Emit Events from the three config controllers

[ChrisJBurns]

Summary

The MCPOIDCConfig, MCPExternalAuthConfig, and MCPAuthzConfig controllers logged validation failures and deletion-blocked transitions but emitted no Kubernetes Event objects — so an operator running kubectl describe mcpauthzconfig <name> (or the siblings) couldn't see why a config was rejected or which workloads were blocking its deletion. Per the operator Status Condition Parity rule, all three siblings gain an EventRecorder in a single change so the parity is established as one logical step. Flagged as F15 in the multi-agent review of #4777.

Closes #5496

Note: stacked on #5509 (cburns/migrate-sibling-controllers-mutatepatchstatus) — these controllers only exist in their migrated form on that branch. Rebase to main once #5509 merges.

Medium level

• New shared helper (config_controller_events.go): emitConfigEvent (nil-guarded Eventf wrapper), emitConfigRecoveryEvent (Normal ConfigValid, no-op unless recovering), conditionStatusIs (transition detection), and the shared ConfigInvalid / ConfigValid / DeletionBlocked event reasons.
• Each reconciler gains Recorder events.EventRecorder, wired in app.go via mgr.GetEventRecorder("<resource>-controller"), plus an events.k8s.io/events RBAC marker (matching the five sibling controllers that already carry it; regenerated manifests show no diff since the permission was already granted).
• Emission is transition-gated: the prior condition is read before MutateAndPatchStatus (which mutates conditions in place), so a Warning fires only on entering the invalid/blocked state and the recovery Normal fires only on the False→True transition — steady-state reconciles produce no event spam.
• ExternalAuth coverage: the inline-validation path, the OBO setInvalid path, and both success paths (handleConfigHashChange, updateReferencingWorkloads) are all covered.
• Security: event messages carry only structural validation errors (err.Error() from Validate()) and logical workload Kind/Name references — never raw policy, secrets, bearer tokens, or fully-qualified internal URLs. A test asserts the ExternalAuth deletion event omits the token URL and secret ref.

Low level

File	Change
cmd/thv-operator/controllers/config_controller_events.go	New: shared event reasons/actions, emitConfigEvent, emitConfigRecoveryEvent, conditionStatusIs.
cmd/thv-operator/controllers/mcpoidcconfig_controller.go	Recorder field + RBAC marker; emit ConfigInvalid, ConfigValid, DeletionBlocked.
cmd/thv-operator/controllers/mcpexternalauthconfig_controller.go	Recorder field + RBAC marker; emit on inline + OBO failure, both recovery paths, and deletion-block.
cmd/thv-operator/controllers/mcpauthzconfig_controller.go	Recorder field + RBAC marker; emit ConfigInvalid, ConfigValid, DeletionBlocked.
cmd/thv-operator/app/app.go	Wire Recorder for all three controllers.
cmd/thv-operator/controllers/config_controller_events_test.go	New: per-controller event tests (invalid → recovery, deletion-blocked), steady-state recovery path, nil-recorder safety, and message-sanitization assertions using events.NewFakeRecorder.

Type of change

• Bug fix
• New feature
• Breaking change
• Refactoring
• Documentation
• Other

Test plan

• task test (operator controllers + app unit suites) passes
• task build passes
• gofmt + go vet ./cmd/thv-operator/... clean (local task lint-fix blocked by a known golangci-lint go1.24/1.26 toolchain mismatch; CI lint is unaffected)
• New unit tests assert: Warning ConfigInvalid on validation failure, Normal ConfigValid on recovery (incl. the steady-state path), Warning DeletionBlocked when gated by a referencing workload, no event spam while staying invalid, nil-recorder safety, and that event messages don't leak the token URL / secret ref

Special notes for reviewers

• The events.k8s.io RBAC markers were added for parity with the sibling controllers, but task operator-manifests produces no diff — the aggregated role already granted events: create;patch from the existing five controllers.
• The integration suite (cmd/thv-operator/test-integration/...) was not run locally; it requires envtest control-plane binaries (/usr/local/kubebuilder/bin/etcd) that aren't installed in this environment.

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 83.01887% with 18 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.86%. Comparing base (5310d73) to head (5e9e04a).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
cmd/thv-operator/app/app.go	0.00%	9 Missing ⚠️
...or/controllers/mcpexternalauthconfig_controller.go	87.50%	1 Missing and 3 partials ⚠️
...v-operator/controllers/mcpoidcconfig_controller.go	90.90%	1 Missing and 2 partials ⚠️
...-operator/controllers/mcpauthzconfig_controller.go	90.00%	0 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5514      +/-   ##
==========================================
+ Coverage   69.84%   69.86%   +0.02%     
==========================================
  Files         647      648       +1     
  Lines       65796    65873      +77     
==========================================
+ Hits        45957    46024      +67     
- Misses      16494    16504      +10     
  Partials     3345     3345              

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jhrozek]

LGTM. The transition-gating is the tricky part here and it's done right — the wasInvalid/wasBlocked snapshot is read before MutateAndPatchStatus mutates conditions in place, so Warnings fire only on entering the bad state and the recovery Normal only on False->True. Verified the two ExternalAuth recovery sites are mutually exclusive, sanitization holds (events carry only Kind/Name, no token URL or secret ref), and the events.k8s.io RBAC markers produce no manifest diff since the aggregated role already grants them.

One minor thing, non-blocking: on the validation-failure path the event is emitted regardless of whether the status patch succeeded, so if the status write keeps failing the ConfigInvalid Warning will re-fire each reconcile. Fine to leave as-is given it's the only operator-visible signal in that case.

The base branch was changed.

[ChrisJBurns]

Thanks for the review @jhrozek. Addressed the non-blocking note about the validation-failure event re-firing in 38b69ff3:

on the validation-failure path the event is emitted regardless of whether the status patch succeeded, so if the status write keeps failing the ConfigInvalid Warning will re-fire each reconcile.

The transition gate (!wasInvalid / !wasBlocked) now also requires the MutateAndPatchStatus write to have succeeded (updateErr == nil) before emitting. If the status write keeps failing, the condition never persists, so previously the gate stayed open and the Warning re-fired every reconcile; it now fires once on a real, persisted transition. Applied to both the validation-failure and deletion-blocked paths across all three config controllers for parity. The OBO setInvalid path already returned on patch error before emitting, and the recovery Normal events already run only after a successful patch.

Also rebased onto latest main (resolved the controller conflicts against the squash-merged #5509), fixed the gocyclo regression the events introduced on MCPOIDCConfigReconciler.Reconcile, and reworded a comment that tripped codespell (PUTing).