fix(operator): move defaults to admission webhook

[Agent-Hellboy]

Summary

• Move MCPServer defaulting into the admission webhook path and register webhook markers on API root types so controller-gen emits webhook configs.
• Keep reconciler compatibility for legacy/unadmitted objects by defaulting an in-memory copy without patching stored spec fields.
• Wire setup to install webhook service/configuration, generate webhook TLS, mount serving certs into the operator, and inject the CA bundle.
• Refresh generated manifests/docs and update tests for webhook setup and non-persisted defaults.

Fixes #18

Validation

• go test ./... -count=1
• go vet ./...
• pre-commit run gitleaks --all-files
• Commit hook: gitleaks, go fmt, staticcheck, go vet, go unit tests, go integration tests, generated file drift

[gemini-code-assist]

Code Review

This pull request transitions the application and persistence of default values from the operator's reconciliation loop to Kubernetes admission webhooks. It introduces a mechanism to pass environment-specific defaults to the webhooks via a new options structure and updates the reconciler to use in-memory defaulting for legacy objects. Additionally, the CLI setup process is enhanced to manage webhook TLS certificates and manifest injection. Review feedback identifies a missing yaml import in the setup package, suggests extending the CA certificate's lifespan for better rotation practices, and recommends using reliable path resolution for reading configuration files.

[gemini-code-assist]

The yaml package is used here (via yaml.NewDecoder), but it is not included in the file's import block. This will cause a compilation error. Please add "gopkg.in/yaml.v3" to the imports.

[gemini-code-assist]

The CA certificate and the serving certificate are configured with the same expiration date (1 year from now). It is a best practice for a Certificate Authority to have a longer lifetime than the certificates it signs to ensure continuity during rotation. Consider increasing the NotAfter duration for the caTemplate.

References

1. Certificates signed by a CA should generally have a shorter lifespan than the CA itself to avoid simultaneous expiration issues.

[gemini-code-assist]

These os.ReadFile calls use relative paths (config/webhook/...). While consistent with some other parts of this file, this makes the setup command fragile if executed from a directory other than the repository root. Consider using assetpath.ResolveRepoAssetPath to resolve these paths reliably.

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 907caeb45e

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[chatgpt-codex-connector]

Reinstate reconcile-time validation fallback

The reconcile loop now defaults the object and proceeds without any MCPServer spec validation, but webhook registration is still conditional on MCP_ENABLE_WEBHOOKS (cmd/operator/main.go). In installs where that env var is unset/false (for example config/default style deployments or older operator pods), malformed CRs such as OAuth without required issuer fields or invalid rollout values bypass admission and reach reconciliation, causing late runtime/deployment failures instead of deterministic API rejection. Please keep controller-side validation as a fallback (or hard-require webhooks at startup) so non-webhook environments don’t silently accept invalid specs.

Useful? React with 👍 / 👎.