Fix imagePullSecrets propagation to ProxyRunner #3557
Sanskarzz wants to merge 2 commits into stacklok:main from
Signed-off-by: Sanskarzz <sanskar.gur@gmail.com>
Codecov Report
❌ Patch coverage is
Additional details and impacted files
@@ Coverage Diff @@
## main #3557 +/- ##
==========================================
- Coverage 65.53% 65.48% -0.05%
==========================================
Files 405 405
Lines 39678 39692 +14
==========================================
- Hits 26004 25994 -10
- Misses 11672 11693 +21
- Partials 2002 2005 +3
jerm-dro left a comment
Thanks for picking this issue up! Your fix here would resolve the user's reported problem, but I'd like to implement it differently.
A little background
The MCPServer consists of two separate servers: 1) the proxyrunner, which is deployed as a Deployment by the controller and 2) the mcp server / backend which is deployed as a statefulset by the proxyrunner.
My concern with this change
The proxyrunner has a hardcoded podTemplateSpec. The podTemplateSpec (defined here) on the MCPServer that the user was using is actually only intended to control the backend. We can see here the podTemplateSpec being used to construct the final spec and here it is plumbed into the proxyrunner as an arg so it can create the statefulset.
In summary, podTemplateSpec is only intended to provide configuration for the backend server, not the proxyrunner. Your change plucks a single field out of the podTemplateSpec and applies it to the proxyrunner. I think this makes the API more confusing as it's unclear which fields within the spec will be applied to the proxyrunner.
Proposed Fix
- The documentation around the podTemplateSpec should be more clear. This is ONLY for configuring the backend server and not the proxyrunner.
- The actual fix should be introducing an imagePullSecrets field to the ProxyDeploymentOverrides, which allows for explicitly overwriting the imagePullSecrets used for the proxyrunner.
Fix: #3436
This PR fixes a bug where imagePullSecrets defined in the MCPServer PodTemplateSpec were ignored by the ProxyRunner deployment and ServiceAccount.
Update RBAC helper and MCPServer controller to extract secrets from PodTemplateSpec and apply them to generated resources.
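The separation the review asks for, sketched as an added example (not code from this PR or from the project): the types below are simplified, hypothetical stand-ins for the operator's API, and applying the override to both the proxyrunner Deployment and its ServiceAccount is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// Hypothetical, simplified stand-ins for the API in the review, not the operator's real types.
type PodTemplateSpec struct{ ImagePullSecrets []string }          // configures the backend only
type ProxyDeploymentOverrides struct{ ImagePullSecrets []string } // field proposed in the review
type MCPServerSpec struct {
	PodTemplateSpec *PodTemplateSpec
	ProxyOverrides  *ProxyDeploymentOverrides
}

// PullSecrets records which secret names end up on which generated object.
type PullSecrets struct{ ProxyDeployment, ProxyServiceAccount, BackendStatefulSet []string }

// normalize drops empty and duplicate names and sorts the rest, so the
// generated objects stay identical across reconciles of the same spec.
func normalize(names []string) []string {
	seen, out := map[string]bool{}, []string{}
	for _, n := range names {
		if n != "" && !seen[n] {
			seen[n] = true
			out = append(out, n)
		}
	}
	sort.Strings(out)
	return out
}

// Resolve keeps the two sources apart: the override feeds the proxyrunner
// Deployment and ServiceAccount, podTemplateSpec feeds only the backend.
func Resolve(s MCPServerSpec) PullSecrets {
	var proxy, backend []string
	if s.ProxyOverrides != nil {
		proxy = s.ProxyOverrides.ImagePullSecrets
	}
	if s.PodTemplateSpec != nil {
		backend = s.PodTemplateSpec.ImagePullSecrets
	}
	return PullSecrets{normalize(proxy), normalize(proxy), normalize(backend)}
}

func main() { // constructed sample spec; the secret names are made up
	fmt.Printf("%+v\n", Resolve(MCPServerSpec{
		PodTemplateSpec: &PodTemplateSpec{ImagePullSecrets: []string{"backend-registry"}},
		ProxyOverrides:  &ProxyDeploymentOverrides{ImagePullSecrets: []string{"proxy-registry", "proxy-registry"}},
	}))
}
```

With only podTemplateSpec set, the proxyrunner objects get no pull secrets, which makes the scope of each field explicit instead of borrowing one field from the backend's template.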