The webhook validates that spec.provider.credentialSecretName is non-empty (passthroughmodel_webhook.go:201) but nothing verifies the referenced Secret exists or carries the expected apiKey key. If it is missing or misnamed, all gateway resources still apply, the CR goes Ready, and every upstream request 401s with no signal in CR status. This is new surface (LLMModels have no upstream credential).
A webhook hard-fail would be wrong - the Secret may legitimately be created after the CR. Instead, add a status condition (e.g. CredentialResolved) that the controller sets based on the Secret's presence and apiKey key, turning a silent runtime 401 into a visible status signal.
Surfaced in review of #96.
Acceptance
- Controller reads the credential Secret during reconcile
- A status condition reflects present-and-valid vs missing/misnamed
- Condition does not block
Ready on transient absence but is visible
- Test coverage for both states
The webhook validates that
spec.provider.credentialSecretNameis non-empty (passthroughmodel_webhook.go:201) but nothing verifies the referenced Secret exists or carries the expectedapiKeykey. If it is missing or misnamed, all gateway resources still apply, the CR goesReady, and every upstream request 401s with no signal in CR status. This is new surface (LLMModels have no upstream credential).A webhook hard-fail would be wrong - the Secret may legitimately be created after the CR. Instead, add a status condition (e.g.
CredentialResolved) that the controller sets based on the Secret's presence andapiKeykey, turning a silent runtime 401 into a visible status signal.Surfaced in review of #96.
Acceptance
Readyon transient absence but is visible