Detect imagePullSecrets drift on proxy Deployments (#5113)

The MCPServer and MCPRemoteProxy controllers correctly include
spec.resourceOverrides.proxyDeployment.imagePullSecrets in newly built
proxy Deployments, but their deploymentNeedsUpdate drift checks never
compare Spec.Template.Spec.ImagePullSecrets. As a result, editing the
field on a live CR did not roll the existing Deployment: the proxy-
runner ServiceAccount was refreshed via EnsureRBACResources (so kubelet
recovered for new pods through the SA path), but the pod-spec field
on the live Deployment remained stale. In the user-managed-
ServiceAccount branch, where RBAC reconciliation is skipped, the pod-
spec field is the only mechanism — so that path stayed broken.

Add a comparison in both controllers using equality.Semantic.DeepEqual
so nil and empty slices are treated identically (matching Kubernetes'
own serialization semantics) and reorder/add/remove on populated
slices triggers a rollout. MCPRemoteProxy gets a new podSpecNeedsUpdate
sub-helper alongside the existing containerNeedsUpdate /
deploymentMetadataNeedsUpdate / podTemplateMetadataNeedsUpdate trio;
MCPServer gets an inline check that mirrors the surrounding style of
its single deploymentNeedsUpdate function.

Each controller gets a table-driven unit test covering seven cases:
the no-override baseline, the bug repro, the removal flow, the
populated match, the nil-vs-empty asymmetry from both sides, and the
slice-reorder case (which equality.Semantic.DeepEqual treats as
drift). Two envtest integration tests per controller exercise the
full reconcile-update path: create CR, assert Deployment, mutate
imagePullSecrets, assert Deployment rolls.

Co-authored-by: Claude Opus 4.7 <noreply@anthropic.com>

Author: jhrozek

cmd/thv-operator/controllers/mcpremoteproxy_controller.go

@@ -15,6 +15,7 @@ import (
 
 	appsv1 "k8s.io/api/apps/v1"
 	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/api/equality"
 	"k8s.io/apimachinery/pkg/api/errors"
 	"k8s.io/apimachinery/pkg/api/meta"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -1254,6 +1255,10 @@ func (r *MCPRemoteProxyReconciler) deploymentNeedsUpdate(
 		return true
 	}
 
+	if r.podSpecNeedsUpdate(deployment, proxy) {
+		return true
+	}
+
 	return false
 }
 
@@ -1383,6 +1388,20 @@ func (r *MCPRemoteProxyReconciler) podTemplateMetadataNeedsUpdate(
 	return false
 }
 
+// podSpecNeedsUpdate checks if pod-level fields (not container fields) have drifted.
+//
+// Currently compares ImagePullSecrets sourced from spec.resourceOverrides.proxyDeployment.
+// Uses equality.Semantic.DeepEqual so nil and empty slices are treated as equal,
+// which matches Kubernetes' own serialization semantics.
+func (*MCPRemoteProxyReconciler) podSpecNeedsUpdate(
+	deployment *appsv1.Deployment,
+	proxy *mcpv1beta1.MCPRemoteProxy,
+) bool {
+	expected := imagePullSecretsForRemoteProxy(proxy)
+	current := deployment.Spec.Template.Spec.ImagePullSecrets
+	return !equality.Semantic.DeepEqual(current, expected)
+}
+
 // serviceNeedsUpdate checks if the service needs to be updated
 func (*MCPRemoteProxyReconciler) serviceNeedsUpdate(service *corev1.Service, proxy *mcpv1beta1.MCPRemoteProxy) bool {
 	// Check if port has changed

cmd/thv-operator/controllers/mcpremoteproxy_deployment_test.go

@@ -880,6 +880,104 @@ func TestMCPRemoteProxyDeploymentNeedsUpdate_TokenExchangeDoesNotDrift(t *testin
 	assert.False(t, reconciler.deploymentNeedsUpdate(t.Context(), deployment, proxy, "test-checksum"))
 }
 
+func TestMCPRemoteProxyDeploymentNeedsUpdate_ImagePullSecretsDrift(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name              string
+		specSecrets       []corev1.LocalObjectReference // set on proxy.Spec.ResourceOverrides
+		deploymentSecrets []corev1.LocalObjectReference // overrides deployment after build
+		expectNeedsUpdate bool
+	}{
+		{
+			name:              "both empty - no update",
+			specSecrets:       nil,
+			deploymentSecrets: nil,
+			expectNeedsUpdate: false,
+		},
+		{
+			name:              "spec has secrets, deployment has nil - needs update",
+			specSecrets:       []corev1.LocalObjectReference{{Name: "regsec"}},
+			deploymentSecrets: nil,
+			expectNeedsUpdate: true,
+		},
+		{
+			name:              "spec cleared, deployment has stale - needs update",
+			specSecrets:       nil,
+			deploymentSecrets: []corev1.LocalObjectReference{{Name: "old-regsec"}},
+			expectNeedsUpdate: true,
+		},
+		{
+			name:              "match - no update",
+			specSecrets:       []corev1.LocalObjectReference{{Name: "regsec"}},
+			deploymentSecrets: []corev1.LocalObjectReference{{Name: "regsec"}},
+			expectNeedsUpdate: false,
+		},
+		{
+			name:              "spec nil vs deployment empty slice - no update",
+			specSecrets:       nil,
+			deploymentSecrets: []corev1.LocalObjectReference{},
+			expectNeedsUpdate: false,
+		},
+		{
+			name:              "spec empty slice vs deployment empty slice - no update",
+			specSecrets:       []corev1.LocalObjectReference{},
+			deploymentSecrets: []corev1.LocalObjectReference{},
+			expectNeedsUpdate: false,
+		},
+		{
+			name:              "reorder triggers update",
+			specSecrets:       []corev1.LocalObjectReference{{Name: "a"}, {Name: "b"}},
+			deploymentSecrets: []corev1.LocalObjectReference{{Name: "b"}, {Name: "a"}},
+			expectNeedsUpdate: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			scheme := createRunConfigTestScheme()
+			fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+
+			proxy := &mcpv1beta1.MCPRemoteProxy{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-proxy",
+					Namespace: "default",
+				},
+				Spec: mcpv1beta1.MCPRemoteProxySpec{
+					RemoteURL: "https://mcp.example.com",
+					ProxyPort: 8080,
+				},
+			}
+			if tt.specSecrets != nil {
+				proxy.Spec.ResourceOverrides = &mcpv1beta1.ResourceOverrides{
+					ProxyDeployment: &mcpv1beta1.ProxyDeploymentOverrides{
+						ImagePullSecrets: tt.specSecrets,
+					},
+				}
+			}
+
+			reconciler := &MCPRemoteProxyReconciler{
+				Client:           fakeClient,
+				Scheme:           scheme,
+				PlatformDetector: ctrlutil.NewSharedPlatformDetector(),
+			}
+
+			deployment := reconciler.deploymentForMCPRemoteProxy(t.Context(), proxy, "test-checksum")
+			require.NotNil(t, deployment)
+
+			// Simulate the "stored" state by overwriting ImagePullSecrets only.
+			// The freshly built deployment is otherwise fully aligned with the proxy spec,
+			// so any detected drift is caused solely by this field.
+			deployment.Spec.Template.Spec.ImagePullSecrets = tt.deploymentSecrets
+
+			needsUpdate := reconciler.deploymentNeedsUpdate(t.Context(), deployment, proxy, "test-checksum")
+			assert.Equal(t, tt.expectNeedsUpdate, needsUpdate, "ImagePullSecrets drift detection mismatch")
+		})
+	}
+}
+
 // TestBuildEnvVarsForProxy tests environment variable building
 func TestBuildEnvVarsForProxy(t *testing.T) {
 	t.Parallel()

cmd/thv-operator/controllers/mcpserver_controller.go

@@ -1723,6 +1723,18 @@ func (r *MCPServerReconciler) deploymentNeedsUpdate(
 			return true
 		}
 
+		// Check if image pull secrets have changed.
+		// Sourced from spec.resourceOverrides.proxyDeployment.imagePullSecrets.
+		// Uses equality.Semantic.DeepEqual so nil and empty slices are treated as equal.
+		var expectedPullSecrets []corev1.LocalObjectReference
+		if mcpServer.Spec.ResourceOverrides != nil &&
+			mcpServer.Spec.ResourceOverrides.ProxyDeployment != nil {
+			expectedPullSecrets = mcpServer.Spec.ResourceOverrides.ProxyDeployment.ImagePullSecrets
+		}
+		if !equality.Semantic.DeepEqual(deployment.Spec.Template.Spec.ImagePullSecrets, expectedPullSecrets) {
+			return true
+		}
+
 		// Check if the resource requirements have changed
 		if !equality.Semantic.DeepEqual(container.Resources, resourceRequirementsForMCPServer(mcpServer)) {
 			return true

cmd/thv-operator/controllers/mcpserver_resource_overrides_test.go

@@ -824,6 +824,102 @@ func TestDeploymentNeedsUpdateProxyEnv(t *testing.T) {
 	}
 }
 
+func TestMCPServerDeploymentNeedsUpdate_ImagePullSecretsDrift(t *testing.T) {
+	t.Parallel()
+
+	tests := []struct {
+		name              string
+		specSecrets       []corev1.LocalObjectReference // set on mcpServer.Spec.ResourceOverrides
+		deploymentSecrets []corev1.LocalObjectReference // overrides deployment after build
+		expectNeedsUpdate bool
+	}{
+		{
+			name:              "both empty - no update",
+			specSecrets:       nil,
+			deploymentSecrets: nil,
+			expectNeedsUpdate: false,
+		},
+		{
+			name:              "spec has secrets, deployment has nil - needs update",
+			specSecrets:       []corev1.LocalObjectReference{{Name: "regsec"}},
+			deploymentSecrets: nil,
+			expectNeedsUpdate: true,
+		},
+		{
+			name:              "spec cleared, deployment has stale - needs update",
+			specSecrets:       nil,
+			deploymentSecrets: []corev1.LocalObjectReference{{Name: "old-regsec"}},
+			expectNeedsUpdate: true,
+		},
+		{
+			name:              "match - no update",
+			specSecrets:       []corev1.LocalObjectReference{{Name: "regsec"}},
+			deploymentSecrets: []corev1.LocalObjectReference{{Name: "regsec"}},
+			expectNeedsUpdate: false,
+		},
+		{
+			name:              "spec nil vs deployment empty slice - no update",
+			specSecrets:       nil,
+			deploymentSecrets: []corev1.LocalObjectReference{},
+			expectNeedsUpdate: false,
+		},
+		{
+			name:              "spec empty slice vs deployment empty slice - no update",
+			specSecrets:       []corev1.LocalObjectReference{},
+			deploymentSecrets: []corev1.LocalObjectReference{},
+			expectNeedsUpdate: false,
+		},
+		{
+			name:              "reorder triggers update",
+			specSecrets:       []corev1.LocalObjectReference{{Name: "a"}, {Name: "b"}},
+			deploymentSecrets: []corev1.LocalObjectReference{{Name: "b"}, {Name: "a"}},
+			expectNeedsUpdate: true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			t.Parallel()
+
+			scheme := runtime.NewScheme()
+			require.NoError(t, mcpv1beta1.AddToScheme(scheme))
+
+			fakeClient := fake.NewClientBuilder().WithScheme(scheme).Build()
+			r := newTestMCPServerReconciler(fakeClient, scheme, kubernetes.PlatformKubernetes)
+
+			mcpServer := &mcpv1beta1.MCPServer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "test-server",
+					Namespace: "default",
+				},
+				Spec: mcpv1beta1.MCPServerSpec{
+					Image:     "test-image",
+					ProxyPort: 8080,
+				},
+			}
+			if tt.specSecrets != nil {
+				mcpServer.Spec.ResourceOverrides = &mcpv1beta1.ResourceOverrides{
+					ProxyDeployment: &mcpv1beta1.ProxyDeploymentOverrides{
+						ImagePullSecrets: tt.specSecrets,
+					},
+				}
+			}
+
+			ctx := t.Context()
+			deployment := r.deploymentForMCPServer(ctx, mcpServer, "test-checksum")
+			require.NotNil(t, deployment)
+
+			// Simulate the "stored" state by overwriting ImagePullSecrets only.
+			// The freshly built deployment is otherwise fully aligned with the mcpServer spec,
+			// so any detected drift is caused solely by this field.
+			deployment.Spec.Template.Spec.ImagePullSecrets = tt.deploymentSecrets
+
+			needsUpdate := r.deploymentNeedsUpdate(ctx, deployment, mcpServer, "test-checksum")
+			assert.Equal(t, tt.expectNeedsUpdate, needsUpdate, "ImagePullSecrets drift detection mismatch")
+		})
+	}
+}
+
 func TestMCPServerSessionAffinityNone(t *testing.T) {
 	t.Parallel()