Skip to content

PassthroughModel reports Ready even when the upstream credential Secret is missing/misnamed #110

Description

@dcmcand

The webhook validates that spec.provider.credentialSecretName is non-empty (passthroughmodel_webhook.go:201) but nothing verifies the referenced Secret exists or carries the expected apiKey key. If it is missing or misnamed, all gateway resources still apply, the CR goes Ready, and every upstream request 401s with no signal in CR status. This is new surface (LLMModels have no upstream credential).

A webhook hard-fail would be wrong - the Secret may legitimately be created after the CR. Instead, add a status condition (e.g. CredentialResolved) that the controller sets based on the Secret's presence and apiKey key, turning a silent runtime 401 into a visible status signal.

Surfaced in review of #96.

Acceptance

  • Controller reads the credential Secret during reconcile
  • A status condition reflects present-and-valid vs missing/misnamed
  • Condition does not block Ready on transient absence but is visible
  • Test coverage for both states

Metadata

Metadata

Assignees

No one assigned

    Labels

    Type

    No type

    Fields

    Priority

    None yet

    Start date

    None yet

    Target date

    None yet

    Size

    None yet

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions