Add E2E test for upstreamInject identity propagation after cross-pod Redis restore

[tgrunnagle]

Summary

This PR is stacked on #5650 and adds only the E2E test infrastructure that was blocked by the lack of an in-cluster OIDC provider (see the `TODO(#5336)` removed here). All production code fixes are in #5650.

PR #5650 fixed two bugs in the cross-pod Redis session restore path for multi-replica vMCP deployments:

1. `RestoreSession` was fabricating a partial `*auth.Identity` with empty `Token`/`UpstreamTokens`; it now passes `nil`.
2. `loadSession` was using `context.Background()` for the backend `Initialize` handshake during restore; it now threads the incoming request's context (carrying a live `*auth.Identity` with populated `UpstreamTokens`) through `context.WithoutCancel`.

The existing cross-pod E2E tests exercised only anonymous sessions and could not catch regressions in the authenticated restore path. This PR adds the missing coverage.

Closes #5658

Type of change

• Tests only

Test plan

• E2E tests (`task test-e2e`)

The new test (Context 5 of `virtualmcp_redis_session_test.go`) exercises the full authenticated restore path:

1. Deploys Dex as an in-cluster OIDC provider (Option B from E2E test: vMCP cross-pod restore with upstreamInject outgoing auth #5658) with a `mockCallback` connector — no browser consent required.
2. Deploys an instrumented MCP backend that counts `initialize` JSON-RPC calls and logs `Authorization: Bearer` tokens to a `/stats` endpoint.
3. Wires the embedded auth server → Dex → `upstreamInject` outgoing auth chain.
4. Establishes an authenticated session on pod A; asserts `InitializeCalls >= 1` on the backend.
5. Restores the same session on pod B (triggering `RestoreSession` from Redis); asserts `InitializeCalls >= 2`.

The `InitializeCalls` metric is incremented only on the `initialize` JSON-RPC method, making the threshold strictly load-bearing: it can reach 2 only after both pod A's Initialize and pod B's RestoreSession-triggered Initialize succeed with a valid upstream token. The test fails if `context.WithoutCancel` in `loadSession` is reverted to `context.Background()`.

Changes

File	Change
`test/e2e/images/images.go`	Added `DexImage` constant (`ghcr.io/dexidp/dex:v2.42.0`)
`test/e2e/thv-operator/virtualmcp/helpers.go`	Added `deployDex`/`cleanupDex` helpers, `DexInfo` struct, `InstrumentedMCPBackendScript`, `GetInstrumentedMCPBackendStats`, and `getEmbeddedASToken` (OAuth2 PKCE flow helper)
`test/e2e/thv-operator/virtualmcp/virtualmcp_redis_session_test.go`	New Context 5, removed `TODO(#5336)`
`.github/workflows/test-e2e-lifecycle.yml`	Pre-pull and load `ghcr.io/dexidp/dex:v2.42.0` into Kind alongside the other test images

Special notes for reviewers

Why Dex: The existing `DeployParameterizedOIDCServer` only serves JWKS/discovery for token validation. The embedded auth server also needs OAuth2 authorization and token endpoints (`/auth`, `/token`) to complete the upstream token exchange that drives `upstreamInject`. Dex with the `mockCallback` connector provides these without browser interaction.

OAuth2 flow from the test process: The embedded AS runs inside vMCP pods (in-cluster) and Dex is in-cluster. `getEmbeddedASToken` bridges this by combining port-forwards (for the embedded AS endpoints) and Dex's NodePort (for external reachability), rewriting in-cluster URLs to local addresses at each redirect hop of the PKCE flow.

Shared Redis: The test reuses the session-storage Redis instance for the embedded AS's upstream token store (different key prefix), avoiding a second Redis deployment.

CI: The workflow triggers automatically on PRs touching `test/e2e/thv-operator/**`. Ginkgo runs all tests in that tree with `--procs=8` and no label filter, so Context 5 runs as part of every CI check. The Dex image is now pre-loaded into Kind in the same parallel pull step as the other test images.

Generated with Claude Code

[github-actions]

Large PR Detected

This PR exceeds 1000 lines of changes and requires justification before it can be reviewed.

How to unblock this PR:

Add a section to your PR description with the following format:

## Large PR Justification

[Explain why this PR must be large, such as:]
- Generated code that cannot be split
- Large refactoring that must be atomic
- Multiple related changes that would break if separated
- Migration or data transformation

Alternative:

Consider splitting this PR into smaller, focused changes (< 1000 lines each) for easier review and reduced risk.

See our Contributing Guidelines for more details.

---

This review will be automatically dismissed once you add the justification section.

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 70.34%. Comparing base (533301f) to head (53a0f9d).

Additional details and impacted files

@@                             Coverage Diff                             @@
##           vmcp-restoresession-identity-issue_5336    #5660      +/-   ##
===========================================================================
- Coverage                                    70.34%   70.34%   -0.01%     
===========================================================================
  Files                                          649      649              
  Lines                                        66175    66091      -84     
===========================================================================
- Hits                                         46553    46490      -63     
+ Misses                                       16271    16255      -16     
+ Partials                                      3351     3346       -5     

☔ View full report in Codecov by Harness.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

PR size has been reduced below the XL threshold. Thank you for splitting this up!

[github-actions]

✅ PR size has been reduced below the XL threshold. The size review has been dismissed and this PR can now proceed with normal review. Thank you for splitting this up!

[tgrunnagle]

Review Summary

Finding	Severity	Score	Action
F01: Pod B BearerTokenRequests >= 2 not load-bearing	HIGH	8/10	Fix
F02: rewriteURLBase allows port-mismatch bypass	MEDIUM	9/10	Fix
F03: Intermediate bearer assertion satisfied by ListTools	MEDIUM	7/10	Fix
F04: rand.Read return value discarded without comment	MEDIUM	7/10	Fix
F05: HTTP response bodies not drained before close	LOW	8/10	Fix
F06: registerOAuthClient errors not wrapped with %w	LOW	9/10	Fix

Holistic Assessment

The infrastructure design is solid — Dex with mockCallback, the 9-step PKCE flow, and InstrumentedMCPBackendScript are all well-executed and correctly model the out-of-cluster test process accessing in-cluster endpoints. The Dex helper mirrors deployRedis/cleanupRedis cleanly, and the Deprecated annotation on InstrumentedBackendScript correctly directs future tests to InstrumentedMCPBackendScript.

The critical issue (F01) is that the final assertion uses BearerTokenRequests >= 2, which can be satisfied by pod A's Initialize + ListTools before pod B's RestoreSession fires — meaning the test would pass even if context.WithoutCancel in loadSession were reverted to context.Background(). The fix is to assert on InitializeCalls >= 2 instead, which is incremented only on the initialize JSON-RPC method and is strictly load-bearing.

Generated with Claude Code