
Add Operator CRD Types for Auth Server Redis Storage #3793

Merged: tgrunnagle merged 1 commit into main from issue_3792_as-crd on Feb 13, 2026

Conversation

tgrunnagle (Contributor) commented Feb 11, 2026

Closes #3792

Summary

Adds Kubernetes CRD types for configuring Redis storage in the embedded authorization server. This defines the declarative schema that operators will use to configure Redis-backed storage for horizontal scaling, building on the core Redis storage backend (#3628) and integration tests (#3629). The controller and runner integration that consumes these types is tracked separately in #3630.

Changes Made

CRD Types (mcpexternalauthconfig_types.go)

  • Added AuthServerStorageConfig with type field supporting memory (default) and redis backends
  • Added RedisStorageConfig with Sentinel configuration, ACL user authentication, and configurable timeouts (dial, read, write)
  • Added RedisSentinelConfig with masterName, sentinelAddrs (explicit addresses), and sentinelService (Kubernetes Service discovery) — mutually exclusive
  • Added SentinelServiceRef for referencing a Kubernetes Service for Sentinel discovery (name, namespace, port)
  • Added RedisACLUserConfig with SecretKeyRef references for username and password
  • Added Storage field to EmbeddedAuthServerConfig

Validation Webhooks (mcpexternalauthconfig_webhook.go)

  • Added validateStorageConfig enforcing type-specific configuration presence
  • Added validateRedisStorageConfig requiring sentinelConfig and aclUserConfig, plus Go duration format validation for timeout fields
  • Added validateRedisSentinelConfig enforcing exactly one of sentinelAddrs or sentinelService
  • Added validateRedisACLUserConfig requiring both secret references
  • Integrated storage validation into existing validateEmbeddedAuthServer flow

Generated Files

  • Updated zz_generated.deepcopy.go with DeepCopy methods for all new types
  • Updated CRD manifests in deploy/charts/operator-crds/ (both files/ and templates/)

Implementation Details

  • Simplified the issue's proposed design by removing deploymentMode and authType enum fields — since only sentinel and aclUser are supported, these are implicit in the type structure rather than configurable enums
  • Follows existing patterns: SecretKeyRef for secret references, kubebuilder validation annotations for enums and defaults, optional fields with sensible defaults

Testing

  • Added TestMCPExternalAuthConfig_ValidateStorageConfig with 17 test cases covering:
    • Default/explicit memory storage, invalid memory+redis combinations
    • Valid Redis with sentinel addrs and sentinel service ref
    • Missing required fields (sentinel config, master name, ACL config, secret refs)
    • Mutual exclusivity of sentinelAddrs vs sentinelService (both set, neither set)
    • Empty sentinel service name
    • Valid and invalid Go duration timeout strings (dial, read, write)
  • All tests are parallel and use table-driven patterns consistent with existing tests

Additional Notes

Large PR Justification

  • Isolated CRD updates and corresponding webhooks/tests only
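The webhook rules listed above (type-specific presence, required sentinelConfig and aclUserConfig, exactly one of sentinelAddrs or sentinelService, both ACL secret references, Go duration timeouts), written out as an added stand-alone Go example for this page; it is not code from the PR or from the operator repository. The type names follow the description, but the exact Go field names, the SecretKeyRef shape (Secret name plus key) and the constant names are assumptions, and the admission plumbing (request decoding, field-path error types) is left out:

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Storage backend values; the constant names are assumptions.
const StorageTypeMemory, StorageTypeRedis = "memory", "redis"

// Field shapes follow the PR description; the Go field names themselves are assumptions.
type SecretKeyRef struct{ Name, Key string } // one key of a Kubernetes Secret
type RedisACLUserConfig struct{ UsernameSecretRef, PasswordSecretRef *SecretKeyRef }
type SentinelServiceRef struct { // Kubernetes Service used for Sentinel discovery
	Name, Namespace string
	Port            int32
}
type RedisSentinelConfig struct {
	MasterName      string
	SentinelAddrs   []string            // explicit host:port list ...
	SentinelService *SentinelServiceRef // ... or a Service to resolve; exactly one of the two
}
type RedisStorageConfig struct {
	SentinelConfig                         *RedisSentinelConfig
	ACLUserConfig                          *RedisACLUserConfig
	DialTimeout, ReadTimeout, WriteTimeout string // optional Go duration strings
}
type AuthServerStorageConfig struct {
	Type  string // "memory" (default) or "redis"
	Redis *RedisStorageConfig
}

// validateStorageConfig enforces type-specific presence: redis settings only with type redis.
func validateStorageConfig(cfg *AuthServerStorageConfig) error {
	if cfg == nil || cfg.Type == "" || cfg.Type == StorageTypeMemory {
		if cfg != nil && cfg.Redis != nil {
			return errors.New("storage.redis must not be set when storage.type is memory")
		}
		return nil // memory backend (the default) needs no further settings
	}
	if cfg.Type != StorageTypeRedis {
		return fmt.Errorf("unsupported storage.type %q", cfg.Type)
	}
	if cfg.Redis == nil {
		return errors.New("storage.redis is required when storage.type is redis")
	}
	return validateRedisStorageConfig(cfg.Redis)
}

func validateRedisStorageConfig(r *RedisStorageConfig) error {
	if r.SentinelConfig == nil || r.ACLUserConfig == nil {
		return errors.New("storage.redis requires both sentinelConfig and aclUserConfig")
	}
	if err := validateRedisSentinelConfig(r.SentinelConfig); err != nil {
		return err
	}
	if err := validateRedisACLUserConfig(r.ACLUserConfig); err != nil {
		return err
	}
	// Timeouts are optional; when set they must parse as Go durations ("5s", "500ms").
	for _, t := range []struct{ field, value string }{
		{"dialTimeout", r.DialTimeout}, {"readTimeout", r.ReadTimeout}, {"writeTimeout", r.WriteTimeout},
	} {
		if _, err := time.ParseDuration(t.value); t.value != "" && err != nil {
			return fmt.Errorf("storage.redis.%s: %w", t.field, err)
		}
	}
	return nil
}

func validateRedisSentinelConfig(s *RedisSentinelConfig) error {
	if s.MasterName == "" {
		return errors.New("storage.redis.sentinelConfig.masterName is required")
	}
	// Mutual exclusivity: both set or neither set is rejected.
	if (len(s.SentinelAddrs) > 0) == (s.SentinelService != nil) {
		return errors.New("storage.redis.sentinelConfig: set exactly one of sentinelAddrs or sentinelService")
	}
	if s.SentinelService != nil && s.SentinelService.Name == "" {
		return errors.New("storage.redis.sentinelConfig.sentinelService.name is required")
	}
	return nil
}

func validateRedisACLUserConfig(a *RedisACLUserConfig) error {
	complete := func(r *SecretKeyRef) bool { return r != nil && r.Name != "" && r.Key != "" }
	if !complete(a.UsernameSecretRef) || !complete(a.PasswordSecretRef) {
		return errors.New("storage.redis.aclUserConfig: usernameSecretRef and passwordSecretRef must each name a Secret and key")
	}
	return nil
}

func main() {
	// Constructed invalid input: both discovery mechanisms set, which the webhook must reject.
	err := validateRedisSentinelConfig(&RedisSentinelConfig{MasterName: "mymaster",
		SentinelAddrs: []string{"10.0.0.1:26379"}, SentinelService: &SentinelServiceRef{Name: "redis-sentinel"}})
	fmt.Println(err)
}
```

Running it prints the rejection for the both-set case. The check that matters most operationally is the timeout loop: a value such as "5 seconds" fails time.ParseDuration and is refused at admission time, instead of surfacing later as a connection error when the auth server starts with an unparseable timeout.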

github-actions Bot (Contributor) left a comment

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

This review will be automatically dismissed once you add the justification section.

@github-actions github-actions Bot added the size/XL Extra large PR: 1000+ lines changed label Feb 11, 2026
codecov Bot commented Feb 11, 2026

Codecov Report

❌ Patch coverage is 96.15385% with 2 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.83%. Comparing base (f1772c6) to head (f2c27bf).
⚠️ Report is 1 commits behind head on main.

Files with missing lines                                  Patch %   Lines
...ator/api/v1alpha1/mcpexternalauthconfig_webhook.go    96.15%    2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3793      +/-   ##
==========================================
- Coverage   66.84%   66.83%   -0.02%     
==========================================
  Files         439      439              
  Lines       43509    43561      +52     
==========================================
+ Hits        29083    29112      +29     
- Misses      12175    12197      +22     
- Partials     2251     2252       +1     


@tgrunnagle tgrunnagle marked this pull request as ready for review February 11, 2026 21:55
jhrozek previously approved these changes Feb 11, 2026, with review comment threads on cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_webhook.go (outdated) and cmd/thv-operator/api/v1alpha1/mcpexternalauthconfig_types.go
github-actions Bot (Contributor) commented Feb 12, 2026

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

@github-actions github-actions Bot dismissed their stale review February 12, 2026 17:23

Large PR justification has been provided. Thank you!

jhrozek previously approved these changes Feb 12, 2026

jhrozek (Contributor) commented Feb 12, 2026

Not sure what's up with the CI though... it doesn't seem to be an issue in your PR.

jhrozek (Contributor) commented Feb 13, 2026

@tgrunnagle, we worked around the CI failures in #3815; would you mind rebasing atop origin/main? I'll ack the PR right away.

Address review feedback

Address feedback

- constants for storage types

Run `task crdref-gen`
@tgrunnagle tgrunnagle merged commit 9305d9e into main Feb 13, 2026
36 checks passed
@tgrunnagle tgrunnagle deleted the issue_3792_as-crd branch February 13, 2026 16:35
tgrunnagle added a commit that referenced this pull request Feb 19, 2026
Wires the Redis storage backend through the operator controller and auth server runner, enabling the embedded auth server to use Redis Sentinel for persistent, horizontally-scalable token storage in Kubernetes. This builds on the CRD types (#3793) and core Redis storage implementation (#3628) to complete the end-to-end integration.

Labels

size/XL Extra large PR: 1000+ lines changed

Development

Successfully merging this pull request may close these issues.

Auth Server: Add Operator CRD Types for Redis Storage

2 participants