Background
PR #5233 added baselineClientScopes to EmbeddedAuthServerConfig with a startup-time subset check (RunConfig.Validate: every entry must be in scopesSupported). If an operator misconfigures the baseline (a value absent from scopesSupported), the auth-server pod fails inside NewEmbeddedAuthServer and CrashLoopBackOffs. The error is loud in pod logs ("invalid run config: baseline_client_scopes contains ..."), but the CR itself carries no signal — operators have to know to read pod logs.
Raised by @tgrunnagle in PR #5233 review F7. Deferred from #5233 to keep that PR's scope tight.
Proposal
Pre-validate baselineClientScopes against the upstream-derived scopesSupported in the reconciler and surface the result as a status condition before the workload rolls.
Two CRDs are affected (per .claude/rules/operator.md "Status condition parity"):
MCPExternalAuthConfig (consumed by MCPServer, MCPRemoteProxy)VirtualMCPServer (spec.authServerConfig embeds EmbeddedAuthServerConfig inline)
Both must emit the same condition (e.g. BaselineScopesValid with status False + reason BaselineScopeNotSupported + message listing the offending scope). Status writes must go through controllerutil.MutateAndPatchStatus per the operator status-writes rule.
Acceptance criteria
Out of scope
- Generalizing scope validation to other
*Scopes fields (this issue is specifically about baselineClientScopes).
- Auto-correction (e.g. silently dropping the unsupported scope).
References
Background
PR #5233 added
baselineClientScopestoEmbeddedAuthServerConfigwith a startup-time subset check (RunConfig.Validate: every entry must be inscopesSupported). If an operator misconfigures the baseline (a value absent fromscopesSupported), the auth-server pod fails insideNewEmbeddedAuthServerand CrashLoopBackOffs. The error is loud in pod logs ("invalid run config: baseline_client_scopes contains ..."), but the CR itself carries no signal — operators have to know to read pod logs.Raised by @tgrunnagle in PR #5233 review F7. Deferred from #5233 to keep that PR's scope tight.
Proposal
Pre-validate
baselineClientScopesagainst the upstream-derivedscopesSupportedin the reconciler and surface the result as a status condition before the workload rolls.Two CRDs are affected (per
.claude/rules/operator.md"Status condition parity"):MCPExternalAuthConfig(consumed byMCPServer,MCPRemoteProxy)VirtualMCPServer(spec.authServerConfigembedsEmbeddedAuthServerConfiginline)Both must emit the same condition (e.g.
BaselineScopesValidwith statusFalse+ reasonBaselineScopeNotSupported+ message listing the offending scope). Status writes must go throughcontrollerutil.MutateAndPatchStatusper the operator status-writes rule.Acceptance criteria
scopesSupported(fromoidcConfig.Scopesfor MCPServer path, from the resolved vmcp Config for VirtualMCPServer) and checksbaselineClientScopesis a subset before allowing the workload to roll.BaselineScopesValidcondition (or equivalent name) emitted on bothMCPExternalAuthConfig.statusandVirtualMCPServer.statuswith parity per.claude/rules/operator.md.False, reason names the offending scope, the auth-server pod is NOT spawned (or its rollout is paused — design choice).controllerutil.MutateAndPatchStatuscontract (fresh Get, sole owner of Conditions array).Out of scope
*Scopesfields (this issue is specifically aboutbaselineClientScopes).References
requiredClientScopesto embedded auth server for DCR scope baseline #5224.claude/rules/operator.md