Wire identityFromToken through authserver config and runtime

[jhrozek]

Summary

The identityFromToken field was added to the v1beta1 CRD in #5269 but the translation layers that carry it from the CRD into the running auth server were missing, so the field was silently ignored.

• Add the operator-side translation: v1beta1.IdentityFromTokenConfig → authserver.IdentityFromTokenRunConfig in buildOAuth2UpstreamRunConfig (mirrors TokenResponseMapping plumbing)
• Add the runtime-side translation: authserver.IdentityFromTokenRunConfig → upstream.IdentityFromTokenConfig in buildPureOAuth2Config
• Add IdentityFromTokenRunConfig type to pkg/authserver/config.go alongside TokenResponseMappingRunConfig
• Fix RegisterModifiers() — the call existed only in test TestMain functions, so @upstreamjwt modifier paths silently no-op'd in production; move the call into NewEmbeddedAuthServer and guard it with sync.Once to prevent races between concurrent constructors
• Add startup validation: reject identity_from_token configs where subject_path is empty (would produce sub: "" in issued tokens)
• Remove omitempty from SubjectPath struct tag to reflect its required-when-set semantics

Type of change

• New feature

Test plan

• Unit tests (task test)
• Linting (task lint-fix)

Unit tests cover:

• Round-trip translation on both the operator side (TestBuildAuthServerRunConfig) and runner side (TestBuildPureOAuth2ConfigIdentityFromToken) for nil, partial, and full-fields cases
• New OAuth2UpstreamRunConfig.Validate cases for empty SubjectPath rejection

API Compatibility

• This PR does not break the v1beta1 API, OR the api-break-allowed label is applied and the migration guidance is described above.

Changes

File	Change
cmd/thv-operator/pkg/controllerutil/authserver.go	CRD → RunConfig translation for IdentityFromToken, moved inside buildOAuth2UpstreamRunConfig
cmd/thv-operator/pkg/controllerutil/authserver_test.go	Three new table cases covering full, partial, and nil IdentityFromToken
pkg/authserver/config.go	New IdentityFromTokenRunConfig type; field on OAuth2UpstreamRunConfig; Validate rejects empty SubjectPath
pkg/authserver/config_test.go	Three new Validate cases for IdentityFromToken
pkg/authserver/runner/embeddedauthserver.go	RegisterModifiers() call in constructor; RunConfig → upstream translation
pkg/authserver/runner/embeddedauthserver_test.go	Three new subtests for nil/partial/full round-trip
pkg/authserver/upstream/identity_from_token.go	sync.Once guard on modifier registration; fix stale v1alpha1 → v1beta1 comment

Special notes for reviewers

RegisterModifiers() previously relied on callers (only test TestMain functions) to register the @upstreamjwt gjson modifier before use. The sync.Once guard ensures registration happens exactly once even under concurrent NewEmbeddedAuthServer calls, which is safe because gjson's modifier map has no internal synchronisation.

Generated with Claude Code

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.41%. Comparing base (17451d1) to head (1c1749c).

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #5285      +/-   ##
==========================================
+ Coverage   68.37%   68.41%   +0.04%     
==========================================
  Files         619      619              
  Lines       63318    63334      +16     
==========================================
+ Hits        43293    43333      +40     
+ Misses      16794    16765      -29     
- Partials     3231     3236       +5     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.