Add MCPServerEntry validation controller and MCPGroup integration

[JAORMX]

Summary

MCPServerEntry needs a controller to validate that referenced resources exist and to integrate with MCPGroup for discovery. This is the second PR in the RFC-55 implementation series, building on #4662 (CRD types).

• Introduce a validation-only controller that checks MCPGroup, MCPExternalAuthConfig, and CA bundle ConfigMap references exist, setting GroupRefValidated, ExternalAuthConfigValidated, and CABundleRefValidated conditions
• The controller never creates infrastructure (no pods, services, deployments) and never probes remote URLs
• Integrate MCPServerEntry into the MCPGroup controller: track membership in Entries/EntryCount, handle deletion notifications, watch for entry changes
• Wire field indexing for MCPServerEntry.Spec.GroupRef and register the controller in the operator main setup
• Watch MCPExternalAuthConfig, MCPGroup, and ConfigMap changes to re-validate entries when referenced resources are created/updated/deleted
• Use Failed phase (not Pending) when validations fail, matching the semantic distinction documented in the types

Refs #4656

Type of change

• New feature

Large PR Justification

• The diff is inflated by ~710 lines because Add custom CA certificate support for OTLP endpoints #4676 accidentally deleted mcpserverentry_types.go and both CRD YAML files that Add MCPServerEntry CRD types and MCPGroup status fields #4662 had already merged — those appear as new additions here but are restorations, not new code
• Excluding tests (538 lines), generated RBAC/CRD manifests (544 lines), and docs (104 lines), the actual new production code is ~427 lines (the controller) + ~127 lines (MCPGroup integration) + ~38 lines (main.go wiring)
• The controller + MCPGroup integration is a single logical change that cannot be split without shipping a controller with no tests or an MCPGroup integration with no controller

Test plan

• Unit tests (task test) — operator unit tests pass, including 8 table-driven subtests for MCPServerEntryReconciler and MCPGroup entry integration/deletion tests
• Linting (task lint-fix) — 0 issues
• RBAC regenerated via task operator-manifests

Changes

File	Change
mcpserverentry_types.go	Remove unused AllowInsecureAnnotation, align condition type names with shared constants
mcpserverentry_controller.go	New validation-only controller: validates GroupRef (existence + Ready phase), AuthConfig, CABundle; watches MCPGroup, ConfigMap, and AuthConfig; field-indexed lookups; transient errors requeue instead of persisting misleading conditions
mcpgroup_controller.go	Add MCPServerEntry integration: finder, populator, deletion handler, watch
main.go	Extract setupGroupRefFieldIndexes, add MCPServerEntry controller setup
mcpserverentry_controller_test.go	8 table-driven subtests + MCPGroup entry integration and deletion handler tests
mcpgroup_controller_test.go	Add MCPServerEntry field index to all fake client builders
test-integration/*/suite_test.go	Fix field indexer nesting bug (was inside MCPRemoteProxy error block) in 5 suites
role.yaml, CRD YAMLs, crd-api.md	Generated RBAC and CRD updates
chainsaw/*/assert-rbac-clusterrole.yaml	Add MCPServerEntry to RBAC assertions

Special notes for reviewers

• The controller has no finalizer since it owns no external resources. MCPGroup handles the "member disappeared" case via its existing watch pattern.
• Transient errors (non-NotFound) from Get calls are returned to controller-runtime for requeue rather than persisting a potentially misleading condition. Detailed errors are logged server-side only.
• SSRF-style URL validation for RemoteURL is tracked separately in Add URL validation to reject internal/metadata endpoints in RemoteURL fields #4695 — the existing ^https?:// CEL pattern matches what MCPRemoteProxy already uses today.

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 47.60563% with 186 lines in your changes missing coverage. Please review.
✅ Project coverage is 68.60%. Comparing base (3c5da31) to head (01991e7).
⚠️ Report is 2 commits behind head on main.

Files with missing lines	Patch %	Lines
...-operator/controllers/mcpserverentry_controller.go	52.15%	118 Missing and 4 partials ⚠️
...md/thv-operator/controllers/mcpgroup_controller.go	43.58%	39 Missing and 5 partials ⚠️
cmd/thv-operator/main.go	0.00%	20 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4664      +/-   ##
==========================================
- Coverage   68.66%   68.60%   -0.07%     
==========================================
  Files         509      515       +6     
  Lines       52987    53518     +531     
==========================================
+ Hits        36384    36715     +331     
- Misses      13782    13961     +179     
- Partials     2821     2842      +21     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[jhrozek]

Review of the controller and MCPGroup integration. Types-level comments on #4662.

[ChrisJBurns]

Agent-Assisted Code Review

This review was performed by three specialized agents: kubernetes-expert, code-reviewer, and security-advisor. Each finding is attributed to the agent(s) that identified it.

Summary

Priority	Count	Description
Must fix	3	Integration test nesting bug, AllowInsecureAnnotation dead code, overly broad RBAC
Should fix/defer	4	Failed phase never used, unused constant, condition naming inconsistency, missing ConfigMap watch
Medium	4	SSRF protection, client-side filtering, all-or-nothing status clearing, error info leak
Minor	1	Test field indexer duplication

Positive Aspects

• Clean validate-then-update-status pattern with no infrastructure side effects
• Good use of RequeueAfter: 500ms for conflict handling (consistent with existing controllers)
• Correct finalizer decision (none needed for validation-only controller)
• setupGroupRefFieldIndexes extraction is a nice improvement to main.go
• MCPGroup integration faithfully follows established patterns for MCPServer and MCPRemoteProxy
• CRD YAML, Helm charts, RBAC, and API docs are consistent and complete
• Short name mse is well-chosen

Generated with Claude Code

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[jhrozek]

looks good but there are conflicts

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

Large PR justification has been provided. Thank you!