Add AuthServerConfigRef CRD field, config model, and JwksAllowPrivateIP

[jhrozek]

Summary

• The vMCP embedded authorization server feature (Phase 1: Foundation — add AuthServerConfig model, CRD field, and structural validation #4140) needs CRD and config scaffolding before the runtime can be wired. This PR adds the foundational types and validation without changing any runtime behavior.
• Add AuthServerConfigRef field to VirtualMCPServerSpec for referencing an MCPExternalAuthConfig with type embeddedAuthServer
• Add AuthServer field (*authserver.RunConfig) to the vMCP runtime config model
• Add JwksAllowPrivateIP to OIDCConfig for loopback JWKS fetches when the embedded auth server's OIDC discovery endpoint is on a private address
• Move ExternalAuthConfigRef to mcpexternalauthconfig_types.go (same package, pure code organization)
• Add structural validation and condition constants for the new field

Fixes #4140

Type of change

• New feature

Test plan

• e2e testing as part of a large branch from which I cherry-picked this PR from

Changes

File	Change
cmd/thv-operator/api/v1alpha1/virtualmcpserver_types.go	Add AuthServerConfigRef field with godoc, kubebuilder markers, and validation
cmd/thv-operator/api/v1alpha1/virtualmcpserver_types_test.go	Table-driven tests for validateAuthServerConfig()
cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go	Move ExternalAuthConfigRef here from mcpserver_types.go
cmd/thv-operator/api/v1alpha1/mcpserver_types.go	Remove ExternalAuthConfigRef (moved)
pkg/vmcp/config/config.go	Add RuntimeConfig.AuthServer and OIDCConfig.JwksAllowPrivateIP
pkg/vmcp/auth/factory/incoming.go	OR JwksAllowPrivateIP with ProtectedResourceAllowPrivateIP
Generated files	deepcopy, CRD manifests, CRD reference docs

Does this introduce a user-facing change?

No. This adds CRD fields and config types but does not wire them into any runtime code path yet.

Special notes for reviewers

• JwksAllowPrivateIP is OR'd with ProtectedResourceAllowPrivateIP in the auth factory so that either flag enables private-IP JWKS fetches. This is needed because the embedded auth server runs on a loopback address in-cluster.
• The AuthServerConfigRef validation only checks structural correctness (non-empty name, correct type). Full semantic validation (e.g., referenced resource exists and is ready) will come in a follow-up controller reconciliation PR.

Generated with Claude Code

Large PR Justification

• added new fields into CRDs which adds a bunch of autogenerated YAML. The logic in this PR is minimal.

[codecov]

Codecov Report

❌ Patch coverage is 72.72727% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.56%. Comparing base (e735122) to head (4d134f3).

Files with missing lines	Patch %	Lines
...hv-operator/api/v1alpha1/virtualmcpserver_types.go	80.00%	0 Missing and 2 partials ⚠️
pkg/vmcp/auth/factory/incoming.go	0.00%	1 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4286      +/-   ##
==========================================
- Coverage   68.61%   68.56%   -0.05%     
==========================================
  Files         478      478              
  Lines       48450    48466      +16     
==========================================
- Hits        33243    33233      -10     
- Misses      12367    12379      +12     
- Partials     2840     2854      +14     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jerm-dro]

Nit: explain how this relates to the auth config available in config. "If set, then the embedded auth server will be used for inbound auth and config.inbound (or whatever the field is)."

[jhrozek]

will do (and will keep the comment unresolved until I do)

[jhrozek]

done in this push

[jerm-dro]

Blocker: Can we inline AuthServer into Config? This follows the pattern with other config fields that may be overwritten by "refs." It's nice to have this inline in the config because operators who don't want to bother with the external CRD may define the configuration directly on the vMCP. Also, it simplifies the plumbing of config for developers. The operator just reads the ref'ed CRD and writes it into the config, which already exists on the spec and plumbs through predictably.

[jhrozek]

OK, I thought the refs might be easier in the future because I'd like to move to a separate CRD fro configuring the authserver eventually but I haven't really started on that..plus we can always inline it.

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.