
@yrobla yrobla commented Nov 25, 2025

Implement header injection authentication type for MCPExternalAuthConfig, enabling backend MCP servers to receive custom authentication headers.

Changes:

  • Add HeaderInjectionConfig to CRD with headerName and value/valueSecretRef
  • Implement converter registry pattern for extensible auth type handling
  • Create HeaderInjectionConverter for header_injection strategy
  • Refactor TokenExchangeConverter to use new registry pattern
  • Update RBAC rules to grant vMCP access to mcpexternalauthconfigs
  • Add controllerutil support for header injection validation
  • Bump operator CRD chart version to 0.0.63
  • Include example YAML demonstrating header injection usage

Header injection allows backends to authenticate using custom HTTP headers (e.g., X-API-Key) with values from either direct configuration or K8s secrets.

The converter registry provides a clean abstraction for adding new auth types without modifying core authentication logic, following the Open/Closed Principle.

Large PR Justification

This PR implements header injection authentication for vMCP with two refactorings that must be atomic:

  1. Security fix cannot be separated: Removes Value field from HeaderInjectionConfig before initial release to prevent users from hardcoding credentials in CRDs. Shipping the feature with this field would introduce a security vulnerability.
  2. Factory simplification addresses review feedback: Simplifies outgoing auth factory per @jhrozek's request, removing on-demand registration complexity (176→72 lines). Must ship together since both modify the same auth infrastructure - splitting would cause merge conflicts and require multiple CRD regenerations.
  3. Generated code: CRD manifests and extensive test updates that cannot be meaningfully split.

Separating these changes would either compromise security or require maintaining deprecated code paths temporarily.

🤖 Generated with Claude Code
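
As an added illustration (not ToolHive's code), the following Go sketch shows the shape the description outlines: a StrategyConverter registered under the "header_injection" key, a config that carries only a secret reference (matching the justification that the direct Value field was dropped), and a converter that validates the header name and resolves the value from a Secret before setting the header. SecretRef, SecretResolver, Registry and the method signatures are assumptions for this example.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// SecretRef names a Kubernetes Secret key; the CRD stores only this reference, never the credential.
type SecretRef struct{ Name, Key string }

// HeaderInjectionConfig mirrors the PR's shape: a header name plus a secret reference for its value.
type HeaderInjectionConfig struct {
	HeaderName     string
	ValueSecretRef *SecretRef
}

// SecretResolver stands in for the Kubernetes Secret lookup (a hypothetical hook for this example).
type SecretResolver func(ref SecretRef) (string, error)

// StrategyConverter turns a strategy-specific config into a function that sets outgoing headers.
type StrategyConverter interface {
	Convert(cfg any, resolve SecretResolver) (func(http.Header), error)
}

// Registry maps strategy names to converters: a new auth type is one Register call away.
type Registry map[string]StrategyConverter
func (r Registry) Register(strategy string, c StrategyConverter) { r[strategy] = c }

func (r Registry) Convert(strategy string, cfg any, resolve SecretResolver) (func(http.Header), error) {
	if c, ok := r[strategy]; ok {
		return c.Convert(cfg, resolve)
	}
	return nil, fmt.Errorf("unknown auth strategy %q", strategy)
}

// HeaderInjectionConverter implements the "header_injection" strategy.
type HeaderInjectionConverter struct{}
func (HeaderInjectionConverter) Convert(cfg any, resolve SecretResolver) (func(http.Header), error) {
	hc, ok := cfg.(HeaderInjectionConfig)
	// A CR, LF, space or colon in the name would corrupt the request; the value must come from a Secret.
	if !ok || hc.HeaderName == "" || strings.ContainsAny(hc.HeaderName, " \r\n:") || hc.ValueSecretRef == nil {
		return nil, fmt.Errorf("header_injection: config needs a token-safe headerName and a valueSecretRef")
	}
	value, err := resolve(*hc.ValueSecretRef)
	if err != nil {
		return nil, fmt.Errorf("header_injection: resolving secret: %w", err)
	}
	return func(h http.Header) { h.Set(hc.HeaderName, value) }, nil
}
```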

@yrobla yrobla requested a review from Copilot November 25, 2025 15:44
@github-actions github-actions bot added the size/M Medium PR: 300-599 lines changed label Nov 25, 2025
codecov bot commented Nov 25, 2025

Codecov Report

❌ Patch coverage is 90.34483% with 14 lines in your changes missing coverage. Please review.
✅ Project coverage is 55.96%. Comparing base (cbdb755) to head (10dc1f6).
⚠️ Report is 10 commits behind head on main.

| Files with missing lines | Patch % | Lines |
| --- | --- | --- |
| ...d/thv-operator/pkg/controllerutil/tokenexchange.go | 0.00% | 9 Missing ⚠️ |
| pkg/vmcp/auth/factory/outgoing.go | 75.00% | 0 Missing and 3 partials ⚠️ |
| cmd/vmcp/app/commands.go | 0.00% | 1 Missing ⚠️ |
| test/integration/vmcp/helpers/vmcp_server.go | 0.00% | 1 Missing ⚠️ |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2730      +/-   ##
==========================================
+ Coverage   55.57%   55.96%   +0.38%     
==========================================
  Files         314      318       +4     
  Lines       30460    30677     +217     
==========================================
+ Hits        16928    17168     +240     
+ Misses      12040    12022      -18     
+ Partials     1492     1487       -5     


Copilot AI left a comment


Pull request overview

This PR adds header injection authentication support to the MCP system, enabling backend MCP servers to receive custom authentication headers (like API keys). The implementation follows a clean registry pattern that allows for extensible auth type handling without modifying core authentication logic.

Key changes:

  • Introduced HeaderInjectionConfig CRD type with XOR validation between direct value and secret reference
  • Implemented converter registry pattern with StrategyConverter interface for pluggable auth types
  • Added HeaderInjectionConverter and refactored existing token exchange logic to use the new registry

Reviewed changes

Copilot reviewed 13 out of 13 changed files in this pull request and generated 6 comments.

| File | Description |
| --- | --- |
| cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go | Added HeaderInjectionConfig struct and ExternalAuthType enum with headerInjection support |
| cmd/thv-operator/api/v1alpha1/zz_generated.deepcopy.go | Auto-generated deepcopy methods for HeaderInjectionConfig |
| deploy/charts/operator-crds/crds/toolhive.stacklok.dev_mcpexternalauthconfigs.yaml | Added headerInjection CRD schema with XOR validation rule |
| deploy/charts/operator-crds/Chart.yaml | Bumped CRD chart version to 0.0.63 |
| deploy/charts/operator-crds/README.md | Updated version badge to 0.0.63 |
| docs/operator/crd-api.md | Added documentation for ExternalAuthType and HeaderInjectionConfig |
| pkg/vmcp/auth/converters/interface.go | New converter registry pattern with StrategyConverter interface |
| pkg/vmcp/auth/converters/token_exchange.go | Refactored token exchange converter to implement StrategyConverter interface |
| pkg/vmcp/auth/converters/header_injection.go | New header injection converter with secret resolution support |
| pkg/vmcp/auth/converters/external_auth_config.go | Backward compatibility wrapper for existing external auth config usage |
| cmd/thv-operator/pkg/controllerutil/tokenexchange.go | Added header injection handling in AddExternalAuthConfigOptions |
| cmd/thv-operator/controllers/virtualmcpserver_deployment.go | Updated RBAC rules to grant vMCP access to mcpexternalauthconfigs |
| examples/operator/external-auth/header_injection_example.yaml | Example YAML demonstrating header injection usage |

@yrobla yrobla force-pushed the feature/header-injection-auth branch from d94e284 to c28194a Compare November 25, 2025 15:54
@github-actions github-actions bot added the size/XL Extra large PR: 1000+ lines changed label and removed the size/M Medium PR: 300-599 lines changed label Nov 25, 2025
@github-actions github-actions bot left a comment


Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.
This review will be automatically dismissed once you add the justification section.

@github-actions

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

@github-actions github-actions bot dismissed their stale review November 25, 2025 16:24

Large PR justification has been provided. Thank you!

@yrobla yrobla force-pushed the feature/header-injection-auth branch from 7056f69 to 6bda036 Compare November 25, 2025 16:26

Copilot AI left a comment


Pull request overview

Copilot reviewed 20 out of 20 changed files in this pull request and generated 4 comments.

@yrobla yrobla force-pushed the feature/header-injection-auth branch from 6bda036 to 800a1be Compare November 26, 2025 09:50
@github-actions github-actions bot removed the size/XL Extra large PR: 1000+ lines changed label Nov 26, 2025

Copilot AI left a comment


Pull request overview

Copilot reviewed 21 out of 21 changed files in this pull request and generated 5 comments.

@yrobla yrobla force-pushed the feature/header-injection-auth branch from fe0da5a to a9ee52f Compare November 26, 2025 10:34
@yrobla yrobla requested a review from Copilot November 26, 2025 10:34

Copilot AI left a comment


Pull request overview

Copilot reviewed 22 out of 22 changed files in this pull request and generated no new comments.

@yrobla yrobla force-pushed the feature/header-injection-auth branch from a9ee52f to 8c2a397 Compare November 26, 2025 10:59
@yrobla yrobla requested a review from Copilot November 26, 2025 11:01

Copilot AI left a comment


Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated 4 comments.

@yrobla yrobla force-pushed the feature/header-injection-auth branch from 8c2a397 to 77cfe13 Compare November 26, 2025 11:16
@yrobla yrobla force-pushed the feature/header-injection-auth branch from 77cfe13 to 10dc1f6 Compare November 26, 2025 14:23
@yrobla yrobla requested review from JAORMX and jhrozek November 26, 2025 14:25

@jhrozek jhrozek left a comment


I have two nits for later, but I'm fine cleaning them in a follow-up

@yrobla yrobla merged commit 3e4fd23 into main Nov 26, 2025
37 checks passed
@yrobla yrobla deleted the feature/header-injection-auth branch November 26, 2025 14:37
Labels

size/XL Extra large PR: 1000+ lines changed
