Add dynamic/static mode support to VirtualMCPServer operator

[yrobla]

Update the VirtualMCPServer operator to generate different ConfigMap content and RBAC resources based on the outgoingAuth.source field, enabling two distinct operational modes:

Dynamic mode (source: discovered):

• Creates ServiceAccount, Role, and RoleBinding with K8s API permissions
• Generates minimal ConfigMap without backend details
• vMCP discovers backends at runtime via K8s API
• Role includes permissions for ConfigMaps, Secrets, ToolHive resources, and virtualmcpservers/status updates

Static mode (source: inline):

• Skips RBAC resource creation entirely
• Generates full ConfigMap with complete backend configurations
• vMCP has no K8s API access
• Uses default ServiceAccount

Closes: #3003

Large PR Justification

This is an atomic PR that covers a single functionality. It includes structure changes and comprehensive testing. Cannot be split.

[codecov]

Codecov Report

❌ Patch coverage is 42.65734% with 82 lines in your changes missing coverage. Please review.
✅ Project coverage is 63.60%. Comparing base (9f3611c) to head (121a008).
⚠️ Report is 6 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/vmcp/aggregator/discoverer.go	6.06%	30 Missing and 1 partial ⚠️
...perator/controllers/virtualmcpserver_vmcpconfig.go	52.63%	17 Missing and 10 partials ⚠️
cmd/vmcp/app/commands.go	0.00%	16 Missing ⚠️
...perator/controllers/virtualmcpserver_controller.go	77.14%	4 Missing and 4 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3235      +/-   ##
==========================================
+ Coverage   63.25%   63.60%   +0.34%     
==========================================
  Files         353      357       +4     
  Lines       35067    35278     +211     
==========================================
+ Hits        22183    22439     +256     
- Misses      10999    11023      +24     
+ Partials     1885     1816      -69     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[Copilot]

Pull request overview

This PR adds support for dynamic and static operational modes to the VirtualMCPServer operator. In dynamic mode (source: discovered), the vMCP server discovers backends at runtime via Kubernetes API with RBAC permissions and a minimal ConfigMap. In static mode (source: inline), backends are pre-configured in the ConfigMap with no RBAC resources created, eliminating the need for Kubernetes API access.

Key changes:

• Added mode-based RBAC resource management (create in dynamic, skip/cleanup in static)
• Modified ConfigMap generation to produce minimal or full content based on mode
• Updated deployment to use appropriate ServiceAccount based on mode

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

Show a summary per file

File	Description
cmd/thv-operator/controllers/virtualmcpserver_controller.go	Adds ensureRBACResources logic for mode-based RBAC creation/cleanup and getServiceAccountNameForVmcp helper
cmd/thv-operator/controllers/virtualmcpserver_deployment.go	Updates RBAC rules to include mcptoolconfigs and virtualmcpservers/status permissions, adds service account determination
cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig.go	Modifies ConfigMap generation to conditionally include backend details based on source mode
cmd/thv-operator/controllers/virtualmcpserver_vmcpconfig_test.go	Adds unit tests for dynamic and static mode ConfigMap content
test/e2e/thv-operator/virtualmcp/virtualmcp_lifecycle_test.go	Adds E2E tests for dynamic mode RBAC creation, static mode RBAC absence, and mode switching behavior

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 10 out of 10 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Large PR justification has been provided. Thank you!

[github-actions]

✅ Large PR justification has been provided. The size review has been dismissed and this PR can now proceed with normal review.

[Copilot]

Pull request overview

Copilot reviewed 16 out of 16 changed files in this pull request and generated 5 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.