
feat: Provision minimal TokenReview RBAC for OIDC auth and add SSL error logging in token parser#6240

Open
aniketpalu wants to merge 2 commits intofeast-dev:masterfrom
aniketpalu:oidc-rbac-ssl-logging

Conversation

@aniketpalu
Contributor

@aniketpalu aniketpalu commented Apr 8, 2026

What this PR does / why we need it:

When `authz: oidc` is configured, the Feast server delegates Kubernetes service account (SA) tokens to a lightweight TokenReview for validation and namespace extraction. This requires the server SA to have `tokenreviews/create` permission. Previously, this RBAC was not provisioned automatically by the operator for OIDC deployments (only for `authz: kubernetes`), requiring manual ClusterRole creation.

Operator: OIDC TokenReview RBAC

The operator now provisions a dedicated `feast-oidc-token-review` ClusterRole and ClusterRoleBinding when `authz: oidc` is configured. The ClusterRole contains exactly one rule:

  • authentication.k8s.io/tokenreviews/create

This is the minimum permission needed for the SA token delegation path. No additional RBAC queries (rolebindings, clusterroles, namespaces) are granted, unlike the `authz: kubernetes` path which needs broader permissions for `KubernetesTokenParser`.

Cleanup is handled automatically when switching auth types:

  • OIDC to kubernetes: OIDC ClusterRole + ClusterRoleBinding deleted
  • OIDC to no_auth: OIDC ClusterRole + ClusterRoleBinding deleted
  • kubernetes/no_auth to OIDC: OIDC ClusterRole + ClusterRoleBinding created

SDK: SSL Error Logging

When `verify_ssl: true` is set but the OIDC provider uses self-signed certificates without a configured `ca_cert_path`, the server fails to reach the JWKS/discovery endpoints. Previously, this produced a generic "Invalid token" log with no indication of the root cause. The token parser now detects SSL errors in the exception chain and logs a clear, actionable message:

OIDC provider SSL certificate verification failed. If using a self-signed certificate,
set verify_ssl: false or provide a CA certificate via ca_cert_path.

This applies to both the discovery endpoint (`_validate_token`) and the JWKS endpoint (`_decode_token`) error paths.

Which issue(s) this PR fixes:

Follow up to #6089

Checks

  • I've made sure the tests are passing.
  • My commits are signed off (git commit -s)
  • My PR title follows conventional commits format

Testing Strategy

  • Unit tests
  • Integration tests
  • Manual tests
  • Testing is not required for this change

Misc
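The description above stresses that the OIDC ClusterRole carries exactly one grant (`tokenreviews/create` in `authentication.k8s.io`) and nothing broader. Below is an added example, not code from this PR or from the Feast operator, that audits a ClusterRole manifest (already parsed into a dict) against that single allowed permission. The `MINIMAL_OIDC_CLUSTERROLE` manifest is constructed here for illustration; only the role name and the rule come from the PR text. Wildcards (`*`) and `nonResourceURLs` grants are reported as excess because they widen the role beyond the delegation path.

```python
# Constructed manifest in dict form (what yaml.safe_load would return).
# Role name and the single rule come from the PR description; the rest is assumed.
MINIMAL_OIDC_CLUSTERROLE = {
    "apiVersion": "rbac.authorization.k8s.io/v1",
    "kind": "ClusterRole",
    "metadata": {"name": "feast-oidc-token-review"},
    "rules": [
        {
            "apiGroups": ["authentication.k8s.io"],
            "resources": ["tokenreviews"],
            "verbs": ["create"],
        },
    ],
}

# The only (apiGroup, resource, verb) triple the OIDC delegation path needs.
ALLOWED_GRANTS = {("authentication.k8s.io", "tokenreviews", "create")}


def expand_rule(rule):
    """Yield every (apiGroup, resource, verb) triple a rule grants.

    Wildcards are yielded literally as '*' so the caller can flag them;
    they are never silently treated as a match for the allowed triple.
    """
    for group in rule.get("apiGroups", []):
        for resource in rule.get("resources", []):
            for verb in rule.get("verbs", []):
                yield (group, resource, verb)


def audit_oidc_clusterrole(manifest):
    """Return a list of grants that go beyond the single TokenReview permission.

    An empty list means the role is exactly as minimal as the PR describes.
    """
    excess = []
    for rule in manifest.get("rules", []):
        # Non-resource URL grants (e.g. /metrics) are never needed for TokenReview.
        if rule.get("nonResourceURLs"):
            excess.append(
                ("nonResourceURLs", tuple(rule["nonResourceURLs"]), tuple(rule.get("verbs", [])))
            )
        for triple in expand_rule(rule):
            if triple not in ALLOWED_GRANTS:
                excess.append(triple)
    return excess


if __name__ == "__main__":
    print("excess grants:", audit_oidc_clusterrole(MINIMAL_OIDC_CLUSTERROLE))
```

Running the audit as part of an operator test or an admission check catches the two common ways such a role drifts: an extra rule copied over from the `authz: kubernetes` role (rolebindings, clusterroles, namespaces reads) and a wildcard verb or resource added "to make it work".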

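The SDK change above replaces a generic "Invalid token" log with an actionable message whenever an SSL failure sits somewhere in the exception chain behind the discovery or JWKS fetch. The following is an added example, not the PR's or Feast's own token-parser code, showing how such a chain walk works: `find_ssl_error` follows `__cause__`/`__context__` links until it finds an `ssl.SSLError`, and `validate_token` uses it to choose the log line. `fetch_discovery_document` and `DiscoveryError` are constructed stand-ins for the real HTTPS client call and its wrapper exception; the Feast method names `_validate_token` and `_decode_token` from the PR are not reproduced here.

```python
import logging
import ssl

logger = logging.getLogger("oidc_token_parser_example")  # hypothetical logger name

# Message text taken from the PR description.
SSL_HINT = (
    "OIDC provider SSL certificate verification failed. If using a self-signed "
    "certificate, set verify_ssl: false or provide a CA certificate via ca_cert_path."
)
GENERIC_FAILURE = "Invalid token"


def find_ssl_error(exc):
    """Walk the exception chain and return the first ssl.SSLError, or None.

    Follows __cause__ (explicit 'raise ... from') first, then __context__
    (implicit chaining inside an except block). A seen-set guards against
    cycles, which can occur when exceptions are re-raised in odd ways.
    """
    seen = set()
    current = exc
    while current is not None and id(current) not in seen:
        seen.add(id(current))
        if isinstance(current, ssl.SSLError):
            return current
        current = current.__cause__ if current.__cause__ is not None else current.__context__
    return None


class DiscoveryError(Exception):
    """Constructed stand-in for the HTTP client's wrapper exception."""


def fetch_discovery_document(provider_url, verify_ssl=True, ca_cert_path=None):
    """Constructed stand-in for the HTTPS discovery fetch.

    Simulates a provider with a self-signed certificate: verification fails
    unless it is disabled or a CA bundle path is supplied. The real client
    would raise its own wrapper exception with the ssl error chained beneath.
    """
    if verify_ssl and ca_cert_path is None:
        try:
            raise ssl.SSLCertVerificationError(1, "certificate verify failed: self-signed certificate")
        except ssl.SSLCertVerificationError as err:
            raise DiscoveryError(f"failed to fetch {provider_url}/.well-known/openid-configuration") from err
    return {"issuer": provider_url}


def validate_token(provider_url, verify_ssl=True, ca_cert_path=None):
    """Return (ok, logged_message) for the discovery step of token validation."""
    try:
        fetch_discovery_document(provider_url, verify_ssl=verify_ssl, ca_cert_path=ca_cert_path)
    except Exception as exc:
        if find_ssl_error(exc) is not None:
            logger.error(SSL_HINT)
            return False, SSL_HINT
        logger.error("%s: %s", GENERIC_FAILURE, exc)
        return False, GENERIC_FAILURE
    return True, "ok"


if __name__ == "__main__":
    print(validate_token("https://idp.example", verify_ssl=True))
    print(validate_token("https://idp.example", verify_ssl=False))
```

The same helper serves both error paths the PR names (discovery and JWKS), because the decision depends only on what is chained beneath the client's exception, not on which endpoint was being fetched. Matching on `ssl.SSLError` rather than on message text keeps the check stable across HTTP client versions.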


…ror logging in token parser

Signed-off-by: Aniket Paluskar <[email protected]>
@aniketpalu aniketpalu requested a review from a team as a code owner April 8, 2026 15:11
