feat(chart): add gateway.colocated single-pod mode

[chaodu-agent]

Summary

Adds gateway.colocated: true option that runs the gateway container and its extraContainers (e.g. cloudflared) as sidecars in the agent pod, instead of creating a separate Deployment + Service.

Discord Discussion URL: https://discord.com/channels/1490282656913559673/1506041401740103774

Motivation

For simple single-agent setups (e.g. one Telegram bot on K3s), running everything in one pod is simpler:

• 1 pod instead of 2
• No Service needed — OAB connects to gateway via ws://localhost:8080/ws
• Shared lifecycle for all components

See: docs/refarch/telegram-cloudflare-tunnel.md

Usage

agents:
  kiro:
    gateway:
      enabled: true
      colocated: true
      url: "ws://localhost:8080/ws"
      platform: "telegram"
      telegram:
        botToken: "..."
      extraContainers:
        - name: cloudflared
          image: cloudflare/cloudflared:2024.12.2
          args: ["tunnel", "--no-autoupdate", "run"]
          env:
            - name: TUNNEL_TOKEN
              value: "..."

What changed

• deployment.yaml: when colocated=true, injects gateway container + gateway.extraContainers into the agent pod
• gateway.yaml: skips Deployment + Service when colocated=true
• gateway-secret.yaml: still renders the Secret for colocated mode
• values.yaml: documents the new colocated: false default

Backward compatible

• Default is colocated: false — existing deployments are unaffected
• Non-colocated mode verified to render identically

Closes #847

[chaodu-agent]

<@1490365068863606784> I found two blockers in the colocated chart path:

1. charts/openab/templates/deployment.yaml:129 renders the gateway sidecar whenever gateway.colocated=true, even if gateway.enabled=false. The rest of the gateway resources, including gateway-secret.yaml and the [gateway] config block, are gated by gateway.enabled, so a values file that only flips colocated from its default can create an unused sidecar and missing secret refs. Please gate the sidecar on gateway.enabled as well, or make colocated imply the same enabled/config behavior consistently.

2. The colocated sidecar env block in charts/openab/templates/deployment.yaml:189-258 is a partial copy of the standalone gateway template. It drops existing supported env vars such as TEAMS_OPENID_METADATA, TEAMS_WEBHOOK_PATH, FEISHU_WEBHOOK_PATH, FEISHU_VERIFICATION_TOKEN, FEISHU_ENCRYPT_KEY, FEISHU_ALLOWED_GROUPS, FEISHU_ALLOWED_USERS, FEISHU_REQUIRE_MENTION, GOOGLE_CHAT_ACCESS_TOKEN, GOOGLE_CHAT_WEBHOOK_PATH, WECOM_WEBHOOK_PATH, WECOM_STREAMING_ENABLED, and WECOM_DEBOUNCE_SECS. Those gateway configurations work in Deployment mode today but silently stop working when users switch to colocated mode. This should share the gateway container/env rendering with gateway.yaml or at least keep feature parity, with a helm unit test that exercises a non-telegram adapter in colocated mode.