Fix VirtualMCPServer reconciliation for discovered auth config updates (#2957)

* Fix VirtualMCPServer reconciliation for discovered auth config updates

When an MCPExternalAuthConfig is updated, VirtualMCPServer resources
should reconcile to pick up the changes. However, the watch handler only
checked inline references in the VirtualMCPServer.Spec.OutgoingAuth field
and ignored discovered references when source: discovered mode is used.

In discovered mode, auth configs are referenced through MCPServer
resources in the group rather than inline in the VirtualMCPServer spec.
The watch handler now checks both inline and discovered references by
listing MCPServers in the group and checking if any reference the
updated MCPExternalAuthConfig.

This ensures that VirtualMCPServers using discovered mode will properly
reconcile when their backend auth configurations change.

Fixes #2831

* changes from review

---------

Co-authored-by: taskbot <[email protected]>
Co-authored-by: Jakub Hrozek <[email protected]>

Author: 3 people

cmd/thv-operator/controllers/virtualmcpserver_controller.go

@@ -1717,7 +1717,8 @@ func (r *VirtualMCPServerReconciler) mapExternalAuthConfigToVirtualMCPServer(
 	var requests []reconcile.Request
 	for _, vmcp := range vmcpList.Items {
 		// Only reconcile VirtualMCPServers that actually reference this ExternalAuthConfig
-		if r.vmcpReferencesExternalAuthConfig(&vmcp, externalAuthConfig.Name) {
+		// This includes both inline references and discovered references (via MCPServers)
+		if r.vmcpReferencesExternalAuthConfig(ctx, &vmcp, externalAuthConfig.Name) {
 			requests = append(requests, reconcile.Request{
 				NamespacedName: types.NamespacedName{
 					Name:      vmcp.Name,
@@ -1773,15 +1774,18 @@ func (*VirtualMCPServerReconciler) vmcpReferencesToolConfig(vmcp *mcpv1alpha1.Vi
 	return false
 }
 
-// vmcpReferencesExternalAuthConfig checks if a VirtualMCPServer references the given MCPExternalAuthConfig
-func (*VirtualMCPServerReconciler) vmcpReferencesExternalAuthConfig(
+// vmcpReferencesExternalAuthConfig checks if a VirtualMCPServer references the given MCPExternalAuthConfig.
+// It checks both inline references (in outgoingAuth spec) and discovered references (via MCPServers in the group).
+func (r *VirtualMCPServerReconciler) vmcpReferencesExternalAuthConfig(
+	ctx context.Context,
 	vmcp *mcpv1alpha1.VirtualMCPServer,
 	authConfigName string,
 ) bool {
 	if vmcp.Spec.OutgoingAuth == nil {
 		return false
 	}
 
+	// Check inline references in outgoing auth configuration
 	// Check default backend auth configuration
 	if vmcp.Spec.OutgoingAuth.Default != nil &&
 		vmcp.Spec.OutgoingAuth.Default.ExternalAuthConfigRef != nil &&
@@ -1797,6 +1801,60 @@ func (*VirtualMCPServerReconciler) vmcpReferencesExternalAuthConfig(
 		}
 	}
 
+	// Check discovered references when source is "discovered"
+	// When using discovered mode, auth configs are referenced through MCPServers, not inline
+	if vmcp.Spec.OutgoingAuth.Source == OutgoingAuthSourceDiscovered {
+		if r.mcpGroupBackendsReferenceExternalAuthConfig(ctx, vmcp, authConfigName) {
+			return true
+		}
+	}
+
+	return false
+}
+
+// mcpGroupBackendsReferenceExternalAuthConfig checks if any MCPServers in the VirtualMCPServer's group
+// reference the given MCPExternalAuthConfig
+func (r *VirtualMCPServerReconciler) mcpGroupBackendsReferenceExternalAuthConfig(
+	ctx context.Context,
+	vmcp *mcpv1alpha1.VirtualMCPServer,
+	authConfigName string,
+) bool {
+	// Get the MCPGroup to verify it exists
+	mcpGroup := &mcpv1alpha1.MCPGroup{}
+	err := r.Get(ctx, types.NamespacedName{
+		Name:      vmcp.Spec.GroupRef.Name,
+		Namespace: vmcp.Namespace,
+	}, mcpGroup)
+	if err != nil {
+		// If we can't get the group, we can't determine if it references the auth config
+		// Return false to avoid false positives
+		log.FromContext(ctx).Error(err, "Failed to get MCPGroup for ExternalAuthConfig reference check",
+			"group", vmcp.Spec.GroupRef.Name,
+			"vmcp", vmcp.Name)
+		return false
+	}
+
+	// List all MCPServers in the group using field selector (same as MCPGroup controller)
+	mcpServerList := &mcpv1alpha1.MCPServerList{}
+	listOpts := []client.ListOption{
+		client.InNamespace(vmcp.Namespace),
+		client.MatchingFields{"spec.groupRef": mcpGroup.Name},
+	}
+	err = r.List(ctx, mcpServerList, listOpts...)
+	if err != nil {
+		log.FromContext(ctx).Error(err, "Failed to list MCPServers for ExternalAuthConfig reference check",
+			"group", mcpGroup.Name)
+		return false
+	}
+
+	// Check if any MCPServer references the ExternalAuthConfig
+	for _, mcpServer := range mcpServerList.Items {
+		if mcpServer.Spec.ExternalAuthConfigRef != nil &&
+			mcpServer.Spec.ExternalAuthConfigRef.Name == authConfigName {
+			return true
+		}
+	}
+
 	return false
 }