Operator: deploymentNeedsUpdate doesn't mirror Redis password env var (perpetual drift on Redis session storage)

## Summary

`MCPServerReconciler.deploymentNeedsUpdate` does not mirror the Redis password env var that `deploymentForMCPServer` adds. When `sessionStorage.provider == "redis"` and a `passwordRef` is set, the actual proxy Deployment carries the `THV_SESSION_REDIS_PASSWORD` entry but the expected env slice built by `deploymentNeedsUpdate` does not — `equality.Semantic.DeepEqual` then flags drift and the controller rewrites the Deployment on every reconcile.

## Where

- Construction site: [`cmd/thv-operator/controllers/mcpserver_controller.go:1153`](https://github.com/stacklok/toolhive/blob/main/cmd/thv-operator/controllers/mcpserver_controller.go#L1153) — `env = append(env, r.buildRedisPasswordEnvVar(m)...)`
- Drift comparison: `MCPServerReconciler.deploymentNeedsUpdate` rebuilds `expectedProxyEnv` (around line 1710 onwards) but never calls `buildRedisPasswordEnvVar`.

The only call site for `buildRedisPasswordEnvVar` is the construction path. Confirmed by:

```
$ grep -n 'buildRedisPasswordEnvVar' cmd/thv-operator/controllers/mcpserver_controller.go
1153:	env = append(env, r.buildRedisPasswordEnvVar(m)...)
2489:// buildRedisPasswordEnvVar returns the THV_SESSION_REDIS_PASSWORD env var when
2491:func (*MCPServerReconciler) buildRedisPasswordEnvVar(m *mcpv1beta1.MCPServer) []corev1.EnvVar {
```

## Impact

- For MCPServers using Redis-backed session storage, the proxy Deployment's `resourceVersion` increments on every reconcile.
- Each rewrite triggers a pod-template diff and could destabilize rolling-update behavior in combination with #5360 (now fixed in #5364) since each reconcile bumps the deployment's apiserver generation but not the MCPServer's.
- Pre-existing — not introduced by #5364. Spotted during code review of #5364 where the position-mirror comment originally referenced the Redis slot.

## Suggested fix

Mirror `buildRedisPasswordEnvVar` in `deploymentNeedsUpdate` at the same relative position it occupies in `deploymentForMCPServer` (after user-override env vars, before the new `THV_MCPSERVER_GENERATION` downward-API entry from #5364).

```go
// In deploymentNeedsUpdate, before the THV_MCPSERVER_GENERATION block:
expectedProxyEnv = append(expectedProxyEnv, r.buildRedisPasswordEnvVar(mcpServer)...)
```

Add a focused unit test asserting `deploymentNeedsUpdate` returns `false` after `deploymentForMCPServer` when an MCPServer has `sessionStorage.provider: redis` with a `passwordRef`. There's no such regression test today.

## Related

- Surfaced during review of #5364 (PR comment: https://github.com/stacklok/toolhive/pull/5364#discussion_r3284498492)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Operator: deploymentNeedsUpdate doesn't mirror Redis password env var (perpetual drift on Redis session storage) #5365

Summary

Where

Impact

Suggested fix

Related

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Operator: deploymentNeedsUpdate doesn't mirror Redis password env var (perpetual drift on Redis session storage) #5365

Description

Summary

Where

Impact

Suggested fix

Related

Metadata

Metadata

Assignees

Labels

Type

Fields

Projects

Milestone

Relationships

Development

Issue actions