Add MCPOIDCConfig controller for lifecycle management

[ChrisJBurns]

Summary

• Adds the controller that reconciles MCPOIDCConfig resources, managing the core CRD lifecycle: adds a finalizer on first reconciliation, validates the spec and sets a Valid condition, and computes a config hash for change detection stored in status.
• Registers the controller in the operator's manager startup alongside the existing controllers.
• Generated RBAC ClusterRole updated with permissions for mcpoidcconfigs resources.
• Includes unit tests and integration tests covering the controller's lifecycle management.
• Reference tracking, cascade to workloads, and deletion protection are deferred to Workload CRD Config Reference Updates #4253 when workload CRDs gain OIDCConfigRef fields.

Ref #4248

Type of change

• New feature

Test plan

• Unit tests (task test)
• Linting (task lint-fix)

Unit tests (6 functions, 15 subtests) cover hash computation, reconciliation lifecycle, deletion handling, config change detection, validation failure conditions, and type validation. Integration tests (3 cases via envtest) cover creation with Valid condition and hash, hash updates on spec changes, and deletion with finalizer removal.

Changes

File	Change
cmd/thv-operator/controllers/mcpoidcconfig_controller.go	New controller: Reconcile (finalizer, validation, hash), handleDeletion, SetupWithManager
cmd/thv-operator/controllers/mcpoidcconfig_controller_test.go	Unit tests for controller lifecycle
cmd/thv-operator/test-integration/mcp-oidc-config/suite_test.go	Integration test suite setup (envtest)
cmd/thv-operator/test-integration/mcp-oidc-config/mcpoidcconfig_controller_integration_test.go	Integration tests for creation, hash change, deletion
cmd/thv-operator/main.go	Register MCPOIDCConfig controller in setupServerControllers()
deploy/charts/operator/templates/clusterrole/role.yaml	Generated RBAC for mcpoidcconfigs resources

Large PR Justification

• mostly unit tests and integration tests

Special notes for reviewers

• No MCPServer integration yet: The controller validates and hashes config but does not track referencing servers or cascade changes. That wiring depends on Workload CRD Config Reference Updates #4253 adding OIDCConfigRef to workload CRDs. Comments in the code mark where this will be extended.
• Deletion allows immediately: Without reference tracking there's nothing to block on, so the finalizer is removed on deletion. Deletion protection will be added with Workload CRD Config Reference Updates #4253.
• Stacked on: Add MCPOIDCConfig CRD types and MCPServer reference field #4461 (types PR)

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 62.16216% with 28 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.61%. Comparing base (e69251a) to head (cb2f623).

Files with missing lines	Patch %	Lines
...v-operator/controllers/mcpoidcconfig_controller.go	66.66%	17 Missing and 6 partials ⚠️
cmd/thv-operator/main.go	0.00%	5 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4462      +/-   ##
==========================================
- Coverage   69.64%   69.61%   -0.04%     
==========================================
  Files         491      492       +1     
  Lines       50304    50378      +74     
==========================================
+ Hits        35036    35069      +33     
- Misses      12580    12618      +38     
- Partials     2688     2691       +3     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

PR size has been reduced below the XL threshold. Thank you for splitting this up!

[github-actions]

✅ PR size has been reduced below the XL threshold. The size review has been dismissed and this PR can now proceed with normal review. Thank you for splitting this up!

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.