
fix(noderesource): forward auth headers from kube-rbac-proxy to sidecar #275

Merged
bdchatham merged 1 commit into main from fix/rbac-proxy-forward-auth-header
May 18, 2026

Conversation

@bdchatham
Collaborator

Summary

Adds `--auth-header-fields-enabled=true` to the kube-rbac-proxy args so the proxy emits `X-Remote-User` after a successful TokenReview + SAR. The sidecar runs in `trusted-header` authn mode and rejects any upstream-forwarded request that lacks this header with 401.

How it surfaced

After PR #274 fixed the `apiGroup` field name, the smoke test progressed past the proxy's SAR check — and immediately tripped the sidecar's authn:

sidecar generate-identity task submission returned 401: {"error":"missing X-Remote-User header"}

`--auth-header-fields-enabled` defaults to `false` in kube-rbac-proxy v0.19.x. With it off, the proxy authorizes successfully but forwards a bare request — the sidecar then has no way to know which identity passed auth, so it rejects.

Scope

  • SeiNode StatefulSet proxy (`internal/noderesource/noderesource.go`)
  • Bootstrap pod proxy (`internal/task/bootstrap_resources.go`)

Both proxy instances need the flag; the bootstrap pod uses the same sidecar trusted-header authn path.

Test plan

  • `TestPodSpec_KubeRBACProxyContainerArgs` asserts the new flag is present
  • `make test` passes
  • After merge + image build + harbor manager-patch bump: re-trigger nightly-load, confirm both SNDs reach Ready

🤖 Generated with Claude Code

Add --auth-header-fields-enabled=true to the kube-rbac-proxy args so
the proxy emits X-Remote-User after successful TokenReview + SAR.
The sidecar runs in trusted-header authn mode (SEI_SIDECAR_AUTHN_MODE
=trusted-header) and rejects upstream-forwarded requests that lack
this header with 401.

Applied to both the SeiNode StatefulSet proxy and the bootstrap pod
proxy.
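
The failure and the fix described in this PR, reproduced in-process as an added example (not code from this repository or from kube-rbac-proxy). `trustedHeaderAuthn`, `newSidecar`, `forward`, the `/tasks` path and the sample user are hypothetical; only the header name, the 401 status and the error body come from the page.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Per the PR, the proxy sends this only with --auth-header-fields-enabled=true.
const remoteUserHeader = "X-Remote-User"

// trustedHeaderAuthn is a hypothetical stand-in for the sidecar's
// trusted-header mode: it checks no token itself and relies on the proxy in
// front of it to have authenticated and authorized the caller.
func trustedHeaderAuthn(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get(remoteUserHeader) == "" {
			w.WriteHeader(http.StatusUnauthorized)
			fmt.Fprint(w, `{"error":"missing X-Remote-User header"}`)
			return
		}
		next.ServeHTTP(w, r)
	})
}

func newSidecar() http.Handler {
	return trustedHeaderAuthn(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "accepted for %s", r.Header.Get(remoteUserHeader))
	}))
}

// forward models what reaches the sidecar after the proxy's TokenReview + SAR
// succeeded. flagEnabled mirrors the proxy flag; user is a constructed value.
func forward(sidecar http.Handler, flagEnabled bool, user string) (int, string) {
	req := httptest.NewRequest(http.MethodPost, "/tasks", nil) // path is made up
	if flagEnabled {
		req.Header.Set(remoteUserHeader, user)
	}
	rec := httptest.NewRecorder()
	sidecar.ServeHTTP(rec, req)
	return rec.Code, rec.Body.String()
}

func main() {
	for _, enabled := range []bool{false, true} {
		code, body := forward(newSidecar(), enabled, "system:serviceaccount:example:controller")
		fmt.Printf("flag=%v -> %d %s\n", enabled, code, body)
	}
}
```

Because a handler in this mode accepts whatever value the header carries, its listener should be reachable only from the proxy container (for example, bound to loopback inside the pod).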
@cursor

cursor Bot commented May 18, 2026

You have used all Bugbot PR reviews included in your free trial for your GitHub account on this workspace.

To continue using Bugbot reviews, enable Bugbot for your team in the Cursor dashboard.

@bdchatham bdchatham merged commit bce4a2b into main May 18, 2026
2 checks passed
bdchatham added a commit that referenced this pull request May 18, 2026
Picks up the kube-rbac-proxy --auth-header-fields-enabled fix so
prod + dev get the working X-Remote-User forwarding on next Flux
reconcile.