Add agentic deploy scripts, CRDs, and operator integration

[harche]

Summary

• Adds agentic stack deployment infrastructure to lightspeed-operator
• Deploy scripts (hack/agentic/): deploy.sh for full deploy with on-cluster builds (--provider=vertex|bedrock), redeploy-{operator,agent,console,skills,all}.sh for fast iteration, undeploy.sh for teardown, lib.sh with shared build helpers (parallel builds, worktree-safe image tags)
• Operator integration: Wires agentic controller in cmd/main.go with --agentic-console-image and --agentic-sandbox-image flags
• Agentic CRDs: ApprovalPolicy, Agent, LLMProvider, Proposal, result CRDs (analysis, execution, verification, escalation)
• RBAC: Agentic controller roles in config/rbac-agentic/
• Dockerfile.dev: Local module builds for agentic-operator dependency
• Build/CI: Tekton pipelines, integration test scenarios, OLM bundle manifests, catalog updates, related images

Test plan

• make test — unit tests pass
• KUBECONFIG=... bash hack/agentic/deploy.sh --provider=vertex — full deploy on fresh cluster
• KUBECONFIG=... bash hack/agentic/redeploy-operator.sh — fast iteration works
• Verify proposals work end-to-end on deployed cluster
• KUBECONFIG=... bash hack/agentic/undeploy.sh — clean teardown

🤖 Generated with Claude Code

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign raptorsun for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[iNecas]

Developer experience hint, many commands throw the output away, so the script fails without giving reasons why.

My agent suggests something like and I tent to agree

_run() {
    local _out
    _out=$(mktemp)
    if "$@" >"${_out}" 2>&1; then
        rm -f "${_out}"
    else
        local _rc=$?
        echo -e "    ${RED}✗${NC} Command failed: $*" >&2
        cat "${_out}" >&2
        rm -f "${_out}"
        return ${_rc}
    fi
}

[iNecas]

Suggested change

	local AGENT_IMAGE="${INTERNAL_REG}/${NS_OPERATOR}/lightspeed-agentic-sandbox:${TAG}"
	local AGENT_IMAGE="${INTERNAL_REG}/${NS_OPERATOR}/${BC_AGENT}:${TAG}"

[iNecas]

Suggested change

	local OPERATOR_IMG="${INTERNAL_REG}/${NS_OPERATOR}/lightspeed-operator:${TAG}"
	local CONSOLE_IMG="${INTERNAL_REG}/${NS_OPERATOR}/lightspeed-console-plugin:${TAG}"
	local OPERATOR_IMG="${INTERNAL_REG}/${NS_OPERATOR}/${BC_OPERATOR}:${TAG}"
	local CONSOLE_IMG="${INTERNAL_REG}/${NS_OPERATOR}/${BC_CONSOLE}:${TAG}"

[iNecas]

Given all the other envs are also set in one place, might make sense to do this for _IMG vars as well. I see the SKILLS_IMAGE in redeploy.sh as well… the consistency could help a bit.

I know it's just a dev script, but still…

[iNecas]

needs --wait as well, otherwise it returns 0 even on failure.

[iNecas]

given build_on_cluster and start_build_async are very similar, how about having just _build sync and _build async and handle the differences in particular places.

[harche]

Great feedback @iNecas , thanks, I will update the PR and test with those changes.