Generated with Claude Code
Description
After the isolated gateway deployment work in #436 / #472, MCPGatewayExtension and MCPServerRegistration controllers correctly write to per-namespace config secrets using config.NamespaceName(namespace). However, the MCPVirtualServer controller was not updated — it still writes to the hardcoded config.DefaultNamespaceName (mcp-system/mcp-gateway-config).
This means VirtualMCPServer CRs have no effect in gateway-per-namespace deployments, since the broker in each namespace reads its own mcp-gateway-config secret, not the one in mcp-system.
Code Reference
internal/controller/mcpvirtualserver_controller.go:87:
if err := r.ConfigReaderWriter.WriteVirtualServerConfig(ctx, vsConfig, config.DefaultNamespaceName); err != nil {Compare with the other controllers which were updated:
internal/controller/mcpserverregistration_controller.go:224:
r.ConfigReaderWriter.UpsertMCPServer(ctx, *mcpServerconfig, config.NamespaceName(configNs))
internal/controller/mcpgatewayextension_controller.go:208:
r.ConfigWriterDeleter.EnsureConfigExists(ctx, config.NamespaceName(mcpExt.Namespace))
Impact
In multi-tenant deployments (gateway-per-namespace), VirtualMCPServer tool filtering does not work. The workaround is to manually patch the target namespace's mcp-gateway-config secret with the virtualServers: section and restart the broker.
Related Issues
Notes
I understand #708 is reviewing the overall MCPVirtualServer API direction. This issue is narrower — regardless of API direction, the current controller should write to the same namespace as the MCPGatewayExtension it serves, consistent with how the other controllers were updated in #472.
Description
After the isolated gateway deployment work in #436 / #472,
MCPGatewayExtensionandMCPServerRegistrationcontrollers correctly write to per-namespace config secrets usingconfig.NamespaceName(namespace). However, theMCPVirtualServercontroller was not updated — it still writes to the hardcodedconfig.DefaultNamespaceName(mcp-system/mcp-gateway-config).This means VirtualMCPServer CRs have no effect in gateway-per-namespace deployments, since the broker in each namespace reads its own
mcp-gateway-configsecret, not the one inmcp-system.Code Reference
internal/controller/mcpvirtualserver_controller.go:87:Compare with the other controllers which were updated:
internal/controller/mcpserverregistration_controller.go:224:internal/controller/mcpgatewayextension_controller.go:208:Impact
In multi-tenant deployments (gateway-per-namespace), VirtualMCPServer tool filtering does not work. The workaround is to manually patch the target namespace's
mcp-gateway-configsecret with thevirtualServers:section and restart the broker.Related Issues
targetRef)Notes
I understand #708 is reviewing the overall MCPVirtualServer API direction. This issue is narrower — regardless of API direction, the current controller should write to the same namespace as the MCPGatewayExtension it serves, consistent with how the other controllers were updated in #472.