Conversation

@tgrunnagle tgrunnagle (Contributor) commented Jan 28, 2026

Summary

Add the embeddedAuthServer authentication type to the MCPExternalAuthConfig CRD, enabling MCP servers in Kubernetes to integrate with an embedded OAuth2/OIDC authorization server.

Issue: stacklok/stacklok-epics#226

Changes

  • Add ExternalAuthTypeEmbeddedAuthServer constant with value "embeddedAuthServer"
  • Add EmbeddedAuthServerConfig struct with configuration for:
    • Issuer URL (HTTPS required, no trailing slash per RFC 8414)
    • Signing key secret references (1-5 keys for rotation)
    • HMAC secret references for opaque token signing
    • Token lifespan configuration (access, refresh, auth code)
    • Upstream provider configuration (OIDC or OAuth2)
    • Allowed audiences for RFC 8707 resource validation
  • Add TokenLifespanConfig, UpstreamProviderConfig, OIDCUpstreamConfig, and OAuth2UpstreamConfig structs
  • Add webhook validation ensuring:
    • Config exclusivity (embeddedAuthServer not set with other auth types)
    • Single upstream provider limit (runtime validation for future multi-IDP support)
    • Upstream provider type/config consistency
  • Add placeholder handling in controller code for future integration
  • Bump operator-crds chart version to 0.0.105

Test Plan

  • New unit tests for embeddedAuthServer webhook validation (15+ test cases)
  • Existing webhook tests pass
  • CRD generation succeeds (task operator-generate && task operator-manifests)
  • Helm template renders correctly
  • Chart linting passes

Large PR Justification

  • Most lines are generated.
  • Majority of remaining lines are unit tests with no logical redundancy.

@github-actions github-actions bot added the size/XL Extra large PR: 1000+ lines changed label Jan 28, 2026
@github-actions github-actions bot left a comment

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.


This review will be automatically dismissed once you add the justification section.

@codecov codecov bot commented Jan 28, 2026

Codecov Report

❌ Patch coverage is 68.88889% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.28%. Comparing base (d3c579d) to head (1ad3ede).
⚠️ Report is 2 commits behind head on main.

Files with missing lines                                  Patch %   Lines
...ator/api/v1alpha1/mcpexternalauthconfig_webhook.go     75.60%    5 Missing and 5 partials ⚠️
...perator/controllers/virtualmcpserver_deployment.go      0.00%    2 Missing ⚠️
...d/thv-operator/pkg/controllerutil/tokenexchange.go      0.00%    2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3488      +/-   ##
==========================================
- Coverage   65.34%   65.28%   -0.07%     
==========================================
  Files         403      403              
  Lines       39206    39223      +17     
==========================================
- Hits        25618    25605      -13     
- Misses      11607    11627      +20     
- Partials     1981     1991      +10     

☔ View full report in Codecov by Sentry.

@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Jan 28, 2026
@github-actions github-actions bot dismissed their stale review January 28, 2026 19:50

Large PR justification has been provided. Thank you!

@github-actions github-actions bot (Contributor)

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

@tgrunnagle tgrunnagle marked this pull request as ready for review January 28, 2026 19:52
@jhrozek jhrozek (Contributor) left a comment

I think the audiences field should be removed. I also think it would be nice to at least provide a nice default for scopes and redirectUrl.

jhrozek
jhrozek previously approved these changes Jan 29, 2026
@tgrunnagle tgrunnagle force-pushed the auth-server_issue-226_2026-01-28 branch from 00fa629 to 6f8c0fe Compare January 29, 2026 16:54
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Jan 29, 2026
jhrozek
jhrozek previously approved these changes Jan 29, 2026
Add support for embedded OAuth2/OIDC authorization server configuration
in the MCPExternalAuthConfig CRD. This enables MCP servers in Kubernetes
to integrate with an embedded auth server that delegates to upstream IDPs.

New types added:
- EmbeddedAuthServerConfig: Main config with issuer, signing keys, HMAC
  secrets, token lifespans, upstream providers, and allowed audiences
- TokenLifespanConfig: Duration settings for access/refresh/auth code tokens
- UpstreamProviderConfig: Upstream IDP config with OIDC/OAuth2 support
- OIDCUpstreamConfig: OIDC-specific configuration with discovery support
- OAuth2UpstreamConfig: OAuth2-specific configuration with explicit endpoints

Webhook validation ensures:
- Mutual exclusivity between auth config types
- Upstream provider type matches its config (oidc/oauth2)
- Currently only one upstream provider is supported

Closes stacklok/stacklok-epics#226

Update deploy/charts/operator-crds/README.md

Address internal review feedback

Align CRDs with go config types

Run `task crdref-gen`

Address feedback

- Remove `AllowedAudiences` and `ScopesSupported` from `EmbeddedAuthServerConfig`
- Make `RedirectURI` optional so that an MCPExternalAuthConfig can be shared among multiple MCP servers. If not specified, it will default to `{mcp_server_url}/oauth/callback`
- Reduce code duplication in the MCPExternalAuthConfig webhook and update the corresponding tests
- Re-run `task operator-generate && task operator-manifests`, `task build`, `task test`, `task crdref-gen`, `pre-commit run --all-files`

Update inaccurate comment

CRD updates

- Update issuer validation pattern to allow the `http` scheme and prohibit query and fragment
- Make `HMACSecretRefs` and `SigningKeySecretRefs` optional (given ephemeral HMAC and key support)
- Run generate tasks, build, test, crdref-gen

Fix lint
And run `pre-commit run --all-files`
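Added example, not the project's code: a hypothetical Go re-implementation of the webhook rules this PR and its commit messages describe, namely the issuer URL form (http or https, no query or fragment, no trailing slash), the single-upstream-provider limit, and provider type matching its populated config block. Type and field names are assumed stand-ins for the CRD types named above; the config-exclusivity rule and secret-reference checks are not covered here.

```go
package main

import (
	"errors"
	"net/url"
	"strings"
)

// Hypothetical, trimmed-down stand-ins for the CRD types named in the PR.
type OIDCUpstreamConfig struct{ IssuerURL string }
type OAuth2UpstreamConfig struct{ AuthorizationEndpoint, TokenEndpoint string }
type UpstreamProviderConfig struct {
	Type   string // "oidc" or "oauth2"
	OIDC   *OIDCUpstreamConfig
	OAuth2 *OAuth2UpstreamConfig
}
type EmbeddedAuthServerConfig struct {
	Issuer            string
	UpstreamProviders []UpstreamProviderConfig
}

// ValidateIssuer applies the issuer rules from the commit messages: http or https
// scheme only, no query or fragment, and no trailing slash (RFC 8414 issuer form).
func ValidateIssuer(issuer string) error {
	u, err := url.Parse(issuer)
	switch {
	case err != nil || u.Host == "" || (u.Scheme != "https" && u.Scheme != "http"):
		return errors.New("issuer must be an absolute http(s) URL")
	case u.RawQuery != "" || u.Fragment != "" || strings.HasSuffix(u.Path, "/"):
		return errors.New("issuer must not carry a query, fragment or trailing slash")
	}
	return nil
}

// ValidateEmbeddedAuthServer mirrors two webhook rules from the PR description:
// exactly one upstream provider for now, and provider type matching its config block.
func ValidateEmbeddedAuthServer(cfg EmbeddedAuthServerConfig) error {
	if err := ValidateIssuer(cfg.Issuer); err != nil {
		return err
	}
	if len(cfg.UpstreamProviders) != 1 {
		return errors.New("exactly one upstream provider is currently supported")
	}
	p := cfg.UpstreamProviders[0]
	if !(p.Type == "oidc" && p.OIDC != nil && p.OAuth2 == nil) &&
		!(p.Type == "oauth2" && p.OAuth2 != nil && p.OIDC == nil) {
		return errors.New("upstream provider type " + p.Type + " does not match its config block")
	}
	return nil
}
```

A real admission webhook would return these as field-scoped errors so that kubectl points at the offending path; the checks themselves are the same.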
@tgrunnagle tgrunnagle force-pushed the auth-server_issue-226_2026-01-28 branch from 6f8c0fe to 63bca5f Compare January 30, 2026 16:29
@github-actions github-actions bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Jan 30, 2026
@tgrunnagle tgrunnagle merged commit f9ecdf7 into main Jan 30, 2026
36 checks passed
@tgrunnagle tgrunnagle deleted the auth-server_issue-226_2026-01-28 branch January 30, 2026 19:40