
feat: native IRSA auth#785

Open
knechtionscoding wants to merge 2 commits into kelos-dev:main from knechtionscoding:feat/bedrock-native-auth

Conversation


@knechtionscoding knechtionscoding commented Mar 24, 2026

What type of PR is this?

/kind feature

What this PR does / why we need it:

Add a new bedrock credential type that allows running Claude Code tasks via AWS Bedrock instead of the Anthropic API directly. Supports two modes:

  1. Static credentials — AWS access keys stored in a Kubernetes Secret
  2. IRSA (IAM Roles for Service Accounts) — no Secret needed; the pod assumes an IAM role via a projected service account token

Also refactors credential injection into a centralized credentialEnvVars() function so that adding future providers (e.g. Vertex) requires only a new case block.

Changes:

  • Add CredentialTypeBedrock constant and update CRD enum validation
  • Make Credentials.SecretRef a pointer (*SecretReference) — optional for bedrock, required for api-key/oauth (enforced via CEL validation)
  • Add Credentials.Region and Credentials.ServiceAccountName fields for IRSA support
  • Add credentialEnvVars() to centralize credential env var injection for all types
  • Support bedrock config block in CLI for both static credentials and IRSA mode
  • Add --region and --service-account CLI flags
  • Add unit tests for both bedrock static credentials and IRSA mode
  • Add example manifests in examples/09-bedrock-credentials/

Which issue(s) this PR is related to:

Fixes #780

Special notes for your reviewer:

  • API breaking change: Credentials.SecretRef changed from value type to pointer. All existing manifests with secretRef set continue to work — the CRD is backwards-compatible. CEL validation ensures secretRef is still required for api-key and oauth types.
  • AWS_SESSION_TOKEN and ANTHROPIC_BEDROCK_BASE_URL are injected with Optional: true on the SecretKeySelector, so pods won't fail if those keys are absent from the Secret.
  • The credentialEnvVars() refactor is a no-op for existing api-key and oauth types — it just moves the same logic into a single function.
  • In IRSA mode, only CLAUDE_CODE_USE_BEDROCK=1 and AWS_REGION are injected as literal env vars — the AWS SDK handles the rest via the projected token.

Does this PR introduce a user-facing change?

Add `bedrock` credential type for running Claude Code tasks via AWS Bedrock. Supports static AWS credentials via a Secret (`credentials.type: bedrock` with `secretRef`) and IAM Roles for Service Accounts (IRSA) without a Secret (`credentials.type: bedrock` with `region` and `serviceAccountName`).
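The two bedrock modes the description lays out, as an added Go example (not the project's code): simplified stand-ins for the CRD fields and for corev1.EnvVar, a check equivalent to the CEL rule, and the env var sets for static and IRSA mode. That Secret key names equal the env var names, and that region and serviceAccountName are required in IRSA mode, are assumptions of this example.

```go
package main

import "fmt"

// Simplified stand-ins for the CRD fields named in the PR (assumed shapes, not the project's types).
type SecretReference struct{ Name string }
type Credentials struct {
	Type, Region, ServiceAccountName string
	SecretRef                        *SecretReference
}
// EnvVar models the two corev1.EnvVar forms the PR uses: a literal Value, or a
// key read from a Secret that may be marked Optional.
type EnvVar struct {
	Name, Value, SecretName, SecretKey string
	Optional                           bool
}

const CredentialTypeBedrock = "bedrock"
// credentialEnvVars applies the PR's CEL rule (secretRef required for api-key/oauth, optional
// for bedrock), then builds the bedrock env vars. Secret key names are assumed to equal the env var names.
func credentialEnvVars(c Credentials) ([]EnvVar, error) {
	switch c.Type {
	case "api-key", "oauth":
		if c.SecretRef == nil {
			return nil, fmt.Errorf("secretRef is required for type %q", c.Type)
		}
		return nil, fmt.Errorf("type %q is not modelled in this example", c.Type)
	case CredentialTypeBedrock:
	default:
		return nil, fmt.Errorf("unknown credential type %q", c.Type)
	}
	env := []EnvVar{{Name: "CLAUDE_CODE_USE_BEDROCK", Value: "1"}}
	if c.SecretRef == nil { // IRSA: literals only; the AWS SDK reads the projected token itself
		if c.Region == "" || c.ServiceAccountName == "" {
			return nil, fmt.Errorf("bedrock IRSA mode needs region and serviceAccountName")
		}
		return append(env, EnvVar{Name: "AWS_REGION", Value: c.Region}), nil
	}
	fromSecret := func(k string, opt bool) EnvVar { // static mode: keys come from the Secret
		return EnvVar{Name: k, SecretName: c.SecretRef.Name, SecretKey: k, Optional: opt}
	}
	return append(env, fromSecret("AWS_ACCESS_KEY_ID", false), fromSecret("AWS_SECRET_ACCESS_KEY", false),
		fromSecret("AWS_REGION", false), fromSecret("AWS_SESSION_TOKEN", true),
		fromSecret("ANTHROPIC_BEDROCK_BASE_URL", true)), nil
}

func main() {
	env, err := credentialEnvVars(Credentials{Type: CredentialTypeBedrock, Region: "us-east-1", ServiceAccountName: "claude-runner"})
	fmt.Println(env, err) // constructed IRSA input: two literal env vars, no Secret referenced
}
```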

Summary by cubic

Add a new bedrock credential type to run Claude Code via AWS Bedrock using either static AWS credentials or IRSA. Also updates CRD, CLI, and job env var injection to support region/service account and simplify adding future providers.

  • New Features

    • credentials.type: bedrock with two modes:
      • Secret: injects AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY, AWS_REGION (optional AWS_SESSION_TOKEN, ANTHROPIC_BEDROCK_BASE_URL)
      • IRSA: no Secret; injects CLAUDE_CODE_USE_BEDROCK=1 and AWS_REGION
    • CRD: add credentials.region and credentials.serviceAccountName; secretRef optional for bedrock (enforced via CEL; still required for api-key and oauth)
    • CLI: support bedrock config block and --region, --service-account flags; prevents mixing oauthToken, apiKey, and bedrock
    • Centralized credential env var injection via credentialEnvVars()
    • Examples and tests for both static and IRSA modes
  • Migration

    • API change: Credentials.SecretRef is now a pointer (*SecretReference). Existing manifests continue to work; no changes needed for api-key/oauth. For Bedrock IRSA, omit secretRef and set region and serviceAccountName.

Written for commit d9c9943. Summary will update on new commits.

knechtionscoding and others added 2 commits March 24, 2026 17:06
Add a new `bedrock` credential type that injects AWS environment
variables (CLAUDE_CODE_USE_BEDROCK, AWS_ACCESS_KEY_ID,
AWS_SECRET_ACCESS_KEY, AWS_REGION) from a referenced Secret, with
optional support for AWS_SESSION_TOKEN and ANTHROPIC_BEDROCK_BASE_URL.

Refactor credential injection into a centralized credentialEnvVars()
function so that adding future providers (e.g. Vertex) requires only
a new case block.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Make Credentials.SecretRef a pointer (*SecretReference) so it can be
omitted for bedrock credentials using IAM Roles for Service Accounts.
Add Region and ServiceAccountName fields to Credentials for IRSA mode.

CEL validation ensures secretRef remains required for api-key and oauth
credential types. In IRSA mode, only CLAUDE_CODE_USE_BEDROCK=1 and
AWS_REGION are injected — the AWS SDK handles auth via the projected
service account token.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@knechtionscoding knechtionscoding changed the title from "Feat/bedrock native auth" to "feat: native IRSA auth" on Mar 24, 2026

@cubic-dev-ai cubic-dev-ai bot left a comment


No issues found across 28 files

@knechtionscoding (Author)

I have confirmed that this works by running locally against my cluster and spawning tasks with the new CRDs.

@github-actions github-actions bot added the needs-triage, needs-kind, needs-priority and needs-actor labels on Mar 24, 2026

Development

Successfully merging this pull request may close these issues.

Allow for authentication via bedrock instead of Anthropic directly

1 participant