feature(operator): VersusIncident Kubernetes operator (CRD + controller)

[nghiadaulau]

What

A Kubernetes operator (kubebuilder / controller-runtime, group ops.versuscontrol.io) that manages Versus Incident declaratively — a self-healing alternative to the Helm chart. A single VersusIncident custom resource reconciles into a ConfigMap + Deployment + Service with owner references (garbage collection) and status reporting.

Lives in its own nested Go module under operator/ so the app module is untouched — CI's go build ./... skips it.

apiVersion: ops.versuscontrol.io/v1alpha1
kind: VersusIncident
spec:
  image: { repository: ..., tag: ... }
  gatewaySecretName: versus-secrets
  telegram: { enabled: true, secretName: versus-secrets }
  agent:
    mode: detect
    ai: { baseURL: "...gemini...", model: gemini-2.5-flash-lite, apiKeySecretName: versus-secrets }

Highlights

• CRD + RBAC + DeepCopy generated via controller-gen; standard kubebuilder layout (api/, internal/controller/, config/, Makefile, PROJECT).
• Secrets are referenced, never embedded in the CR.
• The rendered in-pod config includes the full agent detection config (regex/redaction/miner/catalog/service_patterns) so the agent works out of the box.
• make docker-build deploy, then kubectl apply a CR.

Verified

On minikube: CR → operator reconciles into Deployment/Service/ConfigMap (owner refs); pod healthy; agent boots mode=detect, runs the full detect → Gemini → Telegram loop; deleting the CR cascade-deletes all children; recreating self-heals. go build/go vet clean.

🤖 Generated with Claude Code