[Gap]: Document vMCP deployment modes and backend discovery

[jerm-dro]

What needs documentation?

The vMCP operator supports two deployment modes based on the outgoingAuth.source field, allowing operators to choose between operational convenience and minimal attack surface.

Mode	ConfigMap	RBAC	vMCP K8s Access
discovered (dynamic)	Minimal	Full	Namespace-scoped read + status write
inline (static)	Full with backends	None	Zero

Key features that need documentation:

• How to configure each mode via the outgoingAuth.source field
• Security trade-offs and when to use each mode
• For dynamic mode:
  • What happens when MCPServer resources are added, modified, or removed
  • How to verify backend status via the /status HTTP endpoint
  • How the VirtualMCPServer CRD status reflects discovered backends and runtime health
• For static mode:
  • How to configure backends inline
• Mode switching behavior (triggers pod restart)

Context and references

Implementation issues:

• Refactor VirtualMCPServer controller to use runtime-reported status toolhive#2855
• Mode-aware ConfigMap and RBAC generation in operator toolhive#3003

Use case

As a platform operator running vMCP in production, I want to choose between dynamic mode (enables zero-downtime backend updates) and static mode (zero K8s access, minimal attack surface), so that I can optimize for either operational convenience or security based on my deployment's requirements.

Additional context

Dynamic mode example:

outgoing_auth:
  source: discovered  # vMCP discovers backends at runtime

Static mode example:

outgoing_auth:
  source: inline
backends:
  - name: github-mcp
    url: http://github-mcp.default.svc:8080
    auth:
      type: token_exchange