Summary
The enforceServers field on MCPRegistrySpec and its associated image validation code should be removed. The feature has been broken and non-functional since PR #2568 removed the data sources from the operator.
Why it's broken
The image validation code in checkImageInRegistry reads from a {name}-registry-storage ConfigMap to check whether an MCPServer's image exists in a registry. This ConfigMap was originally created by the operator's StorageManager (in cmd/thv-operator/pkg/sources/storage_manager.go), which synced registry data from sources (Git, API, ConfigMap) and persisted it.
PR #2568 moved all data source handling from the operator into the registry server itself and deleted the StorageManager. Nothing creates the {name}-registry-storage ConfigMap anymore. As a result, the ConfigMap lookup always returns NotFound, and enforceServers: true silently does nothing — every image check returns "not found" but the validator treats this as "registry data not available" and allows the image through.
Why we can't just fix it
The registry server now manages its own data lifecycle — it fetches from configured sources (Git repos, API endpoints, Kubernetes, files) and stores the results in its own database. The operator treats the registry configuration as opaque (configYAML). This means:
- The operator doesn't have the resolved data — it only has source definitions, not the actual server/image list
- Querying the registry API would add HTTP dependencies to the validation path, which is undesirable in a controller's reconciliation loop
- The registry server doesn't write resolved data to a ConfigMap — it uses its own internal storage
Resolution
Remove the feature entirely:
- Remove
EnforceServers field from MCPRegistrySpec
- Delete
image_validation.go and its tests
- Remove image validation wiring from MCPServer and EmbeddingServer controllers
- Remove
ConditionImageValidated and related status condition constants
- Remove
GetStorageName() and getConfigMapName() dead code
- Clean up documentation references
- Regenerate CRD manifests
Related
Summary
The
enforceServersfield onMCPRegistrySpecand its associated image validation code should be removed. The feature has been broken and non-functional since PR #2568 removed the data sources from the operator.Why it's broken
The image validation code in
checkImageInRegistryreads from a{name}-registry-storageConfigMap to check whether an MCPServer's image exists in a registry. This ConfigMap was originally created by the operator'sStorageManager(incmd/thv-operator/pkg/sources/storage_manager.go), which synced registry data from sources (Git, API, ConfigMap) and persisted it.PR #2568 moved all data source handling from the operator into the registry server itself and deleted the
StorageManager. Nothing creates the{name}-registry-storageConfigMap anymore. As a result, the ConfigMap lookup always returns NotFound, andenforceServers: truesilently does nothing — every image check returns "not found" but the validator treats this as "registry data not available" and allows the image through.Why we can't just fix it
The registry server now manages its own data lifecycle — it fetches from configured sources (Git repos, API endpoints, Kubernetes, files) and stores the results in its own database. The operator treats the registry configuration as opaque (
configYAML). This means:Resolution
Remove the feature entirely:
EnforceServersfield fromMCPRegistrySpecimage_validation.goand its testsConditionImageValidatedand related status condition constantsGetStorageName()andgetConfigMapName()dead codeRelated