Add embeddedAuthServer type to MCPExternalAuthConfig CRD

[tgrunnagle]

Summary

Add the embeddedAuthServer authentication type to the MCPExternalAuthConfig CRD, enabling MCP servers in Kubernetes to integrate with an embedded OAuth2/OIDC authorization server.

Issue: stacklok/stacklok-epics#226

Changes

• Add ExternalAuthTypeEmbeddedAuthServer constant with value "embeddedAuthServer"
• Add EmbeddedAuthServerConfig struct with configuration for:
  • Issuer URL (HTTPS required, no trailing slash per RFC 8414)
  • Signing key secret references (1-5 keys for rotation)
  • HMAC secret references for opaque token signing
  • Token lifespan configuration (access, refresh, auth code)
  • Upstream provider configuration (OIDC or OAuth2)
  • Allowed audiences for RFC 8707 resource validation
• Add TokenLifespanConfig, UpstreamProviderConfig, OIDCUpstreamConfig, and OAuth2UpstreamConfig structs
• Add webhook validation ensuring:
  • Config exclusivity (embeddedAuthServer not set with other auth types)
  • Single upstream provider limit (runtime validation for future multi-IDP support)
  • Upstream provider type/config consistency
• Add placeholder handling in controller code for future integration
• Bump operator-crds chart version to 0.0.105

Test Plan

• New unit tests for embeddedAuthServer webhook validation (15+ test cases)
• Existing webhook tests pass
• CRD generation succeeds (task operator-generate && task operator-manifests)
• Helm template renders correctly
• Chart linting passes

Large PR Justification

• Most lines are generated.
• Majority of remaining lines are unit tests with no logical redundancy.

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[codecov]

Codecov Report

❌ Patch coverage is 76.92308% with 12 lines in your changes missing coverage. Please review.
✅ Project coverage is 65.25%. Comparing base (e00d514) to head (9efd3fb).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...ator/api/v1alpha1/mcpexternalauthconfig_webhook.go	83.33%	5 Missing and 3 partials ⚠️
...perator/controllers/virtualmcpserver_deployment.go	0.00%	2 Missing ⚠️
...d/thv-operator/pkg/controllerutil/tokenexchange.go	0.00%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3488      +/-   ##
==========================================
+ Coverage   65.15%   65.25%   +0.09%     
==========================================
  Files         398      399       +1     
  Lines       38821    38960     +139     
==========================================
+ Hits        25295    25422     +127     
- Misses      11564    11568       +4     
- Partials     1962     1970       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

[jhrozek]

I think the audiences field should be removed, I think it would be also nice to at least provide a nice default for scopes and redirectUrl

[jhrozek]

I don't think the AllowedAudiences should be part of this type - sorry I missed that in the initial RFC. The fact that we even have an array in the Go package was me planning for the shared authserver deployment where we'd track the allowed audiences based on what servers are using this authserver instance.

I think an interesting dichotomy here is - each MCPServer will get its own authserver instance. This means that we can infer the allowed audience from this server's oidcConfig.inline.audience (or equivalent for oidc.Config.configMap/kubernetes). We can also default the scopesSupported to the scopes from that section.

However, I think it would be nice UX if the externalauthconfig could be shared and used by multiple MCPServer instances - in that case audience must not be shared (and thus not part of this CRD).

It's a similar issue with the scopes parameter.

[jhrozek]

Umm re-reading my comment I realize that maybe it might be easier to understand with an example: we'd have a single MCPExternalAuthConfig pointing with an AuthServer definition with the same issuer (although the issuer could very well default to resourceUrl I guess). The MCPExternalAuthConfig would list a github IDP, pointing to a secret and client_id.

This ExternalAuthConfig could then be linked to by a MCP server that allows listing github issues (aud=mcp-github-issues-lister, scopes=[github:issues]) and another MCP server that allows reading github repos (aud=mcp-github-repos-reader, scopes=[github:repos])

[jhrozek]

FYI I haven't merged the OIDC provider yet. Will do soon.

[jhrozek]

This is another piece that could prevent from sharing the mcpexternalauthconfig CR - I wonder if we could default to resourceUrl/oauth/callback?

[jhrozek]

nit: only minItems exists

[yrobla]

i see lots of code duplication here, maybe we can create a helper for validating embeddedauthserver, passing some param for different error logs?