Fix VirtualMCPServer reconciliation for discovered auth config updates

[yrobla]

When an MCPExternalAuthConfig is updated, VirtualMCPServer resources should reconcile to pick up the changes. However, the watch handler only checked inline references in the VirtualMCPServer.Spec.OutgoingAuth field and ignored discovered references when source: discovered mode is used.

In discovered mode, auth configs are referenced through MCPServer resources in the group rather than inline in the VirtualMCPServer spec. The watch handler now checks both inline and discovered references by listing MCPServers in the group and checking if any reference the updated MCPExternalAuthConfig.

This ensures that VirtualMCPServers using discovered mode will properly reconcile when their backend auth configurations change.

Fixes #2831

[codecov]

Codecov Report

❌ Patch coverage is 86.20690% with 4 lines in your changes missing coverage. Please review.
✅ Project coverage is 56.02%. Comparing base (71de38f) to head (5dbb028).
⚠️ Report is 1 commits behind head on main.

Files with missing lines	Patch %	Lines
...perator/controllers/virtualmcpserver_controller.go	86.20%	3 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #2957      +/-   ##
==========================================
+ Coverage   56.00%   56.02%   +0.02%     
==========================================
  Files         328      328              
  Lines       32314    32342      +28     
==========================================
+ Hits        18096    18121      +25     
- Misses      12673    12675       +2     
- Partials     1545     1546       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

This PR fixes a bug in the VirtualMCPServer controller's watch handler for MCPExternalAuthConfig updates. Previously, the watch only detected inline auth config references and missed discovered mode references where auth configs are specified through MCPServer resources in the group. The fix adds logic to check MCPServers in the group when discovered mode is used, ensuring VirtualMCPServers properly reconcile when their backend auth configurations change.

Key Changes:

• Extended vmcpReferencesExternalAuthConfig to check discovered references via MCPServers when source: discovered is used
• Added new helper function mcpGroupBackendsReferenceExternalAuthConfig to list MCPServers in the group and check their auth config references
• Updated function signature to accept context parameter (needed for API calls)

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
cmd/thv-operator/controllers/virtualmcpserver_controller.go	Implements the core fix by adding discovered mode reference checking to the watch handler logic
cmd/thv-operator/controllers/virtualmcpserver_watch_test.go	Updates unit test to pass context parameter to the modified function signature
cmd/thv-operator/test-integration/virtualmcp/virtualmcpserver_externalauth_watch_test.go	Adds integration test to verify VirtualMCPServer reconciliation when auth config is updated in discovered mode

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.