
Add AWS STS auth type to MCPExternalAuthConfig CRD#3816

Merged
jhrozek merged 1 commit into main from aws_sts-pr-7-crds-v2 on Feb 13, 2026

Conversation

@jhrozek (Contributor) commented Feb 13, 2026

Extends the MCPExternalAuthConfig CRD with a new 'awsSts' authentication type that enables AWS STS token exchange with SigV4 request signing for MCP servers.

The AWSStsConfig supports:

  • Region and service configuration for SigV4 signing
  • Default IAM role ARN for token exchange
  • Role claim-based mapping for multi-tenant scenarios
  • Session name claim for CloudTrail correlation
  • Configurable session duration

This allows vMCP to authenticate with AWS services (like AWS MCP Server) by exchanging incoming OIDC tokens for temporary AWS credentials using STS AssumeRoleWithWebIdentity.

Fixes: #3570
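To make the resolution steps in the description concrete (role chosen from a claim mapping with a default fallback, session name taken from a claim for CloudTrail correlation, session duration bounded by what STS accepts), here is an added example that is not code from this PR or from the ToolHive project; the `AWSStsConfig` field names and the `BuildAssumeRoleInput` function are assumptions made for the example, and the actual STS call and SigV4 signing are left out.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"time"
)

// AWSStsConfig holds the settings the PR description lists. The field names
// here are assumptions made for this example, not the CRD's real schema.
type AWSStsConfig struct {
	Region, Service  string            // SigV4 signing scope for outbound requests
	DefaultRoleARN   string            // fallback role when no mapping matches
	RoleClaim        string            // OIDC claim whose value selects a role
	RoleMapping      map[string]string // claim value -> role ARN (multi-tenant)
	SessionNameClaim string            // OIDC claim copied into RoleSessionName
	SessionDuration  time.Duration
}

// AssumeRoleInput is the subset of STS AssumeRoleWithWebIdentity parameters resolved here.
type AssumeRoleInput struct {
	RoleARN, SessionName, WebIdentityToken string
	DurationSeconds                        int32
}
// STS limits RoleSessionName to 2-64 characters from [\w+=,.@-].
var sessionNameRE = regexp.MustCompile(`^[\w+=,.@-]{2,64}$`)

// BuildAssumeRoleInput resolves role, session name and duration from already
// verified OIDC claims; an identity that maps to no role is rejected, not guessed.
func BuildAssumeRoleInput(cfg AWSStsConfig, claims map[string]any, token string) (AssumeRoleInput, error) {
	roleARN := cfg.DefaultRoleARN
	if v, ok := claims[cfg.RoleClaim].(string); ok && cfg.RoleClaim != "" {
		if mapped, ok := cfg.RoleMapping[v]; ok {
			roleARN = mapped
		}
	}
	if roleARN == "" {
		return AssumeRoleInput{}, errors.New("no role ARN resolved for identity")
	}
	name, _ := claims[cfg.SessionNameClaim].(string) // empty when the claim is missing
	if !sessionNameRE.MatchString(name) {
		return AssumeRoleInput{}, fmt.Errorf("session name %q violates STS RoleSessionName rules", name)
	}
	secs := int32(cfg.SessionDuration / time.Second)
	if secs < 900 || secs > 43200 { // STS accepts DurationSeconds from 15 minutes to 12 hours
		return AssumeRoleInput{}, fmt.Errorf("session duration %ds outside STS bounds", secs)
	}
	return AssumeRoleInput{RoleARN: roleARN, SessionName: name, WebIdentityToken: token, DurationSeconds: secs}, nil
}
```

The resulting input is what a caller would hand to the STS AssumeRoleWithWebIdentity call; rejecting an unmapped identity when no default role is configured keeps a tenant from silently landing in another tenant's role.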

@github-actions github-actions bot added the size/L Large PR: 600-999 lines changed label Feb 13, 2026
@codecov codecov bot commented Feb 13, 2026

Codecov Report

❌ Patch coverage is 47.05882% with 36 lines in your changes missing coverage. Please review.
✅ Project coverage is 66.79%. Comparing base (3fed749) to head (a999985).
⚠️ Report is 2 commits behind head on main.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| ...d/thv-operator/pkg/controllerutil/tokenexchange.go | 0.00% | 29 Missing |
| ...ator/api/v1alpha1/mcpexternalauthconfig_webhook.go | 91.42% | 1 Missing and 2 partials |
| ...perator/controllers/virtualmcpserver_deployment.go | 0.00% | 2 Missing |
| pkg/auth/awssts/middleware.go | 0.00% | 2 Missing |
Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3816      +/-   ##
==========================================
- Coverage   66.81%   66.79%   -0.02%     
==========================================
  Files         439      439              
  Lines       43437    43503      +66     
==========================================
+ Hits        29021    29058      +37     
- Misses      12168    12194      +26     
- Partials     2248     2251       +3     


@jhrozek jhrozek force-pushed the aws_sts-pr-7-crds-v2 branch from edf3c02 to a3e053d on February 13, 2026 11:18
@github-actions github-actions bot added size/L Large PR: 600-999 lines changed and removed size/L Large PR: 600-999 lines changed labels Feb 13, 2026
Extends the MCPExternalAuthConfig CRD with a new 'awsSts' authentication type
that enables AWS STS token exchange with SigV4 request signing for MCP servers.

The AWSStsConfig supports:
- Region and service configuration for SigV4 signing
- Default IAM role ARN for token exchange
- Role claim-based mapping for multi-tenant scenarios
- Session name claim for CloudTrail correlation
- Configurable session duration

This allows vMCP to authenticate with AWS services (like AWS MCP Server) by
exchanging incoming OIDC tokens for temporary AWS credentials using STS
AssumeRoleWithWebIdentity.

Fixes: #3570
@jhrozek jhrozek force-pushed the aws_sts-pr-7-crds-v2 branch from a3e053d to a999985 on February 13, 2026 11:36
@github-actions github-actions bot added size/L Large PR: 600-999 lines changed and removed size/L Large PR: 600-999 lines changed labels Feb 13, 2026
@jhrozek jhrozek merged commit f1772c6 into main Feb 13, 2026
37 checks passed
@jhrozek jhrozek deleted the aws_sts-pr-7-crds-v2 branch February 13, 2026 13:04


Development

Successfully merging this pull request may close these issues.

AWS STS: Add MCPExternalAuthConfig CRD support

3 participants