Add Redis Storage Backend for Auth Server

[tgrunnagle]

Closes #3628

Summary

Implements a Redis Sentinel-backed storage backend for the authorization server's Storage interface, enabling horizontal scaling of ToolHive auth servers. Multiple instances can now share authentication state via Redis with automatic failover support. This is Phase 1 of the Redis Storage feature, providing the core implementation with comprehensive unit tests.

Changes Made

Storage Backend (pkg/authserver/storage/)

• Added RedisStorage struct implementing all 30+ methods of the Storage interface
• Implemented serialization wrappers (storedSession, storedClient, storedProviderIdentity, etc.) for JSON storage
• Used Redis TTL for automatic token expiration instead of background cleanup
• Created secondary indexes for request ID lookups required by RFC 7009 token revocation
• Added Lua script for atomic UpdateProviderIdentityLastUsed operation to prevent race conditions
• Implemented compile-time interface compliance check

Key Generation (pkg/authserver/storage/redis_keys.go)

• Added DeriveKeyPrefix function using hash tag format thv:auth:{ns:name}: for Redis Cluster slot co-location
• Defined key type constants for all stored data types (access tokens, refresh tokens, auth codes, PKCE, clients, users, etc.)
• Added helper functions for consistent key generation

Configuration (pkg/authserver/storage/config.go)

• Added TypeRedis storage type constant
• Added RedisRunConfig and related types for serializable configuration (Sentinel addresses, ACL credentials, timeouts)
• Credentials read from environment variables for security

Dependencies (go.mod)

• Added github.com/redis/go-redis/v9 for Redis client with Sentinel support
• Added github.com/alicebob/miniredis/v2 for unit testing

Implementation Details

• Sentinel-only deployment mode enforced (standalone Redis not supported for HA requirements)
• ACL user authentication required (legacy AUTH not supported for security)
• Hash tag format {ns:name} combines namespace and name to ensure all keys for a server land in the same Redis Cluster slot
• TTL set on secondary index sets to prevent memory growth from orphaned indexes
• Form field serialization preserves multi-value support (url.Values stored as map[string][]string)

Testing

• Comprehensive unit tests using miniredis (no external Redis required)
• 85.2% code coverage (exceeds 80% requirement)
• Tests cover all Storage interface methods, error handling, TTL behavior, and concurrent access
• Edge cases tested: expired tokens, non-existent resources, duplicate creation, input validation

Additional Notes

• Future work: Integration tests with real Redis (Phase 2), Operator CRD updates (Phase 3)
• Parent epic: stacklok/stacklok-epics#197

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[codecov]

Codecov Report

❌ Patch coverage is 72.83582% with 182 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.03%. Comparing base (f6ac332) to head (ac645ba).

Files with missing lines	Patch %	Lines
pkg/authserver/storage/redis.go	72.50%	123 Missing and 59 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3639      +/-   ##
==========================================
+ Coverage   65.86%   66.03%   +0.17%     
==========================================
  Files         413      415       +2     
  Lines       40953    41623     +670     
==========================================
+ Hits        26974    27487     +513     
- Misses      11891    11985      +94     
- Partials     2088     2151      +63     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.