⭐️ use Server-Side Apply (SSA) for resource reconciliation

[chris-rock]

Summary

This PR replaces the previous custom Server-Side Apply (SSA) implementation with controller-runtime's upstream CreateOrUpdate pattern.

• Restore pkg/utils/k8s/create_update.go wrapper around ctrl.CreateOrUpdate with controller reference and logging
• Add pkg/utils/k8s/update_fields.go with field-level update helpers (UpdateCronJobFields, UpdateDeploymentFields, UpdateDaemonSetFields) that copy only managed fields, preserving server-set defaults
• Convert all handlers (container_image, k8s_scan, nodes, resource_watcher) to use CreateOrUpdate with field-level mutate functions
• Replace DeleteAllOf with DeleteCompletedJobs to avoid killing running scan Jobs
• Add TerminationMessagePath/TerminationMessagePolicy to all container specs to prevent unnecessary diffs against server defaults
• Delete custom apply.go/apply_test.go (SSA approach)

Why the approach changed

The initial SSA implementation caused integration test failures because:

1. Constant update loop — obj.Spec = desired.Spec in mutate functions zeroed out server-set defaults (DNSPolicy, SchedulerName, TerminationGracePeriodSeconds, etc.), causing DeepEqual to find differences on every reconcile
2. Aggressive job cleanup — DeleteAllOf killed ALL Jobs (including running ones) on every detected "update", preventing scan pods from ever completing

The upstream CreateOrUpdate + field-level updates pattern avoids both issues by only mutating fields the operator manages, letting the API server retain its defaults.

Closes #687

Test plan

• All unit tests pass (make test)
• Linting passes (make lint, make lint/actions)
• Integration tests pass on a real cluster
• Verify resources are created/updated correctly without constant update loops

🤖 Generated with Claude Code

[github-actions]

Test Results

  5 files  ± 0   42 suites  ±0   42m 43s ⏱️ + 4m 36s
293 tests  - 55  293 ✅  - 55  0 💤 ±0  0 ❌ ±0 
315 runs   - 55  313 ✅  - 55  2 💤 ±0  0 ❌ ±0 

Results for commit 983969f. ± Comparison against base commit 784a806.

This pull request removes 55 tests.

go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual
go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual/should_be_equal_when_identical
go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual/should_not_be_equal_when_Pod_volume_definition(s)_differ
go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual/should_not_be_equal_when_concurrency_policy_differ
go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual/should_not_be_equal_when_container_args_differ
go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual/should_not_be_equal_when_container_commands_differ
go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual/should_not_be_equal_when_container_count_differ
go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual/should_not_be_equal_when_container_images_differ
go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual/should_not_be_equal_when_container_resource_requirements_differ
go.mondoo.com/mondoo-operator/pkg/utils/k8s ‑ TestAreCronJobsEqual/should_not_be_equal_when_env_vars_differ
…

♻️ This comment has been updated with latest results.

[imilchev]

I think we should use ctrl.CreateOrUpdate. Here's an example https://github.com/kubernetes-sigs/controller-runtime/blob/2053ba3d414e7cf9b47ae407e5c860556b3113b0/examples/multiclustersync/main.go#L165

[imilchev]

LGTM! Lots of deletes!