Background
.claude/rules/operator.md ("Status Writes") requires controllerutil.MutateAndPatchStatus rather than r.Status().Update, because a full-replace Update can clobber the entire Status.Conditions array under concurrent reconciles (JSON merge-patch replaces the array wholesale).
The entire handle*Config family in both mcpserver_controller.go and mcpremoteproxy_controller.go (OIDC, telemetry, external-auth, authServerRef, authz, webhook, …) predates the helper and still calls r.Status().Update. The newly added MCPAuthzConfig watch makes concurrent config reconciles a bit more likely, which raised the question.
Raised by @jhrozek in review of #5564 (and noted on #5563). The agreed plan was to migrate the whole family in one focused sweep rather than piecemeal — piecemeal migration risks the very array-clobber the rule warns about.
Scope
- Migrate all
handle*Config status writes in both controllers to controllerutil.MutateAndPatchStatus.
- Verify each call site holds a freshly-
Getted object and is the sole owner of the conditions array (per the rule's checklist).
- One PR, atomic.
Tracked as a follow-up to #5564.
Background
.claude/rules/operator.md("Status Writes") requirescontrollerutil.MutateAndPatchStatusrather thanr.Status().Update, because a full-replaceUpdatecan clobber the entireStatus.Conditionsarray under concurrent reconciles (JSON merge-patch replaces the array wholesale).The entire
handle*Configfamily in bothmcpserver_controller.goandmcpremoteproxy_controller.go(OIDC, telemetry, external-auth, authServerRef, authz, webhook, …) predates the helper and still callsr.Status().Update. The newly addedMCPAuthzConfigwatch makes concurrent config reconciles a bit more likely, which raised the question.Raised by @jhrozek in review of #5564 (and noted on #5563). The agreed plan was to migrate the whole family in one focused sweep rather than piecemeal — piecemeal migration risks the very array-clobber the rule warns about.
Scope
handle*Configstatus writes in both controllers tocontrollerutil.MutateAndPatchStatus.Getted object and is the sole owner of the conditions array (per the rule's checklist).Tracked as a follow-up to #5564.