Wire MCPOIDCConfig into VirtualMCPServer controller #4493

Merged: ChrisJBurns merged 1 commit into main from chrisburns/vmcp-mcpoidcconfig-ref-v2 on Apr 2, 2026

@ChrisJBurns
Collaborator

Summary

  • VirtualMCPServer previously only supported inline OIDC configuration (oidcConfig), requiring each server to duplicate shared provider settings. This wires up the shared MCPOIDCConfig resource pattern already established for MCPServer, allowing VirtualMCPServers to reference a shared MCPOIDCConfig via oidcConfigRef with per-server audience and scopes overrides.
  • The MCPOIDCConfig controller now also tracks VirtualMCPServer references in ReferencingWorkloads and blocks deletion while referenced.
  • This addresses the loose ends from MCPOIDCConfig CRD — Types, Controller, and Tests #4248 (readiness probing via vMCP) and Workload CRD Config Reference Updates #4253 (token exchange via vMCP) by having VirtualMCPServer use the MCPOIDCConfig resource to configure OIDC through its existing vMCP config pipeline.

Closes #4253
Closes #4248

Stacked on #4492 — merge that first.

Type of change

  • New feature

Test plan

  • Unit tests (task test)
  • Linting (task lint-fix)
  • Integration tests (envtest-based tests in test-integration/mcp-oidc-config/)

Changes

| File | Change |
|---|---|
| api/v1alpha1/virtualmcpserver_types.go | Add oidcConfigRef field to IncomingAuthConfig with CEL mutual-exclusivity validation; deprecate oidcConfig; add OIDCConfigHash to status |
| controllers/virtualmcpserver_controller.go | Add handleOIDCConfig for reference validation, hash tracking, and ReferencingWorkloads updates; add MCPOIDCConfig watch handler and RBAC |
| controllers/virtualmcpserver_deployment.go | Update buildOIDCEnvVars, buildVolumesForVmcp, and validateSecretReferences to handle MCPOIDCConfig inline client secrets and CA bundles; propagate errors |
| controllers/mcpoidcconfig_controller.go | Extend findReferencingWorkloads to include VirtualMCPServers; add VirtualMCPServer watch for reference tracking |
| pkg/vmcpconfig/converter.go | Add OIDCConfigRef resolution branch in convertIncomingAuth using ResolveFromConfigRef; add mapResolvedOIDCToVmcpConfigFromRef |
| test-integration/mcp-oidc-config/suite_test.go | Register VirtualMCPServer and MCPGroup controllers; add field indexers |
| test-integration/mcp-oidc-config/mcpoidcconfig_virtualmcpserver_integration_test.go | 8 integration test specs covering OIDCConfigRef validation, hash tracking, ReferencingWorkloads, deletion protection, and cross-server-type references |

Does this introduce a user-facing change?

Yes. VirtualMCPServer now supports spec.incomingAuth.oidcConfigRef to reference a shared MCPOIDCConfig resource for OIDC authentication. The inline spec.incomingAuth.oidcConfig field is deprecated and will be removed in v1beta1. The two fields are mutually exclusive.

Special notes for reviewers

  • The converter's mapResolvedOIDCToVmcpConfigFromRef function is intentionally separate from mapResolvedOIDCToVmcpConfig because client secret detection differs: the MCPOIDCConfig path checks MCPOIDCConfig.Spec.Inline.ClientSecretRef rather than OIDCConfigRef.Inline.ClientSecretRef.
  • The handleOIDCConfig method follows the same pattern as MCPServerReconciler.handleOIDCConfig but uses the StatusManager interface for batched status updates.
  • Deployment builder functions (buildVolumesForVmcp, buildOIDCEnvVars, buildEnvVarsForVmcp) return errors instead of silently dropping MCPOIDCConfig fetch failures, unlike the MCPServer controller which uses the silent-swallow pattern.

Generated with Claude Code
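
The difference between the silent-swallow pattern and error propagation named in the reviewer notes, as an added example that is not code from this PR or from the project. The types, the `Store` lookup, the function names and the environment variable names are all hypothetical, simplified stand-ins.

```go
package main

import (
	"errors"
	"fmt"
)

// OIDCConfig is a simplified, hypothetical stand-in for a shared MCPOIDCConfig.
type OIDCConfig struct{ Issuer, ClientSecretRef string }

// Store models looking up MCPOIDCConfig objects by name (constructed for this example).
type Store map[string]OIDCConfig

var ErrNotFound = errors.New("MCPOIDCConfig not found")

func (s Store) Get(name string) (OIDCConfig, error) {
	cfg, ok := s[name]
	if !ok {
		return OIDCConfig{}, fmt.Errorf("%w: %q", ErrNotFound, name)
	}
	return cfg, nil
}

// buildEnvSilent drops the fetch error, so a broken reference still yields
// an env list, just one without any OIDC settings.
func buildEnvSilent(s Store, ref string) []string {
	env := []string{"VMCP_NAME=demo"} // env var names are hypothetical
	cfg, err := s.Get(ref)
	if err != nil {
		return env
	}
	return append(env, "OIDC_ISSUER="+cfg.Issuer, "OIDC_CLIENT_SECRET_REF="+cfg.ClientSecretRef)
}

// buildEnvStrict propagates the fetch error, so the caller can fail the
// reconcile instead of creating a Deployment that lacks OIDC settings.
func buildEnvStrict(s Store, ref string) ([]string, error) {
	cfg, err := s.Get(ref)
	if err != nil {
		return nil, fmt.Errorf("resolving oidcConfigRef: %w", err)
	}
	return []string{"VMCP_NAME=demo", "OIDC_ISSUER=" + cfg.Issuer, "OIDC_CLIENT_SECRET_REF=" + cfg.ClientSecretRef}, nil
}

func main() {
	s := Store{"shared-oidc": {Issuer: "https://idp.example.com", ClientSecretRef: "oidc-secret"}}
	_, err := buildEnvStrict(s, "typo-oidc")
	fmt.Println(buildEnvSilent(s, "typo-oidc"), err)
}
```

With the silent variant a mistyped reference produces a workload spec that looks valid but carries no OIDC settings; the strict variant surfaces the failure to the caller, which can check it with `errors.Is`.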

@github-actions github-actions Bot added the size/XL Extra large PR: 1000+ lines changed label Apr 1, 2026
Contributor

@github-actions github-actions Bot left a comment


Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.


This review will be automatically dismissed once you add the justification section.

@ChrisJBurns ChrisJBurns force-pushed the chrisburns/mcpoidcconfig-workload-reference branch from 3079635 to 1f94b73 Compare April 2, 2026 14:50
@ChrisJBurns ChrisJBurns force-pushed the chrisburns/vmcp-mcpoidcconfig-ref-v2 branch from cd948c6 to 129c9bb Compare April 2, 2026 14:52
@github-actions github-actions Bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Apr 2, 2026
Base automatically changed from chrisburns/mcpoidcconfig-workload-reference to main April 2, 2026 17:11
VirtualMCPServer can now reference a shared MCPOIDCConfig resource via
incomingAuth.oidcConfigRef, matching the pattern already established for
MCPServer. The legacy inline oidcConfig field is deprecated and will be
removed in v1beta1.

Key changes:
- Add oidcConfigRef field to IncomingAuthConfig with CEL mutual-exclusivity
  validation against the deprecated oidcConfig field
- Converter resolves OIDC config from MCPOIDCConfig references using
  ResolveFromConfigRef, including client secret and CA bundle handling
- VirtualMCPServer controller validates the referenced MCPOIDCConfig,
  tracks config hash changes, and watches for MCPOIDCConfig updates
- MCPOIDCConfig controller now tracks VirtualMCPServer references in
  ReferencingWorkloads and blocks deletion while referenced
- Deployment builder propagates errors from MCPOIDCConfig fetch failures
  rather than silently producing misconfigured deployments

Closes #4253
Closes #4248

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
@ChrisJBurns ChrisJBurns force-pushed the chrisburns/vmcp-mcpoidcconfig-ref-v2 branch from 129c9bb to 059629c Compare April 2, 2026 17:13
@github-actions github-actions Bot added size/XL Extra large PR: 1000+ lines changed and removed size/XL Extra large PR: 1000+ lines changed labels Apr 2, 2026
@codecov

codecov Bot commented Apr 2, 2026

Codecov Report

❌ Patch coverage is 7.40741% with 225 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.05%. Comparing base (610075f) to head (059629c).
⚠️ Report is 1 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...perator/controllers/virtualmcpserver_controller.go | 5.20% | 88 Missing and 3 partials ⚠️ |
| ...perator/controllers/virtualmcpserver_deployment.go | 14.86% | 58 Missing and 5 partials ⚠️ |
| ...v-operator/controllers/mcpoidcconfig_controller.go | 2.70% | 34 Missing and 2 partials ⚠️ |
| cmd/thv-operator/pkg/vmcpconfig/converter.go | 2.77% | 34 Missing and 1 partial ⚠️ |

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #4493      +/-   ##
==========================================
- Coverage   69.34%   69.05%   -0.30%     
==========================================
  Files         502      502              
  Lines       51643    51869     +226     
==========================================
+ Hits        35814    35816       +2     
- Misses      13063    13273     +210     
- Partials     2766     2780      +14     


Comment thread cmd/thv-operator/controllers/virtualmcpserver_controller.go
Comment thread cmd/thv-operator/pkg/vmcpconfig/converter.go