Add Redis Sentinel session storage guide and TLS docs

Add a new how-to guide at docs/toolhive/guides-k8s/redis-session-storage.mdx
that walks through deploying Redis Sentinel as the session storage backend
for the embedded authorization server. The guide uses self-contained
Kubernetes manifests instead of the Bitnami Helm chart, which Broadcom
moved behind a paid subscription in August 2025. No maintained, freely
available Helm chart with Sentinel support exists as a replacement, so
the manifests are provided inline.

Also adds TLS configuration documentation for Redis connections (both
master and Sentinel), updates the auth-k8s guide's session storage
snippet for consistency, and resolves a merge conflict in backend-auth.mdx.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: jhrozek

docs/toolhive/concepts/backend-auth.mdx

@@ -274,9 +274,11 @@ single ToolHive-issued JWT.
 By default, session storage is in-memory only. Upstream tokens are lost when
 pods restart, requiring users to re-authenticate. For production deployments,
 configure Redis Sentinel as the storage backend for persistent, highly available
-session storage. See the
-[CRD specification](../reference/crd-spec.md#apiv1alpha1authserverstorageconfig)
-for configuration details.
+session storage. See
+[Configure session storage](../guides-k8s/auth-k8s.mdx#configure-session-storage)
+for a quick setup, or the full
+[Redis Sentinel session storage](../guides-k8s/redis-session-storage.mdx)
+tutorial for an end-to-end walkthrough.
 
 :::
 

docs/toolhive/guides-k8s/auth-k8s.mdx

@@ -527,6 +527,43 @@ authorization endpoints automatically.
 
 :::
 
+### Configure session storage
+
+By default, the embedded authorization server stores sessions in memory.
+Upstream tokens are lost when pods restart, requiring users to re-authenticate.
+For production deployments, configure Redis Sentinel as the storage backend by
+adding a `storage` block to your `MCPExternalAuthConfig`:
+
+```yaml title="storage block for MCPExternalAuthConfig"
+storage:
+  type: redis
+  redis:
+    sentinelConfig:
+      masterName: mymaster
+      sentinelService:
+        name: redis-sentinel
+        namespace: redis
+    aclUserConfig:
+      usernameSecretRef:
+        name: redis-acl-secret
+        key: username
+      passwordSecretRef:
+        name: redis-acl-secret
+        key: password
+```
+
+Create the Secret containing your Redis ACL credentials:
+
+```bash
+kubectl create secret generic redis-acl-secret \
+  --namespace toolhive-system \
+  --from-literal=username=toolhive-auth \
+  --from-literal=password="<REDIS_ACL_PASSWORD>"
+```
+
+For a complete walkthrough including deploying Redis Sentinel from scratch, see
+[Redis Sentinel session storage](./redis-session-storage.mdx).
+
 ### Using an OAuth 2.0 upstream provider
 
 If your upstream identity provider does not support OIDC discovery, you can