

@JAORMX JAORMX commented Oct 24, 2025

Summary

Add Kubernetes-native secret reference support to InlineOIDCConfig, following the pattern established by MCPExternalAuthConfig. This enables secure OIDC client secret management without exposing secrets in YAML manifests or ConfigMaps.

Note: This PR builds on #2325 which was merged to add runtime environment variable support.

Changes

API Changes

  • ✅ Added ClientSecretRef *SecretKeyRef field to InlineOIDCConfig
  • ✅ Deprecated plaintext ClientSecret field (backward compatible)
  • ✅ ClientSecretRef takes precedence when both fields are provided

Implementation

  • ✅ Updated OIDC resolver to skip embedding secrets when using SecretKeyRef
  • ✅ Created GenerateOIDCClientSecretEnvVar() function for secret validation and env var generation
  • ✅ Integrated secret injection in MCPServer controller (2 locations)
  • ✅ Integrated secret injection in MCPRemoteProxy controller
  • ✅ Uses TOOLHIVE_OIDC_CLIENT_SECRET environment variable (added in #2325, "Add environment variable support for OIDC client secret")

Infrastructure

  • ✅ Bumped CRD chart version from 0.0.43 to 0.0.44
  • ✅ Bumped operator chart version from 0.3.1 to 0.3.2
  • ✅ Generated CRD manifests and API documentation
  • ✅ Updated architecture documentation (docs/arch/04-secrets-management.md)

Examples

  • ✅ Created mcpserver_with_inline_oidc_secretref.yaml
  • ✅ Created mcpremoteproxy_with_inline_oidc_secretref.yaml
  • ✅ Updated existing mcpserver_with_inline_oidc.yaml with notes about new approach

Security Benefits

✅ Secrets managed via Kubernetes RBAC
✅ Integration with external secret operators (Vault, AWS Secrets Manager)
✅ Secrets not exposed in YAML manifests or Git history
✅ Secrets not stored in ConfigMaps
✅ Namespace isolation enforced
✅ Audit trail via Kubernetes audit logs
✅ Consistent pattern across all ToolHive secret management

Example Usage

apiVersion: v1
kind: Secret
metadata:
  name: oidc-client-secret
  namespace: toolhive-system
type: Opaque
stringData:
  client-secret: "your-secret-value"
---
apiVersion: toolhive.stacklok.dev/v1alpha1
kind: MCPServer
metadata:
  name: my-server
spec:
  oidcConfig:
    type: inline
    inline:
      issuer: "https://github.com"
      clientId: "Iv1.abc123"
      clientSecretRef:
        name: oidc-client-secret
        key: client-secret

Testing

  • ✅ All linting checks passed (0 issues)
  • ✅ All unit tests passed
  • ✅ Followed existing patterns from TokenExchange implementation
  • ✅ Backward compatibility maintained

Related

Builds on #2325
Resolves #2321

🤖 Generated with Claude Code
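As an added illustration, not code from the PR or the ToolHive operator, the following stand-alone Go model captures the two rules the description states: a ClientSecretRef is injected as a reference-style env var named TOOLHIVE_OIDC_CLIENT_SECRET and takes precedence over the deprecated plaintext field, and the resolver embeds the secret in the ConfigMap only on the plaintext path. The SecretKeyRef, InlineOIDCConfig and EnvVar types and the ClientSecretEnvVar and ResolvedConfig functions are local stand-ins (assumptions), not the operator's API.

```go
package main

import "errors"

// SecretKeyRef is a local stand-in for the Kubernetes secretKeyRef shape (assumption).
type SecretKeyRef struct {
	Name string
	Key  string
}

// InlineOIDCConfig models the two client-secret fields described in the PR.
type InlineOIDCConfig struct {
	ClientSecret    string        // deprecated: plaintext in the manifest
	ClientSecretRef *SecretKeyRef // preferred: reference to a Kubernetes Secret
}

// EnvVar is a stdlib-only stand-in for corev1.EnvVar (assumption).
type EnvVar struct {
	Name      string
	Value     string        // literal value, deprecated path only
	SecretRef *SecretKeyRef // valueFrom.secretKeyRef, reference path
}

const EnvName = "TOOLHIVE_OIDC_CLIENT_SECRET"

// ClientSecretEnvVar builds the env var a controller would inject into the pod.
// The reference wins when both fields are set; a ref missing name or key is rejected.
func ClientSecretEnvVar(cfg InlineOIDCConfig) (*EnvVar, error) {
	if r := cfg.ClientSecretRef; r != nil {
		if r.Name == "" || r.Key == "" {
			return nil, errors.New("clientSecretRef needs both name and key")
		}
		// Only the reference is injected; the kubelet resolves the value at pod start.
		return &EnvVar{Name: EnvName, SecretRef: &SecretKeyRef{Name: r.Name, Key: r.Key}}, nil
	}
	if cfg.ClientSecret != "" {
		return &EnvVar{Name: EnvName, Value: cfg.ClientSecret}, nil
	}
	return nil, nil // no client secret configured
}

// ResolvedConfig returns the fields the resolver would write to the ConfigMap;
// the secret is embedded only on the deprecated plaintext path.
func ResolvedConfig(cfg InlineOIDCConfig) map[string]string {
	out := map[string]string{}
	if cfg.ClientSecretRef == nil && cfg.ClientSecret != "" {
		out["client_secret"] = cfg.ClientSecret
	}
	return out
}
```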

@JAORMX JAORMX requested a review from jhrozek October 24, 2025 15:09

codecov bot commented Oct 24, 2025

Codecov Report

❌ Patch coverage is 59.25926% with 22 lines in your changes missing coverage. Please review.
✅ Project coverage is 54.11%. Comparing base (3fffdcc) to head (aed5a0d).
⚠️ Report is 1 commits behind head on main.

Files with missing lines Patch % Lines
...d/thv-operator/controllers/mcpserver_controller.go 0.00% 16 Missing and 1 partial ⚠️
...-operator/controllers/mcpremoteproxy_deployment.go 44.44% 3 Missing and 2 partials ⚠️
Additional details and impacted files
@@           Coverage Diff           @@
##             main    #2324   +/-   ##
=======================================
  Coverage   54.10%   54.11%           
=======================================
  Files         239      239           
  Lines       23400    23453   +53     
=======================================
+ Hits        12660    12691   +31     
- Misses       9541     9560   +19     
- Partials     1199     1202    +3     


JAORMX and others added 3 commits October 24, 2025 19:18
…gement

Add Kubernetes-native secret reference support to InlineOIDCConfig,
following the pattern established by MCPExternalAuthConfig. This enables
secure OIDC client secret management without exposing secrets in YAML
manifests or ConfigMaps.

Changes:
- Add ClientSecretRef field to InlineOIDCConfig CRD type
- Deprecate plaintext ClientSecret field (backward compatible)
- Update OIDC resolver to skip embedding secrets when using SecretKeyRef
- Create GenerateOIDCClientSecretEnvVar function for secret validation
- Integrate secret injection in MCPServer and MCPRemoteProxy controllers
- Update token validator to load secrets from TOOLHIVE_OIDC_CLIENT_SECRET
- Bump CRD chart version from 0.0.43 to 0.0.44
- Update architecture documentation and add example manifests

Security benefits:
- Secrets managed via Kubernetes RBAC
- Integration with external secret operators (Vault, AWS Secrets Manager)
- Secrets not exposed in YAML manifests or Git history
- Consistent pattern across all ToolHive secret management

Resolves: #2321

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
The operator chart version needs to be bumped when CRDs are updated to ensure
compatibility during Helm chart testing.

This fixes the Helm chart test failure where the operator pod was crashing
due to CRD version mismatch.
Add unit tests to verify:
- GenerateOIDCClientSecretEnvVar function with various scenarios
- OIDC resolver behavior with ClientSecretRef
- Precedence when both ClientSecret and ClientSecretRef are provided
- Backward compatibility with existing ClientSecret field

All tests pass successfully.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@JAORMX JAORMX force-pushed the feature/secretkeyref-oidc branch from 8a96756 to 1e47b3a October 24, 2025 16:19
Signed-off-by: ChrisJBurns <29541485+ChrisJBurns@users.noreply.github.com>
@ChrisJBurns ChrisJBurns merged commit bb0e6c9 into main Oct 24, 2025
31 checks passed
@ChrisJBurns ChrisJBurns deleted the feature/secretkeyref-oidc branch October 24, 2025 18:31
Successfully merging this pull request may close these issues.

Add SecretKeyRef support to InlineOIDCConfig for enhanced secret management