch rather than Update so we do not
-		// silently overwrite spec fields (e.g. spec.authzConfig) that are owned
-		// by another controller. The resourceVersion is sent, so concurrent
-		// writers cause a 409 Conflict and a clean requeue.
-		original := mcpServer.DeepCopy()
-		controllerutil.AddFinalizer(mcpServer, MCPServerFinalizerName)
-		if err := r.Patch(ctx, mcpServer,
-			client.MergeFromWithOptions(original, client.MergeFromWithOptimisticLock{})); err != nil {
+		if err := ctrlutil.MutateAndPatchSpec(ctx, r.Client, mcpServer, func(m *mcpv1beta1.MCPServer) {
+			controllerutil.AddFinalizer(m, MCPServerFinalizerName)
+		}); err != nil {
 			return ctrl.Result{}, err
 		}
 	}
@@ -759,17 +749,12 @@ func (r *MCPServerReconciler) handleRestartAnnotation(ctx context.Context, mcpSe
 	}
 
 	// Update the last processed restart timestamp in annotations.
-	// Use an optimistic-lock merge patch rather than Update so we do not
-	// silently overwrite spec fields (e.g. spec.authzConfig) that are owned
-	// by another controller. The resourceVersion is sent, so concurrent
-	// writers cause a 409 Conflict and a clean requeue.
-	original := mcpServer.DeepCopy()
-	if mcpServer.Annotations == nil {
-		mcpServer.Annotations = make(map[string]string)
-	}
-	mcpServer.Annotations[LastProcessedRestartAnnotationKey] = currentRestartedAt
-	if err := r.Patch(ctx, mcpServer,
-		client.MergeFromWithOptions(original, client.MergeFromWithOptimisticLock{})); err != nil {
+	if err := ctrlutil.MutateAndPatchSpec(ctx, r.Client, mcpServer, func(m *mcpv1beta1.MCPServer) {
+		if m.Annotations == nil {
+			m.Annotations = make(map[string]string)
+		}
+		m.Annotations[LastProcessedRestartAnnotationKey] = currentRestartedAt
+	}); err != nil {
 		return false, fmt.Errorf("failed to update MCPServer with last processed restart annotation: %w", err)
 	}
 
diff --git a/cmd/thv-operator/controllers/toolconfig_controller.go b/cmd/thv-operator/controllers/toolconfig_controller.go
@@ -159,18 +159,12 @@ func (r *ToolConfigReconciler) handleConfigHashChange(
 		logger.Info("Triggering reconciliation of MCPServer due to MCPToolConfig change",
 			"mcpserver", server.Name, "toolconfig", toolConfig.Name)
 
-		// Use an optimistic-lock merge patch rather than Update so we do not
-		// silently overwrite spec fields (e.g. spec.authzConfig) that are owned
-		// by another controller. The resourceVersion is sent, so concurrent
-		// writers cause a 409 Conflict and a clean requeue.
-		original := server.DeepCopy()
-		if server.Annotations == nil {
-			server.Annotations = make(map[string]string)
-		}
-		server.Annotations["toolhive.stacklok.dev/toolconfig-hash"] = configHash
-
-		if err := r.Patch(ctx, &server,
-			client.MergeFromWithOptions(original, client.MergeFromWithOptimisticLock{})); err != nil {
+		if err := ctrlutil.MutateAndPatchSpec(ctx, r.Client, &server, func(m *mcpv1beta1.MCPServer) {
+			if m.Annotations == nil {
+				m.Annotations = make(map[string]string)
+			}
+			m.Annotations["toolhive.stacklok.dev/toolconfig-hash"] = configHash
+		}); err != nil {
 			logger.Error(err, "Failed to patch MCPServer annotation", "mcpserver", server.Name)
 		}
 	}
diff --git a/cmd/thv-operator/pkg/controllerutil/doc.go b/cmd/thv-operator/pkg/controllerutil/doc.go
@@ -17,6 +17,7 @@
 //   - podtemplatespec_builder.go: PodTemplateSpec builder for constructing pod template patches
 //   - maps.go: Map comparison utilities (e.g. subset checks for annotations)
 //   - status.go: Status-subresource merge-patch helper (MutateAndPatchStatus)
+//   - patch.go: Spec/metadata optimistic-lock merge-patch helper (MutateAndPatchSpec)
 //
 // These utilities are used by multiple controllers including MCPServer, MCPRemoteProxy,
 // and ToolConfig controllers to maintain consistent behavior across the operator.
diff --git a/cmd/thv-operator/pkg/controllerutil/patch.go b/cmd/thv-operator/pkg/controllerutil/patch.go
@@ -0,0 +1,76 @@
+// SPDX-FileCopyrightText: Copyright 2025 Stacklok, Inc.
+// SPDX-License-Identifier: Apache-2.0
+
+package controllerutil
+
+import (
+	"context"
+	"fmt"
+	"reflect"
+
+	"sigs.k8s.io/controller-runtime/pkg/client"
+)
+
+// MutateAndPatchSpec captures the current state of obj, applies mutate, and
+// patches the object using a JSON merge patch with optimistic concurrency.
+// A concurrent writer that advances resourceVersion between our read and our
+// Patch triggers a 409 Conflict; controller-runtime then re-Gets, recomputes
+// the diff, and writes on a fresh view — preserving cross-writer coexistence
+// on the same resource.
+//
+// This is the canonical idiom for every spec or metadata write on a CR that
+// another controller may also write (see #4767). A full PUT (r.Update) is a
+// bug trap: any field the operator's local copy does not track — most
+// importantly spec.authzConfig on MCPServer, which a separate authorization
+// controller will own — is zeroed on every reconcile. A merge-patch body
+// only carries fields the caller actually changed, so untouched fields never
+// hit the wire and cannot be clobbered. MergeFromWithOptimisticLock sends
+// resourceVersion as a precondition, giving 409-on-collision semantics for
+// concurrent writers and defending metadata.finalizers (which has no
+// array-merge semantics under RFC 7396 merge-patch) against wholesale
+// replacement when another controller is mid-flight adding its own entry.
+//
+// Unlike MutateAndPatchStatus, this helper does NOT short-circuit on an
+// empty diff. MergeFromWithOptimisticLock always emits metadata.resourceVersion
+// into the patch body, so the status helper's "body == {}" check never fires;
+// and every current call site carries a real mutation (finalizer add/remove,
+// annotation stamp), so there is no no-op caller to optimize for.
+//
+// Do NOT use for status writes. Status-subresource writes are scoped to the
+// status stanza, and forcing a 409 on every disjoint-field overlap would
+// produce permanent churn with nothing gained — use MutateAndPatchStatus.
+//
+// If Patch returns an error, obj has already been mutated; callers must
+// re-fetch obj before retrying rather than reusing the modified in-memory
+// copy. The standard reconciler pattern — returning the error so
+// controller-runtime requeues with a fresh Get — is the correct retry path.
+//
+// Typical usage:
+//
+//	err := ctrlutil.MutateAndPatchSpec(ctx, r.Client, mcpServer,
+//	    func(m *mcpv1beta1.MCPServer) {
+//	        controllerutil.AddFinalizer(m, MCPServerFinalizerName)
+//	    })
+//	if err != nil {
+//	    return ctrl.Result{}, err
+//	}
+//
+// Expect 409s as routine log noise once external writers land — the guard
+// doing its job, not a bug.
+func MutateAndPatchSpec[T client.Object](
+	ctx context.Context, c client.Client, obj T, mutate func(T),
+) error {
+	// Reject both a true-nil interface and a typed-nil pointer. T is
+	// constrained to client.Object; every real implementer is a pointer
+	// to a struct, so a nil obj is always a programmer error. Returning
+	// an explicit error is nicer than the raw panic that the subsequent
+	// .(T) type assertion would produce.
+	v := reflect.ValueOf(obj)
+	if !v.IsValid() || (v.Kind() == reflect.Pointer && v.IsNil()) {
+		return fmt.Errorf("MutateAndPatchSpec: obj must be non-nil")
+	}
+	original := obj.DeepCopyObject().(T)
+	mutate(obj)
+	return c.Patch(ctx, obj, client.MergeFromWithOptions(
+		original, client.MergeFromWithOptimisticLock{}))
+}
diff --git a/cmd/thv-operator/pkg/controllerutil/patch_test.go b/cmd/thv-operator/pkg/controllerutil/patch_test.go
diff --git a/cmd/thv-operator/pkg/controllerutil/status.go b/cmd/thv-operator/pkg/controllerutil/status.go
