Background
The operator never sets RunConfig.AuthzConfigPath, so the standalone authz ConfigMap the operator materializes from spec.authzConfig (via EnsureAuthzConfigMap) and mounts at /etc/toolhive/authz (via GenerateAuthzVolumeConfig) is never read. Enforcement happens entirely through the authz config embedded in the RunConfig (addAuthzInlineConfigOptions -> WithAuthzConfig), which the proxy reads from /etc/runconfig/runconfig.json.
The equivalent ref path (spec.authzConfigRef) was removed in #5564 (commit "Stop materializing authzConfigRef into an unread ConfigMap"). The inline path is equally vestigial but pre-existing, so it was left untouched there to keep that change scoped.
Originally flagged by @jhrozek in review of #5563 (the inline GenerateAuthzVolumeConfig is "equally unread").
Scope
- Remove the inline authz ConfigMap materialization (EnsureAuthzConfigMap) and its volume mount (GenerateAuthzVolumeConfig) from mcpserver_controller.go and mcpremoteproxy_controller.go / mcpremoteproxy_deployment.go.
- Delete the helpers and their tests once unused.
- Confirm nothing reads the mounted file (no AuthzConfigPath is ever set in the operator path).
NOTE: the user-supplied authzConfig.type: configMap input (read via LoadAuthzConfigFromConfigMap) is a separate, genuinely-read mechanism — do not remove that.
Tracked as a follow-up to #5564.