
Update MCPRemoteProxy Types and Controller for MCPOIDCConfig #4275

@ChrisJBurns

Description

Add MCPOIDCConfig reference support to MCPRemoteProxy and update its controller with the same resolution and fail-closed logic as MCPServer.

Implementation Notes

Type changes: Add to MCPRemoteProxySpec in cmd/thv-operator/api/v1alpha1/mcpremoteproxy_types.go:

// OIDCConfigRef references a shared MCPOIDCConfig resource for OIDC authentication.
// When set, the referenced MCPOIDCConfig provides shared OIDC provider config.
// Per-server overrides (audience, scopes) are specified here.
// +optional
OIDCConfigRef *MCPOIDCConfigReference `json:"oidcConfigRef,omitempty"`

Add to MCPRemoteProxyStatus:

// OIDCConfigHash is the hash of the referenced MCPOIDCConfig spec for change detection
// +optional
OIDCConfigHash string `json:"oidcConfigHash,omitempty"`

Add condition type and reason constants for OIDCConfigRef validation.

Controller changes: Same resolution and fail-closed logic as MCPServer (PR #4481):

  • handleOIDCConfig() method: fetch MCPOIDCConfig, check Ready condition, track hash, set conditions
  • updateOIDCConfigReferencingWorkloads() method: ensure proxy is listed in MCPOIDCConfig status
  • Add handleOIDCConfig() call in validateAndHandleConfigs()
  • Add MCPOIDCConfig watch handler in SetupWithManager()
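
An added sketch of the fail-closed resolution listed above, not the operator's code. The types, the in-memory store standing in for the API server, and the reason strings are hypothetical; only the Go standard library is used.

```go
package main

import (
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Hypothetical stand-ins for the operator's types, reduced to what the logic needs.
type OIDCConfig struct {
	Issuer string `json:"issuer"`
	Ready  bool   `json:"-"` // models the Ready condition; status, so not hashed
}

type ProxyStatus struct {
	OIDCConfigHash string
	Reason         string // hypothetical reason strings, not the project's constants
}

var ErrOIDCRef = errors.New("oidcConfigRef unusable")

// resolveOIDCRef returns the referenced config only when it exists and is Ready.
// Every other outcome is an error with a nil config, so the caller has nothing
// to run with. An empty ref means "use the inline OIDCConfig" and is not an error.
func resolveOIDCRef(store map[string]OIDCConfig, ref string, st *ProxyStatus) (*OIDCConfig, bool, error) {
	if ref == "" {
		return nil, false, nil
	}
	cfg, ok := store[ref]
	if !ok {
		st.Reason = "RefNotFound"
		return nil, false, fmt.Errorf("%w: %q not found", ErrOIDCRef, ref)
	}
	if !cfg.Ready {
		st.Reason = "RefNotReady"
		return nil, false, fmt.Errorf("%w: %q not ready", ErrOIDCRef, ref)
	}
	raw, _ := json.Marshal(cfg) // marshalling this plain struct cannot fail
	hash := fmt.Sprintf("%x", sha256.Sum256(raw))
	changed := st.OIDCConfigHash != hash // true when the shared spec was edited
	st.OIDCConfigHash, st.Reason = hash, "RefValid"
	return &cfg, changed, nil
}

func main() {
	store := map[string]OIDCConfig{"shared": {Issuer: "https://idp.example"}} // constructed, not Ready
	st := &ProxyStatus{}
	_, _, err := resolveOIDCRef(store, "shared", st)
	fmt.Println(st.Reason, err)
}
```

The `changed` return value is what a reconciler would use to decide whether the workload needs to be regenerated after the shared config is edited.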

MCPOIDCConfig controller updates:

  • Add MCPRemoteProxy scanning in findReferencingWorkloads()
  • Add MCPRemoteProxy watch in SetupWithManager()
  • Add RBAC marker for mcpremoteproxies

Runconfig updates:

  • Support resolving OIDC config from MCPOIDCConfigRef in createRunConfigFromMCPRemoteProxy()
  • Fall back to existing inline OIDCConfig when no ref is set

Testing

Unit tests:

  • handleOIDCConfig: happy path ref resolution, hash tracking, fail-closed on missing/not-ready refs
  • MCPOIDCConfig controller: findReferencingWorkloads includes MCPRemoteProxy
  • Runconfig: MCPOIDCConfigRef resolution in run config generation

Acceptance Criteria

  • MCPRemoteProxy spec has oidcConfigRef field pointing to MCPOIDCConfigReference
  • MCPRemoteProxy status has oidcConfigHash field for change detection
  • Controller resolves MCPOIDCConfig refs with fail-closed behavior
  • MCPOIDCConfig controller scans MCPRemoteProxy in findReferencingWorkloads()
  • MCPOIDCConfig controller watches MCPRemoteProxy changes
  • Runconfig generation supports MCPOIDCConfigRef resolution
  • Condition type and reason constants added for OIDCConfigRef validation
  • Unit tests cover ref resolution, hash tracking, and fail-closed behavior
  • Tests pass in CI (task test)
