@LucasMrqes LucasMrqes commented May 27, 2025

This PR adds authentication methods to secure both the UI and API.
Available methods are Basic Auth (with a randomly generated password set in a k8s secret on first server startup) and OAuth.
SAML auth should be added in another PR.
This PR does not implement any authorization mechanism. Any user that is able to login with the configured OIDC provider has full access to the UI and API.

The helm interface for configuring oidc is as follows:

config:
  burrito:
    server:
      oidc:
        # -- Enable/Disable OIDC authentication for the Burrito server
        enabled: false
        # -- OIDC issuer URL
        issuerUrl: ""
        # -- OIDC client ID
        clientId: ""
        # -- OIDC client secret
        clientSecret:
          # -- Secret name that contains the OIDC client secret in the Burrito namespace
          secretName: "burrito-oidc-secret"
          # -- Secret key of the OIDC client secret in the secret
          secretKey: "clientSecret"
        # -- OIDC Redirect URL, should be the Burrito server URL with /auth/callback appended (ex: https://burrito.example.com/auth/callback)
        redirectUrl: ""
        # -- OIDC scopes to request
        scopes:
          - "openid"
          - "profile"
          - "email"

The OAuth authentication flow was tested with Google Auth Platform. Other non-standard OIDC providers might not work with the exposed interface. In such cases the interface should be updated.

Login page:
[screenshot: login page]

Main page as logged in user:
[screenshot: main page as logged-in user]

@github-project-automation github-project-automation bot moved this to 📋 Backlog in burrito May 27, 2025
@LucasMrqes LucasMrqes marked this pull request as draft May 27, 2025 20:07
codecov-commenter commented May 27, 2025

Codecov Report

❌ Patch coverage is 0% with 317 lines in your changes missing coverage. Please review.
✅ Project coverage is 36.41%. Comparing base (b405b2a) to head (7e0d176).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
internal/server/server.go 0.00% 103 Missing ⚠️
internal/server/auth/oauth/oauth.go 0.00% 90 Missing ⚠️
internal/server/auth/basic/basic.go 0.00% 65 Missing ⚠️
internal/server/utils/sessions.go 0.00% 22 Missing ⚠️
internal/server/utils/logger.go 0.00% 20 Missing ⚠️
internal/server/auth/auth.go 0.00% 17 Missing ⚠️
@@            Coverage Diff             @@
##             main     #611      +/-   ##
==========================================
- Coverage   38.21%   36.41%   -1.81%     
==========================================
  Files          84       89       +5     
  Lines        6303     6615     +312     
==========================================
  Hits         2409     2409              
- Misses       3720     4032     +312     
  Partials      174      174              

@LucasMrqes LucasMrqes changed the title feat: implement basic authentication and OAuth SSO feat: implement basic authentication and OAuth May 30, 2025
@corrieriluca corrieriluca moved this from 📋 Backlog to 🏗 In progress in burrito May 30, 2025
@LucasMrqes LucasMrqes changed the title feat: implement basic authentication and OAuth feat: add basic authentication and OAuth Jun 3, 2025
@LucasMrqes LucasMrqes changed the title feat: add basic authentication and OAuth feat: add basic and oAuth authentication Jun 13, 2025
@LucasMrqes LucasMrqes changed the title feat: add basic and oAuth authentication feat: add basic and OAuth authentication Jun 13, 2025
@LucasMrqes LucasMrqes requested a review from Copilot June 13, 2025 15:31

Copilot AI left a comment

Pull Request Overview

This PR introduces Basic and OAuth authentication across the UI and API, adds session management on the server, and updates documentation and Helm charts for new auth settings.

  • Adds profile picture display with initials fallback and settings toggle in UI
  • Implements Basic and OIDC auth handlers, session middleware, and auth routes on the server
  • Updates docs, mkdocs navigation, and Helm values/templates to configure OIDC and sessions

Reviewed Changes

Copilot reviewed 24 out of 24 changed files in this pull request and generated 2 comments.

File Description
ui/src/components/misc/ProfilePicture.tsx Fetches user info, shows picture or initials, toggles settings menu
ui/src/components/core/Button.tsx Added type prop to buttons
ui/src/components/buttons/SSOButton.tsx New SSO login button wrapping core Button
ui/src/clients/auth/client.ts Client methods for login, auth type, and user info
ui/src/App.tsx Configured React Query defaults to handle 401 redirects
mkdocs.yml Added user-authentication.md to documentation nav
internal/server/utils/sessions.go Session cookie removal and invalidation helpers
internal/server/utils/logger.go Request logger config logging user email
internal/server/server.go Session store setup, static asset skipper, auth routes & middleware
internal/server/auth/oauth/oauth.go OIDC provider setup, login and callback handlers
internal/server/auth/basic/basic.go Basic auth secret generation and login handler
internal/server/auth/auth.go Logout and user info endpoint
internal/burrito/config/config.go Added OIDC and session config types
go.mod Updated dependency versions
docs/operator-manual/user-authentication.md New guide for Basic and OIDC authentication
docs/guides/ui.md Added authentication section to UI guide
deploy/charts/burrito/values.yaml Default OIDC and session values
deploy/charts/burrito/templates/rbac-server.yaml Granted controller access to secrets
deploy/charts/burrito/templates/controllers.yaml Removed hardcoded main-namespace env var
deploy/charts/burrito/templates/config.yaml Injected mainNamespace into controller config
Comments suppressed due to low confidence (2)

internal/server/server.go:18

  • [nitpick] The import alias a is ambiguous. Rename it to auth for clarity and consistency.
a "github.com/padok-team/burrito/internal/server/auth"

internal/server/server.go:218

  • [nitpick] Consider adding unit or integration tests to cover authMiddleware, verifying behavior for authenticated and unauthenticated requests.
func (s *Server) authMiddleware() echo.MiddlewareFunc {
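
As an added illustration (not code from this PR or the burrito project), the snippet below shows the session-gating behaviour that the PR description and the review comment above describe: a skipper for public routes and static assets, a bare 401 for unauthenticated API calls (which the UI client turns into a redirect), and a redirect to the login page for unauthenticated browser navigations. It is written against net/http rather than Echo so it runs without the project's dependencies; the cookie name, the X-User-Email header, the skipped path prefixes and the in-memory session map are all assumptions standing in for the PR's own session store.

```go
package main

import (
	"net/http"
	"strings"
)

// SessionStore is a constructed, single-goroutine stand-in for the PR's
// cookie-backed session store: session ID -> authenticated user's email.
type SessionStore map[string]string

// skipAuth plays the role of the PR's static-asset skipper: the login/auth
// routes and bundled assets are public, everything else is gated.
// The path prefixes are assumptions, not the project's real routes.
func skipAuth(path string) bool {
	return path == "/login" || strings.HasPrefix(path, "/auth/") || strings.HasPrefix(path, "/assets/")
}

// AuthMiddleware gates a handler on a valid session cookie. API calls get a
// bare 401 (the UI's query client redirects on 401); browser navigations are
// sent straight to /login. Cookie and header names are constructed.
func AuthMiddleware(store SessionStore, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if skipAuth(r.URL.Path) {
			next.ServeHTTP(w, r)
			return
		}
		if c, err := r.Cookie("burrito_session"); err == nil {
			if email, ok := store[c.Value]; ok {
				r.Header.Set("X-User-Email", email) // identity for the request logger
				next.ServeHTTP(w, r)
				return
			}
		}
		if strings.HasPrefix(r.URL.Path, "/api/") {
			w.Header().Set("Content-Type", "application/json")
			w.WriteHeader(http.StatusUnauthorized)
			_, _ = w.Write([]byte(`{"error":"unauthorized"}`))
			return
		}
		http.Redirect(w, r, "/login", http.StatusFound)
	})
}
```

An unknown or stale session ID falls through to the same 401/redirect path as a missing cookie, so a forged cookie value gains nothing without a server-side session entry.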

@LucasMrqes LucasMrqes marked this pull request as ready for review June 13, 2025 16:03
@Laudenlaruto Laudenlaruto moved this from 🏗 In progress to 👀 In review in burrito Jun 20, 2025
@corrieriluca corrieriluca merged commit b4cd4d2 into main Aug 29, 2025
12 of 14 checks passed
@corrieriluca corrieriluca deleted the feat/sso-oidc branch August 29, 2025 16:09
@github-project-automation github-project-automation bot moved this from 👀 In review to ✅ Done in burrito Aug 29, 2025