Respect INSECURE_DISABLE_URL_VALIDATION in upstream auth HTTP client#3981

Open

jhrozek wants to merge 1 commit into main from authserver-respect-insecure-validation

jhrozek commented Mar 3, 2026

UserInfoConfig.Validate() and newHTTPClientForHost() did not check the INSECURE_DISABLE_URL_VALIDATION env var, unlike the rest of the networking validation code. This caused the embedded auth server to reject non-localhost HTTP userinfo URLs and block requests to in-cluster services on private IPs, even when the env var was explicitly set.
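The behaviour described above, as an added Go sketch that is not the project's code: one helper reads the override, and both the userinfo URL check and the HTTP client's address guard take its result, so the two cannot disagree. The function names `insecureValidationDisabled`, `validateUserInfoURL` and `checkDialTarget`, the accepted value `true`, and the sample hosts are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"net/url"
	"os"
	"strings"
)

// insecureValidationDisabled is the single place the override is read.
// Assumption: the value "true" (any case) turns validation off.
func insecureValidationDisabled() bool {
	return strings.EqualFold(os.Getenv("INSECURE_DISABLE_URL_VALIDATION"), "true")
}

// validateUserInfoURL (hypothetical) accepts HTTPS, accepts plain HTTP only
// for loopback hosts, and relaxes the HTTP rule only when insecure is true.
func validateUserInfoURL(raw string, insecure bool) error {
	u, err := url.Parse(raw)
	if err != nil || u.Hostname() == "" {
		return fmt.Errorf("invalid userinfo URL %q", raw)
	}
	host := u.Hostname()
	ip := net.ParseIP(host)
	loopback := host == "localhost" || (ip != nil && ip.IsLoopback())
	switch {
	case u.Scheme == "https", u.Scheme == "http" && (insecure || loopback):
		return nil
	case u.Scheme == "http":
		return errors.New("http userinfo URL is only allowed for localhost")
	}
	return fmt.Errorf("unsupported scheme %q", u.Scheme)
}

// checkDialTarget (hypothetical) is the client-side guard on a resolved
// address: private and link-local targets are refused unless insecure is true.
func checkDialTarget(ip net.IP, insecure bool) error {
	if !insecure && (ip.IsPrivate() || ip.IsLinkLocalUnicast() || ip.IsUnspecified()) {
		return fmt.Errorf("refusing to connect to non-public address %s", ip)
	}
	return nil
}

func main() {
	insecure := insecureValidationDisabled() // read once, passed to every check
	fmt.Println(validateUserInfoURL("http://idp.internal.example/userinfo", insecure))
	fmt.Println(checkDialTarget(net.ParseIP("10.0.0.12"), insecure)) // constructed address
}
```

Unsupported schemes stay rejected even with the override set, which keeps the insecure mode limited to the two checks the description names.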

github-actions bot added the size/XS (Extra small PR: < 100 lines changed) label Mar 3, 2026

codecov bot commented Mar 3, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 68.57%. Comparing base (c46ae47) to head (87804c2).

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #3981      +/-   ##
==========================================
+ Coverage   68.56%   68.57%   +0.01%     
==========================================
  Files         437      437              
  Lines       44662    44664       +2     
==========================================
+ Hits        30621    30628       +7     
+ Misses      11657    11652       -5     
  Partials     2384     2384              
