Allow standalone Redis in auth server storage

[reyortiz3]

Summary

• The auth server storage previously required Redis Sentinel, which is not available on managed Redis services such as GCP Memorystore, AWS ElastiCache, and Azure Cache for Redis — these services expose a single endpoint and manage HA internally.
• Adds a mutually exclusive Addr field (standalone mode) alongside the existing SentinelConfig (Sentinel mode). Exactly one must be set. Mirrors the pattern already used in pkg/transport/session/redis_config.go.
• Propagates standalone support through all layers: RedisConfig/RedisRunConfig in storage, convertRedisRunConfig in the embedded auth server runner, RedisStorageConfig CRD type with CEL XValidation, and buildStorageRunConfig in the operator controller.
• Makes usernameSecretRef optional in the CRD and removes the empty-username validation in validateConfig. When username is omitted, go-redis v9 sends HELLO with "default" as the username and falls back to legacy AUTH <password> for servers that predate HELLO. This is required for managed Redis tiers that do not expose ACL users (GCP Memorystore Basic/Standard HA, Azure Cache for Redis).
• Updates docs/redis-storage.md and docs/arch/11-auth-server-storage.md to document both connection modes, the optional username, TLS CA cert guidance for managed services (e.g. gcloud redis instances get-server-ca-certs), and the known limitation that Redis Cluster mode is not supported (tracked in Add Redis Cluster mode support to auth server storage #5010).

Fixes #4990

Type of change

• New feature

Test plan

• Unit tests (task test)
• Linting (task lint-fix)

New tests added in the standalone addr PR:

• TestRedisConfig_Validation extended with standalone/conflict/neither cases
• TestNewRedisStorage_Standalone_ConnectionFailure — unreachable addr returns error
• TestNewRedisStorage_Standalone_WithMiniredis — successful standalone connection via miniredis
• TestConvertRedisRunConfig extended with standalone happy path, both-set, neither-set cases
• TestBuildStorageRunConfig extended with standalone addr case and both-set error case

New tests added in the optional-username commit:

• TestConvertRedisRunConfig_WithEnvVars: "empty UsernameEnvVar uses legacy password-only auth" — verifies empty UsernameEnvVar resolves to empty username without error
• TestBuildStorageRunConfig: "Redis standalone with password-only auth omits UsernameEnvVar" — verifies operator omits UsernameEnvVar from RunConfig when usernameSecretRef is absent

API Compatibility

This PR adds an optional addr field to RedisStorageConfig, makes sentinelConfig optional (it was previously implicitly required), and makes usernameSecretRef optional in RedisACLUserConfig. All changes are additive and backward compatible — existing Sentinel-based EmbeddedAuthServerConfig resources with a username are unchanged.

• This PR does not break the v1beta1 API, OR the api-break-allowed label is applied and the migration guidance is described above.

Changes

File	Change
pkg/authserver/storage/redis.go	Add Addr to RedisConfig; update validateConfig (XOR, drop empty-username check); branch NewRedisStorage on standalone vs Sentinel
pkg/authserver/storage/config.go	Add Addr to RedisRunConfig
pkg/authserver/runner/embeddedauthserver.go	Update convertRedisRunConfig to handle Addr XOR SentinelConfig; make convertRedisACLConfig skip username resolution when UsernameEnvVar is empty
cmd/thv-operator/api/v1beta1/mcpexternalauthconfig_types.go	Add Addr to RedisStorageConfig; make SentinelConfig optional; add CEL XValidation; make usernameSecretRef optional
cmd/thv-operator/pkg/controllerutil/authserver.go	Update buildStorageRunConfig to handle standalone path; only populate UsernameEnvVar when usernameSecretRef is present
docs/redis-storage.md	Rewritten to document standalone and Sentinel modes, optional username, TLS CA cert setup, and cluster mode limitation
docs/arch/11-auth-server-storage.md	Updated to reflect standalone support and optional username
docs/server/swagger.json/yaml	Regenerated to include addr field
CRD YAMLs, crd-api.md	Regenerated

Does this introduce a user-facing change?

Yes. Two user-facing changes:

1. Operators can now configure auth server Redis storage with a single addr: "host:port" field instead of requiring a Sentinel deployment. Existing Sentinel configurations are unchanged.
2. usernameSecretRef is now optional. Operators targeting managed Redis tiers without ACL support (GCP Memorystore Basic/Standard HA, Azure Cache for Redis) can omit it and rely on password-only AUTH.

Implementation plan

Approved implementation plan

See docs/superpowers/plans/2026-04-21-authserver-standalone-redis.md.

Special notes for reviewers

• The CEL XValidation rule uses self.addr.size() > 0 rather than self.addr != '' because the gci formatter in golangci-lint converts single-quoted CEL string literals to Unicode curly quotes, which corrupts the generated CRD YAML. The size() > 0 form is semantically equivalent and linter-safe.
• SentinelTLS is only populated when SentinelConfig is non-nil, matching the standalone path that has no separate dialer TLS config.
• go-redis v9 Hello() substitutes "default" for an empty username (see commands.go:363), so HELLO 2 AUTH default <password> is sent for password-only connections. Servers that reject HELLO fall back to legacy AUTH <password> automatically.
• Redis Cluster mode (GCP Memorystore Cluster, ElastiCache Serverless) is out of scope and tracked in Add Redis Cluster mode support to auth server storage #5010.

Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 89.71963% with 11 lines in your changes missing coverage. Please review.
✅ Project coverage is 69.78%. Comparing base (68f4c2f) to head (f9489a4).
⚠️ Report is 57 commits behind head on main.

Files with missing lines	Patch %	Lines
pkg/authserver/runner/embeddedauthserver.go	88.37%	4 Missing and 1 partial ⚠️
pkg/authserver/storage/redis.go	88.88%	2 Missing and 2 partials ⚠️
cmd/thv-operator/pkg/controllerutil/authserver.go	92.85%	1 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #4994      +/-   ##
==========================================
+ Coverage   69.76%   69.78%   +0.01%     
==========================================
  Files         560      560              
  Lines       56475    56513      +38     
==========================================
+ Hits        39399    39436      +37     
  Misses      14053    14053              
- Partials     3023     3024       +1     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[reyortiz3]

@jhrozek comment addressed

[jhrozek]

I think you forgot to push the new code @reyortiz3 ? I only see main merges.

[reyortiz3]

@jhrozek ya, sorry the changes were not pushed, should be updated now/

[jhrozek]

One small item worth a follow-up: the default timeouts (3s read/write, 5s dial) are likely too short for managed-service failover windows — Memorystore and ElastiCache typically take 15–30s to complete a failover, so in-flight ops will error during that window. Worth either raising the defaults or adding a note in the user guide recommending higher values for managed deployments.